CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 59: June 05 2023

Links

https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html
https://thehackernews.com/2023/06/camaro-dragon-strikes-with-new-tinynote.html
https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34362

New Backdoor Malware for Intelligence Gathering

  • Camaro Dragon
    • Chinese nation-state group
    • another backdoor application
      • intelligence-gathering
    • overlaps with a threat actor.
      • Mustang Panda
        • state-sponsored group
        • from China
        • known to be active since at least 2012.
      • TinyNote
        • Go-based malware.
        • functions as a first-stage payload
          • basic machine enumeration
          • command execution via PowerShell or Goroutines.
        • multiple persistency tasks
          • establishing redundant methods
            • retain access to the compromised host.
          • distributed using names related to foreign affairs.
            • PDF_ Contacts List Of Invitated Deplomatic Members
          • target Southeast and East Asian embassies.
          • specifically bypass an Indonesian antivirus solution called Smadav

New Ransomware Exhibit Striking Similarities with an older name

  • Trend Micro
    • Researchers have discovered a new ransomware family.
      • BlackSuit
        • targets Windows and Linux users
      • similarities it shares with the notorious Royal ransomware.
    • Royal ransomware
      • first observed in early 2022
      • Dev-0569
        • gang that operates Royal
      • highly sophisticated and quickly evolving malware strain.
      • November 2022
        • 43 new victims
          • demanding between $250,000 and $2 million per compromise
        • financial gain
          • extortion
            • large enterprise
          • comparisons to other ransomware gangs
            • Conti and Ryuk
            • indicating that they may have splintered away.
          • Rather than selling Royal as a ransomware-as-a-service (RaaS)
            • purchases direct access to corporate networks from underground Initial Access Brokers (IABs)
            • manages the attack campaigns internally.
            • employs double extortion tactics.
              • extorting victims for deleting stolen data
              • threatening to make it public.
                • in addition to ransom demands for the decryption of infected files.
              • BlackSuit
                • Windows 32-bit version
                • ESXi 64-bit version
                • appends the file extension .blacksuit to encrypted files.
                • leaves a ransom note.
                  • information about the attack
                  • a unique ID for the victim
                  • TOR Chat site link for communication
                  • data leak site to post leaked data in case a victim does not pay the ransom.
                    • only one victim currently
  • Similarities
    • BlackSuit supports the use of several command-line arguments.
      • like those used by Royal.
      • includes some additional arguments do not present in Royal.
    • Both malwares use comparative intermittent encryption techniques, including OpenSSL’s AES encryption algorithm and similar formulas and numbers when comparing file size.
    • When comparing the source code used in the 64-bit samples of the two malwares, there is a 98% similarity in used functions, 98.9% in BinDiff-based jump statements, and 99.5% in blocks.
    • Similarly, a comparison of the code used in 32-bit samples exhibits 99.3% resemblance in basic blocks, 93.2% in used functions, and 98.4% in jumps based on BinDiff.

Discord Admins hit with malicious Bookmark.

  • Discord Communities Hit
    • Focused on Crypto discord communities.
    • Administrators Tricked
      • running malicious JavaScript code
        • disguised as a Web browser bookmark.
      • contacted by a “reporter” for interview.
        • Crypto Focused new outlet
        • Sent a link to the news orgs “official discord.”
          • complete a verification step to validate their identity.
            • involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser.
              • How does this verify?
            • instructed to go back to discord.com and then click the new bookmark to complete the verification process.
          • Bookmark
            • snippet of JavaScript
              • grabs the user’s Discord token.
              • sends it to the scammer’s website.
                • They take the token and use it.
                • after a little bit
              • Attack
                • Now as Admin
                  • change the server’s access controls.
                  • remove all core team members from the server.
                  • posts an announcement.
                    • an exclusive “airdrop,” “NFT mint event” or some other potential money-making opportunity for the Discord members.
                  • Have access if Admin doesn’t log out and back in, or else change their credentials.
                • Discord members click the link provided.
                  • asked to connect their crypto wallet to the scammer’s site.
                  • asks for unlimited spending approvals.
                  • drains the balance of any valuable accounts.

MOVEit Transfer zero-day mass-exploited in data theft attacks.

  • MOVEit Transfer
    • file transfer software
    • developed by Ipswitch.
      • subsidiary of US-based Progress Software Corporation
    • securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.
    • offered as an on-premises solution managed by the customer.
    • cloud SaaS platform managed by the developer.
  • CVE-2023-34362
    • Version Impacted
o   Affected Version o   Fixed Version o   Documentation
o   MOVEit Transfer 2023.0.0 o   MOVEit Transfer 2023.0.1 o   MOVEit 2023 Upgrade Documentation
o   MOVEit Transfer 2022.1.x o   MOVEit Transfer 2022.1.5 o   MOVEit 2022 Upgrade Documentation
o   MOVEit Transfer 2022.0.x o   MOVEit Transfer 2022.0.4
o   MOVEit Transfer 2021.1.x o   MOVEit Transfer 2021.1.4 o   MOVEit 2021 Upgrade Documentation
o   MOVEit Transfer 2021.0.x o   MOVEit Transfer 2021.0.6
  • Danger
    • SQL injection vulnerability
      • could allow an unauthenticated attacker to gain access to MOVEit database.
      • an attacker may be able to infer information about the structure and contents of the database.
      • Execute SQL statements that alter or delete database elements.
        • perform mass downloading of data.
      • exploitation of unpatched systems can occur via HTTP or HTTPS.
    • Who/How Long
      • Not attributed to any group
      • Not sure how long
    • Fix?
      • developers warn admins to block external traffic to ports 80 and 443 on the MOVEit Transfer server.
        • prevent external access to the web UI.
        • prevent some MOVEit Automation tasks from working.
        • block APIs
        • prevent the Outlook MOVEit Transfer plugin from working.
      • check the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files, including backups or large file downloads.
        • indicators that the threat actors have stolen data.
        • in the process of doing so.
      • Until a patch is released for your version
        • it is strongly advised that organizations shut down any MOVEit Transfers
        • perform a thorough investigation for compromise before applying the patch.