Top 5 Emerging Cyber Threats in the U.S. (January 2024)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations. 

This monthly post provides a condensed overview of the threats encountered throughout the month. 

Our team brings to you five significant threats that have recently targeted the United States, including COLDRIVER evolving tactics to deploy custom malware, Medusa ransomware’s evolution into multi-extortion tactic, Turkish hackers targeting MSSQL servers with RE#TURGENCE campaign, highly sophisticated AsyncRAT malware attacks targeting U.S. infrastructure, and new Rugmi malware loader distributing various information stealers. 

Read on to discover more… 

1. COLDRIVER expands arsenal with custom malware beyond phishing

COLDRIVER, a cyber threat group linked to Russia, has evolved its tactics by shifting from credential harvesting to deploying its first custom malware, coded in the Rust programming language, as revealed by Google’s Threat Analysis Group (TAG). Known by various aliases, including Blue Callisto and Star Blizzard, the group has been active since 2019, targeting diverse sectors including defense, governmental organizations, NGOs, defense-industrial and energy facilities, and impacting high-profile individuals in the U.S., the U.K., and NATO countries. 

COLDRIVER employs spear-phishing campaigns, and recent findings show a shift to using PDFs as disguised documents for infection. These PDFs, hosted on Proton Drive, act as lures, appearing encrypted initially. Victims are then provided with a link to a supposed decryption tool, which is, in reality, a backdoor named SPICA. Google TAG has taken measures to disrupt the campaign, adding associated elements to Safe Browsing blocklists, suspecting “very limited, targeted attacks” against high-profile individuals. 

2. Medusa ransomware’s evolution into multi-extortion tactic

Since the unveiling of a dedicated data leak site in February 2023, Medusa ransomware threat actors have escalated their campaigns, targeting a diverse range of sectors across 74 organizations, primarily in the U.S. and India. Operating with audacious tactics, the group exploits vulnerabilities in internet-facing assets, using living-off-the-land techniques for evasion. Following initial access, they progress to network discovery and reconnaissance before deploying ransomware to encrypt files.  

The Medusa leak site, a key element of their strategy, exposes sensitive data and presents victims with choices, including financial demands for extending time, deleting compromised data, or facilitating complete downloads. Notably, the group exhibits a level of professionalization, incorporating a media team and utilizing public relations channels like a Telegram channel named “information support,” signaling a transformation in ransomware operational strategies. 

3. Turkish hackers deploy mimic ransomware on U.S. MSSQL servers

A cybersecurity threat, dubbed RE#TURGENCE, is targeting Microsoft SQL (MS SQL) servers in the U.S. and Latin American areas, orchestrated by Turkish actors. Researchers reveal that the campaign involves brute-force attacks, exploiting the xp_cmdshell configuration option, and deploying a PowerShell script to fetch an obfuscated Cobalt Strike beacon payload.  

The attackers leverage legitimate tools like PsExec and AnyDesk for lateral movement and remote desktop access, concluding the attack chain with the deployment of Mimic ransomware. While similar to the DB#JAMMER campaign, RE#TURGENCE distinguishes itself by its more targeted approach, reliance on legitimate tools, and an operational security oversight that revealed the threat actors’ Turkish origins and online alias “atseverse.” 

4. Stealthy AsyncRAT malware attacks target U.S. infrastructure

Over the past 11 months, a highly sophisticated campaign has systematically distributed the AsyncRAT malware using a variety of loader samples and more than 100 domains. AsyncRAT, an open-source remote access tool for Windows, is adept at tasks such as remote command execution, keylogging, and deploying additional payloads. The attack initiates through malicious emails containing a GIF attachment, leading to an SVG file triggering the download of obfuscated JavaScript and PowerShell scripts.  

The loader, featuring anti-sandboxing measures, communicates with command and control (C2) servers hosted on BitLaunch, known for its support of anonymous cryptocurrency payments. Noteworthy is the use of a domain generation algorithm (DGA) for generating new C2 domains weekly. Despite refraining from specific attribution, researchers underscore the campaign’s commitment to discretion, evidenced by intentional obfuscation of samples, revealing the evolving complexity of cyber threats in the ongoing AsyncRAT malware operations. 

5. Rugmi malware loader detections witness a significant surge

A new malware loader known as Win/TrojanDownloader.Rugmi is facilitating the distribution of various information stealers, such as Vidar, Lumma Stealer, RecordBreaker, and Rescoms. Cybersecurity researchers have observed a significant surge in Rugmi loader detections between October and November 2023. This loader employs three different methods to load payloads, including fetching from external files, using internal resources, and downloading encrypted payloads.  

Notably, these off-the-shelf malware utilities, often sold through Malware-as-a-Service (MaaS) models, contribute to the proliferation of malicious campaigns, making them accessible even to less technically skilled threat actors. The malware uses diverse techniques for dissemination, including malvertising, fake browser updates, and compromised installations of popular software, underscoring the adaptability of its strategies to evade detection. 

Key recommendations to combat cyber risks: 

• Enforce strong password policies, employ multi-factor authentication (MFA), and educate employees on recognizing phishing attempts to minimize the risk of initial access. 
• Regularly back up critical data and ensure that backups are isolated from the network. Establish a comprehensive disaster recovery plan to expedite system restoration in case of an attack. 
• Implement advanced email filtering solutions to detect and block phishing emails at the gateway. 
• Use ad blockers and employ web filtering solutions to mitigate the risk of malvertising. 
• Employ network traffic monitoring tools to identify and analyze unusual or suspicious network activities, especially those indicative of command-and-control communication. 
• Conduct periodic security audits on MSSQL database servers and endpoints to identify vulnerabilities, misconfigurations, or unauthorized changes.  
• Enable process-level logging on both endpoints and servers to enhance telemetry for the detection of Remote Monitoring and Management (RMM) tools and Remote Access Trojans (RATs). 
• Ensure that operating systems, software, and applications are regularly patched and updated to address vulnerabilities that threat actors might exploit. 
• Develop and regularly test an incident response plan to efficiently respond to security incidents. 
• Adopt a zero-trust approach, verifying and validating all users and devices attempting to connect to the network, regardless of their location.