Iran-linked threat actor Tortoiseshell targeted shipping, logistics, and financial services companies in Israel with watering hole attacks.

ClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping, logistics, and financial services companies and attributed them with low confidence to the Iran-linked APT group Tortoiseshell (aka TA456 or Imperial Kitten).

The threat actors used a script on the compromised websites to collect preliminary user information.

The malicious JavaScript employed in the watering hole attacks collects data from visitors, including the user’s OS language, IP address, screen resolution, as well as the URL from which the website was visited.

The activity of the APT group was first detailed by Symantec in 2019, the experts analyzed a series of attacks against IT providers in Saudi Arabia and US entities. The expert spotted the Iranian group in 2018, but they speculate that it has been active for a longer time.

Five out of eight compromised websites were hosted by the uPress hosting service, which was hit by a cyber attack carried out by the Iranian group Emennet Pasargad5, “Hackers of Savior”, in 2020.

“uPress”, a hosting service, was attacked in 2020 by the Iranian group Emennet Pasargad5 , “Hackers of Savior”, who defaced thousands of Israeli sites hosted by it.

The collected data were transferred into a JSON file via a POST request to a website under the control of the threat actor.

The experts noticed that the first malicious JavaScript they spotted contains a unique string of text which includes grammatical errors. Looking for this unique string, the researchers were able to find another JavaScript that contains the same code but is used on a different domain.

“The script is downloaded from the malicious website cdnpakage[.]com. Our team discovered that cdnpakage[.]com previously had another SSL certificate related to another domain – globalpneuservices[.]com.” reads the report published by ClearSky. “Using the domain cdnpakage[.]com, additional infected domains were found: tel-bar.co[.]il, aviram.co[.]il.”

The attribution to an Iran-linked APT is based on the following evidence:

• C2 Attribution – The domain jquery-stack[.]online is attributed to TA456 (Tortoiseshell).
• Attackers employed four domains impersonating the legitimate JavaScript framework jQuery
  by using “jQuery” in their domain names. The trick to use domain names impersonating jQuery was observed in a previous Iranian campaign from 2017.
• Watering holes have been part of the initial access stage used by Iran-linked APT since at
  least 2017.
• Iranian threat actors target Israeli websites and attempt to collect data on logistics companies
  associated with shipping and healthcare.
• Re-use of open-source penetration testing tools that focus on web browsers was seen both in
  an Iranian campaign in 2017 and in this current campaign.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Tortoiseshell)

The post Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites appeared first on Security Affairs.

North Korea-linked APT group Lazarus actor has been targeting vulnerable Microsoft IIS servers to deploy malware.

AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft IIS servers in a recent wave of malware-based attacks.

Once discovered a vulnerable ISS server, the attackers leverage the DLL side-loading (T1574.002) technique to execute a malicious DLL (msvcr100.dll) that they have placed in the same folder path as a normal application (Wordconv.exe). Then the library is executed via the Windows IIS web server process.

The msvcr100.dll is contained within the import DLL list of Wordconv.exe, this means that the first DLL is loaded in the memory of the Wordconv.exe process when it is executed.

“the functionality of msvcr100.dll involves decrypting an encoded PE file (msvcr100.dat) and the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq) that is transmitted as a command-line argument during the execution of Wordconv.exe by utilizing the Salsa20 algorithm.” reads the analysis published by ASEC. “The decrypted PE file is then executed in the memory. It then performs the function of clearing the malicious DLL module that was loaded through the FreeLibraryAndExitThread WinAPI call before deleting itself (msvcr100.dll).”

The researchers noticed important similarities between the msvcr100.dll and the cylvc.dll previously detailed by ASEC and related to another Lazarus campaign.

The threat actor exploited an open-source Notepad++ plugin called Quick Color Picker (a discontinued project) to establish a foothold in the target network before creating additional malware (diagn.dll).

The diagn.dll received the PE file encoded with the RC6 algorithm as an execution argument value, then uses an internally hard-coded key to decrypt the data file and execute the PE file directly in the memory.

The researchers were not able to determine the malicious behavior of the PE file because the PE data file that was encoded during the attack could not be collected, but the analysis of the log suggests threat the attackers had executed a credential theft tool such as Mimikatz.

Once obtained the system credentials, the threat actor performed internal reconnaissance and used remote access (port 3389) to perform lateral movement into the internal network.

“The Lazarus group used a variety of attack vectors to perform their initial breach, including Log4Shell,  public certificate vulnerability, 3CX supply chain attack, etc.” concludes the report that also provides Indicators of Compromise (IoCs). “since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”

This week, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DPRK)

The post North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware appeared first on Security Affairs.

A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected.

China-linked APT cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S. and Guam without being detected. The group managed to maintain access without being detected for as long as possible.

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively  living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In order to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and stay under the radar.

Volt Typhoon targets internet-facing Fortinet FortiGuard devices to achieve initial access to targeted organizations. Then the attackers attempt to extract credentials to an Active Directory account used by the compromised device and use them for lateral movement by authenticating to other devices.

Upon gaining access to a target environment, the group conducts hands-on-keyboard activity via the command line. The researchers pointed out that the group rarely uses malware in the post-compromise phase.

“If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.” continues the report. “Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.”

Microsoft observed the Volt Typhoon dumping information from local web browser applications, then the attackers staged collected data in password-protected archives.

The experts concluded by warning organizations to be vigilant on successful sign-ins from unusual IP addresses that could represent C2 accesses.

Today, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. 

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Volt Typhoon)

The post China-linked APT Volt Typhoon targets critical infrastructure organizations appeared first on Security Affairs.

Zyxel fixed two critical flaws in multiple firewall and VPN products that can lead to remote code execution or cause a DoS condition.

Zyxel addressed two critical buffer overflow vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, that affect several of its firewall and VPN products.

A remote, unauthenticated attacker can can trigger the flaws to cause a denial-of-service (DoS) condition and remote code execution on vulnerable devices.

Below are the description for both issues provided by the vendor in a security advisory:

• CVE-2023-33009 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

• CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device

Users are recommended to install security updates provided by the company to address the issues.

1. CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
2. CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)

The following table includes vulnerable devices:

At the end April, Zyxel fixed a critical RCE flaw, tracked as CVE-2023-28771 (CVSS score 9.8), in its firewall devices and urged customers to install the patches.

The company also fixed a high-severity post-authentication command injection issue (CVE-2023-27991, CVSS score: 8.8) affecting some specific firewall versions.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel)

The post Zyxel firewall and VPN devices affected by critical flaws appeared first on Security Affairs.

D-Link fixed two critical flaws in its D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution.

D-Link has addressed two critical vulnerabilities (CVSS score: 9.8) in its D-View 8 network management suite that could be exploited by remote attackers to bypass authentication and execute arbitrary code.

The D-View network management suite allows customers to monitor performance, configure devices, and manage the network in an efficient way.

The vulnerabilities were reported to the company on December 23, 2022 through Trend Micro’s Zero Day Initiative (ZDI).

The first vulnerability, tracked as CVE-2023-32165, is a D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution flaw.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the TftpReceiveFileHandler class.”

The vulnerability is caused by the lack of proper validation of a user-supplied path prior to using it in file operations. An unauthenticated attacker can exploit the flaw to execute code in the context of SYSTEM.

The vulnerability was reported by Andrea Micalizzi (aka rgod)

The second flaw, tracked as CVE-2023-32169, is an authentication bypass issue caused by the use of hard-coded cryptographic key authentication in the TokenUtils class.

An attacker can exploit this vulnerability to bypass authentication on the target system.

“This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory. “The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key.”

The vulnerability was discovered by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative.

The company pointed out that the released patch is “beta software or hot-fix release,” which is still undergoing final testing.

“Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post D-Link fixes two critical flaws in D-View 8 network management suite appeared first on Security Affairs.

Experts detailed a new piece of malware, named CosmicEnergy, that is linked to Russia and targets industrial control systems (ICS). 

Researchers from Mandiant discovered a new malware, named CosmicEnergy, designed to target operational technology (OT) / industrial control system (ICS) systems. The malicious code was first uploaded to a public malware scanning service in December 2021 by a user in Russia. The malware is specifically designed to disrupt electric power by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs). These RTU are widely adopted n electric transmission and distribution operations in Europe, the Middle East, and Asia.

COSMICENERGY is one of the OT malware that were spotted over the years, but according to Mandiant, what makes this malware unique is that it has been developed by a contractor as part of a red teaming activity for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. The ICS malware supports capabilities that are comparable to those implemented in malware such as INDUSTROYER and INDUSTROYER2.

Both INDUSTROYER and INDUSTROYER2 malware strains were used by Russia-linked APT groups in attacks aimed at critical infrastructure in Ukraine targeting IEC-104.

“COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT.” reads the analysis published by Mandiant. “Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption.”

COSMICENERGY is composed of two components, respectively tracked as PIEHOP and LIGHTWORK:

• PIEHOP is a disruption Python tool packaged with PyInstaller that can connect to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP relies on LIGHTWORK to issue the IEC-104 commands “ON” or “OFF” to the remote system and then deletes the executable after issuing the command. The researchers noticed that the sample of PIEHOP they analyzed was affected by programming logic errors that prevent it from successfully performing its IEC-104 control capabilities, however, they can be quickly solved.
• LIGHTWORK is a C++ tools that implements the IEC-104 protocol to modify the state of RTUs over TCP. It

The researchers pointed out that the malware doesn’t support discovery capabilities, which implies that the operator would need to perform some internal reconnaissance to obtain environmental information (i.e. MSSQL server IP addresses, MSSQL credentials, and target IEC-104 device IP addresses).

The analysis of COSMICENERGY revealed the use of a module associated with a project named “Solar Polygon.” Searching for this unique string, the researchers identified a single match to a cyber range (aka polygon) developed by Rostelecom-Solar.

“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.” concludes the report. “OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY. “

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ICS malware)

The post New CosmicEnergy ICS malware threatens energy grid assets appeared first on Security Affairs.

Researchers spotted a new botnet dubbed Dark Frost that is used to launch distributed denial-of-service (DDoS) attacks against the gaming industry.

Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks.

The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.

The Dark Frost botnet was used to target gaming companies, game server hosting providers, online streamers, and even other members of the gaming community who the threat actor interacted with directly.

The researchers first gathered a Dark Frost binary sample on February 28, 2023, that targeted one of its HTTP honeypots. The threat actors were attempting to exploit a remote code execution (RCE) in misconfigured Hadoop YARN servers. The experts highlight that the vulnerability exploited in the attacks has been in existence since 2014.

According to a screenshot taken by the malware author, the botnet was composed of at least 414 machines as of February 2023. Most of the infected machines are based on ARMv4 architectures, specifically MIPSEL and x86.

The botnet operators compiled the bot code specifically for ARMv4 and ARMv7 because ARMv4 is compatible with ARMv5 and ARMv6, this means that the malware can also target modern ARMv7 architecture. 

The analysis of the bot revealed that the malware supports eight total attacks, including UDP and TCP, and more curious ones, such as zgoflood.

Akamai researchers estimated that the botnet can launch DDoS attacks of approximately 629.28 Gbps through a UDP flood attack.

“To continue the benchmark correctly, we had to start launching these attacks at the loopback to avoid fragmentation and listen on the loopback interface to re-measure (Table 2).” reads the analysis published by Akamai.

“As you can see, the optimal size for maximum output becomes 2,048. After this point, the number of packets getting sent drops significantly. This is likely due to the fact that the UDP packets are getting padded with “U” characters to make it the desired length, and this operation likely slows things down at larger sizes. With 1.52 Gbps as our new single node benchmark, we can multiply this by the number of nodes in the botnet as of February 2023 (414) to come out with 629.28 Gbps.”

Threat actors behind this botnet are active since at least May 2022, they published live recordings of their attacks to demonstrate the capabilities of the botnet.

The attackers set up a website to track requests and a discord channel to manage their DDoS-for-hire service.

“The reach that these threat actors can have is staggering despite the lack of novelty in their techniques. Although not the most advanced or mind-bending adversary, the Dark Frost botnet has still managed to accumulate hundreds of compromised devices to do its bidding.” concludes the report.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Dark Frost Botnet targets the gaming sector with powerful DDoS appeared first on Security Affairs.

An alleged Iran-linked APT group targeted an organization linked to the United Arab Emirates (U.A.E.) with the new PowerExchange backdoor.

Researchers from the Fortinet FortiGuard Labs observed an attack targeting a government entity in the United Arab Emirates with a new PowerShell-based backdoor dubbed PowerExchange.

The experts speculate that the backdoor is likely linked to an Iran-linked APT group.

The backdoor uses emails for C2 communications, where the C2 is the victim’s Microsoft Exchange server. The investigation conducted by Fortinet revealed the presence of other implants on various servers, including a new web shell, dubbed ExchangeLeech, on Microsoft Exchange servers.

The infection chain commenced with spear phishing messages using a zip file named Brochure.zip in attachment. The archive contained a malicious .NET executable (Brochure.exe) which is an executable with an Adobe PDF icon. Upon running the executable, it displays an error message box while downloads and executes the final payload.

The malware relies on Exchange Web Services (EWS) API to connect to the victim’s Exchange Server and uses a mailbox on the server to send and receive encoded commands.

“The PowerShell script is a custom backdoor. Its name is derived from the nature of the C2 channel as it utilizes the Exchange Web Services (EWS) API to connect to the victim’s Exchange server and uses mailboxes on the server to send and receive commands from its operator.” reads the analysis published by Fortinet. “The Exchange server is accessible from the internet, saving C2 communication to external servers from the devices in the organizations. It also acts as a proxy for the attacker to mask himself.”

The backdoor connects to the Exchange server and sends the computer name, base64-encoded, to a mailbox to indicate it’s running. The mailbox and connection credentials are hardcoded in the code of the implant. The operator in turn can send to the backdoor additional mailboxes to beacon in the current session or the ID of a mail to use to receive commands.

The attribution to the Iran-linked APT group APT34 is based on similarities between PowerExchange and the TriFive backdoor deployed against government organizations in Kuwait by the state-sponsored hackers.

Experts also highlighted that APT34 is known to have tested communication via internet-facing Exchange servers in its campaigns (i.e. Karkoff)

“The PowerExchange backdoor is a simple yet effective tool. When writing this blog, it was unclear where the threat actor had obtained the domain credentials to connect to the Exchange server. Even though the targeting of Exchange servers by threat actors spiked in the past couple of years, ExchangeLeech wasn’t commonly used, unlike other webshells.” concludes the report. “Using the victim’s Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization’s infrastructure.” the researchers said.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

The post New PowerExchange Backdoor linked to an Iranian APT group appeared first on Security Affairs.

The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants.

Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk variants to target Linux and Windows systems worldwide.

The ransomware operation hasn’t its own ransomware payload, however, it uses a custom information stealer to target specified file types.

The Buhti operation has been active since February 2023, it was initially spotted attacking Linux systems, but later Symantec’s Threat Hunter Team also identified attacks on Windows computers.

The group was observed quickly exploiting recently disclosed vulnerabilities, such as the recently patched PaperCut vulnerability.

In a recent attack against Windows systems, Buhti operators used a payload that is a modified version of the leaked LockBit 3.0 (aka LockBit Black) ransomware. The builder used by the operators was leaked in September 2022 by a disgruntled developer in response to Russian invasion of the Ukraine.

The ransomware appends the .buthi extension to the encrypted files.

The researchers also observed attacks against Linux systems with Golang-based variants of the Babuk ransomware, which was released on hacking forums in September 2021. This variant used in the attacks targets ESXi systems.

The information stealer used by the group is written in Golang, it allows operators to look for specific files (pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql, .svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx, .yaml. ) and then store them in a compressed .ZIP archive.

“The tool can be configured via command-line arguments to specify both the directory to search for files of interest in and the name of the output archive. The -o argument in the command line specifies the archive to be created. The -d argument specifies the directory to search for files of interest in.” reads the post published by Symantec.

The attackers exploited the vulnerability in PaperCut NG and MF (CVE-2023-27350) to install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise hacking tools.

In February, the group was observed exploiting a vulnerability in IBM’s Aspera Faspex file-exchange application (CVE-2022-47986).

“While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post New Buhti ransomware operation uses rebranded LockBit and Babuk payloads appeared first on Security Affairs.