An analysis of ransomware attacks claimed to have been perpetrated by cybercriminal syndicates that was published today by NCC Group, a provider of managed security services, finds LockBit 3.0 has reemerged to claim the top spot amongst the most prominent threat actors. Previously dormant following the groups’ takedown by law enforcement officials earlier this year,..

The post Report Details Reemergence of Lockbit 3.0 Ransomware Syndicate appeared first on Security Boulevard.

After unearthing a malware campaign targeting ESXi hypervisors two years ago, researchers have now revealed extensive details into their investigation of UNC3886, a suspected China-nexus cyberespionage group targeting strategic global organizations. In January 2023, Google-owned cybersecurity firm Mandiant identified that UNC3886 had exploited a now-patched FortiOS vulnerability. In March 2023, further analysis revealed a custom malware ecosystem affecting Fortinet devices with compromised VMware technologies facilitating access to guest virtual machines.

Persistent and Evasive Techniques of UNC3886 Group

UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group's strategies include:

• Using publicly available rootkits like REPTILE and MEDUSA for long-term persistence.
• Deploying malware that leverages trusted third-party services for command and control (C2) communications.
• Installing Secure Shell (SSH) backdoors to subvert access and collect credentials.
• Extracting credentials from TACACS+ authentication using custom malware.

[caption id="attachment_77918" align="aligncenter" width="1024"] UNC3886 Attack Lifecycle (Source: Mandiant)[/caption]

Initial Access through Zero-Days

Mandiant's earlier findings detailed UNC3886's exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware's vCenter Server. This critical-rated flaw allowed unauthenticated malicious actor remote command execution on vCenter servers. Additional zero-day vulnerabilities exploited included:

• CVE-2022-41328 in FortiOS for executing backdoors on FortiGate devices. CVE-2022-22948 in VMware vCenter to access encrypted credentials in vCenter's postgres DB. CVE-2023-20867 in VMware Tools for unauthenticated guest operations from ESXi host to virtual machines.

Rootkits and Malware

The deeper investigation into UNC3886's operations also revealed their expansive malware arsenal that includes customized open-source variants.

REPTILE Rootkit

REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionalities, enabling the threat actor to maintain undetected access to compromised systems. Key components include:

• REPTILE.CMD: A user-mode component for hiding files, processes, and network connections. REPTILE.SHELL: A reverse shell backdoor activated by specific network packets. Kernel-Level Component: A loadable kernel module (LKM) for achieving rootkit functionality. LKM Launcher: A custom launcher for loading the kernel module into memory.

UNC3886 modified REPTILE for persistence and stealth using unique keywords and customized scripts to evade detection.

MEDUSA Rootkit

MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886’s strategy of using valid credentials for lateral movement. Deployment on MEDUSA involved a customized installer  called "SEAELF" and modified configuration files.

Malware Leveraging Trusted Third-Party Services

MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It was shared among Chinese cyberespionage groups and used by UNC3886 primarily on vCenter servers. RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on "systemd" for persistence but was less favored due to its detectable nature.

Network Reconnaissance and Lateral Movement

UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.

VMCI Backdoors

UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing their control over compromised environments. Notable VMCI backdoors included:

• VIRTUALSHINE: Provided access to a bash shell via VMCI sockets. VIRTUALPIE: A Python-based backdoor supporting file transfer, command execution and reverse shell capabilities.

Mandiant observed UNC3886 using valid credentials for lateral movement between guest VMs on compromised VMware ESXi. The threat actor deployed backdoored SSH clients and daemons to intercept and collect credentials stored in XOR-encrypted files.

Backdoored SSH Executables

The threat group modified SSH client (/usr/bin/ssh) and daemon (/usr/sbin/sshd) to harvest and store credentials. The SSH client stored credentials in "/var/log/ldapd<unique_keyword>.2.gz," while the SSH daemon stores them in "/var/log/ldapd<unique_keyword>.1.gz." To persist the malicious SSH components, the threat actor used yum-versionlock to prevent OpenSSH package upgrades.

Custom SSH Server

UNC3886 also used the MEDUSA rootkit to deploy a custom SSH server. They employed executables (/usr/sbin/libvird and /usr/bin/NetworkManage) to hijack SSH connections and redirect them to a Unix socket for credential collection. SELinux contexts ensured socket accessibility. Additional tools (sentry and sshdng-venter-7.0) were used on another endpoint for similar injection and redirection operations.

Indicators of Compromise (IOCs)

Mandiant has published IOCs to aid in detecting UNC3886 activities. These IOCs, along with detection and hardening guidelines, help organizations protect against sophisticated threats posed by UNC3886.

Cybersecurity researchers are tracking a novel Linux malware campaign that makes use of Discord emojis for command and control (C2) communication with attackers. The campaign’s unusual combination of Linux malware and phishing lures suggests an attack aimed at Linux desktop users, the researchers from Volexity said. “Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop,” they wrote.

Threat Actor ‘UTA0137’ Linked to Campaign

Volexity researchers connected the campaign to a Pakistan-based threat actor they call UTA0137. The researchers said they have “high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.” The researchers say they have “moderate confidence” that UTA0137 is a Pakistan-based threat actor because of the group’s targets and a few other reasons:

• The Pakistani time zone was hardcoded in one malware sample.
• There are weak infrastructure links to SideCopy, a known Pakistan-based threat actor.
• The Punjabi language was used in the malware.

The malware used by the threat group uses a modified version of the discord-c2 GitHub project for its Discord command and control (C2) communication. The malware, dubbed DISGOMOJI by the researchers, is written in Golang and compiled for Linux systems. The threat actors also use the DirtyPipe (CVE-2022-0847) privilege escalation exploit against “BOSS 9” systems, which remain vulnerable to the exploit.

Attack Starts With DSOP PDF

The malware is delivered via a DSOP.pdf lure, which claims to be a beneficiary document of India’s Defence Service Officer Provident Fund (screenshot below). [caption id="attachment_77503" align="alignnone" width="750"] The DSOP lure that downloads the malware[/caption] The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in. The payload is an instance of the DISGOMOJI malware and is dropped in a hidden folder named .x86_64-linux-gnu in the user’s home directory. DISGOMOJI, a UPX-packed ELF written in Golang, uses Discord for C2. “An authentication token and server ID are hardcoded inside the ELF, which are used to access the Discord server,”  they wrote. “The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels.” On startup, DISGOMOJI sends a check-in message in the channel that contains information like the internal IP, the user name, host name, OS and current working directory. The malware can survive reboots through the addition of a @reboot entry to the crontab, and it also downloads a script named uevent_seqnum.sh to copy files from any attached USB devices.

Discord Emojis Used for C2 Communication

C2 communication uses an emoji-based protocol, “where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.” A Clock emoji in the command message lets the attacker know a command is being processed, while a Check Mark emoji confirms that the command was executed. The researchers summarized the emoji commands in a table: [caption id="attachment_77505" align="alignnone" width="750"] The Discord emojis used to communicate with attackers (source: Volexity)[/caption] Post-exploitation activities include use of the Zenity utility to display malicious dialog boxes to socially engineer users into giving up their passwords. Open source tools such as Nmap, Chisel and Ligolo are also used, and the DirtyPipe exploit suggests increasing sophistication of the atacker's methods, the researchers said. Indicators of compromise (IoCs) can be downloaded from the Volexity GitHub page:

• YARA rules
• Single value indicators

The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

Microsoft’s cybersecurity efforts have been roundly criticized in recent months, and despite pledges to do better, the company has compounded the problem with missteps like the Copilot+ Recall rollout. Microsoft security controls came under scrutiny in April with the release of a U.S. Cyber Safety Review Board (CSRB) report that detailed “a cascade of security failures at Microsoft” that allowed threat actors linked to China to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” in a July 2023 attack. Rather than make good on pledges to make cybersecurity a top priority, Microsoft followed with the cybersecurity equivalent of an own goal when it pushed ahead with the new Windows Recall screen recording feature despite the concerns of security and privacy advocates that the company belatedly tried to address. Late today, Microsoft announced that it will delay the Recall feature for further testing. The House Committee on Homeland Security held a hearing today to address the CSRB report and Microsoft security in general, with Microsoft President Brad Smith the sole witness. The hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security,” came on the same day that Pro Publica published a report detailing years of Microsoft security failings that led up to the massive 2021 SolarWinds breach.

Congressional Leaders Call for ‘Responsibility’ and ‘Accountability’

In his opening remarks, House Homeland Security Chairman Mark Green (R-TN) called the CSRB report “extremely concerning,” and spoke of the need of “restoring the public trust” in the security of Microsoft products. “China and Russia, Beijing and Moscow, are watching us right now,” he cautioned, underscoring the stakes of the hearing while offering to move any sensitive questions to a secure environment. Ranking member Bennie Thompson (D-MS) stressed that “It is not the committee’s goal to shame or discredit” Smith and Microsoft, but to improve security and accountability at the vendor that supplies 85% of federal government productivity tools. Thompson noted the Recall rollout and Pro Publica article in his comments, calling “even more troubling” Smith’s 2021 claim before Congress that no Microsoft vulnerability was exploited in the SolarWinds attack. Green and Thompson weren’t the only committee members taking a firm tone with Microsoft, as almost every member did the same in their allotted time for questioning. Lou Correa (D-CA), for example, said he was “beyond shocked” at the security revelations in the CSRB report and elsewhere.

Microsoft President Smith Pledges Action

Perhaps anticipating a rough reception from lawmakers, Smith struck a conciliatory tone in his written and spoken testimony to the committee. “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said. “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.” Smith said the company is making cybersecurity part of senior executive bonus calculations and employee reviews as part of the its goal of “empowering and rewarding every employee to find security issues, report them, help fix them, and encourage broader learning from the process and the results. This requires that we incorporate this security work as an indispensable and integrated element in every aspect of the company’s engineering processes.” [caption id="attachment_77142" align="alignnone" width="750"] Microsoft President Brad Smith testifying before House Homeland Security Committee[/caption] To that end, Smith said the company has added 1,600 more security engineers this fiscal year, “and we will add another 800 new security positions in our next fiscal year.” Senior-level Deputy CISOs at Microsoft have been tasked with expanding “oversight of the various engineering teams to assess and ensure that security is ‘baked into’ engineering decision-making and processes.” Smith said cyberattacks in general have become a massive problem: “the pace of attacks has increased to the point where there is now constant combat in cyberspace,” he said. “Not just every day, but literally every second. Microsoft alone detects almost 4,000 password-based attacks against our customers every second of every day.”

Microsoft Security Plans

Smith said Microsoft has mapped all 16 of the CSRB recommendations applicable to Microsoft “to ensure that we are addressing them” as part of the company’s Secure Future Initiative. The company is “actively in the process of transitioning both our consumer and enterprise identity systems to a new hardened key management system that leverages hardware security modules for the storage and generation of keys. We are rolling out proprietary data and corresponding detection signals at all places where tokens are validated. And we have made significant progress on Automated and Frequent Key Rotation, Common Auth Libraries, and Proprietary Data used in our token generation algorithm.” Smith’s written testimony outlined six “pillars” for improving security: Protect Identities and Secrets: Microsoft plans to implement and enforce “best-in-class standards across our infrastructure that manages identities and sensitive information such as passwords ('secrets'), to ensure that only the right people and applications access the right resources.” Protect Tenants and Isolate Production Systems: The company pledges to “continuously validate isolation of production systems – including those upon which we operate the Microsoft Cloud.” Protect Networks: Microsoft will “Continuously improve and implement best-in-class practices to protect Microsoft production networks.” Protect Engineering Systems: The company said it will work to “Continuously improve our software supply chain and the systems that enable Microsoft engineers to develop, build, test, and release software, thereby protecting software assets and improving code security.” Monitor and Detect Threats: This initiative calls for Microsoft to improve “coverage and automatic detection of ever evolving threats to Microsoft production infrastructure and services, accelerating actioning against those threats.” Accelerate Response and Remediation: Speeding incident response and remediation is the final pillar, so “when we learn of vulnerabilities in our offerings or our infrastructure, to be even more comprehensive and timely and better prevent exploitation of those vulnerabilities.” Updated to reflect the delay in the Recall rollout.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation." The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors. In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."

Monti Ransomware Group and Change in Ownership

[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption] This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors. While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students. The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.

A Deeper Dive into Monti Ransomware Group

A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

Threat actors linked to Chinese state interests have been targeting an unnamed high-profile Southeast Asian government organization since at least March 2022, according to new research from Sophos. The Chinese espionage threat, dubbed “Crimson Palace” by the researchers, was first observed in May 2023 by Sophos MDR’s Mark Parsons, who uncovered “a complex, long-running Chinese state-sponsored cyberespionage operation” during a threat hunt across Sophos Managed Detection and Response telemetry. The threat actors appear to remain active.

VMware DLL Sideloading Discovery Launched Investigation

MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component, the Sophos researchers wrote in a report published today. The investigation uncovered “at least three clusters of intrusion activity” between March 2023 and December 2023. The threat hunt uncovered previously unreported malware associated with the threat clusters, as well as a new improved variant of the EAGERBEE malware. Sophos is tracking the clusters as Cluster Alpha (STAC1248), Cluster Bravo (STAC1807), and Cluster Charlie (STAC1305). “While our visibility into the targeted network was limited due to the extent to which Sophos endpoint protection had been deployed within the organization, our investigations also found evidence of related earlier intrusion activity dating back to early 2022,” the researchers wrote. “This led us to suspect the threat actors had long-standing access to unmanaged assets within the network.”

Chinese Espionage Threat Uses Familiar Tools and Infrastructure

The Crimson Palace clusters were found to use tools and infrastructure connected to Chinese threat actors BackdoorDiplomacy, REF5961, Worok, TA428, Unfading Sea Haze and the APT41 subgroup Earth Longzhi. Sophos “has observed the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea,” the report said. “Though we are currently unable to perform high-confidence attribution or confirm the nature of the relationship between these clusters, our current investigation suggests that the clusters reflect the work of separate actors tasked by a central authority with parallel objectives in pursuit of Chinese state interests,” the researchers wrote. Cluster Bravo appears to have been short lived, observed operating only in March 2023. Cluster Alpha’s last active known implant ceased C2 communications in August 2023, “and we have not seen the cluster of activity re-emerge in the victim network. However, the same cannot be said for Cluster Charlie.” Cluster Charlie has been active at least through April 2024. “After a few weeks of dormancy, we observed the actors in Cluster Charlie re-penetrate the network via a web shell and resume their activity at a higher tempo and in a more evasive manner,” the researchers said. Activities included exfiltration efforts, and “instead of leaving their implants on disks for long periods of time, the actors used different instances of their web shell to re-penetrate the network for their sessions and began to modulate different C2 channels and methods of deploying implants on target systems.” While the clusters had their own patterns of behavior, “the timing of operations and overlaps in compromised infrastructure and objectives suggest at least some level of awareness and/or coordination between the clusters in the environment,” they wrote. The researchers detailed differences and overlaps between the clusters in a Venn diagram republished below. [caption id="attachment_75161" align="aligncenter" width="300"] Tactics and overlap of the Crimson Palace threat clusters (source: Sophos)[/caption]

Chinese Espionage Threat Uses Novel Malware, DLL, Evasion

Tactics of the Chinese espionage threat actors include accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and control (C2) communications. Sophos researchers noted three key findings on the threat actors’ tools and tactics. Novel malware variants: Researchers identified the use of previously unreported malware they call CCoreDoor that was concurrently discovered by BitDefender, and PocoProxy, and an updated variant of EAGERBEE malware with the ability to “blackhole communications to antivirus (AV) vendor domains in the targeted organization’s network.” Other malware variants they noted include NUPAKAGE, Merlin C2 Agent, Cobalt Strike, PhantomNet backdoor, RUDEBIRD malware, and the PowHeartBeat backdoor. Extensive dynamic link library (DLL): Researchers observed more than 15 distinct DLL sideloading scenarios, most of which abused Windows Services, legitimate Microsoft binaries, and AV vendor software. Prioritization of evasive tactics and tools: The researchers noted “many novel evasion techniques, such as overwriting dll in memory to unhook the Sophos AV agent process from the kernel, abusing AV software for sideloading, and using various techniques to test the most efficient and evasive methods of executing their payloads.” Sophos cited 10 researchers for their work investigating the threat: Colin Cowie, Jordon Olness, Hunter Neal, Andrew Jaeger, Pavle Culum, Kostas Tsialemis, and Daniel Souter of Sophos Managed Detection and Response, and Gabor Szappanos, Andrew Ludgate, and Steeve Gaudreault of SophosLabs.