At a glance.
- A third MOVEit vulnerability is patched.
- Microsoft tracks Russian GRU threat actor.
- Russia's Shuckworm targets Ukraine.
- Mystic Stealer malware: evasive, and with a feedback loop in the C2C market.
- RDStealer cyberespionage tool in the wild.
A third MOVEit vulnerability is patched.
Progress Software has disclosed and patched a third vulnerability in its MOVEit file transfer application. The flaw is a SQL injection vulnerability (CVE-2023-35708) that could allow an attacker to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” A proof-of-concept for the vulnerability was published on June 15th.
The company stated, “We have not seen any evidence that the vulnerability reported on June 15 has been exploited. Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity. Because the new vulnerability we reported on June 15 had been publicly posted online, it was important that we take immediate action out of an abundance of caution to quickly patch the vulnerability and disable MOVEit Cloud.
“Our product teams and third-party forensics partner have reviewed the vulnerability and associated patch and have deemed that the issue has been addressed. This fix has been applied to all MOVEit Cloud clusters and is available for MOVEit Transfer customers.”
Microsoft tracks Russian GRU threat actor.
Microsoft has published a report describing "Cadet Blizzard," a Russian state-sponsored threat actor associated with Moscow's General Staff Main Intelligence Directorate (GRU). The threat actor conducts "destructive attacks, espionage, and information operations," primarily targeting Ukraine:
"While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU-affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as 'Free Civilian.'"
Russia's Shuckworm targets Ukraine.
Symantec outlines activities by Shuckworm, a threat actor that the Ukrainian government has attributed to Russia's FSB. The threat actor continues to conduct cyberespionage against Ukrainian entities:
"One of the most significant things about this campaign is the targets, which include Ukrainian military, security, research, and government organizations. The attackers were observed focusing on machines that contained what appeared from file names to be sensitive military information that may be abused to support Russian kinetic war efforts.
"The majority of these attacks began in February/March 2023, with the attackers maintaining a presence on some of the victim machines until May. The sectors and nature of the organizations and machines targeted may have given the attackers access to significant amounts of sensitive information. There were indications in some organizations that the attackers were on the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations was a priority for the attackers, among other things."
Mystic Stealer malware: evasive, and with a feedback loop in the C2C market.
Mystic Stealer is a new info stealer gaining traction in the cyber threat landscape. As researchers at Cyfirma explain, “The stealer was made available for testing to well-known veterans within the forum, who verified its effectiveness and provided valuable feedback for further enhancements. The threat actors diligently incorporated these recommendations into the stealer, resulting in ongoing updates and improvements. Consequently, Mystic Stealer has begun to establish a stronger foothold in the threat landscape, as evidenced by the rising number of command and control (C2) panels observed in the wild.”
Mystic Stealer’s developers assist with the installation process on the customer’s Linux server and then hand over complete control of the command-and-control panel. One of the more dangerous aspects of Mystic Stealer is the community feedback from customers. This allows the developers to make the tool more effective and efficient. Researchers at Zscaler report that, “Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications.”
RDStealer cyberespionage tool in the wild.
Bitdefender this morning shared its discovery of a new custom malware strain known as RDStealer, which uses DLL sideloading for the purpose of cyberespionage. The researchers say that sideloading, or the practice of downloading an application or program via unofficial software distribution channels, allows the threat actor to monitor “incoming Remote Desktop Protocol (RDP) connections with client drive mapping enabled.” The Logutil backdoor then infects the victim’s device and lifts sensitive data.
Both RDStealer and Logutil are written in the Go programming language, which can be compiled for multiple operating systems; researchers have identified cases impacting both Linux and ESXi. The threat actor, active since at least 2020, is believed to be based in China, though that has yet to be confirmed. The group's use of custom malware has been observed since late 2021 or early 2022. Credential theft and data exfiltration are believed to be this campaign’s primary goals.