Ransomware/Malware Activity

New Malware Variant Used to Target Southern African Power Company

A new variant of the SystemBC malware, called DroxiDat, has been used in an attempted cyberattack against the electrical infrastructure of Southern Africa. The attack, which began in March 2023, used DroxiDat to profile the computer systems in use and then proxied network traffic over the SOCKS5 protocol, placing command-and-control (C2) infrastructure between the network and outside traffic. SystemBC is a C/C++-based malware that first appeared in 2019 with the ability to set up SOCKS5 proxies on victim machines in order to tunnel malicious traffic and additional malware, and it has been used in the past to initiate ransomware attacks. DroxiDat departs from that pattern: much of the original functionality has been removed in favor of a slimmer design that only exfiltrates system profiles to a remote server. The autonomous nature of this reduced-capability malware makes it well suited to targeting multiple victims at once. The combination of system-profile exfiltration and system registry alterations leads researchers to believe it was used either as an initial reconnaissance tool to find potential weaknesses in the system or as a test run against other pieces of electrical infrastructure. No known threat group is currently associated with these attacks, although Kaspersky's Global Research and Analysis Team has said that the methodology resembles that of Russian ransomware groups, which have historically used SystemBC alongside Cobalt Strike Beacons to deploy ransomware. CTIX will continue to monitor potential infrastructure vulnerabilities as well as developing cyber-attacks on electrical infrastructure worldwide.
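The SOCKS5 proxy behaviour described above is visible on the wire as a fixed method negotiation (RFC 1928): the client sends VER=0x05, NMETHODS and a list of methods, and the server answers VER=0x05 plus the chosen method (0xFF for rejection). The following Go program is an added example, not code from the newsletter or from any analysis of DroxiDat, showing how a defender can flag that negotiation in connection data when the accepting side is not an approved proxy. The Flow record, its field names and the sample traffic are constructed for this example; a real sensor such as Zeek or a PCAP parser exposes the first payload bytes differently.

```go
package main

import "fmt"

const socksVersion5 = 0x05

// Flow is a constructed record of the first payload bytes sent in each
// direction of a TCP connection. The field names are assumptions for this
// example; a real sensor exposes the same information in its own format.
type Flow struct {
	Src, Dst    string
	DstPort     int
	ClientFirst []byte // first bytes from the connecting side
	ServerFirst []byte // first bytes from the accepting side
}

// ParseClientGreeting checks an RFC 1928 client greeting,
// VER(0x05) | NMETHODS | METHODS[NMETHODS], and returns the offered methods.
func ParseClientGreeting(b []byte) ([]byte, bool) {
	if len(b) < 3 || b[0] != socksVersion5 {
		return nil, false
	}
	n := int(b[1])
	if n == 0 || len(b) != 2+n {
		return nil, false
	}
	return b[2:], true
}

// ParseServerChoice checks the server's reply, VER(0x05) | METHOD, and returns
// the selected method (0x00 no auth, 0x02 username/password, 0xFF rejected).
func ParseServerChoice(b []byte) (byte, bool) {
	if len(b) != 2 || b[0] != socksVersion5 {
		return 0, false
	}
	return b[1], true
}

// IsSocks5Negotiation reports whether both directions of a flow open with a
// consistent SOCKS5 method negotiation.
func IsSocks5Negotiation(f Flow) bool {
	methods, ok := ParseClientGreeting(f.ClientFirst)
	if !ok {
		return false
	}
	choice, ok := ParseServerChoice(f.ServerFirst)
	if !ok {
		return false
	}
	if choice == 0xFF {
		return true // a rejection still proves the server speaks SOCKS5
	}
	for _, m := range methods {
		if m == choice {
			return true
		}
	}
	return false
}

// FindUnexpectedProxies returns the flows in which a SOCKS5 proxy is being
// negotiated with a server that is not on the approved list ("host:port").
func FindUnexpectedProxies(flows []Flow, approved map[string]bool) []Flow {
	var hits []Flow
	for _, f := range flows {
		if !IsSocks5Negotiation(f) {
			continue
		}
		if approved[fmt.Sprintf("%s:%d", f.Dst, f.DstPort)] {
			continue
		}
		hits = append(hits, f)
	}
	return hits
}

// SampleFlows returns constructed traffic: one session with the corporate
// proxy, one TLS ClientHello, and one SOCKS5 negotiation with an internal
// workstation that should not be acting as a proxy at all.
func SampleFlows() []Flow {
	return []Flow{
		{Src: "10.1.2.3", Dst: "10.0.0.5", DstPort: 1080,
			ClientFirst: []byte{0x05, 0x01, 0x02}, ServerFirst: []byte{0x05, 0x02}},
		{Src: "10.1.2.3", Dst: "198.51.100.7", DstPort: 443,
			ClientFirst: []byte{0x16, 0x03, 0x01, 0x00, 0xf5}, ServerFirst: []byte{0x16, 0x03, 0x03}},
		{Src: "203.0.113.9", Dst: "10.1.2.3", DstPort: 4433,
			ClientFirst: []byte{0x05, 0x02, 0x00, 0x02}, ServerFirst: []byte{0x05, 0x00}},
	}
}

func main() {
	approved := map[string]bool{"10.0.0.5:1080": true}
	for _, f := range FindUnexpectedProxies(SampleFlows(), approved) {
		fmt.Printf("unexpected SOCKS5 proxy: %s -> %s:%d\n", f.Src, f.Dst, f.DstPort)
	}
}
```

The check deliberately requires agreement between both directions: a lone 0x05 byte at the start of a payload is common enough to be noise, while a client offer answered by a matching (or explicit 0xFF) server reply is a real SOCKS5 speaker. A workstation answering such greetings on an arbitrary port is the pattern worth an alert.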

Threat Actor Activity

MoustachedBouncer Hackers Use AitM Attacks on Embassies in Belarus

Foreign embassies in Belarus are being targeted by a previously undocumented threat actor codenamed "MoustachedBouncer" that has been operating for nearly a decade. The actor has conducted cyber espionage attacks against foreign embassies in Belarus since at least 2014 and maintains two (2) signature malware frameworks, "Disco" and "NightClub". Disco, the more recent of the two, was released in 2020 and supports data theft, screenshot capture, audio recording, keystroke capture, and more. Both frameworks have additional plug-ins with overlapping capabilities, but NightClub is used more in instances where traffic interception is not possible, such as when an embassy uses VPN services to route its traffic outside of Belarus. Researchers have observed five (5) distinct campaigns by the actor over the years, with a shift in tactics in 2020 when it likely began performing adversary-in-the-middle (AitM) attacks at the internet service provider (ISP) level. The skilled and advanced actor is believed to be exploiting local Belarusian ISPs to compromise its targets and steal data, and researchers believe the group to be aligned with Belarusian interests.

Vulnerabilities

Critical Dell Vulnerability Makes VMware Environments Susceptible to Compromise and Takeover

A critical vulnerability in Dell's Compellent Integration Tools for VMware (CITV) could allow threat actors to decrypt and exfiltrate administrator credentials in plaintext. Dell Compellent Storage Center is an enterprise storage solution for virtualized data centers and cloud infrastructure. The flaw, tracked as CVE-2023-39250, results from a hardcoded AES encryption key used to encrypt the CITV configuration file. The file contains the program's settings and could be located by an attacker who has gained access to the victim network. Once initial access has been achieved, the attacker can decode the private key associated with VMware's centralized management utility through Dell Compellent, enabling the full takeover of a VMware environment. To make matters worse, because the symmetric AES key is hardcoded into the software, it is identical for every single Dell customer, so a compromise of one entity could easily lead to the compromise of many more. Tom Pohl, manager of the penetration testing team at LMG Security, exploited the vulnerability and demonstrated his findings at the DEF CON 31 hacking convention this month, after the standard 90-day vulnerability disclosure window had expired. This flaw has not yet been patched, and LMG Security researchers expect that Dell will not be able to patch the vulnerability until Fall 2023. In the meantime, Dell has published mitigation instructions to defend against exploitation. The instructions can be found in the Dell advisory link below, and CTIX analysts recommend that any administrators responsible for these environments apply the manual workarounds as soon as possible.
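The design flaw above is a fixed key shipped inside the software, so every installation's configuration file is protected by the same secret. The Go program below is an added example written for this newsletter, not Dell's code and not the actual CITV key or file format: it places the vulnerable pattern (a constant key) beside the hardened one (a random key generated per installation and kept outside the configuration file, for instance in an OS key store or a root-only file), and shows with AES-256-GCM that one installation's key cannot open another installation's file. The key bytes, configuration text and function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey stands in for a key compiled into a product binary. Because it
// ships with the software, it is the same for every customer; anyone who
// extracts it once can decrypt every installation's configuration file.
// (Constructed placeholder bytes; not any vendor's real key.)
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes

// sealGCM encrypts plaintext with AES-256-GCM and prepends the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; GCM's authentication tag fails under any other key.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed config too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptConfigHardcoded is the vulnerable pattern: one constant key for all installs.
func EncryptConfigHardcoded(config []byte) ([]byte, error) {
	return sealGCM(hardcodedKey, config)
}

// NewInstallKey is the hardened pattern: a fresh 256-bit key generated at
// install time and stored outside the config file (OS key store or 0600 file).
func NewInstallKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptConfig and DecryptConfig use whichever key the caller supplies.
func EncryptConfig(installKey, config []byte) ([]byte, error) { return sealGCM(installKey, config) }
func DecryptConfig(key, sealed []byte) ([]byte, error)        { return openGCM(key, sealed) }

func main() {
	cfg := []byte("vcenter_user=admin\nvcenter_password=constructed-sample") // constructed

	// Vulnerable: the key extracted from the binary unlocks every customer's file.
	sealed, _ := EncryptConfigHardcoded(cfg)
	pt, err := DecryptConfig(hardcodedKey, sealed)
	fmt.Printf("shipped key decrypts config: %v (err=%v)\n", string(pt) == string(cfg), err)

	// Hardened: install A's key is useless against install B's file.
	keyA, _ := NewInstallKey()
	keyB, _ := NewInstallKey()
	sealedB, _ := EncryptConfig(keyB, cfg)
	_, err = DecryptConfig(keyA, sealedB)
	fmt.Printf("install A key opens install B config: %v\n", err == nil)
}
```

The point of using an authenticated mode here is that a wrong key is detected rather than yielding garbage: the failed tag check is what turns "same key everywhere" from a silent property into a visible one. The per-install key only helps if it is actually stored with tighter access than the configuration file itself; a random key written next to the file with the same permissions gains nothing.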

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.