At a Glance.
- BlackCat ransomware group uses signed kernel driver to evade detection.
- AhRat exfiltrates files and records audio on Android devices.
- ChatGPT-themed fleeceware.
- Trends and threats in API protection.
- Lemon Group's pre-infected devices.
- An update on RedStinger (a.k.a. CloudWizard).
- Python Package Index temporarily suspended new user and new project registration due to a spike in malicious activity.
- UNC3944 uses SIM swapping to gain access to Azure admin accounts.
- CISA adds three Apple vulnerabilities to its Known Exploited Vulnerabilities Catalog.
BlackCat ransomware group uses signed kernel driver to evade detection.
Trend Micro reports that the BlackCat ransomware gang is using a new signed kernel driver to evade detection. The researchers assess that this new kernel driver could be an updated version of signed code Mandiant, Sophos, and SentinelOne discovered in December. That coordinated disclosure by the three cyber security firms showed attackers abusing Microsoft developer accounts certified by Microsoft’s Hardware Developer Program, to create malicious kernel drivers and use them in ransomware attacks. Trend Micro writes, “We believe that this new kernel driver is an updated version that inherited the main functionality from the samples disclosed in previous research. The driver was used with a separate user client executable in an attempt to control, pause, and kill various processes on the target endpoints related to the security agents deployed on the protected machines.” They further explain that these kernel drivers are mostly used in the evasion phases of an attack. Trend Micro assesses that this new signed kernel driver is still being developed because “it is not structured well and some of its functions currently cannot be used.”
Trend Micro determined that threat actors can obtain code signing certificates by purchasing leaked certs on the darkweb, abusing Microsoft’s portal, or impersonating legitimate entities. “For organizations, compromised keys present not only a security risk, but can also lead to a loss of reputation and trust in the original signed software. Businesses should aim to protect their certificates by implementing best practices such as reducing access to private keys, which reduces the risk of unauthorized access to the certificate. Employing strong passwords and other authentication methods for private keys can also help protect them from being stolen or compromised by malicious actors. Furthermore, using separate test signing certificates (for prerelease code used in test environments) minimizes the chances that the actual release signing certificates are abused in an attack.”
AhRat exfiltrates files and records audio on Android devices.
ESET reports finding a Trojanized Android app, iRecorder – Screen Recorder, that's afflicting Android devices with AhRat malware. iRecorder – Screen Recorder began its career on Google Play as an innocent application in 2021, but by August of last year had been turned malicious. ESET explains, "As a Google App Defense Alliance partner, we detected a trojanized app available on the Google Play Store; we named the AhMyth-based malware it contained AhRat. Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign." The malicious version received some fifty-thousand downloads. Google has purged it from the store, and ESET has found no evidence of the malware anywhere else in the wild.
AhRat is based on AhMyth, and its functionality--"extracting microphone recordings and stealing files with specific extensions"--suggests that it originated as an espionage tool. AhMyth itself has an intelligence service heritage. It was used by APT36 (Transparent Tribe), a group probably based in Pakistan that deployed AhMyth against government and military targets in South Asia. But ESET is careful to avoid attribution in its report. There's considerable crossover between criminal and espionage tools, and who was responsible for AhRat remains unknown.
Interest in AI is prompting scammers to turn to AI-themed fleeceware, which they're posting in both the Apple and Google stores. Fleeceware, which enrolls the victim in a free trial that subsequently converts, quietly, into an unwanted continuing subscription, tends to fly under the online stores' security radar as it occupies a grey area between direct fraud and an offer that's nothing more than a bad deal. They typically don't, for example, collect personal data, nor do they make an overt attempt to subvert the platforms' security measures. Sophos researchers detail the ways in which the scam is playing out. They follow five distinct fleeceware operations, all of which promise ChatGPT-live AI functionality. One of them even trades on ChatGPT's name, calling itself Chat GBT, hoping thereby to gull careless readers eager to get in on the AI. One of the marks of fleeceware is that it charges for products or services that are legitimately offered for free. The current scams are no different: OpenAI offers basic ChatGPT functionality for free on its website.
Trends and threats in API protection.
Cequence Security this week released its API Protection Report for the second half of 2022. The report highlights the tactics, techniques, and procedures (TTPs) of malicious actors targeting APIs. Shadow APIs, defined by the researchers as “unmanaged, unknown, and unprotected APIs,” saw a 900% increase from the first half of 2022 to the second. Unique TTPs saw a 550% increase over the holidays. Additionally, researchers observed a 220% increase in API security tactics over traditional application security tactics in the same period.
Also this week, Traceable AI released a report on the State of API Security, prepared for this year’s RSA Conference. API security remains a major point of concern, as researchers say they determined that “though 69% of organizations claim to factor APIs into their cybersecurity strategy, 40% of companies do not have dedicated professionals or teams for API security, while 23% of respondents do not know if there is dedicated API security in their organization.” 36% of the study’s respondents reported being unsure if they had experienced an API attack within the last year, and 29% of the surveyed cybersecurity professionals were unsure if there’s anything implemented within their organizations to secure APIs. Many respondents (66%) report struggles with API sprawl, or in some cases, don’t know if their company is adequately managing it.
Lemon Group's pre-infected devices.
A cybercriminal gang called “Lemon Group” has been leveraging pre-infected Android devices for malicious activities. Trend Micro reports “No fewer than 8.9 million” devices, primarily budget phones, have been affected. According to the Hacker News, the gang has also been seen branching out to Android-based IoT devices, including “smart TVs, Android TV boxes, entertainment systems, and even children's watches.” Bleeping Computer reports that the pre-installed malware, “Guerilla,” allows the hackers to load additional payloads, intercept texts, and hijack WhatsApp. The infected devices were reportedly re-flashed (which the researchers explain as “reprogramming and/or replacing the existing firmware of a device with a new one”) with new ROMs, although it was not determined how the devices were initially infected. The highest rates of infestation have been found in the US, Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina.
An update on RedStinger (a.k.a. CloudWizard).
Malwarebytes has recently reported on a cyberespionage group of uncertain provenance, RedStinger, which appears to have selected targets on both sides of Russia's war against Ukraine. On May 19th Kaspersky researchers released a report on a group they call CloudWizard, and which they explicitly identify not only with RedStinger, but also with the groups responsible for earlier operations in the region going back as far as 2008. Kaspersky as a matter of policy doesn't attribute cyber operations to nation-states. Who's behind RedStinger (or CloudWizard) remains an open question. Whoever it turns out to be, WIRED points out, the ability to quietly mount offensive cyber campaigns over a fifteen-year period is remarkable.
Python Package Index temporarily suspended new user and new project registration due to a spike in malicious activity.
Python Package Index (PyPI) temporarily disabled new user sign-up and new uploading on its platform writing, “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave. While we re-group over the weekend, new user and new project registration is temporarily suspended.” These types of third party supply chain attack vectors are becoming more common among malware campaigns as they give threat actors access to more victims with less work. By attacking a third party site and embedding malicious software in seemingly legitimate code, the actors are able to disseminate malware to would-be victims with less need to launch a full scale campaign. PyPI have not released any specific details regarding this spike in malicious activity, but Computing reported this morning that the organization had restored access to its platform.
UNC3944 uses SIM swapping to gain access to Azure admin accounts.
Researchers at Mandiant have discovered that threat actors gained access to a Microsoft Azure administrator account through an SMS phishing and SIM swapping campaign. The researchers write, “UNC3944 is a financially motivated threat actor which Mandiant has been tracking since May of 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts…This threat group heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases.” SIM swapping, as explained by Mozilla’s dist;//ed, is a social engineering technique in which attackers pose as service providers requesting identity verification for sim card activation to gain pin numbers, the last four digits of a social security number, or other sensitive information for identity verification.
CISA adds three Apple vulnerabilities to its Known Exploited Vulnerabilities Catalog.
CISA, the US Cybersecurity and Infrastructure Security Agency, yesterday added three entries to its Known Exploited Vulnerabilities Catalog. As usual, inclusion in the Catalog is "based on evidence of active exploitation." The three vulnerabilities, all in Apple products, are:
- CVE-2023-32409 Apple Multiple Products WebKit Sandbox Escape Vulnerability
- CVE-2023-28204 Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
- CVE-2023-32373 Apple Multiple Products WebKit Use-After-Free Vulnerability
Under Binding Operational Directive (BOD) 22-01, US Federal Executive civilian agencies have until June 12th to check their systems and, as usual,"apply updates per vendor instructions." CRN reports that the affected systems include versions of iPhone back to the iPhone 6S, Macs that running macOS Big Sur, Monterey, and Ventura; and several iPad models. Apple, which patched the products last Thursday, has a complete rundown of the products susceptible to exploitation.