At a glance.
- PaperCut vulnerability detection methods can be bypassed and Iranian threat actors have joined the fray.
- CACTUS, a new ransomware leveraging VPNs to infiltrate its target.
- A new Akira ransomware campaign spreads.
- Meta observes and disrupts new NodeStealer malware campaign.
- ReconShark, a new reconnaissance tool deployed in DPRK spearphishing attacks.
- APT41 subgroup Earth Longzhi uses new techniques to bypass security products.
- Phishing reports up 34% in a year; man-in-the-middle phishing up 35%.
- HTML attacks double in one year.
PaperCut vulnerability detection methods can be bypassed, and Iranian threat actors have joined the fray.
Researchers at VulnCheck have published a new exploitation method for the PaperCut vulnerability (CVE-2023-27350) disclosed in March. It evades the detection methods published so far: Sysmon-based indicators, log file analysis, and network signatures. The exploit's authentication bypass looks like an ordinary admin login, so detections that rely on log file analysis miss it. BleepingComputer explains, “As for network signature detection methods, those can be trivially bypassed if the attacker modifies the malicious HTTP request by adding an extra slash or an arbitrary parameter into it.” BleepingComputer adds, “While VulnCheck did not provide alternate detection methods that work for all PoCs, they warned that hackers closely monitor what detection methods are employed by defenders and adjust their attacks to make them undetectable anyway.”
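To make the quoted point concrete, here is an added example (written for this page; it is not VulnCheck's, PaperCut's, or BleepingComputer's code) that runs a literal-string network signature and a normalizing matcher over constructed request lines. The request shape `/app?service=page/SetupCompleted` is assumed as the form of the public proof of concept, the benign page name is made up, and none of the sample traffic is real.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request lines (not real traffic). The PoC path is an assumption.
SAMPLE_REQUESTS = [
    "GET /app?service=page/SetupCompleted HTTP/1.1",        # PoC shape
    "GET //app?service=page/SetupCompleted HTTP/1.1",       # extra slash
    "GET /app?x=1&service=page/SetupCompleted HTTP/1.1",    # arbitrary extra parameter
    "GET /app?service=page%2FSetupCompleted HTTP/1.1",      # percent-encoded slash
    "GET /app?service=page/UserDetails HTTP/1.1",           # benign page (made-up name)
]

# A literal-string signature of the kind the quote describes.
NAIVE_SIGNATURE = "GET /app?service=page/SetupCompleted"


def naive_match(request_line):
    """Prefix match against the literal PoC request, as a brittle IDS rule would."""
    return request_line.startswith(NAIVE_SIGNATURE)


def normalized_match(request_line):
    """Match on the decoded, normalized request instead of the literal bytes."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)       # collapse repeated slashes
    params = parse_qs(query)              # splits on &, decodes %XX, ignores parameter order
    return (method == "GET" and path == "/app"
            and "page/SetupCompleted" in params.get("service", []))


def compare(requests):
    """Return (naive_hits, normalized_hits) over a list of request lines."""
    naive = [r for r in requests if naive_match(r)]
    norm = [r for r in requests if normalized_match(r)]
    return naive, norm


if __name__ == "__main__":
    naive, norm = compare(SAMPLE_REQUESTS)
    print(f"naive signature matched {len(naive)} of the 4 attack variants")
    print(f"normalized matcher matched {len(norm)} of the 4 attack variants")
```

The normalized matcher catches the three variants the literal signature misses, but it is still a partial fix: case changes, path parameters, further encoding layers, or an entirely different route to the same code path would need their own handling, which is VulnCheck's broader point and why patching is the only dependable mitigation.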
Microsoft has also reported that the PaperCut NG/MF vulnerability is being exploited by Iranian state-backed threat actors. “More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (aka PHOSPHORUS or APT35) & Mango Sandstorm (aka MERCURY or Muddywater) exploiting CVE-2023-27350.” Experts recommend users update PaperCut NG/MF to versions 20.1.7, 21.2.11, or 22.0.9 or later, since detection of exploitation cannot be relied on. PaperCut has posted details about the vulnerability on its site.
CACTUS, a new ransomware leveraging VPNs to infiltrate its target.
Researchers at Kroll have identified a new ransomware family, “CACTUS,” BleepingComputer reports. “CACTUS has been observed leveraging documented vulnerabilities in VPN appliances in order to gain initial access,” Kroll wrote in a report emailed to the CyberWire. The encryptor is itself encrypted and needs a key supplied at launch before it can run, which likely helps it evade detection until the operators are ready to start the encryption stage. CACTUS is new, and there is not yet enough data to characterize its ransom demands or what follows a refusal to pay. Kroll said, “As of the writing of this bulletin, Kroll had not yet identified a ‘shaming site’ or victim identification-related blog authored by CACTUS for purposes of sharing victim data if a ransom was not paid. In terms of ransom, there is not currently enough data to provide an average starting price. It is also yet to be seen what would happen if a ransom were not paid and how successful any threat actor provided decryptor may be.” Researchers recommend patching VPN appliances and using password managers to minimize exposure. Kroll also recommends multifactor authentication to limit lateral movement within a compromised network.
A new Akira ransomware campaign spreads.
BleepingComputer reports that Akira ransomware has been spreading slowly worldwide, with demands reaching six figures. Akira claims to have attacked at least sixteen companies and does not appear to target a particular sector. It has leaked data from four victims, presumably those who did not pay. “From negotiations seen by BleepingComputer,” the outlet writes, “the ransomware gang demands ransoms ranging from $200,000 to millions of dollars. They are also willing to lower ransom demands for companies who do not need a decryptor, and just want to prevent the leaking of stolen data. The ransomware is currently being analyzed for weaknesses, and BleepingComputer does not advise victims to pay the ransom until it’s determined if a free decryptor can recover files for free.”
Meta observes and disrupts new NodeStealer malware campaign.
Meta yesterday detailed a new malware campaign that targets social media accounts by advertising ChatGPT services. NodeStealer, first identified in January, has been targeting several platforms, including Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian’s Trello, Microsoft OneDrive, and iCloud in addition to Meta platforms. Meta claims to have blocked over 1,000 unique ChatGPT-themed malicious URLs on its platforms. “These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity,” Meta wrote. The NodeStealer executable is typically disguised as a Microsoft Office file or PDF, two very commonly used formats. Meta explains that, “When executed, the malware first establishes persistence to ensure that it continues to operate after the victim restarts the machine. The malware uses the auto-launch module on Node.js to do so.” The malware steals browser data such as passwords and cookies from Chrome, Opera, Microsoft Edge, and Brave. Meta has also shared indicators of compromise and other details of NodeStealer’s operation to support a stronger collective defense.
ReconShark, a new reconnaissance tool deployed in DPRK spearphishing attacks.
SentinelLabs reports that Kimsuky, a North Korean state-sponsored cyber espionage group, has added a new reconnaissance tool to its repertoire. ReconShark is delivered through spearphishing emails tailored to the individual target, using real names and, especially, information directly pertinent to the target's work to lure the recipient into downloading a malicious file. Recently the group has favored password-protected documents hosted on Microsoft OneDrive.
ReconShark, an evolution of the group's BabyShark malware, then gathers system information so that follow-on exploitation of the target’s machine can be tailored precisely. “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.” SentinelLabs concludes that this activity is probably part of a larger operation and underscores the need for industry collaboration and communication to thwart further malicious activity.
James McQuiggan, Security Awareness Advocate at KnowBe4, noted that social engineering remains an important tool for threat actors. "The group’s adoption of advanced spear phishing tactics demonstrates that social engineering is still the standard tool for gaining access to organizations through users and relying on old fashioned human psychology, misdirection and manipulation to access sensitive information," McQuiggan says. "While technology helps protect networks, servers, endpoints and data, the human remains a fundamental vulnerability that cybercriminals will consistently exploit. Organizations should continue to educate their users as a priority. Monthly security awareness sessions and frequent simulated phishing exercises can help users identify and respond to potential spear phishing attacks more effectively. In the unfortunate event of a successful phishing attack, organizations should also establish robust incident response plans to ensure they can promptly detect, contain and remediate threats when they occur."
APT41 subgroup Earth Longzhi uses new techniques to bypass security products.
Researchers at Trend Micro have discovered a new campaign by Earth Longzhi, a subgroup of APT41. The attacks use a relatively novel technique the researchers call “stack rumbling,” which abuses Image File Execution Options (IFEO) registry settings as a denial-of-service mechanism to keep security products from running. “In addition, we’ve noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call (RPC) instead of using general Windows application programming interfaces (APIs). This is a stealthy way to evade typical API monitoring,” the researchers write. Trend Micro notes that the campaign tends to exploit public-facing applications, Internet Information Services (IIS), and Microsoft Exchange servers. Earth Longzhi also abuses legitimate Windows Defender binaries to sideload a new variant of Croxloader and a tool the researchers call “SPHijacker,” which disables security products. Earth Longzhi has been seen targeting government, healthcare, technology, and manufacturing organizations in the Philippines, Thailand, Taiwan, and Fiji. The researchers assess that Vietnam and Indonesia are probably the next countries Earth Longzhi will target.
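As an added example (not Trend Micro's code or anything from this article), the following audits an exported Image File Execution Options key for the two value names most relevant to this campaign. `Debugger` is the classic IFEO hijack; `MinimumStackCommitInBytes` is the value that, per Trend Micro's report, stack rumbling sets to an oversized number so the targeted process fails at start-up. That detail, the constructed .reg content, and the use of MsMpEng.exe (Microsoft Defender's service process) as the illustrative victim are assumptions not spelled out on this page.

```python
import re

# Registry prefix under which per-image overrides live. Python raw strings cannot end in a
# backslash, so the trailing separator is appended separately.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options") + "\\"

# Value names that should not appear under IFEO for a security product without a change record.
SUSPICIOUS_VALUES = {
    "debugger": "Debugger redirects process start to another binary",
    "minimumstackcommitinbytes": "oversized stack commit makes the image fail to start (stack rumbling)",
}

# Constructed .reg export (not real data). The first two keys are the suspicious ones;
# the third is a harmless developer setting kept to show that not every IFEO entry is flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"MinimumStackCommitInBytes"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\Temp\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"DisableExceptionChainValidation"=dword:00000000
'''


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export (string and dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            parsed = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            parsed = val[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes in strings
        else:
            parsed = val                               # hex:/expand types kept raw
        keys[current][name] = parsed
    return keys


def audit_ifeo(keys):
    """Return (image, value_name, value, reason) for every suspicious IFEO value found."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):]
        for name, value in values.items():
            reason = SUSPICIOUS_VALUES.get(name.lower())
            if reason:
                findings.append((image, name, value, reason))
    return findings


if __name__ == "__main__":
    for image, name, value, reason in audit_ifeo(parse_reg(SAMPLE_REG)):
        print(f"{image}: {name}={value!r}  ({reason})")
```

On a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and feed the file to `parse_reg` (the export is UTF-16, so open it with `encoding="utf-16"`). Treat hits as triage leads rather than verdicts: development tooling legitimately sets `Debugger` for its own processes, so compare against a baseline and pay particular attention to entries naming security-product executables.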
Phishing reports up 34% in a year; man-in-the-middle phishing up 35%.
Cofense released its Q1 2023 phishing intelligence trends review today. It reports a 20% increase in active threat reports over the previous quarter and a 34% increase over Q1 2022. Threat actors are updating their delivery methods, for example by using OneNote files. YouTube has become a surprising target of abuse, with threat actors using its redirects to point to phishing pages. “The top malware families and types remained mostly consistent to that of Q4. However, the most significant change in malware types was a 38% increase in the use of keyloggers.” Researchers explain that “Qakbot remained the most successful malware family reaching inboxes, 185% more often than Emotet, despite Emotet’s extremely high dissemination volume.” Telegram bot usage for exfiltration increased very sharply, by 397%, during Q1 2023. Cofense states “Further, Telegram bot API usage continued to rise tremendously in Q1, already surpassing all of 2022 by 310%. The use of Telegram bots has already reached new highs this quarter compared to all of last year and is expected to hold these levels or even go beyond.” Cofense expects phishing attempts to increase as the summer months begin.
Threat actors are also incorporating man-in-the-middle (MitM) attacks to support phishing schemes. In a report released this morning, researchers at Cofense Intelligence explained that MitM attacks increased by 35% between Q1 2022 and Q1 2023. Threat actors combine MitM with credential phishing to steal usernames, passwords, and session cookies, the last of which lets them bypass multi-factor authentication. 95% of the MitM phishing attacks they observed targeted Microsoft Office 365 authentication. Researchers write, ”The significant majority of man-in-the-middle landing pages we have identified attempt to intercept Office 365 credentials (94%), with Outlook (4%) and Amazon (1%) following as a distant second and third.” They also tend to use URL redirection: “89% of campaigns used at least one URL redirect, and 55% used two or more.” These attacks do not break TLS; the attacker's server terminates one secure connection with the victim and opens another to the real website, so the victim sees a valid certificate and a working login while the proxied login page records the credentials, relays the MFA prompt, and captures the resulting session cookie. Cofense recommends the following defensive measures:
- Users should be reminded of which online portals are approved for company use.
- Emails containing URLs or attachments that bring users to a website which looks legitimate but does not match the company-approved ones should be considered suspicious and reported for further analysis.
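The caveat a practitioner would add to the list above is that user awareness is the weakest control against a proxied login; the durable fix is authentication that binds to the origin the browser actually sees. The following is an added toy example (written for this page, not Cofense's code) of why a relayed one-time code works for the attacker but an origin-bound WebAuthn-style assertion does not. The relying party `login.example.com`, the phishing origin, and the use of an HMAC with a per-credential secret in place of the authenticator's real asymmetric key are all assumptions; the binding property demonstrated (the page origin is inside the signed data) is the same in real WebAuthn.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                        # assumed relying party
ALLOWED_ORIGINS = {"https://login.example.com"}    # assumed
CREDENTIAL_SECRET = b"constructed-per-credential-secret"  # stand-in for the authenticator's private key


def authenticator_sign(challenge, origin):
    """Browser side: clientDataJSON is built from the origin the browser actually loaded."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    authenticator_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags=UP, counter=0
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": sig}


def rp_verify(assertion, expected_challenge):
    """Relying-party side: returns (accepted, reason)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    if assertion["authenticatorData"][:32] != rp_id_hash:
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin, tamper_origin=None):
    """One login. page_origin is what the victim's browser loaded; tamper_origin simulates the
    proxy rewriting the origin field after the authenticator has signed."""
    challenge = os.urandom(32)                       # issued by the RP, relayed unchanged by a proxy
    assertion = authenticator_sign(challenge, page_origin)
    if tamper_origin:
        client = json.loads(assertion["clientDataJSON"])
        client["origin"] = tamper_origin
        assertion["clientDataJSON"] = json.dumps(client).encode()
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print(login_attempt("https://login.example.com"))
    print(login_attempt("https://login.example-phish.com"))
    print(login_attempt("https://login.example-phish.com", tamper_origin="https://login.example.com"))
```

The direct login is accepted, the proxied login is rejected because the browser recorded the phishing origin, and the proxy cannot simply patch the origin field because that changes the hash the authenticator signed. A relayed password-plus-OTP flow has no such binding: the proxy forwards the code as typed and receives the session cookie the page describes. In a real browser the attempt would fail even earlier, since a page on the phishing domain is not permitted to request an assertion for an unrelated RP ID.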
HTML attacks double in one year.
Barracuda released a study this morning indicating that HTML attacks have doubled since last year. The researchers note that not only is the total number of attacks increasing, but the number of unique attacks is increasing as well. “On March 23, almost nine in ten (405,438 — 85%) of the total 475,938 malicious HTML artefacts were unique ― which means that almost every single attack was different.” HTML attacks are commonly seen in phishing campaigns when users open HTML attachments from emails. Barracuda recommends that organizations adopt email protections to spot and block malicious HTML attachments, train personnel to spot phishing emails, implement MFA and consider a zero trust security model, and prepare an incident response plan that includes ways of disrupting a campaign should it penetrate the organization.
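As an added example (not Barracuda's code or anything from the study) of the kind of attachment check that recommendation implies, the following parses an email, picks out attachments that are HTML by declared type or by file extension, and flags the script and obfuscation markers typical of HTML smuggling and credential-harvesting pages. The message, addresses, attachment names, and indicator list are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers worth flagging in an HTML attachment. Crude by design: the point is that static
# HTML that needs no script is rarely sent as an attachment, so script at all is a signal.
SCRIPT_INDICATORS = [
    (r"<script\b", "inline script"),
    (r"\bunescape\s*\(|\batob\s*\(|fromCharCode", "decoding/obfuscation helper"),
    (r"\b(document\.write|eval)\s*\(", "dynamic code execution"),
    (r"<form\b[^>]*action=", "credential form"),
    (r"\bpassword\b", "password field or prompt"),
]

HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml")


def html_attachments(msg):
    """Yield (filename, text) for attachments that are HTML by content type or by extension.
    The extension check matters because senders mislabel HTML as application/octet-stream."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype in ("text/html", "application/xhtml+xml") or name.lower().endswith(HTML_EXTENSIONS):
            payload = part.get_payload(decode=True) or b""
            yield name, payload.decode("utf-8", errors="replace")


def scan_html(text):
    """Return the list of indicator labels present in one HTML document."""
    return [label for pattern, label in SCRIPT_INDICATORS if re.search(pattern, text, re.IGNORECASE)]


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(attachment_name, [labels])] for HTML attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(name, scan_html(text)) for name, text in html_attachments(msg)]


def build_sample_message():
    """Constructed test message: one smuggled HTML file mislabeled as octet-stream,
    one harmless HTML attachment, and one text file that should be ignored."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice.")
    malicious = (b"<html><body><script>document.write(unescape("
                 b"'%3Cform%20action%3D%22https%3A//phish.example%22%3E'))</script></body></html>")
    msg.add_attachment(malicious, maintype="application", subtype="octet-stream", filename="invoice.htm")
    msg.add_attachment(b"<html><body><p>Monthly newsletter</p></body></html>",
                       maintype="text", subtype="html", filename="news.html")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, labels in scan_message(build_sample_message()):
        verdict = "BLOCK" if labels else "allow"
        print(f"{verdict:5} {name}: {', '.join(labels) or 'no indicators'}")
```

The mislabeled `invoice.htm` is caught only because the extension is checked alongside the content type, and its form is hidden behind `unescape`, which is why the scan flags the decoding helper rather than looking for a literal `<form>`. In a mail gateway this sits behind the simpler policy Barracuda's advice points at: block or quarantine HTML attachments by default and allow-list the few senders that legitimately need them.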