FBI warns of surge in dual ransomware attacks on U.S. firms
- SISA Weekly Threat Watch - October 9, 2023
In the past week, cybersecurity researchers and agencies identified a range of evolving threats that demand attention: a critical vulnerability in a widely used mail server, the emergence of a feature-rich malware-as-a-service, targeted attacks on network devices by a state-sponsored hacking group, an FBI warning about dual ransomware attacks, and a sophisticated phishing campaign aimed at Microsoft users. These developments underscore the importance of proactive security measures and the need for organizations and individuals to stay vigilant.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.
1. New critical security flaws expose Exim mail servers to remote attacks
A critical vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2023-42115, was publicly disclosed before a fix was available, putting Internet-exposed mail servers at risk. Unauthenticated remote attackers can exploit the flaw to achieve remote code execution on affected Exim installations. The vulnerability resides in the SMTP service, which typically listens on TCP port 25, and no authentication is required to reach the vulnerable code.
The root cause is the absence of proper validation of user-supplied data in Exim's SMTP AUTH handling, which allows an out-of-bounds write (a buffer overflow); the Exim maintainers attributed the flaw to the `external` authenticator, so installations that do not enable that authenticator are not exposed to this particular issue. A successful exploit executes code in the context of the account the Exim service runs as. Exim has since published a fixed release, 4.96.1 (the fix is also carried in later releases); administrators should upgrade or apply their distribution's backported patch, and until they do, limit access to port 25 from the Internet and disable the `external` authenticator if it is not needed.
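A practitioner's first question is which mail hosts are still running a pre-fix Exim. The following script is an added example written for this advisory, not code from SISA or the Exim project: it parses the version Exim advertises in its SMTP 220 greeting and compares it against the release that carries the fix. The fixed version (4.96.1), the sample greetings and the host names are all assumptions constructed for the example; distributions that backport the patch may keep an older version string, so treat a "pre-fix" verdict as a prompt to check the package changelog, not as proof of exposure.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Assumption (see lead-in): Exim shipped the fix for CVE-2023-42115 in 4.96.1.
# Distributions that backport the patch may still advertise an older version.
FIXED_VERSION = "4.96.1"

# Exim greets with "220 <host> ESMTP Exim <version> <date>".
BANNER_RE = re.compile(r"\bESMTP Exim (\d+(?:\.\d+)+)")


def version_tuple(text: str) -> Tuple[int, ...]:
    """'4.96.1' -> (4, 96, 1). Tuples compare component-wise: (4, 96) < (4, 96, 1) < (4, 97)."""
    return tuple(int(part) for part in text.split("."))


def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the Exim version advertised in an SMTP greeting, or None if the banner is not Exim's."""
    match = BANNER_RE.search(banner)
    return version_tuple(match.group(1)) if match else None


def is_before_fix(version: Tuple[int, ...], fixed: str = FIXED_VERSION) -> bool:
    """True when the advertised version predates the release carrying the fix."""
    return version < version_tuple(fixed)


def assess_banner(banner: str, fixed: str = FIXED_VERSION) -> str:
    """Classify one greeting as 'not-exim', 'pre-fix' or 'fixed'."""
    version = parse_exim_version(banner)
    if version is None:
        return "not-exim"
    return "pre-fix" if is_before_fix(version, fixed) else "fixed"


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the 220 greeting from a live server (not used by the offline samples below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", errors="replace").strip()


# Constructed sample greetings standing in for a fleet inventory; these are not real hosts.
SAMPLE_BANNERS: Dict[str, str] = {
    "mx1": "220 mx1.example.test ESMTP Exim 4.96 Mon, 09 Oct 2023 10:00:00 +0000",
    "mx2": "220 mx2.example.test ESMTP Exim 4.96.1 Mon, 09 Oct 2023 10:00:00 +0000",
    "mx3": "220 mx3.example.test ESMTP Exim 4.97 Mon, 09 Oct 2023 10:00:00 +0000",
    "mx4": "220 mx4.example.test ESMTP Postfix",
}


def assess_fleet(banners: Dict[str, str] = SAMPLE_BANNERS, fixed: str = FIXED_VERSION) -> Dict[str, str]:
    """Map each host name to its verdict; swap SAMPLE_BANNERS for fetch_banner() output on real hosts."""
    return {name: assess_banner(banner, fixed) for name, banner in banners.items()}


if __name__ == "__main__":
    for name, verdict in assess_fleet().items():
        print(f"{name}: {verdict}")
```

Run it against live hosts by replacing the sample dictionary with `{host: fetch_banner(host)}` for each MX; a "pre-fix" host that has a backported patch should be reconciled against the package changelog rather than the banner alone.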
2. FBI cautions about increasing incidents of dual ransomware attacks on U.S. firms
The FBI has observed a pattern of dual ransomware attacks occurring in close succession against the same victim. In these attacks, threat actors deploy two distinct ransomware variants, drawn from families including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. The result is a combination of data encryption, data exfiltration, and financial losses through ransom payments. Cybercriminals are also increasingly using custom data theft tools, wipers, and other malware to pressure victims into paying. The full scale of these attacks is not known, but the second deployment typically follows the first within a short window, ranging from 48 hours to 10 days.
Several factors contribute to this shift in tactics, including the exploitation of zero-day vulnerabilities and the role of initial access brokers and affiliates in the ransomware ecosystem: access to a victim network can be sold on and used to deploy multiple ransomware strains in quick succession. Organizations are advised to maintain encrypted, offline backups and regularly test restoration from them; to monitor all connections between third-party vendors and external software or hardware for suspicious activity; and to implement application allowlisting and remote-access policies that permit only known and approved programs and connections under established security policies.
3. Emerging threat: BunnyLoader – A Malware-as-a-Service (MaaS) evolution
A new malware-as-a-service (MaaS) called 'BunnyLoader' has been found by security researchers being advertised on several hacker forums. It is promoted as a fileless loader that can also steal and substitute the contents of the system clipboard. Researchers have observed BunnyLoader's growing popularity among cybercriminals because of its low price and feature set. The malware's command-and-control panel lets operators with limited technical skill deliver a second-stage payload, enable keylogging, steal credentials, manipulate the clipboard (for cryptocurrency theft by swapping wallet addresses), and execute remote commands on compromised devices.
The malware achieves persistence through the Windows Registry, hides its presence, and prevents more than one instance from running. It performs anti-sandbox checks and primarily operates as an information stealer, targeting browsers, cryptocurrency wallets, VPN clients, and messaging apps. Stolen data is sent to the attacker's server in a compressed archive, and the loader can execute payloads both from disk and in a fileless manner using process hollowing. Organizations are recommended to enhance security controls, educate employees, and implement network and endpoint monitoring to reduce their risk of falling victim to BunnyLoader and similar malware.
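Registry-based persistence of the kind described above is detectable before the stealer fires, provided registry value-set events are being collected. The following script is an added example, not code from SISA or from any BunnyLoader analysis, and it is deliberately generic rather than a BunnyLoader-specific indicator: it scores Sysmon-style registry events (Event ID 13, value set) for writes to the Run/RunOnce autostart keys whose target executable, or whose writing process, lives in a user-writable directory. The event records are constructed for the example; field names follow Sysmon, but the paths, SIDs and value names are made up.

```python
import re
from typing import Dict, List

# Autostart keys under HKLM, HKCU or HKU\<SID> (Sysmon writes TargetObject with the hive prefix).
AUTORUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Locations an unprivileged user can write to; a loader dropped here has no installer pedigree.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key value, handling quoted and unquoted forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


# Constructed Sysmon-style registry value-set events (Event ID 13). Field names follow Sysmon;
# every value is made up for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --service"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def score_event(event: Dict) -> List[str]:
    """Return the reasons an event looks like suspicious autorun persistence (empty if none)."""
    if event.get("EventID") != 13 or not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    reasons = ["autorun-value-set"]
    target_exe = executable_from_command(event.get("Details", ""))
    if USER_WRITABLE_RE.search(target_exe):
        reasons.append("target-in-user-writable-dir")
    if USER_WRITABLE_RE.search(event.get("Image", "")):
        reasons.append("writer-in-user-writable-dir")
    return reasons


def find_suspicious(events: List[Dict] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Keep only autorun changes that carry at least one additional suspicious indicator."""
    hits = {}
    for event in events:
        reasons = score_event(event)
        if len(reasons) > 1:
            hits[event["TargetObject"]] = reasons
    return hits


if __name__ == "__main__":
    for key, reasons in find_suspicious().items():
        print(key, "->", ", ".join(reasons))
```

The installer-written `VendorAgent` value is scored but not reported because both the writer and the target live under Program Files; only the value pointing into `AppData\Roaming` and written by a process in `Temp` is surfaced. In production, feed the function from your SIEM's Sysmon event stream and add an allowlist of known software deployment processes.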
4. Exploitation of Cisco routers by China’s BlackTech hacking group
Cybersecurity agencies and law enforcement in the United States and Japan have issued a joint warning about the Chinese state-sponsored group known as 'BlackTech.' The group uses continuously updated, customized malware to implant backdoors in network devices. These backdoors serve multiple purposes: gaining initial access, maintaining persistence, and exfiltrating sensitive data by redirecting traffic to servers under the attackers' control.
BlackTech's methodology relies on stolen administrative credentials to compromise a wide array of router brands, models, and versions. On Cisco routers, the attackers replace the firmware with a modified image containing an SSH backdoor and bypass the image signature check along the way; the backdoor is switched on and off with specially crafted TCP or UDP "magic" packets, so it is only active when the attackers need it. On compromised Cisco routers the attackers also abuse Embedded Event Manager (EEM) policies, normally used for task automation, to hinder forensic analysis: the policies wait for specific legitimate commands and then either remove particular strings from the command's output or deny the command's execution altogether. To defend against such threats, organizations must adopt a multifaceted approach, including vigilant monitoring for unauthorized firmware and bootloader downloads, unexpected reboots, unusual device behaviour, and anomalous SSH traffic, and auditing the EEM policies registered on their devices against a known-good baseline.
5. EvilProxy phishing kit exploits vulnerability in Indeed.com targeting Microsoft users
Security researchers have detected an advanced phishing campaign in which cybercriminals use the well-known EvilProxy phishing kit together with an open redirection vulnerability on the job search platform Indeed.com: the emailed link points at a legitimate indeed.com URL whose redirect parameter sends the victim on to the attackers' proxy, so the link survives casual inspection and many URL reputation checks. The goal is to harvest session cookies, allowing the attackers to bypass multi-factor authentication (MFA). The campaign is aimed primarily at senior executives across diverse sectors, with a strong emphasis on banking and financial services, insurance, property management and real estate, and manufacturing.
EvilProxy operates as a phishing-as-a-service platform that places a reverse proxy between the target and the genuine online service, in this case Microsoft. When a user signs in through the phishing site, which relays the authentic login page, the proxy sees both the credentials and the session cookies Microsoft issues after login. Because the user has already completed the MFA challenge during that login, replaying the captured cookies gives the attacker full access to the account without triggering MFA again. To avoid falling victim to such attacks, organizations should deploy phishing-resistant MFA such as FIDO2/WebAuthn security keys, whose credentials are bound to the real site's origin and therefore cannot be used through a proxy on another domain; educate users through awareness sessions and training; treat redirect parameters on their own sites as attacker-controlled input; and deploy advanced email filtering to detect and block phishing attempts.
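The open redirect that made this campaign's links look trustworthy is a bug any web application can have. The example below is added for this advisory and is not code from SISA, Indeed.com or the EvilProxy kit: it shows the vulnerable pattern (returning the `next` parameter unchecked) beside a hardened version that resolves the parameter against the site's own origin and accepts it only if the result is an https URL on an allowlisted host with no embedded credentials. The origin `https://www.example.test`, the allowlist and the sample inputs are assumptions constructed for the example; the inputs cover the common bypasses (scheme-relative `//host`, backslash tricks, userinfo `@`, scheme downgrade, `javascript:`) that a naive "starts with /" check misses.

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.test"   # assumed: the application's own origin
ALLOWED_HOSTS = {"www.example.test"}        # assumed: hosts a login flow may return to
FALLBACK = SITE_ORIGIN + "/"                # where to send the user when the target is rejected


def redirect_target_unsafe(next_url: str) -> str:
    """The open-redirect pattern: wherever the 'next' parameter points, the user is sent."""
    return next_url


def redirect_target_safe(next_url: str, origin: str = SITE_ORIGIN,
                         allowed_hosts=frozenset(ALLOWED_HOSTS), fallback: str = FALLBACK) -> str:
    """Return next_url only if it resolves to an https URL on an allowlisted host; else fallback."""
    if not next_url or any(ch in next_url for ch in "\r\n\t\x00 "):
        return fallback
    # Browsers treat a backslash like a forward slash, so "/\evil.test" is really "//evil.test".
    candidate = next_url.replace("\\", "/")
    # Resolve relative paths against our own origin so "/account" stays on our host
    # while "//evil.test/" becomes "https://evil.test/" and is caught by the host check.
    resolved = urljoin(origin + "/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return fallback  # rejects javascript:, data:, and http downgrades
    if parts.username is not None or parts.password is not None:
        return fallback  # rejects "https://www.example.test@evil.test/"
    if parts.hostname not in allowed_hosts:
        return fallback  # hostname is lower-cased and excludes port and userinfo
    return resolved


# Constructed inputs an attacker might place in a login link's redirect parameter.
SAMPLE_INPUTS = [
    "/account?tab=jobs",
    "https://www.example.test/account",
    "//evil.test/login",
    "/\\evil.test/login",
    "https://www.example.test@evil.test/login",
    "https://www.example.test.evil.test/login",
    "http://www.example.test/account",
    "javascript:alert(1)",
]


def classify(next_url: str) -> str:
    """'allowed' when the hardened check keeps the target, 'blocked' when it falls back."""
    return "allowed" if redirect_target_safe(next_url) != FALLBACK else "blocked"


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{classify(sample):7} {sample!r} -> {redirect_target_safe(sample)}")
```

The unsafe function is what a phishing kit needs: with it, `https://www.example.test/login?next=https://evil.test/login` is a link on the trusted domain that lands the user on the proxy. If the application legitimately needs to redirect to partner domains, extend the allowlist rather than loosening the checks, and prefer relative paths wherever possible.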
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.