Clop abuses zero-day for a mass-ransomware attack

SISA Weekly Threat Watch - 03 April 2023

The world is under constant threat from cybercriminals who use their skills and innovative techniques to target individuals, organizations, and even government institutions. Threat actors, both state-sponsored and otherwise, are constantly on the lookout for new ways to infiltrate organizations and steal sensitive information. This past week saw cybercriminals targeting .NET developers, PyPI users, telecommunications providers, and governments worldwide with various attack campaigns.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Rogue NuGet packages infect .NET developers with crypto-stealing malware

A sophisticated and highly malicious campaign aiming to infect .NET developer systems with cryptocurrency-stealing malware is targeting the NuGet repository. NuGet is the package manager primarily used for packaging and distributing software written for the .NET framework. Three of the most downloaded malicious packages, Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API, alone accounted for 166,000 downloads.

However, it is also possible that the threat actors artificially inflated the download counts with bots to make the packages appear more legitimate. The packages contained a PowerShell script that executes upon installation and downloads a ‘second stage’ payload, which can be executed remotely and includes a crypto stealer. Developers are advised to check for typos in the names of imported and installed packages, as some of these packages mimic the names of legitimate, well-known packages. It is also recommended to manually inspect packages with the NuGet Package Explorer before installing them.
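A small review aid for the typosquatting advice above, added here as an example and not part of the original advisory or of any NuGet tooling: it reads the PackageReference entries of a .csproj and flags names that are not on a team allowlist but sit within a short edit distance of one, or extend one with an extra dotted segment (as DiscordRichPresence.API does against DiscordRichPresence). The allowlist and the .csproj fragment are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed allowlist of packages the team already trusts (hypothetical).
KNOWN_PACKAGES = ["Newtonsoft.Json", "Serilog", "DiscordRichPresence"]

# Constructed .csproj fragment; the second and third references are lookalikes.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsom" Version="1.0.0" />
    <PackageReference Include="DiscordRichPresence.API" Version="1.0.0" />
  </ItemGroup>
</Project>"""


def edit_distance(a, b):
    """Plain Levenshtein distance, compared case-insensitively (NuGet ids are)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_references(csproj_xml):
    """Return the Include ids of every PackageReference in the project file."""
    root = ET.fromstring(csproj_xml)
    return [e.get("Include") for e in root.iter("PackageReference") if e.get("Include")]


def suspicious_references(csproj_xml, known=KNOWN_PACKAGES, max_distance=2):
    """Return (referenced, lookalike_of, reason) for ids not on the allowlist that
    resemble one. Heuristic output for a human reviewer, not an install block."""
    known_lower = {k.lower() for k in known}
    findings = []
    for name in package_references(csproj_xml):
        if name.lower() in known_lower:
            continue
        for k in known:
            if name.lower().startswith(k.lower() + "."):
                findings.append((name, k, "extra segment appended to a known name"))
                break
            d = edit_distance(name, k)
            if d <= max_distance:
                findings.append((name, k, f"edit distance {d}"))
                break
    return findings
```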

2. Malicious actors use Unicode support in Python to evade detection

The onyxproxy package, discovered on PyPI, is a malicious package that harvests and exfiltrates confidential data and credentials. It is similar to other token stealers commonly encountered on PyPI. Its code is written with Unicode bold and italic letter variants that look unusual to a reviewer but are still read and executed normally by the Python interpreter. Once the package is installed, the stealer malware is activated and executed.

The package accumulated 183 downloads before being taken down. The obfuscation technique is not applied consistently across the setup.py code, and several Python modules are imported repeatedly. It is recommended to avoid downloading packages from untrusted sources or unknown developers. Additionally, train developers and other staff on cybersecurity best practices, including identifying potential phishing attempts and avoiding suspicious downloads, to prevent such attacks.
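A detector for the identifier trick described above, added here as an example and not code from the original advisory or from the onyxproxy package: Python normalizes identifiers with NFKC, so a name spelled with Mathematical Sans-Serif Bold letters resolves to its ASCII equivalent at run time. The scanner tokenizes a source file and reports every NAME token whose NFKC form differs from its spelling; the sample source is constructed and does nothing harmful.

```python
import io
import tokenize
import unicodedata


def sans_bold(word):
    """Spell ASCII lowercase with MATHEMATICAL SANS-SERIF BOLD SMALL letters
    (U+1D5EE..U+1D607); used only to build the constructed sample."""
    return "".join(chr(0x1D5EE + ord(c) - ord("a")) if "a" <= c <= "z" else c
                   for c in word)


# Constructed sample: three identifiers on line 2 are written in bold letterforms.
# Strings and comments also contain such letters but are not identifiers.
SAMPLE_SOURCE = (
    "import os\n"
    f"{sans_bold('token')} = {sans_bold('os')}.{sans_bold('environ')}.get('DISCORD_TOKEN')\n"
    f"print('setup complete')  # {sans_bold('comment')} text is ignored\n"
)


def find_confusable_identifiers(source):
    """Return (line, as_written, nfkc_form) for every NAME token whose NFKC
    normalization differs from the way it is spelled in the file."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        normalized = unicodedata.normalize("NFKC", tok.string)
        if normalized != tok.string:
            findings.append((tok.start[0], tok.string, normalized))
    return findings


if __name__ == "__main__":
    for line, raw, plain in find_confusable_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} is read by the interpreter as {plain!r}")
```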

3. Clop mass-ransomware attack: Organizations breached using GoAnywhere zero-day

The Clop ransomware gang exploited a newly discovered bug in GoAnywhere file transfer software, used by thousands of organizations to transfer sensitive data over the internet. The Russia-linked Clop gang claimed it compromised about 130 organizations that were using the vulnerable GoAnywhere tool at the time of the ransomware attack. Clop has released samples of data including payment orders and employee information like names, gender, and email addresses.

The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw: attackers can execute code of their choice remotely without first authenticating to the GoAnywhere MFT administrative console. To address the vulnerability, all GoAnywhere MFT customers are advised to apply patch 7.1.2 as soon as possible. If the emergency security patch cannot be applied immediately, it is recommended to follow the vendor’s mitigation advice.

4. Chinese APTs are targeting telcos in new attacks

A Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell is targeting telecommunication providers in the Middle East. In the first stage of the attack, the objective is to compromise Microsoft Exchange servers that are publicly accessible over the internet and install webshells that enable command execution. Once access is gained, the attackers carry out reconnaissance, credential theft, lateral movement, and data exfiltration.

The attackers used C:\MS_DATA as their primary working directory for storing malware and staging data for exfiltration. The campaign has been linked to Gallium, with a possible connection to APT41 based on shared code similarities and the use of a common code-signing certificate. For credential theft, the attackers used customized and modified versions of Mimikatz, including an executable named pc.exe. To reduce the risk of data compromise, ensure that all internet-facing Microsoft Exchange servers are fully patched and that MFA is enforced for all accounts.

5. APT43 group uses cybercrime to fund espionage operations

Researchers have identified a North Korean threat actor that has been targeting organizations in the United States, Europe, Japan, and South Korea for the past five years. APT43 has been using a previously undetected technique to launder stolen cryptocurrency through legitimate cloud mining services, making it difficult to trace. The group also relies on persistent social engineering, creating false personas and building relationships with targets over several weeks without using any malware.

APT43 uses a unique set of malware not seen with other attackers, including Pencildown, Venombite, Pendown, Laptop, the Hangman backdoor, and others, alongside freely available tools such as QuasarRAT, Amadey, and gh0st RAT. Researchers reported that APT43 engages in financially motivated cybercrime to support the North Korean government, adapting its TTPs and malware to that government’s demands. Given the group’s advanced social-engineering tactics and its tendency to target both specific individuals and broader organizations, it is advised to educate employees and to adopt a defense-in-depth strategy that ensures detection coverage for all known techniques.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
