The CyberWire Daily Podcast 4.24.23
Ep 1808 | 4.24.23

Supply-chain attack's effects spread. CISA makes new KEV entries. Bumblebee malware loader described. Decoy Dog toolset discovered. Discord Papers were shared earlier and more widely.

Transcript

3CX is not the only victim in the recent supply chain attack. The PaperCut critical vulnerability is under active exploitation. The Bumblebee malware loader is buzzing around in the wild. A new unique malware toolkit called Decoy Dog. Our guest Theresa Lanowitz from AT&T Cybersecurity shares insights on Securing the Edge. And the alleged Discord Papers leaker shared earlier and more widely than previously known.

From the RSA Conference in San Francisco, I’m Dave Bittner with your CyberWire summary for Monday, April 24th, 2023. 

3CX is not the only victim in the recent supply chain attack. 

The supply chain attack that affected 3CX didn’t end at the telecommunications company. The Trojanized X_Trader software which led to the 3CX attack was available for download in 2022, and it seems to have been downloaded by at least two critical infrastructure organizations. Symantec reported Friday that “The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe.” Symantec adds “The process for payload installation is almost identical as that seen with the Trojanized 3CX app.” Given the nature of the initially infected software (X_Trader is a financial trading program), it seems that this could be a financially motivated attack. Symantec explained that there are probably more victims as this breach is indicative of a complex and “successful template for software supply chain attack.”

PaperCut critical vulnerability under active exploitation, as are Google and MinIO vulnerabilities. 

On Friday CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability, CVE-2023-28432 MinIO Information Disclosure Vulnerability, and CVE-2023-2136 Google Chrome Skia Integer Overflow Vulnerability. 

PaperCut blogged details of a critical level vulnerability (9.8 out of 10 CVSS score) CVE-2023-27350 affecting servers running the software. The company explained, “The PaperCut application is popular with the State, Local, and Education (SLED) type organizations, where just education makes up 450 of those results.” PaperCut released a security patch on 8 March 2023 to address this vulnerability, and updated its patch bulletin today advising its users to urgently update their servers with the most recent patch as they believe some servers are actively being exploited. PaperCut also said “If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.” Experts continue to recommend that users should update their software in accordance with developer recommendations as this would lessen your organization's exposure to fixed vulnerabilities.
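As an added example (not from the CyberWire transcript, from CISA, or from PaperCut), here is a small Python check of the kind a defender would run against the KEV additions described above: it matches an asset inventory against KEV-style records and reports which hosts still need the vendor fix. The record layout uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the three entries are filled in from this episode, while the due dates, the inventory hosts and the matching heuristic are constructed for the example.

```python
"""Match a software inventory against CISA KEV-style records.

Added example, not CyberWire's or CISA's code. The feed and inventory below
are constructed samples; dueDate values are placeholders, not CISA's actual
remediation deadlines.
"""
import json
import re
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed. CVE ids, vendors
# and the 2023-04-21 addition date come from the episode; due dates are
# placeholders.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut",
         "product": "MF/NG", "dateAdded": "2023-04-21",
         "dueDate": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-28432", "vendorProject": "MinIO",
         "product": "MinIO", "dateAdded": "2023-04-21",
         "dueDate": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-2136", "vendorProject": "Google",
         "product": "Chrome", "dateAdded": "2023-04-21",
         "dueDate": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory: what each host runs and which CVEs the patch
# records already cover.
INVENTORY = [
    {"host": "print-srv-01", "vendor": "PaperCut", "product": "PaperCut NG",
     "patched_cves": []},
    {"host": "print-srv-02", "vendor": "PaperCut", "product": "PaperCut MF",
     "patched_cves": ["CVE-2023-27350"]},
    {"host": "objstore-01", "vendor": "MinIO", "product": "MinIO",
     "patched_cves": []},
    {"host": "ws-0042", "vendor": "Google", "product": "Chrome",
     "patched_cves": []},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL",
     "patched_cves": []},
]


def _tokens(text):
    """Lower-case word tokens, splitting on whitespace and '/', so that a KEV
    product like 'MF/NG' matches an inventory entry such as 'PaperCut NG'."""
    return {t for t in re.split(r"[\s/]+", text.lower()) if t}


def load_kev(feed_json):
    """Parse the KEV-style JSON document and return its vulnerability list."""
    return json.loads(feed_json)["vulnerabilities"]


def kev_exposures(feed_json, inventory, today):
    """Return one finding per (host, CVE) where the host runs an affected
    vendor/product and has no patch record for that CVE."""
    findings = []
    for entry in load_kev(feed_json):
        vendor = entry["vendorProject"].lower()
        product_tokens = _tokens(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != vendor:
                continue
            if not product_tokens & _tokens(asset["product"]):
                continue
            if entry["cveID"] in asset["patched_cves"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_until_due": (due - today).days,
                "overdue": today > due,
                "required_action": entry["requiredAction"],
            })
    # Most urgent first, then by host name for a stable report.
    findings.sort(key=lambda f: (f["days_until_due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in kev_exposures(KEV_SAMPLE, INVENTORY, date(2023, 4, 24)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_until_due']}d left"
        print(f"{f['host']:14} {f['cve']:15} {flag:10} {f['required_action']}")
```

The matching is deliberately loose (vendor equality plus any shared product token) because KEV product strings rarely line up exactly with inventory names; in practice you would tune the heuristic to your CMDB's naming and treat a missing patch record as "exposed until proven otherwise", which is the posture PaperCut's bulletin asks for.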

Bumblebee malware loader used by ransomware gangs.

Bleeping Computer reports that the Bumblebee malware loader, originally developed by the Conti gang, has been observed in use once again. The loader is distributed through fake Google Ads for legitimate companies such as Zoom, Citrix, and ChatGPT. The original malware was observed in April of last year, with stealth updates seen in September. Secureworks reports finding a fake Cisco AnyConnect Secure Mobility Client v4.x Google Ad, which would send the user to a compromised WordPress site to “download” the client. If the user downloaded the fake client, they’d end up with the Bumblebee malware on their device. Secureworks advises utilizing the legitimate sites of these clients in order to download and update them. The Record notes the Google Threat Analysis Group’s discovery of the Bumblebee loader in 2021, with links to a range of threat actors.

Decoy Dog, a new unique malware toolkit. 

Infoblox explained that scanning some 70 billion IP addresses daily has led to its discovery of a new malware toolkit, “Decoy Dog.” “The domains we describe are all related to a single tool kit we call Decoy Dog, which is identified using a DNS fingerprint matching 0.0000027% of domains currently active in the world.” Infoblox adds, “When we analyzed the queries in external global DNS data, the C2 communication originated almost exclusively from hosts in Russia. Because global DNS traffic is polluted with retransmitted queries from multiple sources, and because at least one of the C2 servers was located in Russia, we cannot assume that this was authentic communication from a compromised host.” 

One of Decoy Dog’s tools is a remote access Trojan (RAT) “Pupy RAT.” Infoblox describes this as “a dangerous and powerful RAT due to its fileless nature and slow, encrypted C2 communications. It is hard to detect by EDR solutions, and can stay hidden for a long time in an afflicted network. Pupy is one of the few RATs that offers broad multi-platform capabilities, uses an old version of Python, and therefore is able to infect a majority of Linux and mobile devices.” This unusual feature makes Decoy Dog easy to identify. Infoblox says it hasn’t yet discovered the purpose of Decoy Dog, and that it plans to release more findings as they become available. “In writing this paper, we have found that the mysteries surrounding Decoy Dog and its presence in our networks are complex and unresolved. We expect to release further reporting as we are able to explain the activity.”

Report: the alleged Discord Papers leaker shared earlier and more widely than previously known.

The New York Times reports that it’s found signs that Airman Jack Teixeira, who faces US Federal charges in the Discord Papers case, began sharing highly classified intelligence about Russia's war against Ukraine earlier than had hitherto been reported, and that he appears to have done so in a second Discord channel that was larger than the Thug Shaker Central group he's been associated with. “In February 2022, soon after the invasion of Ukraine,” the Times writes, “a user profile matching that of Airman Jack Teixeira began posting secret intelligence on the Russian war effort on a previously undisclosed chat group on Discord, a social media platform popular among gamers. The chat group contained about 600 members.” The Times also reports that the Airman direct-messaged foreign members of the group offering to tell them more about the information he had available: “DM me and I can tell you what I have.” The evidence connecting Airman Teixeira with the recently discovered Discord group is circumstantial but suggestive. Neither his defense attorney nor the FBI and the US Justice Department were willing to comment to the Times on its story.

Cyberattack against Eurocontrol.

And finally, in one of the sidelights of Russia’s hybrid war, the effects of the cyberattack against Eurocontrol, the European air traffic control organization, continued into the weekend. The disruptions, claimed by Russia's KillNet, did not disrupt flight operations, the Wall Street Journal reports. But KillNet continues to crow large over the nuisance value of its attack.

And that's the CyberWire. 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 


The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening. 


Selected reading.

3CX Hackers Also Compromised Critical Infrastructure Firms (Infosecurity Magazine)

That 3CX supply chain attack keeps getting worse (Register)

Energy sector orgs in US, Europe hit by same supply chain attack as 3CX (Record) 

Even more victims found in complex 3CX supply chain attack (CybersecurityConnect) 

X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe (Symantec Enterprise Blogs) 

URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut)

PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise (Horizon3.ai) 

Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (The Hacker News) 

CISA KEV Breakdown | April 21, 2023 (Nucleus Security)

CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug (The Hacker News) 

CISA adds printer bug, Chrome zero-day and ChatGPT issue to exploited vulnerabilities catalog (Record)

Bumblebee Malware Distributed Via Trojanized Installer Downloads (Secureworks)

Google ads push BumbleBee malware used by ransomware gangs (BleepingComputer) 

Bumblebee malware infects victims via fake Zoom, Cisco and ChatGPT software installers (Record) 

Decoy Dog malware toolkit found after analyzing 70 billion DNS queries (BleepingComputer) 

Analyzing DNS Traffic for Anomalous Domains and Threat Detection (Infoblox Blog) 

Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known (New York Times) 

FBI leak investigators home in on members of private Discord server (Washington Post)

From Discord to 4chan: The Improbable Journey of a US Intelligence Leak (bellingcat) 


Europe’s Planes Keep Flying Despite Cyberattack (Wall Street Journal)