At a glance.
- Bronze Starlight hits the gambling sector.
- Building a proxy botnet.
- PlayCrypt ransomware described.
- The Cuba ransomware group adopts new tools.
- Phishing for Zimbra credentials.
- Privilege escalation through the Windows Filtering Platform.
- Active flaws in PowerShell Gallery.
Bronze Starlight hits the gambling sector.
The China-aligned threat actor Bronze Starlight is targeting the gambling sector in Southeast Asia, according to researchers at SentinelOne. The researchers note, “This is a suspected Chinese ‘ransomware’ group whose main goal appears to be espionage rather than financial gain, using ransomware as means for distraction or misattribution.” The threat actor is using malicious DLLs crafted from components of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan.
SentinelOne explains, “Thriving after China’s crackdown on its Macao-based gambling industry, the Southeast Asian gambling sector has become a focal point for the country’s interests in the region, particularly data collection for monitoring and countering related activities in China.”
Eric Mizell, Field CTO & VP Field Engineering, Keyfactor, offered some reflections on the peculiar vulnerability of the gaming sector to cybercrime. “Today’s world runs on code. Software is everywhere, from our workplace, to our homes, to our cars, to our online gambling and gaming. To establish trust within our software, developers use a practice called code signing, which digitally signs a piece of software to ensure that end users can identify its source (the author of the software) and verify that the code hasn’t been altered since it was published. This creates a chain of trust for a smooth digital transaction,” Mizell wrote. “However, these digital certificates are lucrative targets for attackers who seek to compromise them to sign and distribute malicious code masked as legitimate software or firmware. For years, gambling and gaming companies have been a common target for cyberattacks because the industry generates billions of dollars in revenue and has a vast user base with a hoard of personal information that can be exploited for further financial gain. In cases like Bronze Starlight, attackers will leverage trusted code signing keys to sign malicious code. The benefit in using a valid certificate is that security measures are easier to bypass. Because it blends with other legitimate software and traffic, it avoids raising suspicion.”
Code-signing keys are especially valuable to criminals, and, Mizell says, need to be protected accordingly. "Signing code is a critical step in protecting your software supply chain. These recent attacks are a stark reminder that code signing keys are highly valuable, and the security they provide is only as strong as the security used to both issue and store that certificate. To provide the greatest security, it’s essential to ensure only the right keys are used by the right developer to sign the right code and at the right time and place. To do this, organizations need greater visibility into and control over signing processes. Introducing technology that can centralize visibility and control can allow security teams to maintain an irrefutable audit trail of who accessed code signing keys, what they were used to sign, when, and where. Storing and generating code signing keys in a trusted hardware security module (HSM) also goes a long way in safeguarding access and use of keys. Failure to implement security best practices like these can open the door to malware, breaches, and supply chain attacks.”
Building a proxy botnet.
AT&T Alien Labs has discovered a botnet comprising more than 400,000 proxy exit nodes. The attackers are using a seemingly legitimate company to host the proxies: “Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.”
The malware is distributed via social engineering, often posing as cracked software or games. BleepingComputer wisely notes that users should “avoid downloading pirated software and running executables sourced from dubious locations like peer-to-peer networks or sites offering premium software free of charge.”
PlayCrypt ransomware described.
Researchers at Adlumin outline a “concentrated global campaign” involving the Play ransomware (also known as “PlayCrypt”). The campaign is targeting managed service providers used by “mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the US, Australia, UK, and Italy.” The threat actors usually gain initial access by abusing Remote Monitoring and Management (RMM) software.
The researchers note, “PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.”
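The evasion Adlumin describes works against detections that score a whole file's entropy: a file that is only half ciphertext still looks mostly like its original content. The script below is an added illustration, not PlayCrypt's code or Adlumin's tooling. Only the 0x100000-byte chunk size comes from the research note; the plaintext, the XOR keystream and the "encrypt every other chunk" schedule are constructed assumptions so the example runs offline and deterministically.

```python
"""Simulate intermittent (partial) file encryption and compare whole-file
entropy against per-chunk entropy.

Added example for illustration. Assumptions (not from the Adlumin report):
the sample plaintext, the seeded XOR keystream standing in for a real cipher,
and the schedule of encrypting every second chunk. Requires Python 3.9+.
"""
import math
import random

CHUNK = 0x100000  # 1 MiB: the chunk size reported for PlayCrypt


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform random)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(bytes([b])) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """XOR two equal-length byte strings (stand-in for a real stream cipher)."""
    return (int.from_bytes(data, "big") ^ int.from_bytes(key, "big")).to_bytes(len(data), "big")


def intermittent_encrypt(plaintext: bytes, seed: int = 1, every: int = 2) -> bytes:
    """Encrypt one chunk out of every `every` chunks; leave the rest untouched.

    The alternating schedule is an assumption for the demo; the real
    operator's schedule is not described on the page.
    """
    rng = random.Random(seed)  # seeded so the demo is reproducible
    out = bytearray()
    for idx in range(0, len(plaintext), CHUNK):
        chunk = plaintext[idx:idx + CHUNK]
        if (idx // CHUNK) % every == 0:
            out += xor_keystream(chunk, rng.randbytes(len(chunk)))
        else:
            out += chunk
    return bytes(out)


def encrypted_chunks(data: bytes, threshold: float = 7.9) -> list[int]:
    """Chunk numbers whose entropy is consistent with ciphertext."""
    return [idx // CHUNK for idx in range(0, len(data), CHUNK)
            if shannon_entropy(data[idx:idx + CHUNK]) > threshold]


def build_sample(n_chunks: int = 4) -> bytes:
    """Constructed low-entropy plaintext (repeated log-style text), n_chunks MiB."""
    line = b"2023-08-17 INFO invoice 0042 paid; balance reconciled by finance team\n"
    reps = (n_chunks * CHUNK) // len(line) + 1
    return (line * reps)[: n_chunks * CHUNK]


def compare(plaintext: bytes) -> dict:
    """Whole-file entropy vs per-chunk flags for a partially encrypted copy."""
    partial = intermittent_encrypt(plaintext)
    return {
        "plaintext_entropy": shannon_entropy(plaintext),
        "whole_file_entropy": shannon_entropy(partial),
        "flagged_chunks": encrypted_chunks(partial),
    }


if __name__ == "__main__":
    result = compare(build_sample())
    print(f"plaintext entropy:        {result['plaintext_entropy']:.3f}")
    print(f"whole-file entropy after: {result['whole_file_entropy']:.3f}")
    print(f"chunks flagged as cipher: {result['flagged_chunks']}")
```

On the constructed 4 MiB sample, whole-file entropy lands around 7 bits per byte, under the 7.9 threshold that fully encrypted data would clear, while the per-chunk scan flags chunks 0 and 2. Entropy alone is still a weak signal in production (compressed or already-encrypted formats score high too), so a per-chunk check is best paired with magic-byte or known-extension context and with the RMM-abuse and lateral-movement detections the campaign's initial access calls for.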
The Cuba ransomware group adopts new tools.
BlackBerry has published an analysis of new tools used by the Cuba ransomware gang. The threat actor conducted attacks in June 2023 against a critical infrastructure organization in the US and an IT integrator in Latin America. BlackBerry says the gang “deployed a set of malicious tools that overlapped with previous campaigns associated with this attacker, as well as introducing new ones — including the first observed use of an exploit for the Veeam vulnerability CVE-2023-27532.”
It’s also worth noting that despite the gang’s Cuban branding, the threat actors appear to be based in Russia. The group seems to be a privateer, making its money by hitting Western, anglophone, democratic targets, that is, targets in countries Russia has framed as adversaries.
Phishing for Zimbra credentials.
ESET is tracking a major phishing campaign that’s targeting Zimbra account credentials. Most of the targets are located in Poland, Italy, and Ecuador, but the attackers don’t seem to be focused on any particular sector. The campaign has been running since at least April 2023, targeting “a variety of small and medium businesses and governmental entities.”
The phishing emails are tailored to each targeted organization, and inform users that they need to log in to Zimbra to resolve an issue. The researchers note, “[O]n several occasions we observed subsequent waves of phishing emails sent from Zimbra accounts of previously targeted, legitimate companies, such as donotreply[redacted]@[redacted].com. It is likely that the attackers were able to compromise the victim’s administrator accounts and created new mailboxes that were then used to send phishing emails to other targets.”
Privilege escalation through the Windows Filtering Platform.
Deep Instinct describes a privilege escalation technique that abuses the Windows Filtering Platform (WFP). The researchers built a tool for mapping Remote Procedure Calls (RPCs), which allowed them to find ways to “manipulate benign services to perform malicious actions, such as code injection or file encryption.” The researchers explain, “All the RPC servers on the system were mapped and methods were marked if the parameters that will be sent to the WinAPI are controlled by the RPC client. The WinAPI could be called directly by the RPC method, or after several internal calls. RPC methods were also marked if specific keywords appear in their name.”
Deep Instinct found that access token duplication can be performed in the kernel using WFP, which makes the attack extremely stealthy.
Active flaws in PowerShell Gallery.
Aqua Security warns that threat actors can spoof package names in the PowerShell Gallery package repository: “PowerShell Gallery modules are commonly used as part of the cloud deployment process, especially popular around AWS and Azure, to interact with and manage cloud resources. Therefore, the installation of a malicious module could be fatal to organizations. Moreover, attackers can exploit another flaw, allowing them to discover unlisted packages and uncover deleted secrets within the registry, which users attempt to hide by unlisting their packages.”
The researchers reported the flaws to the Microsoft Security Response Center, and Microsoft says it’s working on fixes. As of August 2023, however, the flaws remain exploitable. Until fixes land, treat a Gallery module name as untrusted input: install only exact, pinned module names and versions, and check the module’s Authenticode signature and publisher before importing it into a deployment pipeline.