New Black Basta Ransomware Springs into Action with a Dozen Breaches
Published April 27, 2022
The Black Basta ransomware group first appeared in the second week of April 2022 and has since breached at least twelve companies.
One notable example is the attack on the US-based American Dental Association (ADA): Black Basta started leaking ADA’s data but then withdrew it, likely because of ransom negotiations.
Black Basta shows signs of being an experienced ransomware group that has gone through a rebranding. MalwareHunterTeam and other researchers assess with medium confidence that Black Basta is a rebrand of Conti ransomware, which is operated by the threat group Wizard Spider.
As with other forms of cyber-attack, it is crucial that organizations keep their systems secure and protected. This includes patch management, hardened security controls and practices, regular backups, and effective remediation of identified security problems.
Policies should be updated to cover how to respond to these double-extortion attacks.
VMWare Identity Manager Attack: New Backdoor Discovered
Published April 25, 2022
On April 6, 2022, VMware patched a number of vulnerabilities, including a remote code execution (RCE) vulnerability in VMware Workspace ONE Access (formerly VMware Identity Manager), CVE-2022-22957.
On April 11, a proof-of-concept for this RCE was published, and on April 13 it started to be exploited in the wild. Morphisec researchers detected exploitation used to launch reverse HTTPS backdoors, mainly Cobalt Strike, Core Impact, or Metasploit payloads. Core Impact is a penetration testing tool developed by Core Security and abused by the attackers.
The attack flow starts with exploitation to deploy a PowerShell stager, which downloads a large, highly obfuscated PowerShell script identified as the PowerTrash Loader. The loader decompresses its deflated payload, a Core Security agent, and reflectively loads it into memory.
Organizations running VMware’s identity and access management products should immediately apply the VMware patches or consider virtual patching. Make sure the affected identity and access management components are not accidentally exposed to the internet.
Emotet Malware Infects Users Again after Fixing Broken Installer
Published April 25, 2022
Threat group Mummy Spider adopted a new way to deliver Emotet, its modular stealer-downloader.
The first wave of malspam failed to infect victims because of a file-referencing error in the LNK dropper code, but Mummy Spider had fixed it by April 25, 2022.
This new malspam campaign uses password-protected ZIP archive attachments containing Windows shortcut (LNK) droppers masquerading as Microsoft Word documents.
When the user executes the LNK dropper, it searches its own contents for a marker string, copies everything after that string into a Visual Basic Script (VBS) file, and executes it.
Defenders are advised to block .LNK files in incoming email attachments, including those inside password-protected archives.
Block .VBS execution from temporary folders.
Encourage users to report unwarranted, suspicious emails, especially those carrying password-protected archives, to the sysadmin instead of clicking through them.
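As an added illustration of the first recommendation (this is not code from the original post or from any vendor), the following Python screens a ZIP attachment for LNK or VBS entries by entry name alone, which works even for password-protected archives because ZIP encryption does not hide file names. The sample archive, its file names and the `.doc.lnk` masquerading pattern are constructed assumptions; this same attachment check applies to the LNK-based lures in the APT37 and Quantum items below.

```python
import io
import re
import zipfile

# Extensions the guidance above says should not arrive in mail attachments or archives.
BLOCKED_EXTENSIONS = {".lnk", ".vbs"}
# The droppers are LNK files posing as Word documents, e.g. "Invoice.doc.lnk" (assumed naming).
WORD_DOUBLE_EXT = re.compile(r"\.docx?\.lnk$", re.IGNORECASE)


def inspect_zip_attachment(data: bytes) -> dict:
    """Screen a ZIP attachment by entry name only, without extracting or decrypting it.

    ZIP encryption (ZipCrypto and WinZip AES) protects only file contents; the entry
    names in the central directory are stored in the clear, so a password-protected
    archive can still be checked for LNK/VBS entries at the mail gateway.
    """
    findings = {"encrypted": False, "blocked": [], "masquerading": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry data is encrypted
                findings["encrypted"] = True
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in BLOCKED_EXTENSIONS:
                findings["blocked"].append(name)
            if WORD_DOUBLE_EXT.search(name):
                findings["masquerading"].append(name)
    findings["verdict"] = "quarantine" if findings["blocked"] else "allow"
    return findings


def build_sample_archive(names) -> bytes:
    """Construct an in-memory ZIP with placeholder contents (constructed test data, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder bytes, not a real shortcut or script")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_archive(["Invoice_2022-04.doc.lnk", "readme.txt"])))
    print(inspect_zip_attachment(build_sample_archive(["report.docx"])))
```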
North Korean Hackers Targeting Journalists with Novel Malware
Published April 25, 2022
Stairwell researchers describe a multi-stage spear-phishing attack on NK News, a US-based news outlet covering North Korea.
The attack is attributed to the North Korea-sponsored group APT37 (Ricochet Chollima, ScarCruft).
Before the attack, APT37 compromised the computer of a former South Korean intelligence official, stole his past email correspondence with the NK News founder, and registered a look-alike email address.
They also typosquatted the NK News domain by registering it under the .US top-level domain (TLD) instead of .COM.
The infection chain required the user to extract and execute an attached LNK file, which sequentially ran PowerShell and shellcode stages that downloaded additional malware, abusing Microsoft OneDrive and Google Drive file storage as hosting.
The final payload, Goldbackdoor, shares code similarities with Bluelight malware attributed to APT37 by Volexity in August 2021.
Keep offline antivirus capabilities available, as APT37 pads its malicious attachments to make them too large for online analysis. Some foreign spear-phishing attempts can be identified by minor inconsistencies in grammar or even cultural context. In the described case, the target became suspicious of the request for help getting a book published in the US, a task that is not especially complicated.
Published April 25, 2022
Researchers with The DFIR Report detail a March 2022 domain-wide ransomware attack with an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes.
In the first stage of the attack, a user in the organization opened a phishing ISO attachment and executed the embedded LNK file, resulting in an IcedID infection. The actors gathered system and network information and created a scheduled task for IcedID persistence.
During the second hour of the attack, they spawned a cmd.exe process and injected Cobalt Strike into it, then proceeded with domain and network discovery and stole credentials from LSASS memory.
During the third hour, the attackers used the stolen credentials to access one of the organization’s servers remotely over RDP, deployed Cobalt Strike on it on the second attempt, and moved laterally to other Domain Controllers and file servers in the environment.
Finally, during the fourth hour, the attackers staged the Quantum ransomware executable on the Domain Controller, delivered it to individual machines via Admin Shares, and executed it via WMIC and PsExec from the Domain Controller.
Attackers can encrypt an organization’s machines just a couple of hours after an employee opens a phishing email. Defenders should implement continuous network monitoring and consider 24/7 security operations center (SOC) coverage so that detected warnings are acted on in a timely manner.
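To show what the monitoring recommended above can catch, here is an added detection example (not code from The DFIR Report or the original post) that runs simple rules over constructed, Sysmon-style process-creation events mirroring the chain just described: the IcedID scheduled task, payload staging on an admin share, and WMIC/PsExec fan-out from the Domain Controller. The log format, host names, user names and file names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, simplified) that mirror the
# Quantum intrusion steps above. Fields: time|host|user|parent|image|command line.
EVENTS = r"""
09:01:10|WS01|corp\jdoe|explorer.exe|cmd.exe|cmd.exe /c rundll32 C:\Users\jdoe\AppData\Local\Temp\dar.dll,init
09:02:40|WS01|corp\jdoe|cmd.exe|schtasks.exe|schtasks /create /tn Updater /tr "rundll32 C:\Users\jdoe\AppData\Local\Temp\dar.dll,init" /sc hourly
12:30:05|DC01|corp\admin|explorer.exe|wmic.exe|wmic /node:WS02 process call create "cmd.exe /c \\DC01\C$\share\qlocker.exe"
12:30:09|DC01|corp\admin|explorer.exe|wmic.exe|wmic /node:FS01 process call create "cmd.exe /c \\DC01\C$\share\qlocker.exe"
12:30:15|DC01|corp\admin|cmd.exe|psexec.exe|psexec.exe \\WS03 -c -f \\DC01\C$\share\qlocker.exe
12:31:02|WS04|corp\svc|services.exe|PSEXESVC.exe|C:\Windows\PSEXESVC.exe
"""

# Each rule maps one step of the described chain to a command-line pattern.
RULES = [
    ("temp_persistence", re.compile(r"schtasks(\.exe)?\s+/create.*\\Temp\\", re.I)),    # IcedID scheduled task
    ("remote_wmic_exec", re.compile(r"wmic(\.exe)?\s+/node:", re.I)),                  # WMIC push to a remote host
    ("psexec_lateral", re.compile(r"(^|\\)psexec(\.exe)?\s+\\\\|PSEXESVC\.exe", re.I)),  # PsExec client or service
    ("admin_share_staging", re.compile(r"\\\\[^\\\s]+\\(C\$|ADMIN\$)\\", re.I)),        # payload run from an admin share
]
# Extracts the remote target of a WMIC or PsExec command so fan-out can be measured.
TARGET = re.compile(r"/node:(\S+)|psexec(?:\.exe)?\s+\\\\(\S+)", re.I)

def parse(line):
    time, host, user, parent, image, cmdline = line.split("|", 5)
    return {"time": time, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}

def detect(log_text, min_targets=2):
    """Return per-event rule hits and the hosts that pushed execution to >= min_targets machines."""
    alerts, fanout = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        hits = [name for name, rx in RULES if rx.search(ev["cmdline"])]
        if hits:
            alerts.append((ev["time"], ev["host"], hits))
        m = TARGET.search(ev["cmdline"])
        if m:
            fanout[ev["host"]].add(m.group(1) or m.group(2))
    # One host driving WMIC/PsExec at several peers within minutes is the domain-wide deployment signature.
    spread = {src: sorted(t) for src, t in fanout.items() if len(t) >= min_targets}
    return alerts, spread

if __name__ == "__main__":
    alerts, spread = detect(EVENTS)
    for alert in alerts:
        print(alert)
    print("fan-out:", spread)
```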
Mummy Spider is a cybercrime actor first identified by the security community in June 2014.
Mummy Spider is associated with the Emotet malware, which it used initially as a banking trojan but has updated over time to function as a modular downloader.
Mummy Spider operates Emotet as a service, and it has been used to deliver multiple malware families, including Cobalt Strike, IcedID, Gootkit and TrickBot.
Mummy Spider targets all industries on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.
Malicious activity conducted by the China-based cyberespionage group Mustang Panda was first identified by CrowdStrike in April 2017 and later publicly reported under the name Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.
Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, an open-source Java package used to provide logging. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently disclosed to the public on December 9, 2021.
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
CVE-2022-22957 & CVE-2022-22958
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 and CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.