Vercara’s Open-Source Intelligence (OSINT) Report – August 30 – September 5, 2024

U.S. seizes 32 pro-Russian propaganda domains in major disinformation crackdown. 

(TLP: CLEAR) Recent reporting has highlighted the U.S. Department of Justice’s seizure of 32 internet domains linked to the pro-Russian propaganda campaign known as Doppelganger, as part of a wider initiative to disrupt foreign influence operations. Allegedly directed by the Russian government, this campaign aimed to subtly spread propaganda, weaken international support for Ukraine, and bolster pro-Russian sentiment while influencing voters ahead of the 2024 U.S. Presidential Election. Key players in the operation—Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog—were identified as working under the Russian Presidential Administration. These entities deployed tactics such as typosquatting on legitimate news platforms, alongside using influencers, fabricated profiles, and paid advertisements to redirect traffic to Kremlin-controlled disinformation websites. Along with seizing the domains, the U.S. Treasury Department sanctioned 10 individuals and two organizations for their role in undermining U.S. elections. Several sanctions targeted executives at RT, who secretly recruited American influencers and hid their involvement through front companies to propagate disinformation. Additionally, the U.S. State Department has also introduced a new policy aimed at restricting visa issuance for individuals working on behalf of Kremlin-backed media outlets. This policy specifically targets organizations such as Rossiya Segodnya and its affiliates, including RIA Novosti, RT, TV-Novosti, Ruptly, and Sputnik, which have now been designated as foreign missions. This designation mandates that these entities report their personnel and property assets within the United States, enhancing transparency around their operations and curbing potential influence campaigns. 

(TLP: CLEAR) Comments: The aforementioned actions reflect the U.S. government’s intensified effort to curb Russian disinformation campaigns ahead of the 2024 election. At the same time, China’s influence operations, particularly the Spamouflage campaign, have become increasingly prominent. This campaign has been amplifying divisive narratives within U.S. election debates, taking aim at both Democratic and Republican candidates. According to reporting, various political topics like gun control for example, have been manipulated to deepen political polarization, mirroring tactics observed in Russia’s disinformation playbook. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:  

• “Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.  
• “Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command and control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.  
• “Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.   
• “Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://thehackernews.com/2024/09/us-seizes-32-pro-russian-propaganda.html   

FBI: RansomHub ransomware breached 210 victims since February. 

(TLP: CLEAR) Recent reporting highlights the latest joint advisory warning issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS). The advisory specifically addresses “RansomHub”, a sophisticated ransomware-as-a-service (RaaS) operation that has targeted more than 210 victims since February 2024. This criminal enterprise has affected numerous critical infrastructure sectors, including water and wastewater systems, information technology, government services, healthcare, emergency response, food and agriculture, financial services, commercial facilities, manufacturing, transportation, and communications. According to recent reporting, RansomHub operates under a double-extortion model, where attackers not only encrypt critical systems but also steal sensitive data, using it as leverage to demand ransom payments. As a RaaS platform, RansomHub thrives on a network of affiliates who breach victim networks and execute the ransomware attack. In return, these affiliates receive a portion of the ransom, allowing the RansomHub operators to scale their attacks widely and efficiently. This decentralized, affiliate-driven model enables RansomHub to remain a pervasive and evolving threat across multiple sectors, posing significant risks to the security and resilience of critical infrastructure. To aid organizations in defending against potential RansomHub intrusions, the FBI, CISA, MS-ISAC, and HHS have published a comprehensive breakdown of the tactics, techniques, and procedures (TTPs) used by the ransomware group, along with key indicators of compromise (IOCs) identified in RansomHub attacks. These resources provide critical insights to help organizations detect and mitigate the threat more effectively. 

(TLP: CLEAR) Comments: Despite launching operations earlier this year, RansomHub has quickly gained significant traction in the ransomware ecosystem. Based on data provided by the aforementioned agencies, RansomHub led the ransomware charts in August 2024, surpassing well-established groups like LockBit in attack volume. The group’s ransomware-as-a-service (RaaS) model has become increasingly appealing to affiliates, including those from high-profile groups like BlackCat and LockBit, both of which have experienced law enforcement crackdowns. As more affiliates join RansomHub’s ranks—facilitating initial network access and executing encryption on its behalf—the number of targeted organizations continues to increase.  

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-breached-210-victims-since-february/  

‘Voldemort’ Malware curses organizations using global tax authorities. 

(TLP: CLEAR) Recent intelligence reporting has revealed a highly sophisticated malware campaign known as “Voldemort”, that is actively targeting organizations worldwide by masquerading as tax authorities across Europe, Asia, and the United States. Since its launch on August 5, the campaign has affected dozens of organizations, with over 20,000 phishing attempts recorded, according to Proofpoint. Voldemort employs a custom backdoor written in C, specifically designed for data theft and deploying secondary malicious payloads. According to investigators, the malware leverages Google Sheets for its command-and-control (C2) operations and exploits files containing compromised Windows search protocols. Once a victim downloads the malware, it uses a legitimate version of WebEx to load a malicious DLL, which establishes a connection to the C2 server, allowing the attackers to retain full control over the infected system. Furthermore, reporting indicates that the malware campaign saw an escalation in activity on August 17, with nearly 6,000 phishing emails sent in a single day, predominantly posing as tax authorities like the U.S. Internal Revenue Service (IRS), the UK’s HM Revenue & Customs, and France’s Direction Générale des Finances Publiques. These emails were meticulously crafted in the local languages of the targeted regions and sent from what appeared to be compromised domains, leveraging legitimate-looking domain names to increase trustworthiness. While the exact motive of the campaign remains uncertain, investigators suggest it is likely geared towards espionage, given the malware’s advanced capabilities in intelligence gathering and delivering additional malicious payloads. 

(TLP: CLEAR) Comments: Although the specific threat actor remains unidentified, the operation exhibits a blend of advanced persistent threat (APT) tactics combined with cybercrime methodologies. Future activity from the “Voldemort” malware campaign is likely to escalate as attackers continue to refine their techniques and broaden their target base, focusing on espionage and data theft. To mitigate this risk, organizations should strengthen their defenses against phishing and enhance monitoring for unusual command-and-control (C2) traffic or unauthorized DLL loads. Without proactive monitoring of traffic linked to specific indicators of compromise, these attacks may go undetected. This tactic, classified as T1567.002 in the MITRE ATT&CK framework, highlights the importance of tracking network connections to cloud services—particularly those involving non-browser processes or large data transfers. Additional indicators of compromise can be found at the following link – https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.”  One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Detection Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:  

• The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
• The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
• The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
• The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities  

‘Initial access brokers’ target $2bn revenue companies. 

(TLP: CLEAR) Recent intelligence reporting has revealed that the United States was the primary target of the Initial Access Broker (IAB) market in 2023, with 48% of attacks focusing on U.S. organizations, particularly those in the business services sector (29%), followed by finance (21%), retail (19%), technology (17%), and manufacturing (14%). In 2024, the trend shifted toward targeting large enterprises with annual revenues exceeding $1 billion, accounting for 27% of all initial access listings. Cyberint noted that most IAB listings are priced between $500 and $2,000 for corporate access, with occasional high-value listings surpassing $10,000. To counter these threats, organizations must adopt a multi-layered security strategy, combining technical defenses and organizational policies to reduce exploitable vulnerabilities that could grant attackers initial access. Additionally, investigators have identified three main types of Initial Access Brokers (IABs) fueling the majority of ransomware attacks today: brokers selling access to systems compromised via malware or backdoors, those offering access to servers breached through exposed Remote Desktop Protocol (RDP), and those dealing in compromised network devices. In 2023, servers exposed through RDP were the dominant access point, making up over 60% of the market. However, by 2024, VPN access saw a significant rise, nearly overtaking RDP as the preferred method of compromise, with VPN access accounting for 45% of attacks compared to RDP’s 41%. 

(TLP: CLEAR) Comments: WordPress Initial access brokers (IAB) are defined as cyber threat actors who seek to procure access to various organizations networks in order to sell them to other cyber threat actors. One of the most common types of buyers is the cybercriminal who uses network access for financial gain. However, IABs sell to all types of CTAs, including nation-state actors. To defend against Initial Access Brokers (IABs), implementing multi-factor authentication (MFA) is crucial, as it bolsters security by requiring multiple forms of verification before granting access to applications or accounts. Additionally, enforcing the Principle of Least Privilege (PoLP) ensures users are granted only the minimal permissions necessary to complete their tasks, reducing the risk of unauthorized access and limiting potential attack vectors. Together, these measures create a strong defense against IAB-related threats. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:   
“Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.  
“Actively running and up to date as applicable.   
“Generating audit logs.   
“Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 24 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

• The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
• The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
• The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
• The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.infosecurity-magazine.com/news/initial-access-brokers-2bn-revenue/ 

Source: https://cyberint.com/blog/research/a-deep-dive-into-initial-access-brokers-trends-statistics-tactics-and-more/  

North Korea’s ‘Citrine Sleet’ APT exploits zero-day chromium bug. 

(TLP: CLEAR) Recent reporting indicates that on August 19, 2024, the North Korean-affiliated threat actor known as Citrine Sleet exploited a zero-day vulnerability in Chromium to achieve remote code execution (RCE) on targeted systems. This vulnerability, identified as CVE-2024-7971, is a type of confusion bug within Chromium’s V8 JavaScript and WebAssembly engine, affecting versions prior to 128.0.6613.84. Google swiftly released a patch on August 21, 2024, to mitigate the issue. Citrine Sleet, linked to North Korea’s Reconnaissance General Bureau, primarily targets financial institutions and cryptocurrency entities. The group employs advanced social engineering tactics, including the creation of fake websites and the distribution of malicious cryptocurrency wallets or trading applications, to lure victims. Once access is gained, they deploy the AppleJeus Trojan to steal credentials and exfiltrate sensitive data, with the ultimate goal of siphoning cryptocurrency assets from their victims. Additionally, the CVE-2024-7971 exploit chain relies on several components to successfully compromise a target, and the attack is rendered ineffective if any of these components, such as CVE-2024-38106, are blocked. On August 13, 2024, Microsoft issued a security update addressing CVE-2024-38106, which was exploited by the threat actor Diamond Sleet. This update also disrupts the CVE-2024-7971 exploit chain on patched systems. Organizations that have not yet applied these critical updates are strongly advised to do so immediately to safeguard their environments. Maintaining up-to-date operating systems and applications is essential to fortifying the security of any network infrastructure.  

(TLP: CLEAR) Comments: Citrine Sleet’s exploitation of CVE-2024-7971 underscores the significant and evolving threat posed by North Korean state-sponsored actors within the cybersecurity landscape. This attack reflects their advanced tactics and persistence, as they invest considerable resources into uncovering and leveraging zero-day vulnerabilities to maintain persistence and facilitate lateral movement. The focus on the cryptocurrency sector aligns with North Korea’s strategic use of cybercrime to generate revenue and support its illicit activities. The deployment of a zero-day exploit further highlights the group’s access to sophisticated capabilities and intelligence, making them a formidable threat in the global threat landscape. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.  

Source: https://www.darkreading.com/vulnerabilities-threats/north-korean-apt-exploits-novel-chromium-windows-bugs-steal-crypto 

Source: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/