Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target European government agencies.

ESET researchers discovered two previously unknown backdoors named LunarWeb and LunarMail that were exploited to breach European ministry of foreign affairs.

The two backdoors are designed to carry out a long-term compromise in the target network, data exfiltration, and maintaining control over compromised systems.

The two backdoors compromised a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The experts speculate the Lunar toolset has been employed since at least 2020. ESET attributes the two backdoors to Russia-linked APT group Turla, with medium confidence.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The exact method of initial access in the compromises observed by ESET is still unclear. However, evidence suggests possible spear-phishing and exploitation of misconfigured Zabbix network and application monitoring software. The researchers noticed a LunarWeb component mimicking Zabbix logs and a backdoor command retrieving Zabbix agent configuration. The experts also spotted spear-phishing messages, including a weaponized Word document installing a LunarMail backdoor.

“LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications.” reads the report published by ESET.

LunarWeb uses multiple persistence methods, including creating Group Policy extensions, replacing System DLL, and deploying as part of legitimate software.

ESET reported that the execution chain starts with a loader they tracked as LunarLoader. It uses the RC4 symmetric key cipher to decrypt the payloads.

Once the Lunar backdoor has compromised a system, it waits for commands from the C2 server. The cyberspies also used stolen credentials for lateral movement.

LunarWeb can also execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.

“Our current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an unidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb. Subsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications.” continues the report. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.”

LunarMail is deployed on workstations with Microsoft Outlook, using an email-based communication system (Outlook Messaging API (MAPI)) to evade detection in environments where HTTPS traffic is monitored. The backdoor communicates with the C2 server via email attachments, often hidden in .PNG images. LunarMail can create processes, take screenshots, write files, and execute Lua scripts, allowing it to run shell and PowerShell commands indirectly.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools.” concludes the report. “Although the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Turla APT)

The City of Wichita disclosed a data breach after the ransomware attack that hit the Kansas’s city earlier this month.

On May 5th, 2024, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The city immediately started its incident response procedure to prevent the threat from spreading and announced an investigation into the attack.

Wichita is the most populous city in the U.S. state of Kansas and the county seat of Sedgwick County. As of the 2020 census, the population of the city was 397,532

The investigation was conducted with the help of third-party security experts and the city also notified federal and local law enforcement authorities.

“We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the initial security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”

The City warned that some services may be temporarily unavailable while systems are offline, it did not disclose the family of ransomware that infected its systems and the name of the extortion gang behind the attack.

However, the LockBit ransomware gang claimed responsibility for the cyberattack on the City of Wichita.

A new update provided by the City of Wichita revealed that threat actors copied certain files containing personal information from its network. Copied files included incident and traffic information.

Copied files included incident and traffic information.

“As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.” reads the Notice of Data Event updated on May 14, 2024.

“We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.”

The notice also revealed that threat actors exploited a recently disclosed vulnerability to gain access to the city’s network.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)

Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originate from a third-party vendor.

MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia.

The company was forced to shut down its website and phone lines following a cyber attack, but it did not mention a ransomware attack.

Threat actors gained access to the personal and health information of an undisclosed number of individuals.

“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.” reads the statement published by the company. “While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”

The company is still investigating the security breach with the help of the National Cyber Security Coordinator, however, it revealed that early indicators suggest the incident originated from one of its third-party vendors.

The electronic prescription provider also notified the Office of the Australian Information Commissioner and other relevant authorities.

The Australian broadcaster ABC reported that MediSecure “is the health organisation at the centre of the large-scale ransomware data breach announced by the national cyber security coordinator on Thursday.”

“MediSecure was one of two companies awarded contracts by the federal government to provide PBS e-script services until late last year, when the tender was granted exclusively to another company, eRx.” reported ABC. “In October last year, the ACCC granted authorisation for MediSecure to transfer all publicly- funded electronic prescriptions and data to eRx.”

In November 2022, Medibank announced that personal data belonging to around 9.7M of current and former customers were exposed due to a ransomware attack that occurred in October 2022.

Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The Singing River Health System revealed that the ransomware attack that hit the organization in August 2023 impacted 895,204 people.

At the end of August 2023, the systems at three hospitals and other medical facilities operated by Singing River Health System (SRHS) were hit by a Rhysida ransomware attack.

The Singing River Health System runs 3 hospitals and 10 clinics and is the second largest employer on the Mississippi Gulf Coast.

“The Singing River Health System’s three hospitals – Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, as well as its dozen-plus medical clinics – are affected by the incident, which began over the weekend. The health system employs about 3,800 people.” reported BankInfoSecurity.

Several services at the impacted hospitals, including laboratory and radiology testing, suffered a significant IT systems outage. At the time, Singing River said it was working to process all paper-ordered lab tests and radiology exams as quickly as possible, based on priority.

On September 13, 2023, the healthcare organization disclosed a data breach and in December 2023, it announced that the incident impacted 252,890 individuals.

In a new update shared by the company with the Maine Attorney General, the organization declared that the total number of persons affected is 895,204.

Potentially compromised information includes name, date of birth, address, Social Security number, medical information, and health insurance information.

SRHS is offering impacted individuals access to credit monitoring services provided by IDX identity theft protection for twelve months at no cost. The company is also providing guidance on preventing identity theft and fraud, including steps to report suspicious incidents and placing fraud alerts or security freezes on credit files. Additionally, they are sharing information on safeguarding against tax fraud, contacting consumer reporting agencies, and obtaining free credit reports. Singing River Health System recommends the impacted individuals to be vigilant by reviewing account statements and monitoring credit reports. Individuals are encouraged to report any incidents of identity theft or fraud to relevant authorities, including the Federal Trade Commission, state Attorney General, and law enforcement.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Rhysida)

Experts reported that since April, the Phorpiex botnet sent millions of phishing emails to spread LockBit Black ransomware.

New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.

The botnet has been active since at least 2016, it was involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks in the past

In August 2021 the criminal organization behind the Phorpiex botnet have shut down their operations and put the source code of the bot for sale on a cybercrime forum in on a dark web.

In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.

The new variant, dubbed “Twizt,” could operate without active C2 servers in peer-to-peer mode. Each of the infected computers can act as a server and send commands to other bots in a chain. Experts estimated that in one year it allowed to steal crypto assets worth of 500,000 dollars.

The emails sent in the April campaign contain ZIP attachments and were sent by the same addresses, “JennyBrown3422[@]gmail[.]com,” and “Jenny[@]gsd[.]com.”

The ZIP archives contain a compressed executable payload that, if executed, will start the encryption process with LockBit Black ransomware.

“Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the report published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”

To defend against ransomware campaign like this one, NJCCIC provided the following recommendations:

1. Security Awareness Training: Engage in security awareness training to enhance defense mechanisms and recognize potential signs of malicious communications.
2. Password Management: Use strong, unique passwords and implement multi-factor authentication (MFA) whenever possible, prioritizing authentication apps or hardware tokens over SMS text-based codes.
3. System Updates: Keep systems updated and apply patches promptly after thorough testing to address vulnerabilities.
4. Endpoint Security: Install endpoint security solutions to fortify defenses against malware attacks.
5. Monitoring and Detection: Utilize monitoring and detection solutions to identify suspicious login attempts and abnormal user behavior.
6. Email Filtering: Implement email filtering solutions such as spam filters to block malicious messages. Reference the provided resources for establishing DMARC authentication.
7. Ransomware Mitigation: Refer to available resources for ransomware mitigation techniques and strategies.
8. Phishing Reporting: Report phishing emails and other malicious cyber activities to relevant authorities like the FBI’s IC3 and the NJCCIC.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phorpiex botnet)