Top 5 Cyber Threat Groups Raising Serious Security Alarms (June 2024)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five recently encountered phishing campaigns that you should know about, including ExCobalt deploying GoRed backdoor in widespread attacks, Velvet Ant exploiting outdated F5 BIG-IP appliances, Commando Cat targeting misconfigured Docker instances, FlyingYeti group targeting Ukraine with COOKBOX malware, and LilacSquid attacking IT, energy, and pharma industries.

Read on to discover more…

1. ExCobalt deploys GoRed backdoor in widespread Russian cyber attacks

ExCobalt, a cybercrime group specializing in cyber espionage, has been allegedly attacking Russian organizations with a newly discovered Golang-based backdoor named GoRed. Active since at least 2016 and potentially linked to the notorious Cobalt Gang, ExCobalt has targeted sectors such as government, IT, metallurgy, mining, software development, and telecommunications over the past year. They gain initial access through previously compromised contractors and supply chain attacks. ExCobalt employs a range of tools, including Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT, and Linux privilege escalation exploits.

The sophisticated GoRed backdoor allows operators to execute commands, retrieve credentials, and gather extensive system information, communicating with its C2 server using the RPC protocol. The researchers noted ExCobalt’s high activity and determination, continually integrating new tools and refining techniques to circumvent security controls.

2. Velvet Ant exploits outdated F5 BIG-IP appliances to exfiltrate data

The Chinese cyberespionage group known as Velvet Ant has exploited outdated F5 BIG-IP appliances to establish persistent access to internal networks and exfiltrate sensitive data over a span of three years, according to security researchers. Using custom malware, Velvet Ant targeted legacy F5 BIG-IP appliances running vulnerable OS versions, leveraging known remote code execution vulnerabilities to install malicious tools like PlugX. This remote access Trojan facilitated data collection and exfiltration from internal file servers.

The group employed additional malware such as PMCD, MCDP, SAMRID, and ESRDE to maintain control, create secure tunnels, and blend malicious traffic with legitimate network activity, evading detection efforts. Despite attempts to remove the threat, Velvet Ant repeatedly re-established control, highlighting the critical importance of robust security measures and timely system updates.

3. Commando Cat targets misconfigured Docker instances via cryptojacking campaign

Commando Cat, a cyber threat group, has been linked to a cryptojacking campaign targeting poorly secured Docker instances to install cryptocurrency miners. Identified earlier this year, the group deploys a seemingly benign Docker image named cmd.cat/chattr, which they use to create a Docker container and escape the container environment using the ‘chroot’ command to access the host operating system.

Once inside, they download a malicious binary using tools like ‘curl’ or ‘wget’ and execute a shell script to fetch the cryptomining payload from their command-and-control server. This method, exploiting vulnerabilities in Docker configurations, allows the attackers to evade conventional security measures, highlighting the sophisticated and challenging nature of this attack campaign.

4. Russia-aligned FlyingYeti group targets Ukraine with COOKBOX malware

The Russia-aligned FlyingYeti group targeted Ukraine in a phishing campaign that exploited fears of housing and utility loss using debt-themed lures to deploy PowerShell malware, COOKBOX. The campaign, observed in mid-April 2024, leveraged Cloudflare Workers and GitHub, exploiting the WinRAR vulnerability CVE-2023-38831.

Phishing emails contained links to a GitHub page impersonating the Kyiv Komunalka website, prompting downloads of a malicious RAR file that executed COOKBOX after processing the HTTP request through a Cloudflare Worker. Once the RAR file was opened, it exploited the vulnerability to deploy the COOKBOX malware, which then contacted a DDNS domain for command-and-control, waiting to execute received PowerShell cmdlets.

5. Cyber espionage group LilacSquid attacks IT, energy, and pharma industries

A newly identified cyber espionage group called LilacSquid has been implicated in targeted attacks across multiple sectors in the United States, Europe, and Asia, focusing on data theft since at least 2021. Their targets include IT organizations in the U.S., energy companies in Europe, and the pharmaceutical sector in Asia. LilacSquid uses publicly known vulnerabilities and compromised RDP credentials to breach servers and deliver open-source tools and custom malware.

A hallmark of their campaign is the use of MeshAgent to deploy a customized Quasar RAT, referred to as PurpleInk, along with other methods like the .NET-based InkLoader. PurpleInk, highly obfuscated and versatile, allows the attackers to perform various malicious activities and maintain long-term access. They also use Secure Socket Funneling (SSF) to establish communication channels, with their tactics showing overlaps with North Korean APT groups such as Andariel and Lazarus.

Key recommendations to combat cyber risks: 

• Ensure all systems, applications, and software are up to date with the latest security patches.
• Deploy advanced threat detection and response systems to identify and mitigate attacks early. Utilize behavioral analysis and anomaly detection to spot unusual activities.
• Conduct thorough security assessments of all contractors and suppliers. Implement robust security controls and monitoring across the supply chain to prevent compromise.
• Utilize comprehensive endpoint protection solutions that include antivirus, anti-malware, and endpoint detection and response (EDR) capabilities to protect against malicious activities.
• Segment networks to limit the spread of malware and unauthorized access. Isolate critical systems and data from other parts of the network.
• Restrict outbound connections to minimize C&C communications and implement strict controls over management ports.
• Use only official or certified images to ensure trusted content within the environment.
• Configure systems to disable macros in documents received via email unless specifically required and verified.
• Disable unused RDP ports, enforce strong authentication mechanisms, and monitor for unauthorized access.
• Conduct regular cybersecurity awareness training to educate employees on recognizing phishing and other social engineering attacks.