Sophisticated botnet targets CMS vulnerabilities. Bulletproof hosting provider launches phishing attacks on the side. Financially motivated inauthentic behavior.

Summary

By the CyberWire staff

At a glance.

Sophisticated botnet targets CMS vulnerabilities.
Bulletproof hosting provider launches phishing attacks on the side.
Financially motivated inauthentic behavior.
Cross-site scripting used in tech support scam.
Disruption efforts against Trickbot continue.
Ransomware trends.

Sophisticated botnet targets CMS vulnerabilities.

Researchers at Imperva describe KashmirBlack, a well-designed botnet that exploits known vulnerabilities in popular CMS platforms. Imperva believes the botnet has been active since November 2019, and it's used for at least five purposes: "crypto mining, spamming, defacement, spreading and, pending bot." The defacement element led the researchers to suspect that the botnet is controlled by a member of the Indonesian hacking group "PhantomGhost."

Imperva emphasizes that KashmirBlack's developers and operators appear to be more sophisticated than most botnet groups. In a second blog post, the researchers outline the technical aspects of the botnet's infrastructure that make it complex, resilient, and easily expandable.

Bulletproof hosting provider launches phishing attacks on the side.

PhishLabs says an Indonesia-based cybercriminal group dubbed "Planetary Reef" is acting as a bulletproof hosting provider using leased IP space from a large, legitimate reseller. The threat actor uses some of these domains to launch its own phishing attacks, and also sells access to other known criminal groups. Planetary Reef advertises its hosting services on social media sites, and many of the group's administrators appear to have publicly available Facebook profiles, which seem brazen, to say the least.

Financially motivated inauthentic behavior.

Facebook published a report on financially motivated inauthentic behavior (IB) on the platform, which the company distinguishes from politically motivated coordinated inauthentic behavior (CIB) designed to manipulate people's opinions. Financially motivated inauthenticity often takes the form of spam and clickbait designed to amplify content and drive people to ad-ridden websites. Political topics serve as effective clickbait lures, and Facebook notes, "These activities can be mistaken for politically-motivated influence operations at first glance, when in fact they are using political themes globally as another form of clickbait, similarly to celeb-bait or puppy memes."

Graphika offers a closer look at one of the larger inauthentic networks that was taken down. This operation was based in Myanmar and involved six-hundred-fifty-five Pages and twelve Groups. Graphika says sixty-four of these pages had more than a million followers, and four-hundred-thirty-eight had more than one-hundred-thousand followers. While a small portion of the content posted by these accounts centered on local politics (including pro-army and anti-Muslim posts), Facebook believes these were meant to be clickbait rather than intended to manipulate opinions. Graphika calls this "an illustration of the porous border between commercial spam and politically-oriented operations, blends of 'lifestyle' clickbait with political content have been observed historically both in commercial spam operations, and in influence operations that were attributed to the Myanmar military in 2018 and 2019."

Cross-site scripting used in tech support scam.

Malwarebytes warns that a tech support scam campaign is abusing a cross-site scripting vulnerability in a popular and legitimate Peruvian news website to redirect users to malicious sites. The attacker appears to be using Bit.ly shortened URLs distributed via apps and games on Facebook.

Disruption efforts against Trickbot continue.

CrowdStrike and others noted last week that the Trickbot botnet has proved resilient to government and industry efforts to disrupt it, but Microsoft issued an update last week asserting that it was seeing success in its ongoing efforts against the botnet. Microsoft noted that these are temporary measures designed to impede ransomware attacks ahead of the US election:

"As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure. We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world. To be clear, these numbers will change regularly as we expect action we’ve already taken will continue to impact the remaining infrastructure and as we and others continue to take new action between now and the election."

Microsoft added that it obtained more court orders to disable Trickbot's new infrastructure, and that it will continue to do so until election day. The company also notes, "What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help." Microsoft concludes that "it will be important to focus on the collective impact to Trickbot’s capabilities between now and the election, rather than to focus on potentially misleading simplified snapshots from any single moment in time."

Ransomware trends.

Digital Shadows has released a report on ransomware trends in Q3 2020, finding that more ransomware groups are incorporating data theft and subsequent extortion into their attacks. Seven new data dump sites sprang up during the third quarter, and the researchers believe this tactic "may pave the way for new or less well-known groups that are looking to get into the ransomware business." NetWalker and Conti ransomware, both relative newcomers to the scene, were responsible for 29% of activity related to data dumping. Conti's leaking site was only established in August 2020, yet it accounted for 17% of leaking activity. Maze, one of the first to adopt this form of extortion in late 2019, still leads the pack with 32% of leaking activity. REvil's Happy Blog came in third, at 13%. More than 80% of leaking activity was attributed to just five groups: Maze, Conti, REvil/Sodinokibi, NetWalker, and DoppelPaymer.

Emsisoft has also published its observations on ransomware in the third quarter, noting that the "Maze ransomware group in particular was a constant threat to educational institutions" at the start of the school year. Emsisoft's findings related to data theft were consistent with Digital Shadows, with the researchers noting that the operators of Avaddon, Conti, DarkSide, SunCrypt, LockBit, and others have all set up new leak sites.

Selected Reading

Tales From The Pot: Solr powered Kinsing (Akamai) Additional research and support provided by Chad Seaman. Introduction Akamai SIRT has been working on the development, and deployment, of custom multipurpose honeypots that attempt to mimic a wide array of services and devices. One of these honeypots shows the...

CrimeOps of the KashmirBlack Botnet - Part II (Imperva) The previous blog – “CrimeOps of the KasmirBlack Botnet – Part I” – described the DevOps behind the botnet. It showed how its well-designed infrastructure makes it easy to expand and add new exploits or payloads without much effort,and explained the evolution and version deployment of the botnet. The blog mentioned the delivery process […]

CrimeOps of the KashmirBlack Botnet - Part I (Imperva) Being in a research team exposes us to a variety of attacks on different platforms, of different types, scope, and volume. It also gives us the opportunity to select particularly interesting attacks that target our customers and to analyze them. This blog will give you a taste of the CrimeOps (criminal operations) behind one […]

Ransomware statistics for 2020: Q3 report (Emsisoft) Q3 2020 ransomware statistics. This report shows the most common ransomware strains and countries most affected by ransomware from July 1st to September 30th of 2020.

XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability (Malwarebytes Labs) This tech support scam is being spread via Facebook links and uses several redirection mechanisms to avoid detection.

On the trail of the XMRig miner (Securelist) As protection methods improve, the developers of miners have had to enhance their own creations, often turning to non-trivial solutions. Several such solutions (previously unseen by us) were detected during our analysis of the open source miner XMRig. How it

Planetary Reef: Cybercriminal Hosting and Phishing-as-a-Service Threat Actor (PhishLabs) PhishLabs is monitoring a threat actor group that has set up fraudulent hosting companies with leased IP space from a legitimate reseller. They are using this infrastructure for bulletproof hosting services as well as to carry out their own phishing attacks. The group, which is based in Indonesia, has been dubbed Planetary Reef.

Catch Me if You Can - JavaScript Obfuscation (Akamai) While conducting threat research on phishing evasion techniques, Akamai came across threat actors using obfuscation and encryption, making the malicious page harder to detect. The criminals were using JavaScript to pull this off....

Microsoft is Most Imitated Brand for Phishing Attempts in Q3 2020 (Check Point Software) Check Point Research issues Q3 Brand Phishing Report, highlighting the brands that hackers imitated the most to lure people into giving up personal data

GravityRAT: The spy returns (Securelist) In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered (the document is currently not available at this link, but is