Malware Activity
New Private Industry Notification by the FBI Details Recent Cyber Trends Regarding Ransomware Attacks and Data Destruction Tactics
The Federal Bureau of Investigation (FBI) released a Private Industry Notification on September 27, 2023, detailing the emerging trends of "multiple ransomware attacks on the same victim in close date proximity and new data destruction tactics in ransomware attacks." The FBI specified that as of July 2023, the agency observed threat actors deploying two (2) different ransomware variants in various combinations from the following list: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. This tactic is said to have resulted in data encryption, exfiltration, and financial loss from ransom payments, as well as heightened harm to the victim organization when a second ransomware attack occurs shortly after the first, as the organization would not have time to effectively prepare. In response to this trend, security researchers have been reporting that this is not "a new phenomenon" and has been tracked as "double extortion attacks" since 2021. Ransomware experts stated that ransomware actors will sometimes "encrypt data with one ransomware strain and then re-encrypt that data with the second strain" and have also been observed encrypting "some data with one strain and the rest with another." One (1) cybersecurity company is known to have observed REvil, Netwalker, GlobeImposter, and MedusaLocker strains being used in this attack type. The FBI also explained that various ransomware groups were observed in early 2022 increasing their use of custom data theft tools, wiper tools, and malware. The agency noted that "in some cases, new code was added to known data theft tools to prevent detection" as well as "malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals." The FBI's notification concludes with a list of mitigations including preparing for cyber incidents, identity and access management, protective controls and architecture, and vulnerability and configuration management.
CTIX analysts urge organizations to review and implement the noted mitigations to help reduce the risk of falling victim to attacks following these trends.
Threat Actor Activity
Lazarus Spear Phishing Campaign Targets Aerospace Company in Spain
A new campaign was discovered last week by researchers linking back to threat actors connected to the North Korean government's Lazarus group. Lazarus has been active since as far back as 2009, launching sophisticated attacks aligned with the interests of North Korea and spanning the three (3) pillars of cybercriminal activity: cyberespionage, cyber sabotage, and the pursuit of financial gain. The majority of cyberattacks conducted by North Korean-aligned threat actors are in pursuit of the country's developing nuclear weapons program, either by stealing monetary assets to fund the program or by hacking into companies and acquiring the data or technical knowledge to support their efforts. A Spanish aerospace company is therefore not an unusual target for a North Korean-aligned APT group like this. The hackers were able to access the aerospace company's corporate network using tactics from their ongoing "Operation Dreamjob" campaign, which entails targeted job recruitment lures built on fake recruiter personas that engage the target via LinkedIn and begin a recruitment process that at some point requires the victim to download a malicious file. The attack on the Spanish aerospace company began with a message from the Lazarus actor pretending to be a Meta (Facebook) recruiter on LinkedIn. Later in the conversation, the threat actor provided the victim with coding quizzes to prove their programming proficiency. Once the victim downloaded the quiz (shared as executables within ISO files), the malicious files infected the victim's device with a backdoor that allows espionage to be conducted. A worrisome discovery was the existence of a new type of payload called "LightlessCan", a more complex and sophisticated evolution of its predecessor, "BlindingCan".
LightlessCan's payload was also encrypted, with the decryption key dependent on the target's environment, effectively preventing security researchers or analysts from decrypting it outside the victim's computer. The heightened malicious capabilities of this new payload and the expansion of Lazarus' Operation Dreamjob campaign to focus on espionage goals beyond its financial objectives are a concerning development for organizations likely to be targeted by the group.
Vulnerabilities
Makers of MOVEit Vulnerable to New Critical Vulnerabilities in WS_FTP Server
Progress Software, the makers of the popular MOVEit enterprise managed file transfer program, have confirmed the presence of multiple new critical vulnerabilities in their WS_FTP file transfer tool that could be exploited by threat actors. In May 2023, organizations using the MOVEit file transfer solution were attacked by Cl0p ransomware actors who exploited three (3) zero-day and N-day vulnerabilities in MOVEit to compromise over 2,100 organizations and 62 million individuals. Cl0p's apparent goal for the compromise was to exfiltrate large datasets of sensitive information from organizations that depend on MOVEit Transfer, and then extort the affected entities by freely posting the information on their dark web leak site until the companies agreed to pay the demanded ransom. Although the initially exploited vulnerabilities have been patched, there are still hundreds of datasets available on Cl0p Leaks, and many organizations are still dealing with the aftermath months later. On September 27, 2023, Progress Software reported several new flaws affecting the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface, with the two (2) most severe vulnerabilities receiving CVSS scores of 10/10 and 9.9/10. The first and most severe flaw, tracked as CVE-2023-40044, is a .NET deserialization vulnerability which, if successfully exploited, could allow an attacker with access to the target network to conduct remote code execution (RCE). The second most severe flaw, tracked as CVE-2023-42657, is a directory traversal vulnerability which could allow attackers to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder paths. Several other issues received severity scores ranging from 5.3 to 8.3, and their details can be found in the Progress Software advisory linked below.
These flaws have been classified as "low-complexity attacks", meaning that even unsophisticated actors could successfully exploit the vulnerabilities. According to Progress Software, at this time there is no evidence that these vulnerabilities are being actively exploited. The flaws affect all versions of WS_FTP Server and can be mitigated by applying version-specific hotfixes. CTIX analysts recommend that all entities leveraging WS_FTP for their file transfer needs ensure that they are running the most secure version of the software. For a comprehensive review of the MOVEit cyberattack, read CTIX MOVEit Transfer Attack Campaign: Analysis.
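The directory traversal flaw above (CVE-2023-42657) belongs to a bug class in which a file-transfer server acts on a client-supplied path without confining it to the account's authorized folder. As an added illustration that is not WS_FTP's or Progress Software's code, the following Python shows the unsafe join beside a hardened containment check; the account names, roots, and requests are constructed samples.

```python
"""Directory-traversal containment check (added illustration, not WS_FTP code).

A file-transfer server that performs delete/rename/mkdir/rmdir on a
client-supplied path must confine every operation to that account's
authorized folder. Account names, roots and requests below are constructed.
"""
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Hypothetical per-account authorized roots (constructed sample data).
AUTHORIZED_ROOTS = {
    "alice": PurePosixPath("/srv/ftp/alice"),
    "bob": PurePosixPath("/srv/ftp/bob"),
}

def naive_target(account: str, client_path: str) -> PurePosixPath:
    """Unsafe: a bare join lets '..' segments or an absolute path escape
    the root ('/srv/ftp/alice' / '/etc/passwd' yields '/etc/passwd')."""
    return AUTHORIZED_ROOTS[account] / client_path

def confined_target(account: str, client_path: str) -> Optional[PurePosixPath]:
    """Hardened: normalize the request lexically, then require the result to
    stay under the account root. Returns None when the request must be
    refused. Purely lexical resolution keeps the check deterministic; symlink
    escapes are a separate concern the server must also handle."""
    root = AUTHORIZED_ROOTS[account]
    requested = PurePosixPath(client_path)
    if requested.is_absolute():
        return None                      # refuse absolute client paths outright
    parts = []
    for seg in requested.parts:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:                # would climb above the authorized root
                return None
            parts.pop()
        else:
            parts.append(seg)
    candidate = root.joinpath(*parts)
    try:                                 # belt and braces: must still be under root
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

def authorize(account: str, op: str, client_path: str) -> Tuple[str, str]:
    """Decide one file operation; returns (verdict, resolved path or reason)."""
    target = confined_target(account, client_path)
    if target is None:
        return ("DENY", f"{op} {client_path!r} escapes {AUTHORIZED_ROOTS[account]}")
    return ("ALLOW", str(target))
```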
- The Record: WS_FTP Vulnerabilities Article
- Bleeping Computer: WS_FTP Vulnerabilities Article
- Progress Software: WS_FTP Vulnerabilities Advisory