Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (Senior SOC Analyst) and Ed Bailey (SOC Intern).
Top stories – 23 June 2023
- New Mystic Stealer malware targets 40 web browsers and 70 browser extensions
- US govt offers $10 million bounty for info on Clop ransomware
- Microsoft blames massive DDoS Attack for Azure, Outlook, and OneDrive disruptions
- Fresh Ransomware gangs emerge as market leaders decline
- Apple fixes zero-days used to deploy Triangulation spyware via iMessage
- Police cracks down on DDoS-for-hire service active since 2013
New Mystic Stealer malware targets 40 web browsers and 70 browser extensions
- New info-stealing malware targets browsers, extensions, wallets, Steam, Telegram. Uses obfuscation, C programming, Python control panel.
- Mystic Stealer communicates with 50 C2 servers via custom binary protocol over TCP. Author seeks suggestions on Telegram, caters to cybercriminals.
- Mystic Stealer is part of evolving info-stealer landscape with strains like Album, Aurora, Bandit, Devopt, Fractureiser, Rhadamanthys. Pikabot is modular trojan similar to QBot, has anti-analysis, backdoor capabilities.
A new information-stealing malware called Mystic Stealer has been discovered, which targets web browsers, web browser extensions, cryptocurrency wallets, Steam, and Telegram. It employs various obfuscation techniques to resist analysis. The malware was first advertised in April 2023 and is implemented in the C programming language, with the control panel developed using Python. In May 2023, an update introduced a loader component that retrieves and executes next-stage payloads from a command-and-control (C2) server, making it a more potent threat.
The malware communicates with the C2 servers using a custom binary protocol over TCP. There are currently around 50 operational C2 servers identified. The author of Mystic Stealer actively seeks suggestions for improvements through a dedicated Telegram channel, indicating efforts to cater to the cybercriminal community. Info-stealers have become popular in the underground economy as they serve as a foundation for launching financially motivated campaigns involving ransomware and data extortion. Mystic Stealer is part of the ever-evolving landscape of stealers, which also includes other strains like Album Stealer, Aurora Stealer, Bandit Stealer, Devopt, Fractureiser, and Rhadamanthys.
We also observe a modular malware trojan called Pikabot, which shares similarities with QBot in terms of distribution methods and behaviors. Pikabot implements anti-analysis techniques and offers backdoor capabilities.
US govt offers $10 million bounty for info on Clop ransomware
- Up to $10 million bounty for linking Clop ransomware attacks to foreign government.
- Clop ransomware exploits MOVEit Transfer vulnerability, conducts data theft attacks worldwide.
- State Department sets up Tor SecureDrop server to gather information on Clop ransomware and disrupt cybercriminal activities.
The U.S. State Department’s Rewards for Justice program has announced a bounty of up to $10 million for information linking the Clop ransomware attacks to a foreign government. The program, initially launched to gather information on terrorists, has expanded to include cyber criminals.
The Clop ransomware group recently conducted data-theft attacks on companies worldwide, exploiting a zero-day vulnerability in the MOVEit Transfer security file transfer platform. The attacks resulted in data breaches at various U.S. federal agencies, with the Clop group claiming to have stolen data from hundreds of companies. In an attempt to prevent future attacks, the Rewards for Justice program is offering the monetary reward to incentivize individuals, including other threat actors, to provide information on the Clop operation.
The program has set up a dedicated Tor SecureDrop server to receive tips. While the Clop group claims to delete stolen government data, federal agencies must assume the possibility of data abuse or acquisition by foreign governments. The State Department’s initiative aims to gather information and disrupt cybercriminal activities associated with the Clop ransomware attacks.
Microsoft blames massive DDoS Attack for Azure, Outlook, and OneDrive disruptions
- Microsoft attributes recent outages in Azure, Outlook, and OneDrive to Storm-1359, an unidentified threat actor group. No customer data was compromised.
- Storm-1359 launched layer 7 DDoS attacks, including HTTP(S) floods and Slowloris attacks. Anonymous Sudan claimed responsibility, but no direct link to Storm-1359 has been established.
- Flashpoint associates Storm-1359 with Anonymous Sudan, but its origins and motivations remain uncertain.
Microsoft has attributed recent service outages impacting Azure, Outlook, and OneDrive to an unidentified threat actor group known as Storm-1359. The attacks involved the use of multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. Microsoft clarified that no customer data was accessed or compromised, but some services experienced temporary availability issues.
The threat actor behind Storm-1359 launched layer 7 DDoS attacks, including HTTP(S) flood attacks, cache bypass techniques, and Slowloris attacks. While hacktivist group Anonymous Sudan has claimed responsibility for the attacks, Microsoft has not explicitly linked Storm-1359 to this group. Anonymous Sudan has been active in launching DDoS attacks against various organizations, and it is suspected to be connected to the Pro-Russian threat actor group KillNet. KillNet has engaged in DDoS attacks on healthcare entities hosted in Microsoft Azure and has established a “private military hacking company” named Black Skills. Anonymous Sudan has collaborated with KillNet and REvil to orchestrate cyber attacks on financial institutions.
The latest update from Flashpoint associates Storm-1359 with Anonymous Sudan, but questions about the group’s origins and motivations remain.
Fresh Ransomware gangs emerge as market leaders decline
- Ransomware victims increased in May, despite leading groups like LockBit and AlphaV observing a decline.
- New ransomware groups like Akira are targeting educational organizations with double extortion tactics.
- Ransomware groups employ various tactics, including single extortion and exploiting zero-day vulnerabilities, with the education sector being a prime target.
The number of ransomware victims increased in May compared to the previous month, despite a decline in observed victims for leading ransomware groups like LockBit and AlphaV. The GuidePoint Security GRIT report highlighted the emergence of new ransomware groups, including Akira, which has targeted educational organizations using a double extortion approach.
The report also identified other groups such as 8Base, Malas, Rancoz, and BlackSuit, each with their own tactics and targets. Some groups have shifted towards single extortion, focusing on exfiltrated data rather than encryption. Ransomware groups are following tactics they perceive as successful, with a trend towards single extortion likely to continue throughout 2023.
The education sector is increasingly targeted due to the availability of personally identifiable information and sensitive student data. Media attention, such as the cyberattack against the LA Unified School District, contributes to this trend. Ransomware groups are exploiting zero-day vulnerabilities en masse, as seen in the Cl0p attacks targeting the MOVEit vulnerability.
Strategic planning by threat actors, including timing the exploitation during holidays, is evident. While ransomware activity typically slows down during the summer, other groups may attempt to replicate the mass exploitation tactics seen in the Cl0p attacks, potentially offsetting declines in activity elsewhere.
Apple fixes zero-days used to deploy Triangulation spyware via iMessage
- Apple releases security updates to address actively exploited zero-day vulnerabilities used for Triangulation spyware installation on iPhones via iMessage.
- Kaspersky researchers discovered and reported the vulnerabilities (CVE-2023-32434 and CVE-2023-32435) exploited by the TriangleDB spyware.
- Apple denies allegations of providing a backdoor to the NSA and patches additional zero-day vulnerabilities, including a WebKit flaw (CVE-2023-32439) allowing arbitrary code execution.
Apple has released security updates to address three zero-day vulnerabilities that were being actively exploited to install Triangulation spyware on iPhones via iMessage zero-click exploits. The vulnerabilities, tracked as CVE-2023-32434 and CVE-2023-32435, were discovered and reported by Kaspersky researchers. The spyware, known as TriangleDB, is deployed in memory after exploiting a kernel vulnerability and is lost upon device reboot. The attackers reinfect the device by sending a malicious iMessage attachment.
The attacks, which began in 2019, are ongoing and have affected iPhones on Kaspersky’s network, including its Moscow office and employees in other countries. Russia’s FSB intelligence agency claimed that Apple provided the NSA with a backdoor to infect iPhones in Russia, but Apple denied these allegations. In addition, Apple patched a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher that allows arbitrary code execution. Apple has patched a total of nine zero-day vulnerabilities in 2023, including ones used to install commercial spyware and targeted at high-risk individuals.
The security updates cover various Apple devices and operating systems, including macOS, iOS, iPadOS, and watchOS.
Police cracks down on DDoS-for-hire service active since 2013
- Polish police arrest two suspects involved in operating a long-standing DDoS-for-hire service as part of international law enforcement operation PowerOFF.
- Valuable data collected from suspects’ server in Switzerland includes information on over 35,000 user accounts, 76,000 login records, and more than 320,000 unique IP addresses associated with the DDoS service.
- Records show buyers paid around $400,000 for 11,000 attack plans and over $44,000 for 1,000 other attack plans, highlighting the profitability of the DDoS-for-hire business.
Two suspects involved in operating a long-standing DDoS-for-hire service have been arrested by Polish police as part of an international law enforcement effort called Operation PowerOFF. Europol, the FBI, and law enforcement agencies from the Netherlands, Germany, and Belgium collaborated on the operation.
The arrests were made after Polish officers conducted ten searches and collected valuable data from the suspects’ server located in Switzerland. The evidence obtained included information on over 35,000 user accounts, 76,000 login records, and more than 320,000 unique IP addresses associated with the DDoS-for-hire service.
Additionally, the police found records of purchased attack plans, revealing that buyers paid approximately $400,000 for 11,000 attack plans and around $44,000 for over 1,000 other attack plans.
The operation is part of ongoing efforts by law enforcement agencies to dismantle DDoS-for-hire platforms. The FBI and the US Department of Justice have previously taken down multiple DDoS-as-a-service platforms and seized associated domains. The FBI warns that launching DDoS attacks, either through personal infrastructure or hiring booter services, is illegal and can result in criminal charges.