At a glance.
- New ransomware from Evil Corp.
- Ripple20 vulnerabilities in IoT supply chains.
- Lazarus Group suspected in LinkedIn phishing campaign.
- GuLoader is being sold by an Italian front company.
New ransomware from Evil Corp.
Fox-IT has been tracking a new ransomware strain called "WastedLocker" that's been active since May 2020. The researchers say the malware was developed by Evil Corp, a criminal group best known for creating the Dridex banking Trojan and the BitPaymer ransomware. WastedLocker's emergence appears to be part of Evil Corp's efforts to switch out its TTPs following the indictment of two of the group's leaders by the US Justice Department in December 2019.
WastedLocker is distributed via SocGholish, a JavaScript malware that poses as a fake browser update on a phishing page. In this case, SocGholish is being used to deliver a custom Cobalt Strike loader, which in turn delivers the ransomware. Fox-IT notes that Evil Corp doesn't seem to engage in the type of data theft and extortion that's become a common feature of other targeted ransomware operations. The researchers suspect this is due to the group's desire to avoid attracting undue attention to itself.
Ripple20 vulnerabilities in IoT supply chains.
Researchers at Israeli cybersecurity firm JSOF have discovered nineteen vulnerabilities in a low-level TCP/IP software library used by at least "hundreds of millions" of IoT devices. The code was developed by the Ohio-based company Treck and has been integrated into the IoT supply chain since its release in the late '90s. The set of flaws, dubbed "Ripple20," includes four remote code execution vulnerabilities, two of which received CVSS scores of 10. Treck has developed patches for the flaws and urges its customers to contact the company for more information, noting that the level of exposure to the vulnerabilities varies greatly from product to product.
The real challenge, however, is the fact that many IoT vendors likely don't know if their products contain the vulnerable code. JSOF collaborated with CERT/CC and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to track down "as many affected vendors as possible before the vulnerabilities became public," but there are many others whose status is still unknown. The researchers explain, "As we traced through the distribution trail of Treck's TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly."
Complicating matters further is the fact that the vulnerable library was originally developed in collaboration with a Japanese company, Elmic Systems (now called "Zuken Elmic"). Elmic later parted ways with Treck and continued selling the software across Asia under the name "Kasago." JSOF realized this resulted in an entirely separate supply chain managed by a different company throughout another part of the world. Japan's CERT (JPCERT/CC) is currently trying to determine the extent of this side of the issue, but JSOF says "Initial research shows Kasago to be in widespread use."
JSOF gives an idea of the scope of the problem, saying, "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries." JSOF's report includes links to advisories issued by some of these vendors.
CISA and CERT/CC lay out mitigations to minimize the risk of exploitation, and JSOF is offering a script that can help in some cases to determine whether a device is vulnerable. But despite these efforts, ZDNet concludes that the vulnerabilities "will haunt the IoT landscape for years to come."
Lazarus Group suspected in LinkedIn phishing campaign.
ESET discovered an espionage campaign that targeted aerospace and military companies in Europe and the Middle East between September and December 2019. The researchers call the campaign "Operation In(ter)ception," and they found several hints suggesting the possible involvement of North Korea's Lazarus Group (although they refrain from making a confident attribution).
The attackers sent LinkedIn messages with fake job offers to employees at the targeted organizations to trick them into opening malicious files. These files were RAR archives containing LNK files, which, when opened, would run a command prompt to open a PDF file in the victim's browser. The PDF was a decoy to avoid making the victim suspicious, while custom-made malware was installed in the background. The attackers used a modified version of an open-source command-line client for Dropbox in order to exfiltrate data.
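One way a defender might triage process-creation telemetry for the pattern described above (a user-launched command prompt that opens a decoy document while also starting a second program), as an added example that is not part of ESET's report or this page; the event field names, the archiver temp-directory patterns and the sample command lines are constructed assumptions, not observed campaign artifacts:

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (NOT telemetry from the campaign);
# the field names follow common EDR/Sysmon-style logging and are an assumption.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "%TEMP%\Rar$DIa1.2\Job_Offer.pdf" & start /b "%TEMP%\Rar$DIa1.2\svc.exe"'},
    {"id": "2", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Projects"},
    {"id": "3", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\Downloads\report.pdf"'},
]

DECOY_DOC = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\b", re.I)      # a document shown to the user
# Transient extraction folders used by common archivers when a file is opened in place (assumed patterns).
ARCHIVE_TMP = re.compile(r"(?:\\Temp\\|%TEMP%\\)(?:Rar\$|7z[A-Za-z0-9]*)", re.I)
EXEC_REF = re.compile(r"([\w$%-]+)\.(exe|dll|ps1|vbs|js|hta)\b", re.I)
CHAINED = re.compile(r"&&|&|\|\||;")


def launches_second_stage(cmdline: str) -> bool:
    """True if the command line references an executable or script other than cmd.exe itself."""
    return any(m.group(1).lower() != "cmd" for m in EXEC_REF.finditer(cmdline))


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches; the decoy + second-stage pair is the key signal."""
    hits = []
    if ev["parent"].lower().endswith("\\explorer.exe") and ev["image"].lower().endswith("\\cmd.exe"):
        hits.append("user_launched_cmd")            # what a double-clicked .lnk typically looks like
    cl = ev["cmdline"]
    if DECOY_DOC.search(cl):
        hits.append("opens_document")
    if ARCHIVE_TMP.search(cl):
        hits.append("archive_temp_path")
    if launches_second_stage(cl):
        hits.append("second_stage")
    if CHAINED.search(cl):
        hits.append("chained_commands")
    return hits


def is_suspicious(hits: List[str]) -> bool:
    """A decoy document opened alongside a second executable is the pattern worth an analyst's time."""
    return "opens_document" in hits and "second_stage" in hits


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events that match the decoy-plus-payload pattern."""
    return [ev["id"] for ev in events if is_suspicious(score_event(ev))]


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], score_event(ev), "SUSPICIOUS" if is_suspicious(score_event(ev)) else "ok")
```

Only the first constructed event trips the decoy-plus-payload rule; a plain `dir` and a lone PDF open are left alone, which is the false-positive control this heuristic needs.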
While the primary objective of the campaign was espionage, in one notable incident the attackers opportunistically tried to carry out a business email compromise scam after coming across an email conversation about a pending invoice. The attackers used a spoofed email address in an attempt to trick the customer into sending the money to a different bank account, but the attack failed when the customer contacted the organization's correct email address.
GuLoader is being sold by an Italian front company.
Researchers at Check Point have determined that Italian security firm CloudEyE is actually a front company that's been selling the popular GuLoader network dropper to malware operators. GuLoader is used by a wide variety of threat actors to deliver malware hosted on cloud services like Google Drive or Dropbox. Check Point says "up to 25% of all packed samples are GuLoaders."
Check Point followed clues contained in some GuLoader samples and ended up at the website of CloudEyE, a company that claims to sell security software to protect Windows applications from "cracking, tampering, debugging, disassembling, [and] dumping." The researchers purchased the company's product and used it to encrypt a sample file. They then ran the output through Check Point's threat detection tool, which flagged it as GuLoader with high confidence. The researchers also manually confirmed this by comparing their file to a real GuLoader sample observed in the wild. If CloudEyE's website is to be believed, the company makes more than $500,000 per month through this scheme.