Jan 31, 2024NewsroomCryptocurrency / Cybersecurity

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

“UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader,” the company said in a Tuesday report.

“During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain.”

UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It’s currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that’s responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermedia PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

“The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign,” Mandiant researchers said. “Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised.”

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

“The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset,” Mandiant said.

“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors’ side.”

Jan 20, 2024NewsroomZero Day / Cyber Espionage

An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.

“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” Google-owned Mandiant said in a Friday report.

The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server. It was fixed by the Broadcom-owned company on October 24, 2023.

The virtualization services provider, earlier this week, updated its advisory to acknowledge that “exploitation of CVE-2023-34048 has occurred in the wild.”

UNC3886 first came to light in September 2022 when it was found to leverage previously unknown security flaws in VMware to backdoor Windows and Linux systems, deploying malware families like VIRTUALPITA and VIRTUALPIE.

The latest findings from Mandiant show that the zero-day weaponized by the nation-state actor targeting VMware was none other than CVE-2023-34048, allowing it to gain privileged access to the vCenter system, and enumerate all ESXi hosts and their respective guest virtual machines attached to the system.

The next phase of the attack involves retrieving cleartext “vpxuser” credentials for the hosts and connecting to them in order to install the VIRTUALPITA and VIRTUALPIE malware, thereby enabling the adversary to directly connect to the hosts.

This ultimately paves for the exploitation of another VMware flaw, (CVE-2023-20867, CVSS score: 3.9), to execute arbitrary commands and transfer files to and from guest VMs from a compromised ESXi host, as revealed by Mandiant in June 2023.

VMware vCenter Server users are recommended to update to the latest version to mitigate any potential threats.

In recent years, UNC3886 has also taken advantage of CVE-2022-41328 (CVSS score: 6.5), a path traversal flaw in Fortinet FortiOS software, to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

These attacks specifically single out firewall and virtualization technologies owing to the fact that they lack support for endpoint detection and response (EDR) solutions in order to persist within target environments for extended periods of time.