A new malvertising campaign carried out by the BlackCat ransomware group is using Google and Bing search ads. BlackCat is using enticing ads to lure users to a file transfer app that carries malicious payloads and malware. Through an ad for WinSCP, a file-copy program for Windows, users are redirected to a page that downloads an ISO file, and opening it completes the malware installation. Using legitimate, authorized commands, attackers obtain top-level admin control and install backdoor access into the system before restricting the original user’s access. Once inside and able to access information, the threat actors move in and out through the backdoor to obtain passwords and reach backup servers. Cobalt Strike, AdFind, AccessChk64, and findstr are four of the tools used to pull off the attack. These tools helped initiate the attack, bypass security measures, gather information, and locate XML files on the system. After this stage was complete, command-line tools were used to support the other tools across the platform. To exfiltrate customer data, the gang used the PuTTY Secure Copy client, and this activity helped identify the compromise linked to the MOVEit Transfer file attack. Attackers have found loopholes in many organizations, and the vulnerabilities uncovered by these threat actors have led to serious damage for many.
(Source: SCMedia)
Fortinet released an update last month addressing a security problem that has affected over 300,000 of its users. On June 11th, Fortinet made this vulnerability public and shipped several updated versions. Yet the patch wasn’t sufficient, and the remote code execution vulnerability, CVE-2023-27997, is still affecting thousands. The security issue was rated 9.8/10 on the severity scale. CVE-2023-27997 originated from a problem in the Fortinet operating system that hosts all the different components of FortiOS. Researchers used a search engine to count the number of devices exposed to the vulnerability, and almost half had already been updated to the latest version that Fortinet said resolved the ongoing attack. Researchers further found that some installations had not received a system update in eight years, leaving users’ firewalls exposed to the web.
(Source: BleepingComputer)
Meduza Stealer is a newly discovered malware on the Dark Web that uses advanced data theft capabilities to target Windows users. This unknown threat actor’s main intent is to steal browser data. Browsing history, account credentials, password manager contents, two-factor authentication data, etc. are all pieces of information that can be harvested from browser data. Further, once a device is infected, Meduza Stealer can obtain even more confidential information, such as geographical location, screenshots, and IP address. This malware can bypass detection tools, and its operator is communicating with other threat actors via the Dark Web to promote the campaign. Because of this, researchers are worried that this new malware could cause serious damage to organizations through data breaches.
(Source: InfoSecurityMagazine)
Chinese attackers are responsible for an ongoing campaign, active since December, called SmugX. SmugX is an HTML smuggling campaign. This group of attackers is targeting European government entities by placing malicious payloads inside HTML documents. The group has been linked to past activity attributed to the Chinese APTs RedDelta and Mustang Panda.
This newly identified campaign indicates a shift in Chinese threat actors’ techniques. Previously, these attackers targeted countries and regions such as Russia, Asia, and the United States; now this attack is primarily targeting European countries as well. In the global campaign, attackers are using USB drives to deliver malicious software and lure vulnerable victims in. In the most recent attack, SmugX used HTML documents containing malware and themed around political subject matter. One document used in the campaign was a letter from the Serbian embassy in Budapest. When a user opens the contaminated document, it executes JavaScript that carries the payload within it. PlugX, the RAT delivered, has been used by threat actors since 2008. This systematic process lets attackers carry out a range of activities from within a legitimate program. Attackers can create a hidden folder within the application and set a Run registry key for persistence.
(Source: DarkReading)
Cl0p, a Russian ransomware group, exposed MOVEit file transfer data at the beginning of June and, by the end of the month, had exposed the data of over 160 victims. Cl0p has methodically coordinated this campaign over the past two years. The group examined and analyzed the zero-day vulnerability and waited for the perfect opportunity to strike and exploit the acquired data. The group likely acquired the zero-day from a third party and conducted extensive research to gather information and carry out this highly developed campaign. Because of this ongoing success, the group’s strategy is influencing other attackers’ techniques. John Hammond, Dark Reading’s security threat researcher, stated that Cl0p has outlined a business model for ransomware attacks, which could lead other gangs to adopt this approach and learn from this successful extortion campaign.
The number of zero-day supply chain attacks can be minimized by companies being proactive and having bug bounty programs in place. Further, the frantic responses to the MOVEit breach have created more chaos. Omkhar Arasaratnam, manager of the Open Security Foundation, compares this situation to a paramedic arriving on scene: if the medics arrive panicked, it doesn’t solve the problem. Hence, security professionals should take a calm approach and deal with the situation in a collected manner.
(Source: DarkReading)