Hacker – INDIA NEWS (http://www.indiavpn.org), News Blog. Feed last updated Tue, 09 Apr 2024 15:33:19 +0000.

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet
http://www.indiavpn.org/2024/04/09/10-year-old-rubycarp-romanian-hacker-group-surfaces-with-botnet/
Published Tue, 09 Apr 2024 15:33:19 +0000

Apr 09, 2024 – Newsroom – Botnet / Crypto Mining


A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.


“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors such as AndroxGh0st.


In a sign that the attackers are broadening their initial access methods to grow the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.


RUBYCARP’s arrival on the cyber threat scene is not surprising given their ability to take advantage of the botnet to fuel diverse illicit income streams such as crypto mining and phishing operations to steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

“These threat actors are also involved in the development and sale of cyber weapons, which isn’t very common,” Sysdig said. “They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
http://www.indiavpn.org/2024/04/05/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/
Published Fri, 05 Apr 2024 10:00:27 +0000

Apr 05, 2024 – Newsroom – Advanced Persistent Threat


Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.


The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

  • PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
  • TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to obtain domain admin access.


Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

  • SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
  • SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
  • SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
  • SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”


UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme
http://www.indiavpn.org/2024/03/18/apt28-hacker-group-targeting-europe-americas-asia-in-widespread-phishing-scheme/
Published Mon, 18 Mar 2024 06:31:32 +0000

Mar 18, 2024 – Newsroom – Cyber Warfare / Malware


The Russia-linked threat actor known as APT28 has been tied to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.


The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.


The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers, a botnet of which was taken down by the U.S. government last month.


The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

APT28’s elaborate scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously attributed to the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

LockBit Ransomware Hacker Ordered to Pay $860,000 After Guilty Plea in Canada
http://www.indiavpn.org/2024/03/14/lockbit-ransomware-hacker-ordered-to-pay-860000-after-guilty-plea-in-canada/
Published Thu, 14 Mar 2024 15:31:10 +0000

Mar 14, 2024 – Newsroom – Ransomware / Cyber Crime


A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation.

Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with “conspiring with others to intentionally damage protected computers and to transmit ransom demands in connection with doing so.”

News of Vasiliev’s jail term was first reported by CTV News.

The defendant, who had his home searched by Canadian law enforcement authorities in August and October 2022, is said to have kept a list of “prospective or historical” victims and screenshots of communications exchanged with “LockBitSupp” on the Tox messaging platform.

The raid also uncovered a text file with instructions to deploy LockBit ransomware, the ransomware source code, and a control panel used by the e-crime group to deliver the file-locking malware.


Vasiliev, according to CTV News, pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges last month. During the sentencing, he was characterized by Justice Michelle Fuerst as a “cyber terrorist” who was “motivated by his own greed.”

He is believed to have become a cyber criminal while at home during the COVID-19 pandemic, attempting to seek ransom payments from three Canadian companies between 2021 and 2022 by stealing their data and holding it hostage.

Vasiliev, who has consented to being extradited to the U.S., has also been ordered to pay back more than $860,000 in restitution.

One of the most prolific ransomware groups in history, LockBit suffered a huge blow in February 2024, when its infrastructure was seized in a coordinated law enforcement operation. The disruption was accompanied by arrests of three LockBit affiliates in Poland and Ukraine.

Although the group reemerged with a new data leak site, there is evidence to suggest that the new victims being listed are either old or fake, designed to give an impression that the group is back up and running.

The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.


Ilya Lichtenstein, who pleaded guilty in August 2023 to the theft of about 120,000 bitcoin in connection to the hack of the Bitfinex cryptocurrency exchange, testified last month how he had used Bitcoin Fog 10 times to launder the virtual assets, Bloomberg reported.

“Bitcoin Fog was the longest-running cryptocurrency ‘mixer,’ gaining notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement,” the DoJ said.

“Over the course of its decade-long operation, Bitcoin Fog moved over 1.2 million bitcoin, which was valued at approximately $400 million at the time of the transactions.”

Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT
http://www.indiavpn.org/2024/03/11/magnet-goblin-hacker-group-leveraging-1-day-exploits-to-deploy-nerbian-rat/
Published Mon, 11 Mar 2024 09:12:27 +0000

Mar 11, 2024 – Newsroom – Zero-Day / Endpoint Security


A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts.

“Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices,” Check Point said.

“In some cases, the deployment of the exploits is within 1 day after a [proof-of-concept] is published, significantly increasing the threat level posed by this actor.”


Attacks mounted by the adversary have leveraged unpatched Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ servers as an initial infection vector to gain unauthorized access. The group is said to have been active since at least January 2022.

A successful exploitation is followed by the deployment of a cross-platform remote access trojan (RAT) dubbed Nerbian RAT, which was first disclosed by Proofpoint in May 2022, as well as its simplified variant called MiniNerbian. The use of the Linux version of Nerbian RAT was previously highlighted by Darktrace.


Both strains allow for the execution of arbitrary commands received from a command-and-control (C2) server and exfiltrate the results back to it.

Some of the other tools used by Magnet Goblin include the WARPWIRE JavaScript credential stealer, the Go-based tunneling software known as Ligolo, and legitimate remote desktop offerings such as AnyDesk and ScreenConnect.


“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, Nerbian RAT and MiniNerbian,” the company said.

“Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

U.S. Charges Iranian Hacker, Offers $10 Million Reward for Capture
http://www.indiavpn.org/2024/03/02/u-s-charges-iranian-hacker-offers-10-million-reward-for-capture/
Published Sat, 02 Mar 2024 05:49:34 +0000

Mar 02, 2024 – Newsroom – Cybercrime / Social Engineering


The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year cyber-enabled campaign designed to compromise U.S. governmental and private entities.

More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors that support U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.

Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz while participating in a persistent campaign targeting the U.S. from at least in or about 2016 through or about April 2021.

“As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said U.S. Attorney Damian Williams for the Southern District of New York.

The spear-phishing campaigns were managed via a custom application that made it possible for Nasab and his co-conspirators to organize and deploy their attacks.


In one instance, the threat actors breached an administrator email account belonging to an unnamed defense contractor, subsequently leveraging the access to create rogue accounts and send out spear-phishing emails to employees of a different defense contractor and a consulting firm.

Outside of spear-phishing attacks, the conspirators have masqueraded as other people, typically women, to obtain the confidence of victims and deploy malware onto victim computers.

Nasab, while working for the front company, is believed to be responsible for procuring infrastructure utilized in the campaign by using the stolen identity of a real person in order to register a server and email accounts.

He has been charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud, and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.

While Nasab remains at large, the U.S. State Department has announced monetary rewards of up to $10 million for information leading to the identification or location of Nasab.

Mahak Rayan Afraz (MRA) was first outed by Meta in July 2021 as a Tehran-based firm with ties to the Islamic Revolutionary Guard Corps (IRGC), Iran’s armed force charged with defending the country’s revolutionary regime.

The activity cluster, which also overlaps with Tortoiseshell, has been previously linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware.


The development comes as German law enforcement announced the takedown of Crimemarket, a German-speaking illicit trading platform with over 180,000 users that specialized in the sale of narcotics, weapons, money laundering, and other criminal services.

Six people have been arrested in connection with the operation, including a 23-year-old considered the main suspect, with authorities also seizing mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash.

U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach
http://www.indiavpn.org/2024/01/24/u-s-u-k-australia-sanction-russian-revil-hacker-behind-medibank-breach/
Published Wed, 24 Jan 2024 16:38:14 +0000

Jan 24, 2024 – Newsroom – Cryptocurrency / Cybercrime


Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable Information (PII) belonging to the Australian company.

The ransomware attack, which took place in late October 2022 and was attributed to the now-defunct REvil ransomware crew, led to unauthorized access to the data of approximately 9.7 million of the company’s current and former customers.


The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health and drug use. Some of these records were leaked on the dark web.

As part of the trilateral action, the sanctions make it a criminal offense to provide assets to Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

The offense is punishable by up to 10 years’ imprisonment. In addition, the Australian government has also imposed a travel ban on Ermakov.

The U.K. government said the penalty is their latest effort “to counter malicious cybercriminal activity emanating from Russia that seeks to undermine integrity and prosperity” of the country and its allies.

Besides criticizing Russia for providing a safe haven to malicious cyber actors, the U.S. Department of the Treasury called out the East European nation for enabling ransomware attacks by cultivating and co-opting criminal groups.


It further called on Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson.

“This action demonstrates that the United States stands with our partners to disrupt ransomware actors who victimize the backbone of our economies and critical infrastructure,” the Treasury Department noted.

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware
http://www.indiavpn.org/2024/01/06/pro-iranian-hacker-group-targeting-albania-with-no-justice-wiper-malware/
Published Sat, 06 Jan 2024 10:08:46 +0000

Jan 06, 2024 – Newsroom – Malware / Cyber Attack


The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware “crashes the operating system in a way that it cannot be rebooted.”

The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it’s “back to destroy supporters of terrorists,” describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People’s Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that’s designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).


The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer’s RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.


The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

“Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks,” Check Point disclosed last month.

“By opportunistically targeting U.S. entities using Israeli technology, these hacktivist proxies try to achieve a dual retaliation strategy – claiming to target both Israel and the U.S. in a single, orchestrated cyber assault.”


Cyber Toufan, in particular, has been linked to a deluge of hack-and-leak operations targeting over 100 organizations, wiping infected hosts and releasing stolen data on their Telegram channel.

“They’ve caused so much damage that many of the orgs – almost a third, in fact, haven’t been able to recover,” security researcher Kevin Beaumont said. “Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities.”

Last month, the Israel National Cyber Directorate (INCD) said it’s currently tracking roughly 15 hacker groups associated with Iran, Hamas, and Hezbollah that are maliciously operating in Israeli cyberspace since the onset of the Israel-Hamas war in October 2023.

The agency further noted that the techniques and tactics employed share similarities with those used in the Ukraine-Russia war, leveraging psychological warfare and wiper malware to destroy sensitive information.

New Hacker Group ‘GambleForce’ Targeting APAC Firms Using SQL Injection Attacks
http://www.indiavpn.org/2023/12/26/new-hacker-group-gambleforce-tageting-apac-firms-using-sql-injection-attacks/
Published Tue, 26 Dec 2023 19:29:25 +0000

Dec 14, 2023 – Newsroom – Vulnerability / Data Breach


A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

“GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.


The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group’s origins are far from clear.


The attack chains entail the abuse of victims’ public-facing applications by means of SQL injection, as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

The SQL injections are accomplished by means of sqlmap, a popular open-source pentesting tool that’s designed to automate the process of identifying database servers vulnerable to SQL injections and weaponizing them to take over the systems.


In such attacks, the threat actors inject malicious SQL code into a public-facing web page of the targeted website, allowing them to get around default authentication protections and access sensitive data, such as hashed and plaintext user credentials.

It’s currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary’s command-and-control (C2) server and notified the identified victims.

“Web injections are among the oldest and most popular attack vectors,” Nikita Rostovcev, senior threat analyst at Group-IB, said.

“And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”
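As an added example that is not part of the original article or of Group-IB’s research, the Python snippet below shows the defect Rostovcev describes (a login query assembled from unvalidated input) next to the parameterised, validated form that closes it. It uses only the standard-library sqlite3 and hashlib modules; the in-memory user table, the “alice” account, the crafted username and the function names are all constructed for this illustration.

```python
import hashlib
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory table for the demo. SHA-256 is used only to keep
    the example dependency-free; a real service stores passwords with a slow,
    salted hash such as bcrypt, scrypt or argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct-horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The defect: user input is concatenated into the SQL text, so a quote in
    the username terminates the string literal and the remainder is parsed as
    SQL. This is the 'before' form and is kept intentionally unsafe."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


# Allowlist for the username field: defence in depth, not the primary fix.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def username_is_well_formed(username):
    """True only if the username matches the allowlist exactly."""
    return USERNAME_RE.fullmatch(username) is not None


def login_safe(conn, username, password):
    """The fix: reject malformed input up front, then bind the values as
    parameters so the database driver never interprets them as SQL."""
    if not username_is_well_formed(username):
        # A good place to emit a security log event for detection.
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed username containing a quote and a SQL comment marker.
    crafted = "alice' --"
    print("vulnerable path, crafted username:", login_vulnerable(db, crafted, "wrong"))
    print("safe path, crafted username:      ", login_safe(db, crafted, "wrong"))
    print("safe path, real credentials:      ", login_safe(db, "alice", "correct-horse"))
```

Run stand-alone, the vulnerable path returns True for the crafted username with a wrong password, because the comment marker discards the password check; the parameterised path returns False for the same input and True only for the genuine credentials. The allowlist check rejects the malformed username before any query is issued, which is also the natural point to raise a log event for the detection side.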
