Internet threat news

The recent Exchange Server vulnerability and news that the flaws were being used to spread ransomware dominated many InfoSec headlines. However, Kaspersky’s recent discovery of the Cring ransomware strain using an old VPN vulnerability as the initial attack vector reminds us that ransomware operators can always dig into the old bag of tricks to pull off a successful attack.

On January 26, 2021, Swisscom CSIRT tweeted,

Since April 3, 2021, several reports emerged of a trove of data belonging to Facebook users that had been leaked online for free. The data included namely mobile phone numbers but also includes names, emails, gender information, occupations, as well as several location identifiers. The stolen data first emerged on the forum in July 2020, when one member began selling the information to other members of the underground hacking forum.

The sale of data on such forums is standard practice for those stealing sensitive data from other organizations. However, this instance was notable as a lot of the information could be scraped from the public-facing user-profiles and the mobile numbers associated with accounts were private. That means they should not have been accessible in the same manner information on the public profiles is. In total the sold data included 533,313,128 Facebook users. Researchers discovered that the large majority of the stolen data sets included a private mobile number as well as a Facebook ID, a name, and the member's gender.

2020 was seen by many as a bumper year for DDoS attacks. The survey was conducted by the Neustar International Security Council (NISC) and showed that the majority of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the number of respondents that acknowledged that they had suffered such an attack went up from 60% in 2019 to 74% in 2020. 2021 promises to be no different and highly likely worse with the advent of Ransom Distributed Denial of Services attacks exceeding 800 Gbps.

Distributed Denial of Service, or DDoS, attacks are attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is done by using botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device. Hackers will connect thousands of infected devices to send requests to the target server to the point where the server cannot handle the traffic.

Schools and Universities continue to be a favored target of ransomware operators. Previously, this publication covered how the US Federal Bureau of Investigation issued an alert warning the education sector that the operators of the Pysa ransomware, a variant of the Mespinoza, was actively being used in campaigns against schools and universities. Over the past weekend, another schooling organization was hit by a ransomware attack. This time across the Atlantic.

Reports began emerging that the Harris Federation, which runs some 50 schools in London and Essex in the United Kingdom, had to temporarily disable their email system, leaving nearly 40,000 students without the service during a time when many students are remotely attending certain classes given the current pandemic.

Initially discovered in 2018, Purple Fox, a trojan spread by phishing emails and RIG exploits has been seen in several active campaigns since its discovery. Now the malware has added another distribution method to its tool kit. The malware is now capable of being spread via what researchers call a worm-like capability, better described as “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.”

The new distribution method was discovered by researchers at Guardicore Labs, who announced the discovery recently via a report. The report is technical in nature but makes for interesting reading for those following Purple Fox’s development since its discovery. The discovery was made when Guardicore Global Sensors Network (GGSN) telemetry began picking up increased Purple Fox activity in mid-2020. Activity trailed off in November that same year till January 2021, followed by another surge in inactivity. Researchers determined activity has increased 600% with the total number of attacks being estimated at 90,000.

Security researchers have discovered a new piece of malware capable of compromising systems running macOS. In particular, the malware targets developers who make use of the Xcode projects integrated developer environment (IDE). Typically, developers developing apps for macOS or iOS make use of Xcode to better make use of features unique to those two platforms both developed and maintained by Apple. The malware was discovered by researchers working at Sentinel Labs, with details of the malware being published by the security firm recently.

The malware, named XcodeSpy, abuses the RunScript functionality found within Xcode. The malware is currently being distributed via an open-source Xcode project available on Github. The attackers are looking to take advantage of a community of developers who share tools and applications to better assist other developers. The malicious developer tool discovered by researchers is a ripped and modified version of TabBarInjection, which is a legitimate project that assists developers in creating interactive tab and navigation bars. It is important to note that the legitimate TabBarInjection has not been compromised.

Researchers at Proofpoint have published a report detailing a newly discovered piece of malware that attempts to steal account information about popular service providers, including Google, Facebook, Amazon, and Apple. Not only does the malware can steal account passwords and cookies but can also drop other malware onto the infected device. Called CopperStealer, the malware is being used by threat actors to push other strains of malware through malvertising campaigns.

The malware was discovered on 29 January 2021, when a Twitter user, TheAnalyst shared a malware sample with Proofpoint that triggered their malware detection systems. Following an investigation, the malware was discovered to have password and cookie stealing capabilities along with a downloader that could be used to drop other malware strains onto infected devices. The investigation also uncovered malware samples dating back to July 2019, possibly indicating that the malware has been in development for some time. According to researchers, one sample analyzed showed that the malware targeted Facebook and Instagram advertisers. However, previous samples showed versions capable of targeting users of other major service providers including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter.

The US Federal Bureau of Investigation’s Cyber Division published an alert on March 16, 2021, warning readers that those behind the Pysa ransomware were actively targeting institution in the education sector. Institutions targeted include higher education, K-12 schools, and seminaries in 12 US states and the United Kingdom. The warning further stated, “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors,”

Activity dating back to March 2020, is in line with known campaigns involving the ransomware strain. In the same month, this publication covered similar warnings issued by France’s Computer Emergency Response Team (CERT). In this instance, the warnings centered around French government departments been targeted by threat actors. Pysa named so because of the extension .PYSA added to the end of encrypted files, is seen by security researchers as a variant of Mespinoza ransomware and was first spotted in late 2019. The discovery came as several companies began reporting that they had suffered a ransomware incident from a yet unknown strain.

When news broke that the state-sponsored threat group Hafnium was actively exploiting four Microsoft Exchange zero-days the InfoSec community waited with bated breath to see when other groups would begin to target the same flaws. This would only take a few days till news that the fear of other threat actors exploiting the flaws arrived. This was then followed by the fear that ransomware may be dropped onto vulnerable machines accessed by attackers using the flaws. That day has seemingly arrived.

In summary, Microsoft disclosed that they and other security firms had discovered Hafnium exploiting four previously unknown vulnerabilities within Microsoft’s Exchange package. Patches have been released, and Microsoft even released patches for versions of Exchange that had reached end-of-life status. Hafnium is described as a Chines state-sponsored group that targets the US, and global, organizations via creating a web shell once access is granted.

Security researchers at Proofpoint have discovered a new initial access granting piece of malware written in a programming language rarely used for compiling malicious code. The language used in Nim and is possibly best described as a language being as “fast as C, as expressive as Python, and as extensible as Lisp.” Use of the language is incredibly rare, with only a few malware variants discovered and only really being posted to Twitter. NimzaLoader may be the first Nim written piece of malware to be analyzed thoroughly with such details being released to the public, at least to the best of the writer’s knowledge. However, when detections of the malware were initially been discovered by researchers it looked as if it was just another campaign of a well-known trojan, BazarLoader. This provided researchers with yet another conundrum to solve in an area of expertise known for dealing with conundrums.

Last week this publication covered how the threat group named Hafnium had been seen actively exploiting four separate zero-day flaws found within Microsoft’s Exchange Server packages. A week on and more hackers and threat groups have been seen targeting these flaws to gain access to Exchange Servers where they can steal emails and other vital information. Alternatively, the access granted via the compromise can be used to drop other malicious payloads. Out-of-band patches were rolled out by Microsoft, and it is strongly recommended that patches be installed if not done so already.

Following Microsoft’s several announcements regarding the discovery and the group believed to be behind the attacks, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), issued an emergency directive instructing government departments and agencies to apply the patches as a matter of priority. The directive went so far as to instruct relevant organizations to either patch their Exchange Servers or to cut the often-vital communication tool. This is in response to CISA seeing active exploitation of the four vulnerabilities in question.

The Ryuk ransomware has long been both a thorn in the side of victims and an unmitigated success for its developers. In a sample of the malware discovered by the French National Agency for the Security of Information Systems (ANSSI), the offending ransomware has gone through yet another evolution to include worm-like capabilities that allow the malware to infect other devices across a network automatically.

In a white paper published by ANSSI details of the new variant have been illuminated upon. First observed in 2018, the code that forms the basis of the ransomware is believed to have been derived from the Hermes 2.1 ransomware. Since then Ryuk has struck several hospitals and healthcare providers, partnered with other cybercriminal organizations, and weathered numerous storms that threatened to sink operations.

Late on Tuesday, March 2, 2021, Microsoft warned of a Chinese state-sponsored group actively exploiting four zero-day vulnerabilities in targeted campaigns. Along with the warning Microsoft has also released out-of-band patches to help prevent further exploitation by the state-sponsored hacking group believed to be behind the campaign. The vulnerabilities were used to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to guarantee the long-term presence of the attackers on the target's network.

The Microsoft Threat Intelligence Center (MSTIC) has attributed the attack to HAFNIUM which is described by researchers as a new state-sponsored group that operates in China and believed to have links to the Chinese government. In a subsequent blog post, written by Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust, Burt noted that this is the first time the Redmond tech giant is discussing the group and believes the group to be both highly skilled and sophisticated. Summarizing the group's tactics and methods Burt noted,

The threat posed to critical infrastructure via cyber-attacks has long been a major concern for security researchers. Recent developments have seen ransomware gangs actively targeting critical infrastructure. The HelloKitty ransomware variant might be best known for its attack upon CD Projekt Red, but the ransomware’s operators have proved equally capable of going after power plants. The bad news for organizations within the critical infrastructure sector does not end with HelloKitty.

In a report published by Dragos, researchers uncovered the activities of four new and distinct hacking groups targeting critical infrastructure. The discovery of these four groups seemingly accounted for a 36% increase in known groups tracked by the security firm that specializes in targeting industrial control systems (ICS). Dragos previously released details of 11 other groups known for targeting the US power grid. Further, the security firm noted that issues making targeting critical infrastructure such fertile ground include, not having enough visibility with the Operation Technology (OT) network and the unsafe sharing of OT credentials across the network. What follows is a brief look at each of the four new groups identified by Dragos.