Top 10s in Cybersecurity for July’23: 365° Security
Welcome to the July’23 edition of “365° Security”! As the digital landscape continues to evolve, so does the realm of cybersecurity. This month, we delve deep into the most significant developments that have shaped the cybersecurity world. From emerging threat actors and groundbreaking malware to innovative techniques and procedures, our “Top 10s in Cybersecurity” list provides a comprehensive overview of the latest trends and challenges. Whether you’re a seasoned professional or just starting your journey in the cybersecurity domain, this compilation is tailored to keep you informed and ahead of potential threats. Dive in and discover the pivotal moments that have defined cybersecurity in July’23.
What Happened on the Dark Web in July’23?
New Ransomware that Emerged in July’23
Ransomware with Numbers in July’23
Top 10 Ransomware Groups in July’23
Top 10 Threat Actors in July’23
Top 10 Cyber Incidents in July’23
Key Findings:
➡️ An unknown threat actor has been using a variant of the Yashma ransomware to target entities in English-speaking countries, Bulgaria, China, and Vietnam since June 4, 2023.
➡️ Cisco Talos attributes the operation, with moderate confidence, to an adversary likely of Vietnamese origin.
➡️ The ransomware uses an uncommon technique to deliver its ransom note. Instead of embedding the note in the binary, it downloads the note from a GitHub repository controlled by the actor.
➡️ Yashma is a rebranded version of another ransomware called Chaos. Before Yashma’s emergence, the Chaos ransomware builder was leaked.
➡️ The ransom note resembles the WannaCry ransomware, possibly to obscure the threat actor’s identity. The note provides a wallet address for payment but doesn’t specify the amount.
➡️ The cybersecurity industry has observed that leaks of ransomware source code and builders are leading to the creation of new ransomware variants, resulting in more attacks.
➡️ Ransomware builders allow users to customize ransomware without exposing the source code.
➡️ There has been a significant increase in ransomware attacks, with Malwarebytes recording 1,900 incidents in countries like the U.S., Germany, France, and the U.K. This surge is mainly due to the Cl0p group’s activities, which exploit zero-day vulnerabilities.
➡️ Akamai reported a 143% increase in ransomware victims in Q1 2023 compared to the same period in the previous year. The Cl0p group has seen a 9x growth in its victims year over year.
➡️ Trend Micro detailed a ransomware attack by TargetCompany (also known as Mallox or Xollam) that used a fully undetectable obfuscator engine called BatCloak. This engine helps infect systems with trojans like Remcos RAT and maintains a stealthy presence on targeted networks.
2. Cybercriminals are increasingly using the EvilProxy Phishing Kit to Target Executives
Key Findings:
➡️ Threat actors are leveraging the EvilProxy Phishing-as-a-Service (PhaaS) toolkit to execute account takeover attacks, specifically targeting high-ranking executives in major companies.
➡️ Proofpoint reports that between March and June 2023, this hybrid campaign targeted thousands of Microsoft 365 user accounts, dispatching around 120,000 phishing emails to numerous organizations globally.
➡️ Of the compromised users, 39% are C-level executives, with CEOs making up 9% and CFOs 17%. The attacks have particularly focused on individuals with access to financial resources or confidential data. Remarkably, 35% of these compromised users had extra account security measures in place.
➡️ These campaigns are a reaction to the growing adoption of multi-factor authentication (MFA) in businesses. To bypass these security measures, attackers are using adversary-in-the-middle (AitM) phishing kits to extract credentials, session cookies, and one-time passwords.
➡️ EvilProxy, first identified by Resecurity in September 2022, can compromise user accounts linked to various platforms, including Apple iCloud, Facebook, Google, Microsoft, and more. The toolkit is available for subscription, ranging from $400 to $600 monthly.
➡️ PhaaS toolkits simplify the process for less tech-savvy criminals to conduct large-scale, sophisticated phishing attacks cost-effectively.
➡️ The latest attacks involve phishing emails impersonating trusted services like Adobe and DocuSign. These emails contain malicious URLs that lead victims to a fake Microsoft 365 login page, which acts as a reverse proxy to discreetly capture the entered information.
➡️ Interestingly, the attacks intentionally avoid user traffic from Turkish IP addresses, suggesting the campaign operators might be located in Turkey.
➡️ Once an account is successfully taken over, the attacker implements measures to solidify their presence within the organization’s cloud environment. This includes adding their MFA method, ensuring continuous remote access, and facilitating lateral movement and malware distribution.
➡️ The primary objective of these attacks is to compromise and exploit valuable cloud user accounts, assets, and data.
➡️ Additionally, Imperva disclosed an ongoing Russian-origin phishing campaign since May 2022, which aims to deceive potential victims and steal their credit card and bank details through malicious links shared via WhatsApp.
➡️ Another attack method observed by eSentire involves malicious actors reaching out to marketing professionals on LinkedIn to distribute malware named HawkEyes, which subsequently launches Ducktail, an information stealer focusing on collecting Facebook Business account data.
3. Hackers use the Open-Source Merlin Post-exploitation Toolkit in Attacks
Key Findings:
➡️ Merlin is a Go-based cross-platform post-exploitation toolkit freely available on GitHub. It is designed for red team exercises and provides a comprehensive set of features to gain a foothold in compromised networks.
➡️ The toolkit supports various communication and encryption protocols, including HTTP/1.1 over TLS, HTTP/3, PBES2, and AES Key Wrap. It also offers features like domain fronting, integrated Donut, sRDI, and SharpGen support, and dynamic changes in the agent’s JA3 hash for evading detection.
➡️ Threat actors are now misusing Merlin, similar to another tool called Sliver, to conduct their attacks and propagate within compromised networks.
➡️ CERT-UA, the Computer Emergency Response Team of Ukraine, detected the use of Merlin in attacks initiated by phishing emails that impersonated the agency. These emails contained a CHM file attachment, which, when opened, executed a series of scripts leading to the deployment of the “ctlhost.exe” executable. Running this executable infects the system with MerlinAgent, granting attackers access to the victim’s machine and network.
➡️ The first of these attacks was observed on July 10, 2023, using a “UAV training” bait in the phishing emails.
4. New Threat Profile: Rhysida Ransomware
Key Findings:
➡️ The Rhysida Ransomware Group emerged in May 2023 and presents itself as a “cybersecurity team.” They target systems, highlight potential security issues, and threaten victims by publicly distributing stolen data.
➡️ Rhysida operates as a Ransomware-as-a-Service (RaaS) group. Their first significant attack was against the Chilean Army, emphasizing a trend of ransomware groups targeting Latin American government institutions. On June 15, 2023, they leaked files from the Chilean Army, confirming their claims.
➡️ Rhysida’s primary attack methods include deployment via Cobalt Strike and phishing campaigns. Their ransom notes are in PDF format, placed in affected folders on targeted drives. They threaten victims with public data distribution, aligning with the double-extortion strategy.
➡️ The ransomware is a 64-bit Portable Executable (PE) Windows application using a 4096-bit RSA key with the ChaCha20 algorithm for encryption. The ransom note is embedded in the binary in clear text.
➡️ Rhysida’s TOR page showcases its logo, current auctions, and a total number of victims. Victims can communicate with Rhysida using a token provided in the ransom note.
➡️ The primary targets of Rhysida are organizations in the Education and Manufacturing sectors. They are mainly active in North America, Europe, and Australia, with the U.S., Italy, Spain, and the U.K. being the most targeted countries.
➡️ Recent attacks show a focus on the education sector, with the University of West Scotland being a notable victim.
➡️ There are speculations of a relationship between Rhysida and Vice Society, as both groups predominantly target the education sector.
➡️ To defend against Rhysida, organizations are advised to use virtual patching, phishing awareness training, endpoint security solutions, immutable backups, network segmentation, firewalls, intrusion detection systems, and a clear incident response plan. It’s also crucial to follow the least privilege principle.
5. RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Key Findings:
➡️ RedHotel, previously known as TAG-22, is a prominent Chinese state-sponsored threat group.
➡️ The group’s operations spanned 17 countries across Asia, Europe, and North America from 2021 to 2023. They have targeted various sectors, including academia, aerospace, government, media, telecommunications, and research.
➡️ RedHotel has a particular focus on Southeast Asian governments and private companies in specific sectors. The infrastructure used by the group for malware command-and-control, reconnaissance, and exploitation is believed to be administered from Chengdu, China.
➡️ The group’s activities align with other contractor groups associated with China’s Ministry of State Security (MSS), suggesting a concentration of cyber talent and operations in Chengdu.
➡️ RedHotel’s missions encompass both intelligence gathering and economic espionage. They target government entities for traditional intelligence purposes and organizations involved in COVID-19 research and technology R&D.
➡️ In 2022, RedHotel notably compromised a US state legislature, showcasing its expanding operational reach. The group employs a multi-tiered infrastructure, focusing on reconnaissance and maintaining long-term access to networks via command-and-control servers.
➡️ Since 2019, RedHotel has maintained a high operational tempo, targeting both public and private sector organizations worldwide. They utilize a combination of offensive security tools, shared capabilities, and custom tooling.
➡️ Despite being publicly exposed, the group’s bold approach indicates that they are likely to continue their cyber-espionage activities in the future.
6. Surveillanceware: WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41
Key Findings:
➡️ Lookout has attributed the advanced Android surveillanceware WyrmSpy and DragonEgg to the infamous Chinese espionage group APT41. This group has continued its activities despite recent indictments by the U.S. government.
➡️ APT41 targets a diverse range of public and private sector organizations. This includes nation-state governments, software development companies, computer hardware manufacturers, telecommunications providers, social media companies, and video game companies.
➡️ The shift of a well-established threat actor like APT41 towards mobile devices indicates the high value of data on these endpoints. Both WyrmSpy and DragonEgg employ modules to conceal their malicious activities and evade detection.
➡️ WyrmSpy and DragonEgg were first reported in October 2020 and January 2021, respectively. They both have advanced data collection and exfiltration capabilities, hiding these functions in additional modules that are downloaded post-installation.
➡️ APT41, also known as Double Dragon, BARIUM, and Winnti, has been active since 2012. Unlike many state-sponsored APT groups, APT41 engages in both espionage and financial gain activities. They have compromised over 100 organizations globally, including in the U.S., Australia, Japan, India, South Korea, Singapore, and Taiwan.
➡️ The U.S. Department of Justice’s indictment named five individuals associated with APT41, with three of them publicly listed in leadership roles at the Chinese company Chengdu 404 Network Technology Co., Ltd.
➡️ WyrmSpy and DragonEgg are connected through overlapping Android signing certificates. Lookout was able to link the two malware to APT41 due to a connection between the command-and-control (C2) infrastructure embedded in the malware’s source code and Chengdu 404.
➡️ WyrmSpy primarily disguises itself as a default Android system app, while DragonEgg often masquerades as a third-party keyboard or messaging app like Telegram. The distribution method is believed to involve social engineering campaigns, and no apps containing this malware have been found on Google Play.
➡️ Both malware families request extensive device permissions and rely on modules downloaded after installation for data exfiltration. WyrmSpy uses rooting tools to gain escalated privileges on the device, while DragonEgg seems to rely on a secondary payload for its surveillance functions.
7. Space Pirates: A Look into the Group’s Unconventional Techniques, New Attack Vectors, and Tools
Key Findings:
➡️ The Space Pirates group has been active since at least 2019. They primarily target organizations in the financial sector, especially in the Asia-Pacific region. The group uses a combination of custom and publicly available tools.
➡️ The group employs spear-phishing emails with malicious attachments to gain initial access. They use a multi-stage infection process, starting with a lightweight downloader, followed by a more complex payload. The group’s malware is designed to evade detection by security solutions.
➡️ Over this period, the group has developed many tools, including “StarLoader,” “StarC2,” and “StarStealer.” These tools have evolved over time, with newer versions having enhanced capabilities.
➡️ The Space Pirates use a network of compromised websites for command and control (C2) communication. They also employ domain fronting techniques to hide their C2 traffic.
Conclusion:
➡️ The group’s activities highlight the importance of continuous monitoring and updating of security solutions. Organizations are advised to be vigilant and adopt a proactive approach to cybersecurity.
8. Dangerous Password Attacks on Windows, macOS, and Linux
In Windows environments, the attacks originate from Python malware. The attacker takes the builder.py file of the pyqrcode Python module ( https://github.com/mnooner256/pyqrcode ), a module for handling QR codes, inserts malicious code into it, and distributes the modified file to the target in some way. The target, unaware of the malicious code, executes the file, which can then download and install additional malware. Figure 1 shows the attack flow in a Windows environment when the Python malware is executed. The Python malware is a simple downloader that fetches MSI files from an external source and executes them.
In macOS and Linux environments, the encoded string is decoded, saved as a file called log.tmp, and then executed as a Python file. A user ID generated from random values and OS environment information are sent to the C2 server every minute. The data received from the C2 server is then BASE64-decoded, saved as a file named tmp.py, and executed as a Python file. A distinctive characteristic is that the request and response strings contain git-related elements.
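The attack above relies on a legitimate module file (builder.py) being modified after the fact. As an added illustration that is not part of the original post, the following Python check recomputes file hashes against the RECORD manifest that pip writes into the package's dist-info directory at install time, which catches exactly this kind of post-install edit. The package layout, the version string and the injected line are constructed for the example.

```python
"""Verify installed package files against the wheel RECORD manifest.

pip writes a RECORD file in <name>-<version>.dist-info listing each installed
file as "path,sha256=<urlsafe-base64-without-padding>,size". Recomputing each
hash exposes a post-install edit such as a trojanised builder.py. The package
below is constructed for this example; the version string is a placeholder."""
import base64
import csv
import hashlib
import os
import tempfile

DIST_INFO = "pyqrcode-0.0.0.dist-info"  # placeholder version, not a real release

def record_hash(data: bytes) -> str:
    """Hash encoding used by RECORD: sha256, urlsafe base64, '=' stripped."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def verify_record(site_packages: str, dist_info: str) -> list:
    """Return RECORD paths whose file is missing or whose hash no longer matches."""
    tampered = []
    with open(os.path.join(site_packages, dist_info, "RECORD"), newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 2 or not row[1]:  # RECORD lists itself without a hash
                continue
            path = os.path.join(site_packages, row[0])
            if not os.path.isfile(path):
                tampered.append(row[0])
                continue
            with open(path, "rb") as f:
                if record_hash(f.read()) != row[1]:
                    tampered.append(row[0])
    return tampered

def build_demo_site_packages() -> str:
    """Write a minimal fake 'pyqrcode' install plus its RECORD, then append a
    line to builder.py the way a post-install tamper would. Returns the root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pyqrcode"))
    os.makedirs(os.path.join(root, DIST_INFO))
    files = {
        "pyqrcode/__init__.py": b"from .builder import QRCodeBuilder\n",
        "pyqrcode/builder.py": b"class QRCodeBuilder:\n    pass\n",
    }
    rows = []
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        rows.append([rel, record_hash(data), str(len(data))])
    rows.append([DIST_INFO + "/RECORD", "", ""])
    with open(os.path.join(root, DIST_INFO, "RECORD"), "w", newline="") as fh:
        csv.writer(fh).writerows(rows)
    with open(os.path.join(root, "pyqrcode", "builder.py"), "ab") as f:
        f.write(b"# constructed stand-in for injected code\n")
    return root

if __name__ == "__main__":
    print(verify_record(build_demo_site_packages(), DIST_INFO))
```

Pointing verify_record at a real site-packages directory and dist-info folder gives the same mismatch list for an actual install.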
Key Findings:
➡️ Chinese threat actors have been identified as targeting European entities in a cyber espionage campaign dubbed “SMUGX.”
➡️ The attackers use advanced techniques to bypass security measures, including the use of zero-day vulnerabilities.
➡️ The primary targets of the SMUGX campaign include government institutions, defense contractors, and technology companies in Europe.
➡️ The campaign deploys a new strain of malware, which is capable of stealing sensitive information and establishing a persistent presence on compromised systems.
➡️ The tactics, techniques, and procedures (TTPs) observed in the SMUGX campaign are consistent with those of known Chinese Advanced Persistent Threat (APT) groups.
➡️ The campaign’s objectives appear to be related to gathering intelligence on European defense capabilities, technological advancements, and political strategies.
➡️ Organizations are advised to keep their systems updated, employ advanced threat detection solutions, and educate employees about the risks of phishing attacks.
➡️ The SMUGX campaign highlights the ongoing cyber threats posed by nation-state actors and underscores the need for international cooperation in cybersecurity.
10. Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
Key Findings:
➡️ Malvertising Technique: Malware distributors hijack keywords on advertising platforms like Google Ads to display malicious ads, luring users into downloading malware.
➡️ Attack Chain: Users searching for “WinSCP Download” on Bing encounter a malicious ad leading to a suspicious website. The website redirects users to a cloned WinSCP download page, from which an ISO file is downloaded. The ISO contains two files: setup.exe (a renamed msiexec.exe executable) and msi.dll (a delay-loaded DLL acting as a dropper for the real WinSCP installer and a malicious Python execution environment).
➡️ Threat Actor Activities: The actors stole top-level administrator privileges and conducted unauthorized activities. They attempted to establish persistence using remote management tools like AnyDesk and tried to access backup servers.
➡️ Tools and Techniques: The actors used AdFind for Active Directory enumeration, AccessChk64 to check security permissions, and findstr to search for specific strings in files. PowerShell scripts, including PowerView, were executed for AD reconnaissance and enumeration. The actors also used PsExec, BitsAdmin, and curl for lateral movement and tool downloads.
➡️ Defense Tampering: A detailed KillAV BAT script was used in an attempt to tamper with Trend protections, but the attempt was unsuccessful due to the agent’s self-protection features. Efforts were also made to stop Windows Defender using a different KillAV BAT script.
➡️ Persistence: The threat actor installed the AnyDesk remote management tool (renamed as install.exe) to maintain persistence in the environment.
➡️ Recommendations: Attackers are becoming more adept at exploiting vulnerabilities, emphasizing the importance of early detection and response. Recommendations include educating employees about phishing, monitoring and logging activities, defining normal network traffic, improving incident response, and engaging with cybersecurity professionals.
➡️ Related Threats: In another investigation, the same TTPs led to a BlackCat infection. The actors used the SpyBoy terminator and the PuTTY Secure Copy client (PSCP) for data exfiltration. A possible related Cl0p ransomware file was also discovered.
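Two of the findings above (setup.exe that is really msiexec.exe loading a malicious msi.dll beside it, and AnyDesk installed as install.exe) share one detectable trait: the file name on disk does not match the binary's embedded OriginalFileName, or a system DLL is loaded from outside the system directory. As an added example that is not part of the original report, the Python below triages constructed Sysmon-style process-creation and image-load records for both patterns; the field names, the watchlist and the sample records are assumptions.

```python
"""Triage process-creation and image-load records for two patterns from the
WinSCP malvertising chain: an executable whose on-disk name differs from its
PE OriginalFileName, and a system DLL (msi.dll) loaded from a non-system
directory. Records are constructed in Sysmon Event ID 1 / 7 style; the field
names, the watchlist and the sample values are assumptions for this example."""
import ntpath

# Binaries whose renamed use is a stronger signal (constructed watchlist).
WATCHLIST = {"msiexec.exe", "anydesk.exe", "psexec.exe", "bitsadmin.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_renamed(image: str, original_file_name: str) -> bool:
    """True when the on-disk name differs from the embedded OriginalFileName.
    Missing version info is not evidence either way, so that returns False."""
    if not original_file_name:
        return False
    return ntpath.basename(image).lower() != original_file_name.lower()

def renamed_binaries(proc_events: list) -> list:
    """Return (image, original name, severity) for each renamed executable."""
    hits = []
    for ev in proc_events:
        orig = ev.get("OriginalFileName", "")
        if is_renamed(ev["Image"], orig):
            severity = "high" if orig.lower() in WATCHLIST else "medium"
            hits.append((ev["Image"], orig, severity))
    return hits

def sideloaded_system_dlls(load_events: list, dll_names=("msi.dll",)) -> list:
    """Return (process image, dll path) when a named system DLL is loaded
    from a directory other than the Windows system directories."""
    hits = []
    for ev in load_events:
        loaded = ev["ImageLoaded"]
        if (ntpath.basename(loaded).lower() in dll_names
                and not loaded.lower().startswith(SYSTEM_DIRS)):
            hits.append((ev["Image"], loaded))
    return hits

# Constructed sample records (not real telemetry); E: stands in for a mounted ISO.
PROC_EVENTS = [
    {"Image": r"E:\setup.exe", "OriginalFileName": "msiexec.exe"},
    {"Image": r"C:\Users\alice\Downloads\install.exe", "OriginalFileName": "AnyDesk.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Tools\inhouse.exe", "OriginalFileName": ""},
]
LOAD_EVENTS = [
    {"Image": r"E:\setup.exe", "ImageLoaded": r"E:\msi.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ImageLoaded": r"C:\Windows\System32\msi.dll"},
]

if __name__ == "__main__":
    for hit in renamed_binaries(PROC_EVENTS) + sideloaded_system_dlls(LOAD_EVENTS):
        print(hit)
```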