At a glance.
- Chinese threat actor's exploitation of Barracuda ESGs.
- Name collision as a DNS risk.
- Lazarus Group fields new malware.
- ADHUBLLKA ransomware's targeting and low extortion demands.
- Spawn of LockBit.
- Trends in brand impersonation.
- Recent trends in malware delivery.
Chinese threat actor's exploitation of Barracuda ESGs.
Mandiant has published a blog post outlining the exploitation of CVE-2023-2868 in Barracuda ESGs by the China-aligned threat actor UNC4841. The researchers state, "UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance." The threat actor began deploying new strains of malware in May 2023 immediately after Barracuda disclosed the vulnerability and remediation efforts began: "UNC4841’s deployment [of] select backdoors suggests this threat actor anticipated, and prepared for remediation efforts, by creating tooling in advance to remain embedded in high-value targets, should the campaign be compromised."
Nearly a third of the targets of the cyberespionage campaign were government entities, most of them at the national level. In North America, however, the threat actor exhibited a particular interest in local government:
"Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns. While overall local government targeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly seventeen percent when compared to U.S.-based targeting alone. In some instances, targeted entities had populations below 10,000 individuals."
Erich Kron, Security Awareness Advocate at KnowBe4, commented:
"Espionage continues to be a significant focus for many threat actors, especially those that are nation-state sanctioned. In this case, a more disturbing part is that even devices that were patched remained vulnerable and were still being compromised. The ability to drop malware, especially Remote Access Trojans (RATs), which will allow the bad actors to maintain persistence even after the initial entry point is fixed, should be especially worrying for organizations impacted by this or using these appliances. Trying to find and remediate potential back doors scattered across systems can be a very challenging issue for organizations. The fact that this zero-day had been exploited for seven months makes chasing these things down even more challenging, as many logs have rolled over or been deleted by now, making rogue installs of software harder to spot. For organizations potentially impacted by this issue, special attention should be placed on monitoring traffic within and exiting their networks, with the focus on trying to identify potential command and control channels."
Name collision as a DNS risk.
Cisco Talos describes the risks posed by DNS name collision, which occurs when a suffix an organization has been using for internal names (one never meant to resolve on the public Internet) is later delegated as a public top-level domain (TLD). Queries for internal hosts that escape the local resolver then reach the public DNS and are answered by whoever controls the matching public name.
One mitigation the ICANN Name Collision Occurrence Management Framework calls for is “controlled interruption”: for a period after a new TLD is delegated, the registry publishes wildcard records in the TLD zone that resolve every name to the loopback address 127.0.53.53 and point MX and SRV lookups at the name “your-dns-needs-immediate-attention.<TLD>.” A network whose internal names overlap the new TLD therefore sees its connections fail against loopback, with the 127.0.53.53 hint in its logs, rather than silently reaching a stranger’s server.
Talos found that the .kids TLD used a flawed implementation of controlled interruption:
“One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids.
“Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s ‘System Center Configuration Manager’....Because Talos registered the domain name ‘your-dns-needs-immediate-attention.kids’, we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.”
Talos contacted the administrators of the .kids TLD, and the issue has since been fixed.
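The two checks a defender would want from the Talos finding are (1) recognising the controlled-interruption signal in DNS answers for an internal name and (2) noticing when the sentinel name itself resolves to something other than loopback, which is exactly the .kids condition that let Talos impersonate a trusted host. The script below is an added example written for this page, not Talos’s tooling; the record values are the ones fixed by the ICANN framework, and the DnsAnswers inputs are constructed samples standing in for real resolver output.

```python
#!/usr/bin/env python3
"""Classify DNS answers for an internal name under a newly delegated TLD:
is the name hitting ICANN 'controlled interruption', and has the sentinel
name the framework points MX/SRV lookups at been taken over?

Added example for this page; not code from Cisco Talos. DNS answers are
passed in as constructed data so it runs offline."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Values defined by ICANN's Name Collision Occurrence Management Framework.
CONTROLLED_INTERRUPTION_IP = ipaddress.ip_address("127.0.53.53")
SENTINEL_LABEL = "your-dns-needs-immediate-attention"


def sentinel_name(tld: str) -> str:
    """Fully qualified, lower-cased sentinel name for a TLD (trailing dot)."""
    return f"{SENTINEL_LABEL}.{tld.strip('.').lower()}."


@dataclass
class DnsAnswers:
    """Records observed for one query name (constructed input, not live DNS)."""
    a: list[str] = field(default_factory=list)    # A record addresses
    mx: list[str] = field(default_factory=list)   # MX exchange targets
    srv: list[str] = field(default_factory=list)  # SRV targets


def is_controlled_interruption(tld: str, answers: DnsAnswers) -> bool:
    """True if the answers carry the framework's collision signal: the
    127.0.53.53 loopback address, or MX/SRV targets at the sentinel name."""
    if any(ipaddress.ip_address(a) == CONTROLLED_INTERRUPTION_IP for a in answers.a):
        return True
    targets = {t.lower().rstrip(".") + "." for t in answers.mx + answers.srv}
    return sentinel_name(tld) in targets


def sentinel_is_hijackable(sentinel_answers: DnsAnswers) -> bool:
    """A correctly run TLD leaves the sentinel unregistered (NXDOMAIN, empty
    list here) or maps it to loopback. Any non-loopback address means a third
    party registered it, so the MX/SRV lookups the framework deliberately
    redirected there now reach that party's server."""
    return any(not ipaddress.ip_address(a).is_loopback for a in sentinel_answers.a)


def assess(tld: str, internal_answers: DnsAnswers, sentinel_answers: DnsAnswers) -> str:
    """Combine both checks into one verdict for an internal name under `tld`."""
    if not is_controlled_interruption(tld, internal_answers):
        return "no-collision-signal"
    if sentinel_is_hijackable(sentinel_answers):
        return "collision-and-sentinel-hijacked"
    return "collision-detected"


if __name__ == "__main__":
    # Constructed sample: an internal mail host whose .kids suffix now collides
    # with the public TLD, and a sentinel that resolves to a documentation
    # address (192.0.2.10) standing in for an outsider's server.
    internal = DnsAnswers(a=["127.0.53.53"], mx=["your-dns-needs-immediate-attention.kids."])
    sentinel = DnsAnswers(a=["192.0.2.10"])
    print("mail.corp.kids ->", assess("kids", internal, sentinel))
```

Run against real answers by filling DnsAnswers from your resolver’s logs or a `dig` of the internal name and of the sentinel name; the only verdict that should ever appear in a correctly operated TLD is "collision-detected", which is itself a cue to rename the internal namespace or stop forwarding those queries upstream.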
Lazarus Group fields new malware.
Cisco Talos has also discovered a new remote access Trojan, “CollectionRAT,” that’s being used by North Korea’s Lazarus Group: “CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors.”
The researchers also observed that “Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.”
In a separate report, Talos says the Lazarus Group has exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target “an internet backbone infrastructure provider in Europe” and healthcare entities in the US and Europe. The threat actor used the vulnerability to deploy the recently discovered QuiteRAT malware, which the researchers note “has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller.” The researchers add, “This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework.”
ADHUBLLKA ransomware's targeting and low extortion demands.
Netenrich is tracking a new variant of malware belonging to the ADHUBLLKA ransomware family, active since August 1, 2023. The ransomware targets individuals and small businesses, and tells victims to visit a Tor-based portal to open a ticket for negotiations. The attackers demand between $800 and $1,600 for the decryption key.
The researchers note, “[T]he ransomware operator appears unwilling to negotiate, holding firm on the initial demand for decryption keys. The operator would not provide a decrypted sample screenshot to the victim directly, but instead, provided one on ImgBB, an image hosting service. This confirms there is a working decryptor present with the group.”
Spawn of LockBit.
Kaspersky has published an analysis of the LockBit ransomware builder that was leaked in September 2022. The leaked builder allows any threat actor to generate its own LockBit-based payloads without writing ransomware from scratch. The researchers present the following findings:
- “The builder contains no protection mechanisms as it will be used by the actors and should not be exposed: no anti-debugging (at least in the builder itself), no anti-reversing, no code obfuscation, sample templates embedded as resource (decrypter, EXE, DLL, reflective DLL).
- “We learned how the configuration parameters are embedded within the payload without requiring reverse engineering of the final binary.”
Various gangs have used their copies of the builder to build, or at least advertise, new ransomware strains.
Trends in brand impersonation.
Abnormal Security has found that Microsoft is by far the most commonly spoofed brand used in phishing attacks. Microsoft-branded attacks have accounted for 4.31% of all phishing attempts in 2023. Attackers frequently target Microsoft credentials in order to compromise an organization’s Microsoft 365 environment.
Abnormal has also observed an increase in grammatically correct phishing emails, suggesting that attackers are using generative AI tools to write their phishing templates. The researchers add, “Unfortunately, the use of generative AI goes beyond emails. Cybercriminals can produce whole websites—complete with logos, brand copy, and images—then link those to their phishing messages. This deepens the impression that these emails really are from the impersonated brand and makes it more likely that the victim will enter their credentials.”
Recent trends in malware delivery.
HP Wolf Security has released its quarterly Security Threat Insights Report, finding that QakBot spam activity spiked in Q2 2023: “[C]reative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analyzed by HP in Q2 were unique.”
The researchers also observed a “multilingual” malware campaign using several programming languages to avoid detection: “Firstly, it encrypts its payload using a crypter written in Go, disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.”