Lazarus hackers target crypto experts with KandyKorn malware

SISA Weekly Threat Watch 13 Nov 2023

Last week’s cybersecurity landscape was marked by a series of concerning developments, highlighting diverse threats and vulnerabilities across multiple sectors. Notable incidents included sophisticated macOS malware deployed by North Korean hackers, the discovery of the long-hidden StripedFly malware ecosystem, critical vulnerabilities in Veeam ONE IT monitoring software, exploitation of a zero-day flaw in SysAid, and the emergence of a new critical vulnerability in Atlassian’s Confluence. These incidents underline the urgency for enhanced cybersecurity measures, including prompt software updates and rigorous vulnerability assessments to mitigate these growing threats effectively.

SISA Weekly Threat Watch – our weekly feature gives you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.

1. StripedFly malware operated unnoticed for 5 years, infecting 1 million devices

Security researchers recently uncovered the complex StripedFly malware ecosystem, which went undetected for five years and infiltrated over a million Windows and Linux systems. Initially mistaken for a Monero miner, the framework is far more intricate: it is equipped with TOR-based traffic obfuscation, the EternalBlue SMBv1 exploit, and worm-like spreading capabilities. StripedFly injects shellcode into the wininit.exe process and uses a modular architecture, communicating over TOR, fetching updates from GitLab and Bitbucket, and running spy modules for data theft, screenshots, and microphone access.

It disables SMBv1, spreads through SMB and SSH, and persists by modifying the Windows Registry or Linux settings. To mask its activities, it deploys a Monero miner using DNS over HTTPS and encrypts binaries on repositories like Bitbucket, GitHub, and GitLab, ensuring continued operation even if the primary C2 server becomes unavailable. To stay protected, it is recommended to use firewalls and intrusion detection systems (IDS) to monitor network traffic, implement the principle of least privilege, and conduct regular cybersecurity awareness training for employees.

2. North Korean hackers target crypto experts with KandyKorn macOS malware

‘KandyKorn,’ a macOS malware attributed to the Lazarus hacking group, has been used to target blockchain engineers associated with cryptocurrency exchanges. Operating via Discord channels, the attackers distribute a deceptive ZIP archive posing as an arbitrage bot that conceals a multi-stage infection process. Security researchers have linked these attacks to Lazarus based on similar tactics, network infrastructure, and code signatures. The attack involves executing Python scripts and a loader named HLoader, camouflaged as Discord, which uses a novel execution-flow hijacking technique to install the KandyKorn backdoor.

This sophisticated backdoor allows data retrieval, file manipulation, process termination, and command execution, emphasizing Lazarus’ focus on the cryptocurrency sector and their adeptness in crafting intricate macOS malware. This incident necessitates continued vigilance and robust cybersecurity measures within the cryptocurrency industry to thwart such threats effectively.

3. Critical vulnerabilities identified in Veeam ONE IT monitoring software

Veeam has recently issued security updates to resolve four vulnerabilities in its ONE IT monitoring and analytics platform. Among these vulnerabilities, two are classified as critical in terms of severity. CVE-2023-38547 allows unauthenticated users to gather SQL server connection information used by Veeam ONE, potentially leading to remote code execution on the SQL server. CVE-2023-38548 permits an unprivileged user to obtain the NTLM hash of the Veeam ONE Reporting Service account.

CVE-2023-38549 is a cross-site scripting flaw that enables a Veeam ONE Power User to obtain the access token of a Veeam ONE Administrator. Lastly, CVE-2023-41723 allows users with the Read-Only User role to view sensitive information in the Dashboard Schedule. Affected products include Veeam ONE versions 11, 11a and 12. Users are advised to stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the files provided in the hotfix, and restart both the Veeam ONE Monitoring and Reporting services to ensure that the updates take effect.
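The three hotfix steps above as an added PowerShell script (not Veeam's own tooling). It assumes the Windows service display names start with "Veeam ONE Monitoring" and "Veeam ONE Reporting", and that the extracted hotfix folder mirrors the install-directory layout; the folder paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not Veeam's hotfix procedure verbatim. Paths are placeholders.
param(
    [Parameter(Mandatory)][string]$HotfixDir,   # e.g. C:\Temp\VeeamONE-Hotfix (placeholder)
    [Parameter(Mandatory)][string]$InstallDir,  # e.g. C:\Program Files\Veeam\Veeam ONE (placeholder)
    [string]$BackupDir = "$env:ProgramData\VeeamONE-backup-$(Get-Date -Format yyyyMMddHHmm)"
)
$ErrorActionPreference = 'Stop'

# Assumed display names; check Get-Service on the host and adjust if they differ.
$services = @(Get-Service -DisplayName 'Veeam ONE Monitoring*', 'Veeam ONE Reporting*')
if ($services.Count -lt 2) { throw "Expected both Veeam ONE services, found $($services.Count)" }

# 1. Stop the Monitoring and Reporting services and wait until they report Stopped.
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus('Stopped', '00:02:00') }

# 2. Replace the existing files with the hotfix files. Every overwritten file is
#    backed up first and its old/new SHA-256 is written out for the change record.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Get-ChildItem -Path $HotfixDir -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($HotfixDir.TrimEnd('\').Length + 1)
    $target   = Join-Path $InstallDir $relative
    if (Test-Path $target) {
        $backup = Join-Path $BackupDir $relative
        New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
        Copy-Item $target $backup -Force
        '{0}  {1}  old={2}  new={3}' -f (Get-Date -Format s), $relative,
            (Get-FileHash $target).Hash, (Get-FileHash $_.FullName).Hash
    }
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item $_.FullName $target -Force
}

# 3. Restart both services and confirm they are running again.
$services | Start-Service
$services | ForEach-Object { $_.WaitForStatus('Running', '00:02:00') }
Get-Service -DisplayName 'Veeam ONE Monitoring*', 'Veeam ONE Reporting*' |
    Select-Object DisplayName, Status
```

Keep the printed hash lines with the change ticket; they show exactly which binaries were replaced and let you verify the new files against the hashes published with the hotfix.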

4. CVE-2023-47246: SysAid zero-day vulnerability exploited by Lace Tempest

The hacking group Lace Tempest has exploited a recently discovered zero-day vulnerability in SysAid IT support software, leveraging a path traversal flaw to enable code execution in on-premises installations. Findings revealed that after exploiting this vulnerability, Lace Tempest used SysAid commands to deliver a Gracewire malware loader, initiating manual operations like lateral movement, data theft, and ransomware deployment.

The attackers uploaded a WAR archive containing a web shell and additional payloads into SysAid’s Tomcat web service, providing backdoor access, and executing PowerShell scripts to install Gracewire. To cover their tracks, they utilized another PowerShell script and deployed the MeshCentral Agent and Cobalt Strike post-exploitation framework. To stay protected, it is recommended to update the SysAid systems to the latest version, perform a comprehensive assessment to detect any potential compromise, and examine relevant activity logs for any signs of suspicious behavior.

5. Atlassian Confluence flaw exploited to deploy Cerber ransomware

Threat actors are now targeting a recently patched severe vulnerability, CVE-2023-22518, in Atlassian’s Confluence Data Center and Confluence Server. Exploiting this flaw allows attackers to bypass authentication mechanisms, enabling them to reset Confluence and establish an administrator account. This unauthorized access grants complete administrative control, leading to potential compromise of data integrity and system availability.

Attackers are chaining this flaw with an older privilege escalation vulnerability (CVE-2023-22515) to deploy the Cerber ransomware on compromised Confluence servers, posing significant data and security risks. To avoid falling victim to these attacks, it is recommended to patch vulnerable Confluence servers, block internet access to unpatched servers, and monitor systems for any suspicious files or directories created in the “/temp” folder.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
