Cybersecurity Threats Affecting Businesses in August 2023
Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.
Below are the top four threats that emerged over the past month.
BlackByte 2.0
Ransomware attacks are a growing problem for organizations worldwide, both in scope and severity. Microsoft’s Incident Response team investigated the recent BlackByte 2.0 ransomware attacks, revealing the alarming speed and destructive nature of these cyber strikes. The findings indicate that hackers can execute the entire attack process, from gaining initial access to causing significant damage, in just five days. They swiftly infiltrate systems, encrypt crucial data, and demand a ransom for its release. This condensed timeline poses a significant challenge for organizations striving to defend against these malicious operations.
The BlackByte ransomware is deployed in the final stage of the attack and uses an 8-digit numeric key to encrypt data. The attackers use a potent combination of tools and techniques, exploiting unpatched Microsoft Exchange Servers to gain access and lay the groundwork for their malicious activities. Process hollowing, antivirus evasion techniques, web shells for remote access, and Cobalt Strike beacons for command-and-control further enhance their capabilities and make them harder to defend against. Additionally, the attackers use “living-off-the-land” tools to camouflage their activity and avoid detection. They modify volume shadow copies on infected machines to prevent data recovery through system restore points and deploy custom backdoors for persistent access even after the initial compromise.
As ransomware attacks become more frequent and sophisticated, threat actors can quickly disrupt business operations if organizations are not adequately prepared. The severity of these attacks necessitates immediate action from organizations worldwide, and in response to these findings, Microsoft provides practical recommendations. It encourages the implementation of robust patch management procedures to apply critical security updates early. Enabling tamper protection is also crucial as it strengthens security solutions against malicious attempts to disable or bypass them. By following best practices, such as maintaining up-to-date systems and restricting administrative privileges, organizations can significantly mitigate the risk of BlackByte ransomware attacks and other similar threats.
Nitrogen Campaign Leveraging DLL Side-Loading for C2
In a recent campaign, dubbed “Nitrogen,” DLL side-loading was observed being used for C2 communications. Instead of the usual phishing vector, the attack began with a drive-by download from a compromised WordPress website. The downloaded file, an ISO image, contains an installer that must be manually executed by the end user. The installer then loads the msi.dll file and decrypts the accompanying data file. An embedded Python distribution and the DLL are dropped to the user’s C:\Users\Public\Music\python path, where the DLL is side-loaded.
The malware then creates a scheduled task named “OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003” that runs pythonw.exe, giving it persistence. The task is set to trigger at system startup and expires on 1 Dec 2029 at midnight.
With persistence established, the malware can carry out its tasks. It has been seen using DLL side-loading to maintain a persistent connection with C2 servers, and goes so far as to retrieve compressed/encoded data and then execute it locally.
Cobalt Strike was observed as a chosen payload at one point, and it appears that other payloads could be delivered as well. This malware certainly has the potential to cause great harm, but in this campaign the consolation is that the user must manually execute a file downloaded via a drive-by download from a compromised website. It could, however, just as easily be delivered via phishing, which remains one of the most common vectors because of its ease and effectiveness.
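The scheduled task described above is a good hunting target because its name, trigger and binary path are all fixed. The following Python is an added example, not part of the original post or the Nitrogen analysis: it evaluates constructed Windows Security event 4698 (scheduled task created) records against the SID-suffixed task name, the boot trigger and the C:\Users\Public\Music\python staging path; the sample records and the indicator logic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used in the TaskContent field of Security event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Hunt indicators taken from the campaign write-up: the SID-suffixed task name and the staging path.
NAME_PATTERN = re.compile(r"OneDrive Security Task-S-1-5-21(?:-\d+){4}$")
STAGING_DIR = r"c:\users\public\music\python"

# Constructed sample records modelled on event 4698 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"TaskName": r"\OneDrive Security Task-S-1-5-21-5678566754-9123742832-2638705499-2003",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><BootTrigger><EndBoundary>2029-12-01T00:00:00</EndBoundary></BootTrigger></Triggers>
<Actions><Exec><Command>C:\\Users\\Public\\Music\\python\\pythonw.exe</Command></Exec></Actions>
</Task>"""},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><CalendarTrigger><StartBoundary>2023-08-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>"""},
]

def parse_task(task_xml: str) -> dict:
    """Extract the Exec command, trigger types and expiry (EndBoundary) from task XML."""
    root = ET.fromstring(task_xml)
    cmd = root.find(".//t:Exec/t:Command", NS)
    trig = root.find("t:Triggers", NS)
    end = root.find(".//t:EndBoundary", NS)
    return {"command": (cmd.text or "").strip().strip('"') if cmd is not None else "",
            "triggers": [] if trig is None else [c.tag.split("}")[-1] for c in trig],
            "end_boundary": end.text if end is not None else None}

def evaluate_task(task_name: str, task_xml: str) -> list:
    """Return the indicators one task matches; an empty list means it looks clean."""
    info = parse_task(task_xml)
    cmd = info["command"].lower()
    hits = []
    if NAME_PATTERN.search(task_name):
        hits.append("name mimics a OneDrive task with a SID suffix")
    if cmd.startswith(STAGING_DIR) and cmd.endswith("\\pythonw.exe"):
        hits.append("pythonw.exe launched from the C:\\Users\\Public\\Music\\python staging path")
    if "BootTrigger" in info["triggers"] and cmd.startswith(r"c:\users\public"):
        hits.append("boot trigger for a binary in a world-writable path")
    return hits

def hunt(events=SAMPLE_EVENTS) -> list:
    # One tuple (task name, indicators, expiry) per task that matched at least one indicator.
    return [(ev["TaskName"], hits, parse_task(ev["TaskContent"])["end_boundary"])
            for ev in events if (hits := evaluate_task(ev["TaskName"], ev["TaskContent"]))]
```

Feeding real 4698 records exported from a SIEM in the same field shape lets the expiry date and the trigger type be reviewed alongside the name match.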
Updated Lazarus Malware Distribution
Researchers have discovered that Lazarus, a state-funded group, is attacking Windows Internet Information Services (IIS) web servers and using them to spread malware. The group is known for using watering hole techniques to gain initial access. When a scan detects a server running a vulnerable version, they exploit the vulnerability matching that version to install a web shell, download files, or execute commands. The recently identified attack showed that the Lazarus threat group’s malware strains were spawned by w3wp.exe, the IIS web server worker process. The malware spawned by the w3wp.exe process is usopriv.exe, a JuicyPotato malware packed with Themida.
The Potato malware strains are responsible for privilege escalation. Several variants are used, including JuicyPotato, RottenPotato, and SweetPotato, depending on the privilege escalation method. The Potato strains escalate privileges by abusing processes that have certain privileges enabled. Afterward, the threat actor can perform malicious actions with the elevated privileges. The whoami command was used to check whether privilege escalation had succeeded. A log was also found showing that a loader malware, which is responsible for the actual malicious behavior, had been executed. The loader is in DLL format, so rundll32 was used to execute it. The loader decrypts the file name of the data to be used and obtains a string; this string is the name of the data file, which is searched for in a total of three paths. The loader then decrypts the encrypted data files and executes them in memory.
The Lazarus group has also been seen using various other attack vectors for initial access, such as joint certificate vulnerabilities and 3CX supply chain attacks. This is one of the most dangerous threat groups currently operating and is highly active globally. They continuously exploit vulnerabilities to gain access to unpatched systems. If a system does not have the latest version of a vulnerable product installed, the latest update must be applied immediately.
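The chain described above (the IIS worker w3wp.exe spawning usopriv.exe, whoami run through cmd.exe, and rundll32 executing the loader DLL) is detectable from process lineage alone. The Python below is an added example, not from the original post or the underlying Lazarus research: it hunts constructed Sysmon-style process-creation records for descendants of w3wp.exe that are LOLBins, live outside C:\Windows, or are unexpected direct children; the process GUIDs, the file path for usopriv.exe and the allowlist of expected w3wp.exe children are assumptions.

```python
import ntpath

# Constructed Sysmon-style process-creation records (not real telemetry). The chain below
# mirrors the write-up: w3wp.exe -> usopriv.exe -> cmd.exe -> whoami.exe, plus rundll32 under w3wp.exe.
EVENTS = [
    {"guid": "p0", "parent": "sys", "image": r"C:\Windows\System32\svchost.exe"},
    {"guid": "p1", "parent": "p0", "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"guid": "p2", "parent": "p1", "image": r"C:\inetpub\wwwroot\upload\usopriv.exe"},  # path is assumed
    {"guid": "p3", "parent": "p2", "image": r"C:\Windows\System32\cmd.exe"},
    {"guid": "p4", "parent": "p3", "image": r"C:\Windows\System32\whoami.exe"},
    {"guid": "p5", "parent": "p1", "image": r"C:\Windows\System32\rundll32.exe"},
    {"guid": "p6", "parent": "p0", "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"guid": "p7", "parent": "p6", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

# Assumption: ASP.NET dynamic compilation legitimately spawns these from w3wp.exe; tune per environment.
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}
# Discovery and proxy-execution binaries an IIS worker should not be launching.
LOLBINS = {"cmd.exe", "powershell.exe", "whoami.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

def w3wp_ancestor(event: dict, index: dict):
    """Walk up the parent chain; return the guid of the nearest w3wp.exe ancestor, or None."""
    seen = set()
    cur = index.get(event["parent"])
    while cur is not None and cur["guid"] not in seen:
        seen.add(cur["guid"])  # guard against cycles in malformed telemetry
        if ntpath.basename(cur["image"]).lower() == "w3wp.exe":
            return cur["guid"]
        cur = index.get(cur["parent"])
    return None

def hunt(events=EVENTS) -> list:
    """Return (guid, image name, reasons) for every suspicious process descended from w3wp.exe."""
    index = {e["guid"]: e for e in events}
    findings = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name == "w3wp.exe" or w3wp_ancestor(ev, index) is None:
            continue
        reasons = []
        if name in LOLBINS:
            reasons.append("LOLBin/discovery tool under an IIS worker")
        if not ev["image"].lower().startswith("c:\\windows\\"):
            reasons.append("executable outside C:\\Windows launched under an IIS worker")
        if ntpath.basename(index[ev["parent"]]["image"]).lower() == "w3wp.exe" and name not in EXPECTED_CHILDREN:
            reasons.append("unexpected direct child of w3wp.exe")
        if reasons:
            findings.append((ev["guid"], name, reasons))
    return findings
```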
Microsoft Vulnerabilities
In the latest round of updates, Microsoft has addressed two zero-day vulnerabilities, namely CVE-2023-36884 and CVE-2023-38180. These vulnerabilities have been actively exploited by threat actors and have prompted swift action from Microsoft. This month’s update also covers fixes for 87 other vulnerabilities, underlining the importance of staying vigilant against potential cyber threats.
CVE-2023-36884, a remote code execution vulnerability, was used by the Russian threat actor Storm-0978/RomCom. This flaw allowed attackers to cleverly manipulate Microsoft Office documents to evade security mechanisms like the Mark of the Web (MoTW), enabling them to execute code remotely. Microsoft has responded with an Office Defense in Depth update to mitigate this risk. Storm-0978/RomCom, previously involved in deploying the Industrial Spy ransomware, has recently rebranded as ‘Underground’ and expanded its activities to include ransomware extortion.
Another worrisome vulnerability, CVE-2023-38180, also received attention in this update. Although Microsoft has not revealed specific details about its exploitation or the discoverer’s identity, this vulnerability has been actively abused and could potentially lead to Distributed Denial of Service (DDoS) attacks on .NET applications and Visual Studio. Notably, this flaw doesn’t require the attacker to possess user privileges on the target system, making it a more severe concern.
Security experts advise organizations to take swift action by implementing the recommended security measures and applying the provided patches. These updates serve as a reminder of the ever-present cyber threats that require consistent efforts to safeguard systems and data from potential breaches.
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.