Cybersecurity Threats Affecting Businesses in July 2024
The overall level of cyber threat continues to be elevated globally and the impact is being felt across organizations of all sizes and industry sectors. Cyber-attacks persist across all industrial sectors with continued global focus on healthcare and industrial control systems (ICS). This follows the current trend where attackers are looking for ‘soft’ targets in industries with a history of underinvestment in cybersecurity. The impact of each attack is increasing as malicious actors focus on higher value targets.
Below are the top six threats that have emerged over the past month.
Spanish Speakers Targeted by Agent Tesla
The Agent Tesla Remote Access Trojan (RAT) has been used in cyber campaigns for years to steal sensitive information from victims’ computers. This malware can collect various types of data, such as hardware details, login credentials, keystrokes, email contacts, browser cookies, clipboard data, screenshots, and more. The recent campaign demonstrates how Agent Tesla employs multiple delivery techniques, including exploiting known vulnerabilities in Microsoft Office and using JavaScript and PowerShell scripts to avoid detection.
The attack begins with a phishing email in Spanish, disguised as a SWIFT transfer notification, containing an Excel attachment. This Excel file exploits the CVE-2017-0199 vulnerability to download an RTF document, which further exploits the CVE-2017-11882 vulnerability in Microsoft Office’s Equation Editor. This chain of exploits allows the attacker to execute malicious code on the victim’s computer.
The malicious code downloads and executes a JavaScript file, which in turn runs base64-encoded PowerShell code. This code downloads the Agent Tesla core module without saving it locally, making detection difficult. The malware then uses process hollowing to inject the Agent Tesla executable into a legitimate process, ensuring its persistence and execution.
Agent Tesla employs various methods to detect if it is being analyzed, such as checking for debugging tools, virtual environments, and specific antivirus software. If any of these checks indicate an analysis environment, the malware exits to avoid detection.
This variant can steal saved credentials from Chromium-based and Mozilla-based browsers, and email contacts from Thunderbird. However, some features like keylogging and screen logging were disabled in this variant. The stolen data is then exfiltrated to the attacker’s server using the FTP protocol.
Latrodectus Using Brute Ratel C4
A Latrodectus sample delivery chain was observed recently using a malicious JavaScript stager, discovered by being uploaded to a third-party public scanning service. From early this year until now, versions 1.1 -1.3 have been seen in the wild as part of various campaigns by the adversary.
Typically delivered via phishing, Latrodectus is a loader that utilizes a shortened link to a compromised captcha-gated WordPress site that pretends to be Cloudflare or other services. This captcha-gating appears to be to thwart automated payload retrieval by defense programs. The user instead must manually download and execute an MSI, with the payload sometimes having a PDF that contains social engineering lures.
Despite suffering some hindrance at being targeted by international efforts to suppress malware loader infrastructure, they have returned to normal operations after a quick rebuild, highlighting the difficulty of defending against such threat groups in the modern era.
The delivery chain starts with, as often is the case, a phishing email. Once again, it is simply easiest to fool a careless end-user, and those are plentiful targets. The stager has the msiPath of http[:]//85.208.108[.]63/BST.msi, unchanged from previous and interrupted campaigns. The “Installer.InstallProduct” API is used which gets the MSI onto the machine and executes it. It then spawns a child process to decompress a bundled CAB archive (CAB and CABless attacks highlighted in past threat reports) which contains the malicious .dll file aclui.dll. This .dll is a packed Brute Ratel C4 (BRC4) badger implant “edit,” a DLL export, is then executed via rundll32.exe by the installer.
Brute Ratel is a tool used for pentesting, but obviously if it is good enough for pentesting, it is good enough for malicious activity. Once it is unpacked and has injected itself, it goes to sleep, laying low to avoid immediate execution by automated sandboxing. For instance, if it were picked up by a sandbox it would simply remain dormant until the sandbox’s pre-set time runs out on the assumption that if the malware ever were going to do anything, it would have by then.
After this sleep, it executes a Latrodectus payload upon a victim connecting. The core bot component injects into explorer.exe, the stealer module is downloaded and injected into explorer, which then targets Edge, Internet Explorer, Outlook, Chrome, 360, Firefox, Yandex, etc. Any passwords, session keys, financial information, etc. are stolen. From here, access is established, and other malware can be loaded and launched.
A considerable amount of string obfuscation is used to hinder analysis with a pseudorandom number generator and hardcoded seed to drive the XOR key for decrypting the strings.
Another strategy is checking how many processes are running, assuming that low process counts indicate a simple barebones sandbox.
Once again, this attacker is relying on phishing for access. And, despite a concerted international law enforcement effort to stomp out attacker networks like this, they were simply able to regroup and restart their campaigns. This highlights that each organization must take it upon itself to establish strong cybersecurity defenses, and among those defenses, some of the most effective are simple end-user education regarding phishing, which continues to reign as the most popular initial entry vector.
MerkSpy Infostealer
Researchers have recently identified an attack exploiting the vulnerability CVE-2021-40444 in Microsoft Office. When exploited, it allows attackers to execute malicious code through specially crafted documents, leading to the deployment of a spyware payload known as “MerkSpy.” This spyware monitors user activities, captures sensitive information, and maintains persistence on compromised systems for weeks or even months at a time.
The attack starts with a Microsoft Word document disguised as a document containing details on a software developer job position. Opening the document exploits the CVE-2021-40444 vulnerability within Internet Explorer in Microsoft Office. This vulnerability allows arbitrary code execution without any interaction from the user. The attacker hides a URL within an innocent .xml file, directing it to another malicious URL, which leads to the download of an HTML file that triggers the next phase of this attack.
After exploiting the vulnerability, the malicious document launches the downloaded payload, “olerender.html,” from a remote server. This HTML file initially contains a harmless script to hide its true intent. The latter part of the file hides the shellcode and injection process, advancing the attack when executed on the victim’s machine. The HTML file checks the system’s OS version and, if it detects an X64 architecture, extracts the “sc_x64” shellcode.
Following OS version detection and shellcode extraction, this file retrieves the Windows APIs “VirtualProtect” and “CreateThread.” These functions enable modifying memory permissions and executing the malicious shellcode, respectively. This shellcode acts as a downloader, initiating the next attack phase by fetching a file named “GoogleUpdate” from the attacker’s server.
Although its name seems innocuous, “GoogleUpdate” contains the core malicious payload, which is made to evade standard security measures. The shellcode decodes this payload using a key, which finally reveals the embedded malicious content.
The extracted payload is protected with VMProtect, enabling it to inject the MerkSpy spyware into crucial system processes. MerkSpy secretly operates within the system, capturing sensitive information, monitoring user activities, and sending data to remote servers controlled by attackers. It achieves persistence by posing as “Google Update,”, which would seem innocent to the naked eye, and perhaps even to the eye of an IT professional.
MerkSpy is used to capture screenshots, log keystrokes, retrieve Chrome login credentials, and access the MetaMask extension. The spyware then uploads the gathered data to the attacker’s server through a specific URL.
By exploiting CVE-2021-40444, threat actors can infiltrate user computers, steal sensitive information, and upload it for abuse. This malicious payload is just one example of why it is so crucial to update software when it becomes available. It may seem like a small inconvenience at the time, but if put off repeatedly, users leave themselves at the mercy of attackers.
Blacksuit Ransomware Attack on CDK Global and Auto Dealership Clients
The BlackSuit ransomware gang has been identified as the culprit behind a large-scale IT outage at CDK Global, which has disrupted operations for numerous car dealerships across North America. Sources who spoke anonymously revealed that CDK Global is currently negotiating with the ransomware group to obtain a decryptor and prevent the leak of stolen data. This situation arose after CDK was forced to shut down its IT systems and data centers to contain the spread, impacting their car dealership platform. Despite efforts to restore services, a second cybersecurity incident prompted another shutdown.
CDK Global’s platform is crucial for car dealerships, managing operations such as sales, financing, inventory, service, and administrative functions. The disruption has forced dealerships to revert to manual operations, severely impacting their ability to sell or service cars. Two major car dealership companies, Penske Automotive Group and Sonic Automotive, confirmed they were affected by the outage. Penske detailed the disruptions to its Premier Truck Group business in an SEC filing, while Sonic reported that its dealer management system and customer relationship management system were compromised. All affected dealerships are operating using alternative solutions.
Adding to the challenge, CDK has warned that threat actors are impersonating CDK agents to gain unauthorized access to dealership systems. Bloomberg News reported that the BlackSuit ransomware cartel is behind the attack, with a ransom demand initially set at $10 million but rumored to have increased to $50 million over the weekend. CDK is reportedly planning to pay off the ransomware group responsible for the shutdown. Meanwhile, the extensive reliance on CDK’s systems has plunged the auto retail industry into disarray, emphasizing the need for heightened security measures across third-party providers.
The attack underscores the broader implications of relying heavily on third-party vendors for critical business functions. The Research Team at AttackIQ pointed out that the interconnectedness of ecosystems means a breach of one provider, like CDK, can trigger widespread effects.
BlackSuit, which emerged in May 2023, is believed to be a rebrand of the Royal ransomware operation, a successor to the notorious Conti cybercrime syndicate. The FBI and CISA have linked Royal and BlackSuit to numerous global attacks and substantial ransom demands, highlighting the persistent threat posed by these sophisticated cybercriminals. The gang is notorious for data exfiltration and extortion, often publishing the data of victims who refuse to pay.
The ransomware group’s demands have ranged from approximately $1 million to $11 million in Bitcoin, putting CDK Global on the top end of the ransom demand spectrum. BlackSuit’s involvement in this high-profile attack underscores the ongoing risks and challenges posed by ransomware groups in the digital age.
Windows Wi-fi Driver Remote Code Execution Vulnerability (CVE-2024-30078)
On June 11th, Microsoft disclosed a significant vulnerability within the Windows Wi-Fi driver as part of its “Patch Tuesday” updates. This flaw, identified as CVE-2024-30078, allows for remote code execution by sending a specially crafted network packet, requiring no authentication or interaction from the victim. An attacker must simply be in range of the target Wi-Fi network. Due to its low exploitation complexity, the risk associated with this vulnerability is notably high. The urgency to address this security threat is paramount, as cybercriminals are already selling an exploit for $5000 USD. Affected Windows versions include several Windows 10/11 varieties, and Windows Server versions from 2008 to 2022.
Critical wget Vulnerabiltiy (CVE 2024-38428)
A critical security vulnerability, CVE-2024-38428, has recently been discovered in GNU Wget, a widely-used utility for retrieving files via HTTP, HTTPS, and FTP. This vulnerability affects versions up to 1.24.5 and stems from improper handling of semicolons in the userinfo subcomponent of a URI within the url.c file.
The core issue lies in how GNU Wget parses URIs containing semicolons. Specifically, data intended for the userinfo subcomponent can be incorrectly interpreted as part of the host subcomponent. This misinterpretation can lead to insecure behavior, potentially allowing attackers to manipulate the data flow and inject malicious content.
The global cyber threat level has continued to increase as a function of general global political unrest around the Middle East, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to increase. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility in identifying potential risks to an organization.
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.