Showing posts with label Remote Desktop Protocol.

Scarab Ransomware Toolkit: Unveiling the Ingenious Weaponry

In a recent report, cybersecurity researchers from ESET describe how a malicious toolset named Spacecolon is being used to deploy variants of the Scarab ransomware family against victim organizations around the world.

According to ESET's advisory, the operators of the toolset gain entry into victim organizations by exploiting commonly vulnerable web servers or by brute-forcing Remote Desktop Protocol (RDP) credentials. ESET's investigation also found that certain Spacecolon versions contain Turkish strings, which suggests that a Turkish-speaking developer was involved in their development.

According to a detailed technical report released on August 22, 2023, by ESET security researcher Jakub Souček, the Spacecolon toolkit is being used in a campaign that targets organizations all over the world to spread various variants of the Scarab ransomware, and it is targeting anti-torture organizations in particular.

The most recent Spacecolon build observed dates from May 20, 2023, while the roots of the project can be traced back as far as May 2020. Despite extensive tracking and analysis, ESET cannot yet attribute the toolset to a known threat actor group, and the firm tracks the operators behind Spacecolon under the name "CosmicBeetle".

CosmicBeetle is reported to have infiltrated some companies through misconfigured web servers and by brute-forcing Remote Desktop Protocol (RDP) login credentials. Victims of the Spacecolon toolset have been identified in several countries since May 2020, including France, Mexico, Poland, Slovakia, Spain, and Turkey.

Identified victims include an American school in Mexico, a hospital and a tourist resort in Thailand, an insurance company in Israel, a Polish government organization, an entertainment company in Brazil, and a Turkish environmental company. CosmicBeetle may also target servers that have not yet been updated with security patches, attempting to infiltrate networks by exploiting those unpatched vulnerabilities.

After compromising a vulnerable web server, CosmicBeetle deploys the main Spacecolon component, called ScHackTool. This type of attack relies heavily on ScHackTool's GUI and on the active participation of operators: the GUI lets operators orchestrate attacks and download and execute additional tools on demand on compromised machines.

CosmicBeetle can then deploy ScInstaller over the local network and use it to extend its foothold on the target; for example, ScInstaller can install ScService, which provides the attackers with further remote access. Ultimately, CosmicBeetle deploys a Scarab ransomware variant as the campaign's final payload.

This variant also deploys clipboard-monitoring malware known as ClipBanker, which watches the clipboard and replaces content that looks like a cryptocurrency wallet address with an address the attacker controls. Additionally, samples of a new ransomware family are being uploaded to VirusTotal from Turkey, suggesting that this family is under active development.

Based on its research, ESET is convinced that this new ransomware, which it has named ScRansom, was written by the same developers as Spacecolon. In addition to encrypting all hard drives, removable drives, and remote drives, ScRansom also encrypts e-mail.

ScRansom has not yet been seen in the wild and is still at a pre-release stage of development. Spacecolon variants were first publicly documented in February 2023 by Zaufana Trzecia Strona, and it is likely that the attacks have evolved since that disclosure.

Spacecolon is primarily composed of ScHackTool, a Delphi-based orchestrator that deploys an installer which, as the name implies, installs ScService, a backdoor that can run custom commands, download and execute payloads, and extract system information from compromised systems. ScHackTool is also used to retrieve several third-party tools from a remote server at IP address 193.149.185.23. These tools are aimed at exploiting the access provided by ScService to deliver a Scarab ransomware variant whose goal is to extract ransom money from the victim.

ESET also identified an alternative infection chain in which the threat actors use Impacket, rather than ScHackTool, to deliver ScService, indicating that they are experimenting with different techniques for deploying ScService.

CosmicBeetle's motives are financial: the ransomware payload includes clipper malware that monitors the system clipboard and replaces cryptocurrency wallet addresses with ones the attacker controls.

There is also evidence of active development of another ransomware strain, known as ScRansom. It uses AES-128 to encrypt hard drives, removable drives, and networked drives, with the encryption key derived from a hard-coded string.

Another notable characteristic of CosmicBeetle's malware is the lack of effort to conceal its presence: the toolset leaves several artifacts behind on compromised machines and lacks robust anti-analysis and anti-emulation defenses.

Rapid Ransomware Dwell Time and Persistent RDP Vulnerabilities

The dwell period of ransomware hackers has decreased to just 5 days, a noteworthy trend in the constantly changing world of cyber dangers that demands prompt response. The urgent necessity for stronger cybersecurity measures is highlighted by the quick infiltration and encryption timeframe as well as the ongoing use of Remote Desktop Protocol (RDP).

The dwell time, which measures how long an unauthorized actor stays within a hacked system before launching a cyberattack, has substantially lowered to just 5 days, according to a report by BleepingComputer. This is a considerable decrease from the prior average of 18 days, indicating that threat actors are getting better at quickly entering target networks and deploying their destructive payloads.

The report also highlights the persistent use of Remote Desktop Protocol (RDP) as a primary entry point for ransomware attacks. Despite numerous warnings and documented vulnerabilities, RDP remains widely used due to its convenience in enabling remote access. Security experts have long cautioned against RDP's risks, emphasizing its susceptibility to brute force attacks and the potential for unauthorized entry.

A study by Sophos echoes these concerns, revealing that RDP-related attacks remain a prevalent threat vector. Cybercriminals exploit misconfigured RDP services and weak passwords to gain unauthorized access to systems, making them ripe targets for ransomware deployment. The consequences of such attacks can be devastating, leading to data breaches, operational disruptions, and substantial financial losses.

The widespread reliance on RDP is concerning, given the increasing sophistication of ransomware attacks. Attackers are employing various tactics, such as double extortion, where they not only encrypt sensitive data but also threaten to leak it unless a ransom is paid. This creates a multifaceted dilemma for organizations, forcing them to not only recover their systems but also mitigate potential reputational damage.

The security community has also discovered new RDP-related vulnerabilities, according to The Hacker News. These flaws include things like unreliable encryption, a lack of two-factor authentication, and vulnerability to 'pass-the-hash' attacks. The critical need for businesses to review their remote access policies and make investments in safer substitutes is further highlighted by these fundamental shortcomings.

Organizations must take a multifaceted approach to improving their cybersecurity defenses in order to counter these expanding threats. This entails putting tight access controls in place, enforcing strict password guidelines, and routinely patching and updating systems. Replacing RDP with more secure remote access technologies and providing thorough employee training can considerably reduce the risk of ransomware attacks.

‘Karakurt’ Extortion Back with an Upswing


As of late, a new money-driven attack group has been on the upswing, and unlike previous groups, it does not appear to be interested in spreading ransomware or attacking high-profile targets. 

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish, and is also the name of a deadly spider prevalent in eastern Europe and Siberia. 

Karakurt specializes in data exfiltration and subsequent extortion, which allows it to operate swiftly. According to a report released on Friday by the researchers, the group had already claimed more than 40 victims as of September, 95 percent of them in North America and the rest in Europe.

Experts suggest Karakurt could be a trend-setter, and that similar groups may soon shift away from attacking large corporations or critical-infrastructure providers with ransomware and instead adopt a similar exfiltration/extortion technique.

“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.

According to Accenture CIFR researchers, Karakurt was first spotted by investigators outside Accenture Security in June, when it started building up its network and data-leak platforms. In August, the group registered the domains karakurt.group and karakurt.tech, as well as the Twitter handle @karakurtlair. Shortly afterwards the group launched its first successful attack.

Accenture Security's collecting sources and intrusion research discovered the organization's first target in September; two months later, the group revealed their victim on the karakurt.group website.

Karakurt's tactics, techniques, and procedures (TTPs) for infiltrating victim infrastructure, achieving persistence, moving laterally, and stealing data are similar to those used by numerous threat actors, and the group frequently takes a "living off the land" approach, i.e., using tools or features that are already present on the targeted system.

Karakurt primarily employs service installation, remote-management software, and the delivery of command-and-control (C2) beacons throughout victim environments via Cobalt Strike to sustain persistence once connected to a network. 

However, experts have noticed that the group recently appears to have changed its approach to backup persistence. Rather than delivering Cobalt Strike, Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices," they stated. This enables the gang to move laterally using previously obtained user, service, and administrator credentials.

Researchers stated the gang will also employ additional remote-management technologies, such as Remote Desktop Protocol (RDP), Cobalt Strike, and PowerShell commands, to move laterally and locate relevant data to steal and use for extortion as needed.

Nevertheless, the group's attack pattern so far demonstrates that it is adaptable enough to change its techniques based on the victim's circumstances. Karakurt can also evade detection in many cases because it frequently uses legitimate credentials to log in.

For exfiltration, Karakurt employs 7zip and WinZip for data compression, along with Rclone or FileZilla (SFTP) for staging and final exfiltration to Mega.io cloud storage. Also according to Accenture Security, the staging folders used to exfiltrate data in the observed attacks were C:\Perflogs and C:\Recovery.

Researchers offered enterprises standard mitigation recommendations to avoid being penetrated and extorted by Karakurt, which calls its victims several times to pressure them into paying once their data has been stolen.

Cyber Attack Alert! Microsoft Gives Inside Revelations About RDP Brute Force Attacks


Microsoft conducted a long-term study, which majorly focused on RDP brute-force attacks, their success and the duration they last for.

Per sources, the study reports that RDP brute-force attacks last on average for about "2-3 days", with 0.8% of them succeeding. The study also looked at the effect of such attacks on various business organizations.

Data on RDP login-related events was acquired from over 45,000 devices and workstations that ran "Microsoft Defender Advanced Threat Protection" (the commercial version of the free Defender anti-virus app).

According to reports, both failed and successful RDP login attempts were part of the data collected for the detailed study, which spanned numerous months.

Reportedly, the aforementioned successful and failed events correspond to Windows events with ID 4624 and 4625, respectively. The usernames that the attackers or users may have used were also collected.

Per sources, RDP (Remote Desktop Protocol) is a feature of the Windows operating system that enables users to log into a "remote computer" or device through an interface that looks much like a local desktop, by means of the computer's public IP address and port 3389.

Businesses and organizations usually make use of RDP and its provisions to manage servers, workstations and other connected devices in remote areas. It’s easier for the administrators and employees alike to work that way.

Brute force attacks have been pretty common on Windows devices especially via open RDP ports. Automated tools that the hackers use help them to create various combinations of passwords and usernames to figure out the target computer’s RDP login details.

Simple and basic combinations stand at the top of the hit list. The password and usernames combinations that have previously been leaked on the dark web are also used the most.

While on average these brute-force attacks last for 2 to 3 days, the reports found that in 90% of cases the attacks last for around a week.

According to the study, the attacks spread across days because the hackers were trying a selected set of combinations per hour rather than blindly firing off combinations.

This clearly helped the attackers avoid having their source IP addresses blocked by firewalls.

Microsoft, according to sources, also mentioned that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on an average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.

Per sources, it's imperative to look for the following things in a sign-in attempt:
Event ID 4625 logon type
Number of other devices with RDP inbound connections from one or more of the same IPs
Number of failed sign-ins
Event ID 4625 failure reason
The number of times a given username failed to log in
Number of RDP inbound external IPs
Hour and day of the failed sign-in
RDP connections
Timing of successful sign-in attempts

To secure your device from such attacks, it’s supremely essential to monitor unknown connections and failed sign-in attempts.
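The signals listed above can be scored automatically. The following script is an added example, not code from the original post or from Microsoft's study: it takes a list of pre-parsed Windows logon events (event ID 4625 = failed logon, 4624 = successful logon, plus logon type, source IP, target username, failure status and timestamp) and, per source IP, counts failures, distinct usernames, distinct hours and whether a success followed the failures. The event shape, the sample data and the thresholds are all assumptions made for the example; on a real host the events would come from the Security log (for instance via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`).

```python
"""Triage RDP brute-force activity from Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types: 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, a failed RDP logon is often recorded as logon type 3 (Network), so
# both are treated as remote here. Console logons (type 2) are ignored.
REMOTE_LOGON_TYPES = {3, 10}
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def make_sample_events():
    """Constructed sample data (not real logs). One source tries 36 passwords
    against 8 usernames over three hours and then gets in; one legitimate user
    mistypes a password twice; one console failure must be ignored."""
    events = []
    start = datetime(2023, 8, 22, 1, 0, 0)
    attacker = "203.0.113.7"  # TEST-NET-3 documentation address (assumed)
    names = ["administrator", "admin", "backup", "scan", "test", "guest", "sql", "helpdesk"]
    for i in range(36):  # every 5 minutes: 01:00 .. 03:55
        events.append({"event_id": FAILED_LOGON, "logon_type": 10, "source_ip": attacker,
                       "user": names[i % len(names)], "status": "0xC000006D",
                       "time": start + timedelta(minutes=5 * i)})
    events.append({"event_id": SUCCESSFUL_LOGON, "logon_type": 10, "source_ip": attacker,
                   "user": "administrator", "status": "0x0",
                   "time": start + timedelta(hours=3, minutes=2)})
    legit = "198.51.100.4"  # TEST-NET-2 documentation address (assumed)
    for i in range(2):
        events.append({"event_id": FAILED_LOGON, "logon_type": 10, "source_ip": legit,
                       "user": "j.doe", "status": "0xC000006D",
                       "time": start + timedelta(hours=8, minutes=i)})
    events.append({"event_id": SUCCESSFUL_LOGON, "logon_type": 10, "source_ip": legit,
                   "user": "j.doe", "status": "0x0",
                   "time": start + timedelta(hours=8, minutes=3)})
    events.append({"event_id": FAILED_LOGON, "logon_type": 2, "source_ip": "-",
                   "user": "kiosk", "status": "0xC000006D",
                   "time": start + timedelta(hours=9)})
    return events


def summarize_by_source(events):
    """Aggregate, per source IP, the signals the post says to look for."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "hours": set(),
                                   "failure_reasons": defaultdict(int),
                                   "first": None, "last": None,
                                   "success_after_failure": False})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue  # not an RDP/network logon
        ip = ev["source_ip"]
        if ev["event_id"] == FAILED_LOGON:
            s = summary[ip]
            s["failures"] += 1
            s["users"].add(ev["user"])
            s["hours"].add(ev["time"].strftime("%Y-%m-%d %H"))  # hour-of-day bucket
            s["failure_reasons"][ev["status"]] += 1
            s["first"] = s["first"] or ev["time"]
            s["last"] = ev["time"]
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in summary:
            # Events are time-sorted, so this success came after failures.
            summary[ip]["success_after_failure"] = True
    return summary


def flag_brute_force(events, min_failures=20, min_users=5, min_hours=2):
    """Return findings for sources that look like RDP brute force.
    Thresholds are assumptions; tune them to the environment's baseline."""
    findings = []
    for ip, s in summarize_by_source(events).items():
        if s["failures"] < min_failures and len(s["users"]) < min_users:
            continue  # a few typos from one account is normal
        reasons = [f"{s['failures']} failed logons against {len(s['users'])} usernames"]
        if len(s["hours"]) >= min_hours:
            reasons.append(f"spread over {len(s['hours'])} distinct hours (low and slow)")
        if s["success_after_failure"]:
            reasons.append("successful logon after the failures: treat as possible compromise")
        findings.append({"source_ip": ip, "failures": s["failures"],
                         "compromised": s["success_after_failure"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_brute_force(make_sample_events()):
        print(f["source_ip"], "->", "; ".join(f["reasons"]))
```

The "distinct hours" signal is what catches the slow, one-batch-per-hour pattern the post describes; a rate-limit that only looks at failures per minute would miss it. The final check matters most operationally: a success from a source that was just failing repeatedly should be treated as a likely compromise rather than a closed incident.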

A Micropatch Fix Issued for the Remote Desktop Services RCE Vulnerability BlueKeep in the Form of 22 Instructions

BlueKeep, the Remote Desktop Services RCE vulnerability, was recently given a fix by the 0patch platform in the form of a 22-instruction micropatch that can additionally be used to protect always-on servers against many exploitation attempts.

After the vulnerability was disclosed, the critical software flaw, tracked as CVE-2019-0708, was fixed by Microsoft on May 14. Unlike Microsoft's security update, however, 0patch's micropatch does not require a reboot and is aimed at a quite specific group of users: it enables administrators to patch systems that either cannot be restarted or do not allow Microsoft security updates to be installed for other reasons.

Mitja Kolsek, the co-founder of 0patch, says: "This is often due to always-on requirements, but another common reason is that restarting a fleet of remote machines (e.g., ATMs) brings a risk of having to physically visit all these machines in case something goes wrong (e.g., they don't wake up for some reason, or lose/corrupt in-memory data when they restart)."

The micropatch currently fixes the vulnerability on 32-bit Windows XP SP3 only, but the company also says it will port it to Server 2003 and other versions depending on "user requests" in order to support legacy systems.

While 0patch fixes are generally intended as a stopgap until Microsoft issues its own official patches, in this case they will most likely be a lasting solution for servers that cannot be restarted — unless their administrators find a way around the issues that keep them from rebooting the machines.

Another possible solution is to follow Microsoft's recommendation and enable Network Level Authentication (NLA) for Remote Desktop Services connections on systems affected by the BlueKeep vulnerability.

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!

Reportedly, CIRA's car parking system was infected with ransomware and hacked so as to let people park for free.

The Canadian Internet Registration Authority (CIRA) manages the .ca domain, with 2.8 million domain names under its wing.

The as-yet anonymous cyber-criminals compromised CIRA's car parking system, allowing people to park without having their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

What was initially thought to be a power failure or a mechanical system crash turned out to be a ransomware attack.

The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be "Dharma".

This ransomware infects computers by way of RDP connections, restricting itself to systems that expose RDP (Remote Desktop Protocol) to the internet.

These cyber-criminals target the RDP protocol, which runs on port 3389. After performing a brute-force attack, they tried to harvest administrative credentials.

Later on, an attempt at performing malicious activities on the system was made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.