16 February 2024

Cyber Security Week In Review: February 16, 2024


The US dismantles the Moobot botnet controlled by Russian military hackers

The US authorities announced they disrupted the notorious Moobot botnet, comprising thousands of Ubiquiti EdgeOS routers, used by the Russian GRU-affiliated hacker group known as APT28, Fancy Bear or Forest Blizzard to conduct its cyberespionage operations.

According to the US Department of Justice, the court-authorized operation used the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. It also reversibly modified the routers’ firewall rules to block remote management access to the devices, and enabled the temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

According to Shadowserver, over 2,350 routers had been infected with the Moobot malware, with the highest numbers in the US (535) and France (220).

In related news, the US authorities seized internet domains involved in the sale of the Warzone RAT malware designed to infiltrate and steal data from unsuspecting victims. In addition, two individuals involved in the distribution and support of the Warzone RAT and other malware were arrested in Malta and Nigeria.

Microsoft fixes three zero-days

As part of this month’s Patch Tuesday release, Microsoft addressed over 70 security flaws, including three actively exploited vulnerabilities. The three zero-days are CVE-2024-21351, CVE-2024-21412 and CVE-2024-21410. The first two have been described as Windows SmartScreen security feature bypass issues that could be exploited to run malicious files on the system or achieve remote code execution.

According to Trend Micro, CVE-2024-21412 has been exploited as part of a sophisticated zero-day attack chain by a threat actor tracked as Water Hydra (aka DarkCasino) that targeted financial market traders. The attackers leveraged the zero-day flaw to deploy the DarkMe malware.

The third zero-day flaw is a privilege escalation issue in Microsoft Exchange Server that can be exploited by a remote attacker to target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange server to gain the privileges of the victim client and perform operations on the Exchange server on the victim's behalf. Currently, it’s unclear how or when this bug has been exploited.

QNAP rolls out patches to fix a zero-day in QNAP QTS and QuTS hero firmware

Taiwanese network-attached storage (NAS) appliance maker QNAP released security updates to fix a couple of security issues, one of which is a zero-day vulnerability discovered in November 2023.

The zero-day flaw, tracked as CVE-2023-50358, is an OS command injection issue in QTS and QuTScloud hero that can be used by a remote attacker to execute arbitrary shell commands on the system.

Ivanti SSRF vulnerability exploited to install a novel DSLog backdoor

Malicious actors are exploiting a recently disclosed server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a novel backdoor. Tracked as CVE-2024-21893, the issue resides in the SAML component. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. Successful exploitation may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.

The latest findings from Orange Cyberdefense show that attackers deployed a new backdoor called ‘DSLog’ that allows threat actors to remotely execute commands on compromised devices. The backdoor had been inserted into the appliance's code base, namely into an existing Perl file called ‘DSLog.pm’, via SAML authentication requests containing encoded commands designed to carry out various operations.

Security researchers warn that thousands of Ivanti Connect Secure and Policy Secure endpoints still remain unpatched against a number of vulnerabilities (CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888) disclosed more than a month ago.

In addition, researchers at Eclypsium discovered security weaknesses in the firmware running on Ivanti Pulse Secure appliances (version 9.1.18.2-24467.1), including the use of multiple outdated packages like the 11-year-old Linux version and old libraries with known CVEs and exploits.

Chinese Volt Typhoon cyberspies target US electric companies, emergency management services

A China-linked state-backed threat actor has been targeting US critical infrastructure, including multiple electric companies, emergency management services, telecommunications, satellite services, and the defense industrial base, since early 2023. To gain access to the victim network, the group compromises external network perimeter applications and assets such as SOHO routers and virtual private network gateways (Fortinet FortiGuard, PRTG Network Monitor appliances, FatePipe WARP, Ivanti Connect Secure VPN, Cisco ASA, and ManageEngine ADSelfService Plus). Once within the target’s network, the attackers leverage living-off-the-land (LOTL) techniques and stolen credentials to move through the network.

Russian Turla APT targets Polish NGOs with a new TinyTurla-NG backdoor

Cisco’s Talos team released a report highlighting a new cyberespionage campaign by the Russian threat actor Turla focused on Polish non-governmental organizations (NGOs), including those supporting Ukraine.

The campaign involves TinyTurla-NG, a small “last chance” backdoor used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.

State-backed threat actors are abusing AI to enhance malicious operations

OpenAI said that it shut down accounts used by multiple state-backed threat actors, including two China-affiliated threat actors known as Charcoal Typhoon and Salmon Typhoon, the Iran-affiliated threat actor known as Crimson Sandstorm, the North Korea-linked Emerald Sleet, and the Russia-associated hacker group tracked as Forest Blizzard.

The threat actors used OpenAI services for querying open-source information, translating, finding coding errors, and running basic coding tasks.

Threat actors compromised a US govt org via a former employee account

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory disclosing a security breach in an unidentified state government organization.

The breach occurred through a former employee's administrator account, which a threat actor used to gain access to the organization's internal network via a virtual private network (VPN). The attackers aimed to blend in with legitimate traffic to avoid detection. It's suspected that the threat actor obtained the credentials from a separate data breach, as the credentials were found in publicly available channels containing leaked account information. The attackers accessed host and user information and posted it on the dark web for potential financial gain. In response, the organization reset passwords for all users, disabled the compromised administrator account, and removed elevated privileges from another account.
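The two conditions this incident hinged on, a departed employee's administrator account that was never disabled and a VPN login made with it, are both cheap to check for. The following is an added example, not code from the advisory or from CISA: it runs a constructed identity roster and a few constructed VPN authentication log lines through two checks, one listing still-enabled accounts of people who have left (administrators first), the other listing successful VPN logins by any departed user. The usernames, the log format and the field names (user, src, result, left_on) are assumptions chosen for the example; a real deployment would feed it the HR roster and the VPN gateway's own log format.

```python
"""Offline checks for stale accounts of departed staff and VPN logins made with them.

Added example; the roster, log lines and field names are constructed for
illustration and do not come from the advisory or any vendor schema.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    enabled: bool
    is_admin: bool
    left_on: Optional[date]  # date the employee left; None if still employed


# Constructed identity roster (hypothetical usernames).
ROSTER = [
    Account("jdoe", enabled=True, is_admin=True, left_on=date(2023, 10, 31)),   # left, still enabled, admin
    Account("asmith", enabled=True, is_admin=False, left_on=None),               # current employee
    Account("bwong", enabled=False, is_admin=True, left_on=date(2023, 6, 1)),    # left, correctly disabled
    Account("clee", enabled=True, is_admin=False, left_on=date(2024, 1, 15)),    # left, still enabled, no admin
]

# Constructed VPN authentication log in a simple syslog-like layout.
VPN_LOG = """\
2024-02-10T02:14:07Z vpn-gw01 auth: user=jdoe src=203.0.113.45 result=success
2024-02-10T08:30:12Z vpn-gw01 auth: user=asmith src=198.51.100.7 result=success
2024-02-10T02:16:55Z vpn-gw01 auth: user=jdoe src=203.0.113.45 result=success
2024-02-10T09:02:40Z vpn-gw01 auth: user=bwong src=192.0.2.9 result=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def stale_accounts(roster: List[Account], today: date) -> List[Tuple[str, int, bool]]:
    """Return (user, days_since_departure, is_admin) for every account whose
    owner has left but which is still enabled; administrators are listed first,
    then the longest-stale accounts."""
    found = []
    for acct in roster:
        if acct.left_on is not None and acct.left_on <= today and acct.enabled:
            found.append((acct.user, (today - acct.left_on).days, acct.is_admin))
    return sorted(found, key=lambda t: (not t[2], -t[1]))


def former_employee_logins(roster: List[Account], log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, source_ip) for each successful VPN login made
    with an account whose owner has left, whether or not it is still enabled."""
    departed = {acct.user for acct in roster if acct.left_on is not None}
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # skip lines that are not authentication records
        if match["user"] in departed and match["result"] == "success":
            hits.append((match["ts"], match["user"], match["src"]))
    return hits


def run_checks(today_iso: str = "2024-02-16") -> dict:
    """Run both checks over the constructed data as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {
        "stale": stale_accounts(ROSTER, today),
        "logins": former_employee_logins(ROSTER, VPN_LOG),
    }


if __name__ == "__main__":
    results = run_checks()
    for user, days, is_admin in results["stale"]:
        print(f"still enabled {days} days after departure: {user}{' (admin)' if is_admin else ''}")
    for ts, user, src in results["logins"]:
        print(f"VPN login by departed user {user} from {src} at {ts}")
```

The first check is the control that would have closed this account before it was abused; the second is the detection that catches the abuse if the control is missed. Because the gateway log alone cannot tell a departed user from a current one, both checks join the authentication data against the HR roster, which is the piece most VPN dashboards lack.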

North Korea hacked into an email account of South Korea president’s staffer

South Korea's President Yoon Suk Yeol's administration revealed that they suspect North Korean hackers gained unauthorized access to the personal email account of one of the presidential staff members prior to President Yoon's visit to Europe in November.

The breach targeted the personal email account of an unnamed staffer, who used commercial email services for official matters. While details about the specific data accessed from the staff member's personal emails were not disclosed, authorities emphasized that the incident did not compromise the integrity of the office's broader security infrastructure.

Cyber operations by Iran and Hezbollah-linked groups have become more focused, Google says

Google’s TAG team and Mandiant released a joint threat intelligence report highlighting new findings on Iranian government-backed phishing campaigns, hack-and-leak and information operations (IO), as well as disruptive attacks targeting Iran and Hamas-linked cyber operations.

The Glupteba botnet uses an undocumented UEFI bootkit to evade detection

The Glupteba botnet, a sophisticated malware, has been discovered to integrate a previously unknown UEFI bootkit feature. This bootkit can manipulate the operating system boot process, allowing Glupteba to conceal itself and establish a persistent presence that is exceptionally challenging to detect and eradicate. Glupteba is a multifunctional threat capable of stealing information, serving as a backdoor, facilitating unauthorized cryptocurrency mining, and deploying proxy components on compromised systems. Additionally, it employs the Bitcoin blockchain as a backup command-and-control system, enhancing its resilience against takedown attempts.

Ubuntu's 'command-not-found' tool can be abused to install malicious packages

A weakness in Ubuntu's 'command-not-found' tool has been identified, potentially allowing attackers to deceive users into installing malicious packages. The issue stems from the tool's capability to suggest snap packages for installation without verifying their authenticity. Attackers could exploit this to recommend malicious snap packages, posing a significant threat due to the widespread use of the utility and the potential to mimic numerous commands from popular packages.

Bumblebee malware returns after a 4-month hiatus

The Bumblebee malware re-emerged in the cyber threat landscape in February, following a four-month hiatus, according to Proofpoint. This sophisticated downloader, favored by various cybercriminal groups, returned with a new phishing campaign after being inactive since October 2023. Proofpoint said that the Bumblebee loader serves as an initial access tool, enabling the delivery of subsequent payloads, including ransomware.

TicTacToe dropper distributes RATs, info-stealers and other malware

Fortinet’s FortiGuard team uncovered a series of malware droppers responsible for delivering various final-stage payloads. Collectively named ‘TicTacToe dropper,’ the droppers are designed to discreetly install and execute additional malware on targeted systems, complicating detection and analysis. The identified droppers utilize sophisticated techniques, including multiple stages of obfuscated payload loading directly into system memory. Among the final-stage payloads discovered are Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos.

Ransomhouse ransomware operation uses a new tool to support automated attacks

RansomHouse, a ransomware-as-a-service (RaaS) operation known for its double extortion tactics, has been observed using a new tool called 'MrAgent' designed to support automated deployment of ransomware at scale. The tool streamlines the deployment of its data encrypter across multiple VMware ESXi hypervisors.

Active since December 2021, the group employs a unique ransomware variant named Mario ESXi and MrAgent to target Windows and Linux systems. Analysis suggests a code similarity with the Babuk ransomware.

The US offers up to $15 million for tips on ALPHV/Blackcat gang top figures

The US Department of State announced a reward of up to $15 million for information leading to the identification, arrest, and/or conviction of key leaders of ALPHV/Blackcat ransomware or individuals participating in ALPHV/Blackcat ransomware activities.

Dozens of hospitals in Romania impacted by a ransomware attack on IT provider

A total of 100 hospitals across Romania have been forced to shut down their systems due to a ransomware attack on the Hipocrate Information System (HIS), a vital tool used by medical facilities to manage patient data and medical activities.

The assault, which occurred over the weekend, encrypted the database of the HIS, rendering it inaccessible and bringing operations to a standstill in numerous hospitals. As a result of the attack, 25 hospitals had their systems encrypted, and an additional 75 facilities have been disconnected from the internet as a precautionary measure while investigators assess the extent of the breach.

Among the affected institutions are regional hospitals and specialized centers, including those dedicated to cancer treatment.

France discovers pro-Russian propaganda network targeting Western Europe

The French government's technical and operational agency for countering digital manipulation Viginum has uncovered a sophisticated propaganda and disinformation network operating out of Moscow and targeting Western Europe. The network, dubbed “Portal Kombat,” involves at least 193 sites spreading pro-Russian content, aiming to influence public opinion in countries such as France by disseminating misleading narratives and polarizing the digital public debate. The primary objective appears to be shaping perceptions of the Russian-Ukrainian conflict by presenting Russia's actions positively while disparaging Ukraine and its leadership.

Zeus, IcedID malware gang leader pleads guilty

Vyacheslav Penchukov, a Ukrainian national also known as Vyacheslav Andreev or Tank, has pleaded guilty to his involvement in two extensive malware operations, facing a potential 40-year prison sentence.

Operating since May 2009, Penchukov was a key figure in a racketeering enterprise responsible for disseminating the “Zeus” malware, infecting thousands of business computers. The malware was used to extract sensitive banking information, such as account details and passwords. Penchukov and his accomplices then deceived banks by posing as victims' employees, authorizing fraudulent transfers of funds, resulting in millions of dollars in losses. The scheme utilized money mules in the US and elsewhere to receive and transfer funds overseas to accounts controlled by Penchukov's associates.

In related news, Milomir Desnica, a national of Serbia and Croatia, was sentenced to 168 months in prison for operating the Monopoly Market, an underground marketplace for the sale of illicit narcotics. Monopoly was dismantled in December 2021 in a joint operation involving law enforcement from the US, Germany and Finland. Desnica was arrested in Austria in November 2022 and extradited to the United States in June 2023.
