Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
ENISA warns about hacktivist, ransomware crossover.
(TLP: CLEAR) The European Union Agency for Cybersecurity (ENISA) recently issued a warning about a concerning trend where hacktivist groups and ransomware gangs are collaborating more frequently, leading to an increase in attacks. These attacks, which combine elements of ransomware with hacktivist-driven denial-of-service (DoS) campaigns, have become one of the most significant threats to EU member states over the past year. Recent reporting derived from ENISA highlighted that this crossover poses a particularly complex challenge due to the blending of politically motivated hacktivism with financially motivated ransomware attacks. Hacktivists, who traditionally focus on ideological goals, are now leveraging ransomware tools to disrupt services while also extorting financial gain, often under the guise of activism. The report also notes the emerging threat of nation-state actors collaborating with these groups, which adds another layer of complexity to cyber defense strategies. This shift makes it more difficult for organizations to distinguish between purely criminal motivations and politically driven cyber campaigns, thus complicating mitigation efforts.
(TLP: CLEAR) Comments: The growing collaboration between hacktivist groups and ransomware gangs described in this reporting reiterates the dangerous convergence of political activism and cybercrime. This hybridization significantly complicates defensive measures, as the motives behind attacks become increasingly blurred. Hacktivists adopting ransomware tactics, often in alignment with state-backed actors, create an evolving threat landscape in which financial extortion and political agendas coalesce. Organizations must now address not only criminal threats but also state-sponsored campaigns that leverage hacktivist ideology, which requires more sophisticated attribution and response strategies to defend against these multi-dimensional threats.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://www.databreachtoday.com/enisa-warns-about-hacktivist-ransomware-crossover-a-26333
Over 300,000! GorillaBot: The new king of DDoS attacks.
(TLP: CLEAR) Recent intelligence reporting highlights ‘GorillaBot’, a new distributed-denial-of-service (DDoS) botnet that has rapidly escalated into a major threat, launching over 300,000 attacks globally. According to investigators, the botnet is built on the notorious Mirai botnet code and employs attack vectors like UDP, ACK BYPASS, and VSE floods, using a modified Mirai trojan with 19 distinct observed DDoS vectors. GorillaBot boasts advanced encryption, persistence, and honeypot evasion, and exploits vulnerabilities such as Hadoop YARN, showcasing its sophisticated capabilities. This evolution makes GorillaBot a formidable adversary in global cybersecurity, posing significant risks across industries by targeting vulnerable systems through extensive DDoS attack strategies. The deployment of dual encryption and persistence mechanisms, including custom service files and counter-honeypot tactics, demonstrates the botnet’s resilience and complexity. Additionally, its use of known malware techniques tied to the KekSec group (the threat group behind EnemyBot) raises concerns about attribution, suggesting that GorillaBot may either collaborate with the group or conceal its identity behind the group’s infrastructure. With a multi-faceted approach, GorillaBot exemplifies the advanced threats posed by modern botnets. Its scale and sophistication present an increased challenge to cybersecurity defenses, particularly in the U.S. and China, necessitating enhanced mitigation efforts to counter its evolving capabilities.
(TLP: CLEAR) Comments: Active since at least 2016, the Keksec group is a cybercrime gang known for developing and deploying various malware strains, including EnemyBot, a botnet designed primarily for DDoS attacks and cryptomining. Keksec specializes in exploiting vulnerabilities in Linux and IoT devices and frequently uses leaked source code, such as Mirai and Gafgyt, to create more sophisticated and adaptable botnets. The rapid escalation of GorillaBot as a DDoS threat underscores the growing risk posed by botnets exploiting vulnerable IoT devices. Its use of Mirai’s code and multi-vector attack capabilities highlights a sophisticated approach to overwhelming critical infrastructure, particularly in the energy and healthcare sectors. The adaptability of GorillaBot raises concerns for network defenders, as its ability to launch coordinated, large-scale attacks demonstrates the increasing complexity of modern DDoS threats.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) Vercara: Vercara’s DDoS mitigation solution, UltraDDoS Protect, is operated by our dedicated, 24/7 Security Operations Center, which works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
Source: https://securityboulevard.com/2024/09/over-300000-gorillabot-the-new-king-of-ddos-attacks/
‘SloppyLemming’ APT abuses Cloudflare service in Pakistan attacks.
(TLP: CLEAR) The ‘SloppyLemming’ APT group, tracked as ‘Outrider Tiger’ by CrowdStrike, has recently been linked to a series of Indian state-sponsored cyber operations. According to reporting, the group has recently conducted a precise espionage campaign aimed at government, law enforcement, and critical infrastructure in countries including India, Pakistan, Bangladesh, Sri Lanka, and China, with indications of possible targeting in Australia. Their operations demonstrate a high degree of sophistication, reflecting the group’s strategic focus on destabilizing key sectors across the region. Additionally, their tactics include leveraging cloud services such as Cloudflare Workers, Discord, Dropbox, and GitHub to launch phishing attacks aimed at credential harvesting and email compromise. By exploiting Cloudflare’s infrastructure, the group obscures its malicious traffic, making detection difficult while infiltrating sensitive targets. Notably, their operations have disrupted critical entities like Pakistan’s nuclear facility and law enforcement agencies, highlighting the increasing sophistication of their cyber campaigns.
(TLP: CLEAR) Comments: SloppyLemming has engineered a sophisticated credential-stealing tool, “CloudPhish,” which replicates target webmail login pages by scraping HTML content. Once users input their credentials, they are exfiltrated via Discord webhooks. The group also harvests Google OAuth tokens using malicious Cloudflare Workers in specific cases. Additionally, SloppyLemming directs victims to Dropbox URLs hosting a malicious RAR file that exploits a critical WinRAR vulnerability (CVE-2023-38831). After successful exploitation, a Remote Access Tool (RAT) is deployed, utilizing Cloudflare Workers for command-and-control, showcasing the group’s skill in repurposing legitimate cloud services for malicious purposes.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used together with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurred via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports four distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.
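As an added illustration of the network-level detection described above and of how layered engines like these combine, here is a small Python policy check run over a constructed DNS query log. It is example code written for this summary, not UltraDDR's implementation; the policy entries, category feed, custom rule, hostnames and addresses are all made up (addresses use reserved documentation ranges).

```python
import ipaddress
import re

# Constructed toy policy (not a real feed): one entry per engine described above.
POLICY = {
    "allow_fqdns": {"mail.corp.example"},              # allow list overrides all
    "block_fqdns": {"login.webmail-verify.example"},   # exact FQDN block list
    "block_domains": {"bad-actor.example"},            # domain and all subdomains
    "block_cidrs": [ipaddress.ip_network("192.0.2.0/24")],  # matched on answers
    "category_of": {"video-site.example": "streaming"},     # constructed category feed
    "block_categories": {"phishing", "streaming"},     # categories switched on
    "custom_rules": [("long-random-leading-label", re.compile(r"^[a-z0-9]{16,}\."))],
}

def suffixes(fqdn):
    """'a.b.example.' -> ['a.b.example', 'b.example', 'example']."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def evaluate(policy, fqdn, answers=()):
    """Run the engines in order; return (verdict, engine, reason)."""
    names = suffixes(fqdn)
    if names[0] in policy["allow_fqdns"]:
        return ("allow", "lists", "allow list")
    if names[0] in policy["block_fqdns"]:
        return ("block", "lists", "FQDN block list")
    for n in names:                      # parent-domain match covers subdomains
        if n in policy["block_domains"]:
            return ("block", "lists", f"domain block list: {n}")
    for ip in answers:                   # resolved answer inside a blocked CIDR
        if any(ipaddress.ip_address(ip) in net for net in policy["block_cidrs"]):
            return ("block", "lists", f"answer {ip} in blocked CIDR")
    for n in names:                      # category feed lookup on any suffix
        if policy["category_of"].get(n) in policy["block_categories"]:
            return ("block", "categories", f"{n}: {policy['category_of'][n]}")
    for name, pattern in policy["custom_rules"]:   # administrator-defined rules
        if pattern.search(names[0]):
            return ("block", "ruleset", name)
    return ("allow", "none", "no engine matched")

def triage(log_lines, policy=POLICY):
    """Lines are constructed 'ts client qname qtype answer' records."""
    rows = [line.split() for line in log_lines]
    return [(r[2].rstrip("."),) + evaluate(policy, r[2], [r[4]]) for r in rows]

SAMPLE_LOG = [  # constructed query log, one resolved answer per line
    "2024-09-30T08:01:02Z 10.0.0.12 mail.corp.example. A 198.51.100.7",
    "2024-09-30T08:01:05Z 10.0.0.12 login.webmail-verify.example. A 203.0.113.45",
    "2024-09-30T08:02:11Z 10.0.0.33 cdn.bad-actor.example. A 203.0.113.9",
    "2024-09-30T08:03:40Z 10.0.0.33 update.some-host.example. A 192.0.2.77",
    "2024-09-30T08:04:00Z 10.0.0.41 stream.video-site.example. A 198.51.100.20",
    "2024-09-30T08:05:00Z 10.0.0.41 a1b2c3d4e5f6g7h8.dyn-host.example. A 198.51.100.21",
    "2024-09-30T08:06:00Z 10.0.0.41 www.news-site.example. A 198.51.100.30",
]
```

Calling `triage(SAMPLE_LOG)` returns one (qname, verdict, engine, reason) tuple per line, which shows which engine fired first and why; the allow list is checked first so that a known-good host is never blocked by a broad category or CIDR entry.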
Source: https://www.darkreading.com/cloud-security/sloppylemming-apt-cloudflare-pakistan-attacks
DragonForce ransomware expands RaaS, targets firms worldwide.
(TLP: CLEAR) This intelligence reporting underscores the increasing threat posed by Ransomware-as-a-Service (RaaS) operations, with DragonForce emerging as a key player. According to reporting, between August 2023 and August 2024, DragonForce ransomware claimed 82 victims, with 43 of those attacks occurring in the United States. The group leverages dual ransomware variants, LockBit 3.0 and ContiV3, to target industries like manufacturing, real estate, and transportation. Their tactics include double extortion (encrypting data while threatening to leak it) and advanced evasion techniques like “Bring Your Own Vulnerable Driver” (BYOVD), increasing their effectiveness across sectors. Furthermore, DragonForce’s RaaS program, launched in June 2024, offers its affiliates extensive customization options, allowing them to disable security features, adjust encryption parameters, and craft unique ransom notes for tailored attacks. This flexibility enables affiliates to maximize the impact on their chosen targets. To enhance evasion, the group employs the BYOVD technique to bypass security defenses and erases Windows Event Logs to hinder forensic efforts. The group utilizes tools like SoftPerfect Network Scanner for reconnaissance and SystemBC and Cobalt Strike for lateral movement and credential harvesting, ensuring sophisticated network infiltration.
(TLP: CLEAR) Comments: DragonForce’s rapid expansion and ability to swiftly adapt its tactics, techniques, and procedures (TTPs) represent a serious global threat to businesses, particularly in critical sectors like manufacturing and transportation. Their dual ransomware approach, utilizing both LockBit and ContiV3 variants, provides significant advantages while their inclusion of SystemBC further complicates their attack chain, facilitating persistent access and lateral movement.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://hackread.com/dragonforce-ransomware-expands-raas-targets-firms/
Source: https://www.group-ib.com/blog/dragonforce-ransomware/
Ivanti warns of another critical CSA flaw exploited in attacks.
(TLP: CLEAR) Ivanti has disclosed a critical vulnerability (CVE-2024-8963) in its Cloud Services Appliance (CSA) that allows unauthenticated attackers to bypass authentication and potentially execute malicious commands through a path traversal exploit. Discovered on September 13, 2024, this flaw can be chained with a previous vulnerability (CVE-2024-8190) for deeper system compromise. While Ivanti has patched the issue in version 519 by disabling some functionality, older CSA versions, such as 4.6, remain vulnerable and unsupported, leaving unpatched systems at serious risk. Additionally, this vulnerability’s active exploitation presents a high-risk scenario for organizations relying on Ivanti’s CSA infrastructure, especially those running unsupported versions. The path traversal weakness offers attackers an entry point to sensitive functionality, and the potential to chain it with CVE-2024-8190 amplifies the threat by enabling remote command execution. According to reporting, this scenario could lead to significant data breaches or the disruption of services. Ivanti’s decision to release patches for newer versions underscores the urgency of applying updates, but the lack of support for legacy versions poses a notable challenge for enterprises using outdated systems.
(TLP: CLEAR) Comments: The recent disclosure of Ivanti’s critical CSA vulnerability (CVE-2024-8963) amplifies concerns over supply chain risks and the importance of timely software updates. When combined with CVE-2024-8190, this flaw presents a significant threat to organizations using Ivanti’s CSA for secure access. Immediate patching and upgrading to supported versions are essential to prevent exploitation.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.
“WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can provide you with protection in the way that you need it. UltraWAF allows security postures that assume that all traffic is allowed – except an already identified threat or an attack (negative security) – or zero trust models where all traffic is denied unless explicitly permitted (positive security).
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.