At a glance.
- C2-as-a-service (and APTs are the customers).
- Russian threat actor abuses OneDrive.
- WikiLoader malware discovered.
- Nozomi's OT/IoT security report, H1 2023.
- Mirai botnet afflicts Tomcat.
C2-as-a-service (and APTs are the customers).
Researchers at Halcyon have published a report looking at command-and-control providers used by ransomware gangs. Specifically, the researchers point to the Cloudzy virtual private server (VPS) provider as "the common service provider supporting ransomware attacks and other cybercriminal endeavors." Cloudzy is incorporated in the US, but the researchers believe the company "almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions." Halcyon estimates that between 40% and 60% of Cloudzy customers' activity is potentially malicious.
The researchers state, “Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.”
Halcyon also describes two newly discovered ransomware affiliates called "Ghost Clown" and "Space Kook." Both groups use Cloudzy to host their Cobalt Strike infrastructure. Ghost Clown deployed the Conti ransomware before switching to BlackBasta after Conti's shutdown last year, while Space Kook is currently using the Royal ransomware.
Russian threat actor abuses OneDrive.
Recorded Future's Insikt Group describes the activities of the BlueBravo threat actor (also known as "APT29" or "Cozy Bear," a threat actor attributed to Russia's Foreign Intelligence Service). BlueBravo is abusing Microsoft's OneDrive to host command-and-control communications for its GraphicalProton malware loader. The researchers note: "Although we do not have direct visibility into the targeted entities, we can infer from the lure themes and linguistic artifacts that the Russian government is likely prioritizing cyber-espionage efforts against government sector entities in Europe, at present. The need for information from these sectors and regions is likely driven by the Russian government’s need for strategic data to facilitate its long-term survival during and after the war in Ukraine. Based on observed trends associated with malware and infrastructure development throughout the first half of 2023, we assess that it is likely BlueBravo will adapt and iterate upon existing malware families to develop new variants and will continue to leverage third-party services as necessary to obfuscate C2 communications. The use of legitimate website compromise as one approach to malware delivery via HTML smuggling, as well as the use of PHP code for delivery, are recently observed approaches to the infection chain."
WikiLoader malware discovered.
Researchers at Proofpoint yesterday described a new strain of commodity malware they’ve dubbed “WikiLoader.” The malware has been active since at least December 2022: “WikiLoader is a sophisticated downloader with the objective of installing a second malware payload. The malware contains interesting evasion techniques and custom implementation of code designed to make detection and analysis challenging. WikiLoader was likely developed as a malware that can be rented out to select cybercriminal threat actors. Based on the observed use by multiple threat actors, Proofpoint anticipates this malware will likely be used by other threat actors, especially those operating as initial access brokers (IABs).”
Nozomi's OT/IoT security report, H1 2023.
Nozomi Networks has published its OT/IoT Security Report for the first half of 2023, looking at "a high volume of network scanning indications in water treatment facilities, cleartext password alerts across the building materials industry, program transfer activity in industrial machinery, OT protocol packet injection attempts in oil and gas networks, and more."
The researchers note, "There are three main categories of OT/IoT cyber incidents: opportunistic, targeted, and accidental. Over the past six months, opportunistic attacks remain the most prevalent and will continue to flood traffic via DDOS attempts, enumerate common weaknesses and vulnerabilities for initial access, and trial and error malware strains regardless of network domains and target systems."
Mirai botnet afflicts Tomcat.
Aqua has published an analysis of Mirai malware attacks observed in its Apache Tomcat honeypots. The researchers found that “threat actors are actively seeking misconfigurations on Tomcat servers. Specifically, misconfigurations in the Tomcat web application manager.” The researchers add, “In our case, the host was infected with [Mirai], and based on our analysis of previous attacks and research, it appears that the threat actor intends to use this malware as a base for further attacks. These attacks could range from relatively low-impact campaigns like cryptomining to more severe DDoS attacks. It is important to note that this campaign is still ongoing, and the attacks are continuously evolving and changing to avoid detection.”
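A defender's check for the manager-probing Aqua describes, as an added example that is not code from the Aqua report or this briefing: it reads Tomcat's default (common log format) access log and flags source addresses that are repeatedly refused by the web application manager, or that get a successful manager response after refusals. The log lines, the `/manager/` path prefix check and the threshold of three are constructed assumptions for the example.

```python
"""Flag hosts probing the Tomcat web application manager in its access log.

Added example, not code from the Aqua report or this briefing. Parses Tomcat's
default common-log-format access log; sample lines and the threshold are
constructed assumptions."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [01/Aug/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [01/Aug/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [01/Aug/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 200 19876
203.0.113.10 - - [01/Aug/2023:10:00:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 1532
198.51.100.7 - - [01/Aug/2023:10:01:00 +0000] "GET /docs/ HTTP/1.1" 200 1895
198.51.100.7 - - [01/Aug/2023:10:01:05 +0000] "GET /manager/html HTTP/1.1" 403 1001
"""

def parse(lines):
    """Yield dicts for lines matching the common log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def manager_activity(lines, threshold=3):
    """Return {ip: {"refused": n, "succeeded": [(method, path), ...]}} for
    addresses with >= threshold refused manager requests, or any manager
    success after a refusal (credential guessing that may have worked)."""
    stats = defaultdict(lambda: {"refused": 0, "succeeded": []})
    for rec in parse(lines):
        if not rec["path"].startswith("/manager/"):
            continue  # only the web application manager is of interest here
        s = stats[rec["ip"]]
        if rec["status"] in ("401", "403"):
            s["refused"] += 1
        elif rec["status"].startswith("2"):
            s["succeeded"].append((rec["method"], rec["path"]))
    return {ip: s for ip, s in stats.items()
            if s["refused"] >= threshold or (s["refused"] and s["succeeded"])}

if __name__ == "__main__":
    for ip, s in manager_activity(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

On the constructed sample the script reports only 203.0.113.10, whose three refusals are followed by a successful manager login and an upload, the pattern that precedes the kind of infection Aqua observed.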