Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label TTPs. Show all posts

Imperva Report Previously Undocumented 8220 Gang Activities


Imperva Threat Research team has recently discovered a previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

The Imperva Threat Research disclosed the use of malware identified as CVE-2021-44228 and CVE-2017-3506. Also, the researchers revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently linked with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or using compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. The documented exploitation of these vulnerabilities is extensive. This way, it is easier to modify for the distribution of malware. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Ransomware Makes Up 58% of Malware Families Sold as Services

 

Ransomware has emerged as the most pervasive Malware-as-a-Service (MaaS) during the past seven years, according to a new study from the Kaspersky Digital Footprint Intelligence team. Based on analysis of 97 malware families that were disseminated via the dark web and other sites, the study was undertaken. The researchers also discovered that hackers frequently rent infostealers, botnets, loaders, and backdoors to conduct their attacks.

An illegal business concept called malware-as-a-service (MaaS) involves renting out software to commit cyberattacks. Clients of these services are typically provided with a personal account via which they may manage the attack as well as technical support. 

Ransomware the most widely used malware-as-a-Service

In order to determine the popular types, Kaspersky's experts assessed the sale quantities of different malware families as well as mentions, debates, posts, and search advertising on the darknet and other sites regarding MaaS. The dominant force turned out to be ransomware, or malicious software that encrypts data and demands payment to decrypt it. Of all the families supplied under the MaaS model between 2015 and 2022, it accounted for 58%. Ransomware's appeal can be ascribed to its capacity to produce greater earnings than other forms of malware in a shorter amount of time.

Ransomware-as-a-service (RaaS) allows cybercriminals to "subscribe" for nothing. They start paying for the service after the attack occurs after they are partners in the programme. A portion of the victim's ransom payment, usually between 10% and 40% of each transaction, determines the payout amount. Entering the programme, meanwhile, is not an easy undertaking because there are strict qualifications. 

Infostealers made up 24% of malware families offered as a service throughout the analysed time frame. These are malicious software meant to steal information, including usernames, passwords, banking information, browsing history, data from cryptocurrency wallets, and more. 

Subscription-based payment methods are used for infostealer services. The cost per month ranges from 100 to 300 dollars in the United States. For instance, Raccoon Stealer, which was cancelled in the first few days of February 2023, could be purchased for 275 dollars per month or 150 dollars per week. According to information provided on the Darknet by its operators, RedLine's rival charges 150 dollars a month and also offers the chance to buy a lifetime licence for 900 dollars. 

Botnets, loaders, and backdoors were found to be present in 18% of malware families offered as services. Since many of these threats share the same objective—uploading and running further malware on the victim's device—they are grouped together as a single threat. 

Prevention tips

Kaspersky experts advise the following to safeguard your business from such threats: 

  • To stop hackers from breaking into your network by taking advantage of vulnerabilities, keep the software updated on all the devices you use.
  • Update your systems with fixes as soon as new vulnerabilities are discovered. Threat actors cannot exploit the vulnerability after it has been downloaded. 
  • To stay informed about the real TTPs employed by threat actors, use the most recent threat intelligence data. 
  • Investigate an adversary's perception of your company's resources with the aid of Kaspersky Digital Footprint Intelligence to quickly identify any potential attack vectors you may have. This also aids in spreading awareness of the threats that cybercriminals are currently posing so that you can timely alter your defences or implement countermeasures and elimination strategies.

Cybersecurity Must Adopt a New Approach to Combat Underground Cybercrime Activities

 

Threat researchers at Cybersixgill published their annual report, The State of the Cybercrime Underground, earlier this year. The study is based on an analysis of data that Cybersixgill gathered from the deep, dark, and clear web in 2022. The study looks at how threat actors' tactics, techniques, and procedures (TTPs) have evolved over time in the digital age and how organisations can adjust to lower risk and maintain operational resilience. 

This article provides an overview of some of The report's key findings are briefly summarised in this article, covering trends in credit card fraud, cryptocurrency observations, improvements in artificial intelligence and how they are lowering the entrance hurdles for cybercrime, and the emergence of cybercriminal "as-a-service" operations. The necessity for a new security strategy that combines attack surface management (ASM) and cyber threat intelligence (CTI) to counter threat actors' constantly evolving tactics is covered in more detail below. 

Decline in credit card scams

For many years, fraudsters operating underground have employed credit card fraud as a regular and recurrent danger. But a number of recent changes are halting the trend and sharply lowering the number of instances of credit card theft. In recent months, the number of compromised credit cards being sold on illegal underground markets has significantly decreased. For instance, in 2019 dark web shops offered for sale almost 140 million compromised cards. By 2020, the number had dropped to roughly 102 million, and by 2021, it had fallen again by another 60% to just under 42 million cards. The amount finally fell to just 9 million cards in 2022.

Clever use of cryptocurrency

The decentralised nature of cryptocurrencies gives users privacy and anonymity. Therefore, it should come as no surprise that cybercriminals prefer to pay using cryptocurrency to buy illegal goods and services, launder money obtained from cyberattacks, and get paid for ransomware. In addition to becoming more widely used for legitimate purposes, cryptocurrencies have also attracted the attention of threat actors, opening up new potential for "crypto-jacking," hacking of digital wallets, crypto-mining, and stealing of digital assets from cryptocurrency exchanges. 

Even in the wake of the 2022 crypto meltdown, attackers continue to place a high value on cryptocurrency. In 2022, we observed a 79% increase in crypto account takeover attacks, as stated in our study. (In the end, fraudsters utilise crypto to shift money rather than to generate revenue. Prices are indicated in dollars even if subterranean transactions are conducted in cryptocurrencies.) However, if investors continue to flee the market because of its turbulence, threat actors may eventually give up using cryptocurrencies as fewer users make it simpler for law enforcement to detect illegal transactions and for lawmakers to enact stronger regulation. 

Use of artificial intelligence

Less than a year after it first appeared on the scene, cybercriminals are still very excited about ChatGPT and other recently revealed AI tools because of their potential to be a force multiplier for online crime. Threat actors can automate the creation of malware code and even replicate human language for social engineering with the correct prompts and direction, streamlining the entire attack chain. ChatGPT enables less experienced and less skilled cybercriminals to quickly and relatively easily carry out destructive acts. As highlighted in the study, AI technology is decreasing the entrance barrier for cybercrime and cutting the time required for threat actors to build harmful code and carry out other "pre-ransomware" preparations. 

Mitigation tips

Within an organisation's vast attack surface, every connected system offers possible attack entry points for cybercriminals. Today, it is nearly impossible to safeguard the growing organisational attack surface using only cyber threat intelligence to assess vulnerability. The modern attack surface is becoming more and more external, encompassing a wide ecosystem of unidentified assets from cloud-based resources, connected IPs, SaaS apps, and third party supply chains in addition to the known network perimeter.

As a result, the majority of organisations struggle with the copious quantities of cyber threat intelligence data and experience significant blindspots into their whole attacker-exposed IT system. Security teams require complete visibility into their individual attack surface and real-time knowledge into their threat exposure in order to effectively fight against cyber threats. 

The Attack Surface Management (ASM) solution from Cybersixgill, which is embedded with native, market-leading Cyber Threat Intelligence (CTI), eliminates visibility blindspots by automatically locating the invisible. With this unified solution, security professionals can continuously find, map, scope, and classify unknown networked assets that can put your business at danger, while also keeping track of your whole asset inventory in real-time across the deep, dark, and clear web. 

To focus on each organization's unique attack surface and provide the earliest possible alerts of threats targeting their company, the integration of ASM refines industry-leading threat intelligence. Security teams are reliably equipped to focus their efforts and resources where they are most needed thanks to complete insight of organisational threat exposure. This significantly reduces Mean Time to Remediate (MTTR) and speeds up remediation time.

Evolution of Gootkit Malware Using Obfuscations

Mandiant Managed Defense has reliably resolved GOOTLOADER infections since January 2021. When spreading GOOTLOADER, malicious actors cast a wide net, affecting a variety of industrial verticals and geographical areas.

Gootkit Malware

The Gootkit Trojan is Javascript-based malware that carries out a number of malicious tasks, such as authorizing threat actors remote access, recording video, capturing keystrokes, stealing emails, stealing passwords, and having the ability to inject malicious files to steal online banking login details.

Gootkit previously spread malware in the disguise of freeware installers, but now it deceives users into downloading these files by presenting them as legal documents. A user enters a search query into a search engine to begin the attack chain. 

Mandiant Managed Defense believes that UNC2565, a group it tracks, is the sole group that the GOOTLOADER virus and infrastructure belong to at this time. Due to these breaches' rapid detection and mitigation, Mandiant's observation of post-compromise GOOTLOADER activities has mostly been restricted to internal surveillance.

If the GOOTLOADER file is successfully executed, other payloads like FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that are saved in the registry will be downloaded. Future phases include PowerShell being used to execute these payloads.

The. NET-based loader FONELAUNCH is intended to load an encoded payload into memory, while the downloader SNOWCONE is responsible for obtaining next-stage payloads, notably IcedID, through HTTP.

The primary aims of Gootkit have remained the same, however, the attack process has undergone substantial modifications. Currently, the JavaScript file contained in the ZIP archive is trojanized and contains a different JavaScript file that is obfuscated and then begins to execute the malware.

Furthermore, to avoid detection, the malware's creators allegedly used three distinct strategies to cloak Gootkit, including hiding the code inside modified versions of trustworthy JavaScript libraries like jQuery, Chroma.js, and Underscore.js. These modifications show how actively developing and expanding UNC2565's capabilities remain.


Noberus Ransomware Has Updated Its Methods

Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.

Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.

About  Coreid 

Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings. 

Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.

The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.

Noberus is a destructive ransomware

Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.

Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.

Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.

A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.

Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.




Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Malicious Actor Claims Targeting IBM & Stanford University

 

Jenkins was mentioned as one of the TTPs employed by spyware in a report on a British cybercrime forum found by CloudSEK's contextual AI digital risk platform XVigil. To boost ad clickthroughs, this module features stealth desktop takeover capabilities. Based on unofficial talks, CloudSEK experts anticipate that this harmful effort will increase attempts to infect bots. 

Evaluation of threats 

A malicious actor detailed how they hacked into a major organization by taking advantage of a flaw in the Jenkins dashboard in a post on a cybercrime site on May 7, 2022. 

Previously, the same threat actor was observed giving access to IBM. In addition, the actor provided evidence of a sample screenshot showing their alleged connection to a Jenkins dashboard. 

The malicious actors came upon a Jenkins dashboard bypass that had internal hosts, scripts, database logins, and credentials. They exploited the company's public asset port 9443 by using search engines like Shodan as per researchers. 

After receiving data, the actor employed a custom debugging script to find vulnerable targets for bypassing rproxy misconfiguration. 

Origin of the threat actor

The hacker claimed they previously targeted IBM Tech Company as well, in particular internal administrators' scripts and firewall configurations for internal networks, in other posts by the same person on the cybercrime site.

The actor also stated the following exploit narrative as to how to get into Stanford University in their future posts: 
  • The actor counted all the subdomains connected to the University using the Sudomy tool. 
  • The actor then applied a path, such as -path /wp-content/plugins/, to the domains using httpx. 
  • An attacker can execute RCE on the plugin by returning data from all of the subdomains that have a valid path with the susceptible zero-day vulnerability. 

According to CloudSEK, which reported the threats, other entities could execute similar exploits using the threat actor's TTP. "Modules like these can facilitate complex ransomware assaults and persistence," the security experts said while adding that threat actors "could migrate laterally, infecting the network, to retain persistence and steal credentials." 

Actors may utilize revealed credentials to access the user's other accounts because password reuse is standard practice. For reference, the malicious actors also took credit for hacking Stanford University and Jozef Safarik University in Slovakia. 

According to reports from XVigil, official access to the domains was reportedly found in several nations, including Ukraine, Pakistan, United Arab Emirates, and Nepal. 

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms.  After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.

Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022. 

The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.

'Tropic Trooper' Makes a Comeback to Target Transportation Organizations

 

Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. 

Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.

According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering comparable code in configuration decoding. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.” 

The researchers noticed that one of the group's signature tactics, techniques, and procedures (TTPs) includes astute red teamwork. According to the research, Earth Centaur is skilled at evading security and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently, ” the report said. 

According to the research, the threat group typically penetrates target computers via a weak Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. According to the researchers, a customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then go across the infiltrated organization's network and exfiltrate valuable data. 

The rise in threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly prepared to profit.

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee

 

A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

The actor gained initial access by compromising the victim's web server, which contained software to maintain the existence and storage of tools needed to acquire information about the victim's network and lateral movement/execution of files, according to forensic investigations. 

Between the operating method of the unique encryption function in the custom backdoor and the code used in the DLL, the adversaries used techniques that are commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families, almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

McAfee investigators drew out MITRE ATT&CK Enterprise methods, added the tools utilized, and compared the information to previous technique data to figure out who the perpetrators were. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

The FBI has Issued a Warning About the Hive Ransomware Gang

 

The Federal Bureau of Investigation (FBI) has issued a security alert regarding the Hive ransomware attacks, which provides technical data and indicators of compromise related to the gang's operations. The gang recently targeted Memorial Health System, which was compelled to shut down some of its activities.   

The new Hive ransomware, according to John Riggi, senior advisor for cybersecurity at the American Hospital Association, is of particular concern to healthcare organizations. Hive has targeted at least 28 companies so far, including Memorial Health System, which was infected by ransomware on August 15. Across Ohio and West Virginia, the non-profit operates a number of hospitals, clinics, and healthcare facilities.

The attack, led Memorial, which is situated in Ohio, to stop user access to IT applications. All urgent surgery cases and radiology exams were canceled for August 16th, but all general care visits went through as planned. While systems were restored, staff at Memorial's hospitals - Marietta Memorial, Selby, and Sistersville General Hospital – had to rely on paper records. 

Hive ransomware has been active since June 2021, and it uses a Ransomware-as-a-Service model with a wide range of tactics, techniques, and procedures (TTPs). According to government experts, the gang uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to acquire access and Remote Desktop Protocol (RDP) to move around once on the network. 

"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained. "Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension."

Before directing victims to a link to the group's "sales department" that can be reached through a TOR browser, the alert explains how the ransomware corrupts systems and backups. The link connects victims to a live chat with the perpetrators, but the FBI reports that some victims have been called by the attackers demanding ransom. The majority of victims have a payment deadline of two to six days, however, some have been able to extend their deadlines through negotiation.

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.

Unique TTPs Connect Hades Ransomware to New Threat Group

 

Researchers claim to have uncovered the origins of Hades ransomware's operators, as well as the unique tactics, methods, and procedures (TTPs) they use in their attacks. 

The Hades ransomware initially appeared in December 2020, following a series of attacks on a variety of institutions, but limited information about the culprits has been released to date. 

Gold Winter has been identified as the threat group behind the Hades ransomware, according to Secureworks' Counter Threat Unit (CTU). They also disclosed data about Gold Winter's actions that set it apart from other similar threat organizations, implying that it is a financially driven, most likely Russian-based "big game hunter" after high-value targets, primarily North American manufacture. 

The researchers stated, “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.” 

“Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite the use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication” 

According to the researchers, the investigation of Gold Winter showed TTPs that were not found in other ransomware families, with some showing resemblance but with uncommon characteristics added.

As per the researchers, GoldWinter: 

- It names and shames victims, but it doesn't employ a centralized leak site to make stolen information public. Instead, Tor-based Hades websites appear to be personalized for each victim, including a victim-specific Tox chat ID for conversation. Tox instant messaging is a technique CTU researchers haven't seen in other ransomware families. 

- Is renowned for copying ransom notes from other high-profile families like REvil and Conti, substituting webpages with contact email addresses, and adding unique victim identifiers.

- Replaces randomly generated five-character strings for the victim ID and encrypted file extension with words—e.g., cypherpunk. 

- SocGholish malware disguised as a phoney Chrome update and single-factor authentication VPN access is used as first access vectors. 

- Deletes volume shadow copies using the “vssadmin.exe Delete Shadows/All/Quiet” command but uses a distinctive self-delete command with an unusual inclusion of a “wait for” command. 

Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, tells CSO, “Typically when we see a variety of playbooks used around particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods. We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she added.

It is also possible that Gold Winter has been organized by another threat group to throw law enforcement and researchers off their trail, Lee continues. 

For Hades, Lee suggests adopting common ransomware defense and mitigation strategies: Implement an endpoint detection and response solution, as well as multi-factor authentication for internet-facing devices and for user apps, as well as efficient asset management. She also suggests efficient patch management and membership to customized threat intelligence to raise awareness of emerging dangers and have a tested incident plan and team.