Links

https://www.hackread.com/diicot-hackers-ssh-servers-brute-force-malware/
https://www.securityweek.com/barracuda-zero-day-attacks-attributed-to-chinese-cyberespionage-group/
https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/
https://cyware.com/news/third-bug-in-moveit-transfer-found-d35a9335
https://www.helpnetsecurity.com/2023/06/19/cve-2023-35708/
https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-of-new-flaw-as-poc-info-surfaces/
https://cyberscoop.com/energy-department-cl0p-moveit-cisa/

New Threat Group Targets SSH Servers

• Cado Labs Researchers
  • Diicot
    • emerging Romanian threat actor
    • AKA Mexals
    • extensive technical knowledge
    • active since 2020
• new campaign
  • Cayosin botnet
    • Mirai-based botnet agent
  • target routers running the Linux-based OS OpenWRT
  • targets are the internet exposed SSH servers with password authentication enabled.
  • username and password list is pretty restrictive
    • including only default or easy-to-guess credentials.
• Tactics
  • Shell Script Compiler
    • make loader scripts difficult to analyze.
  • UPX (unpacker)
    • Ultimate Packer for Executables
    • modified header with the byte sequence 0x59545399.
    • UPX header prevents unpacking through the standard command.
      • Making to harder to detect
      • upx dex utility created by Akamai’s Larry Cashdollar, and the sequence can be identified by detection tools.
    • Discord
      • For C2
        • supports HTTP POST requests to a webhook URL.
      • Snowflake timestamps in the links
        • allowing for data exfiltration and viewing campaign statistics
        • creation dates within a given channel.

Barracuda Zero-Day Attacks

• Barracuda Network
  • Founded 2003
  • security, networking, and storage products based on network appliances and cloud services.
• Attacks
  • CVE-2023-2868
    • Barracuda Email Security Gateway (ESG)
      • module designed for the initial screening of email attachments.
  • the targeted entity an email containing a specially crafted TAR file as an attachment.
    • likely crafted the body and subject of the message to appear as generic spam.
      • flagged by spam filters.
      • dissuade security analysts from performing a full investigation.
  • Discovered by Barracuda
  • May 18
  • Engaged Mandiant (owned by Google Cloud)
  • Exploited since at least October 2022
  • execute a reverse shell, after which they downloaded custom backdoor malware.
    • SeaSpy, SaltWater and SeaSide
    • C&C communications, downloading and executing files, executing commands, and providing proxying capabilities.
• Attribution
  • UNC4841
  • high confidence
    • on behalf of Chinese government
• Protection
  • Barracuda urged customers to immediately replace compromised appliances.
    • Hinting that the patch may not fully protect devices.
    • attackers started modifying their malware and deploying additional persistence mechanisms.

GravityRAT goes after WhatsApp backups.

• ESET researchers
  • updated version of Android GravityRAT spyware
  • distributed as the messaging apps BingeChat (on going) and Chatico (no longer active)
• GravityRAT
  • Used since 2015
  • RAT = Remote Access Tool
  • used in targeted attacks against India.
  • Windows, Android, and macOS versions
  • exfiltrate WhatsApp backups and receive commands to delete files.
  • provide legitimate chat functionality.
• Attack
  • bingechat[.]net
    • login required.
    • registration closed.
      • possibly only open as needed (or another factor)
  • made available in the Google Play store.

Third MOVEit Bug Discovered

• Story
• First Bug
  • CVE-2023-34362
  • Utilized by Cl0p cyber extortion gang.
• Second Bug
  • CVE-2023-35036
  • Huntress researchers partnering with Progress.
    • Code review
• Third Bug
  • CVE-2023-35708
  • No evidence to be exploited yet.
  • escalated privileges and unauthorized access
  • crafted payload to a MOVEit Transfer application endpoint result in modification and disclosure of MOVEit database content
• Cl0p ransomware group
  • The Cl0p ransomware gang has claimed responsibility for launching multiple attacks involving the first MOVEit Transfer vulnerability.
  • According to a representative from the group, it began exploiting the vulnerability on May 27.
  • Following the deadline of June 14, the Cl0p ransomware group publicly disclosed the names of over two dozen organizations affected by the attacks.
    • Victims
      • The list includes
        • multinational oil and gas company Shell
        • several banks
        • media companies
        • universities
        • two entities of the US Department of Energy
          • Oak Ridge Associated Universities
          • contractor at Oak Ridge National Laboratory
        • the Oregon Department of Transportation
    • “CLOP did state that government data will be deleted and not retained or shared.
      • To avoid being a target of any governemtn
    • Rewards for Justice program
      • US State Department
        • offered a considerable monetary reward for individuals who “have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.”
• Protect Yourself
  • A patch for the latest vulnerability is currently being tested and will be released soon.
  • MOVEit Transfer customers are advised to disable HTTP and HTTPs traffic until patched.
  • temporary measure, modifying firewall rules to block traffic on ports 80 and 443.
    • web UI login will be unavailable.

file transfers can still be conducted using SFTP and FTP/s protocols