Leaked Babuk source code sparks 9 different ransomware strains

SISA Weekly Threat Watch - 22 May 2023

Security breaches and cyber-attacks continue to evolve, with threat actors evading detection by leveraging built-in tools and services. Over the last week, ransomware gangs and threat groups have increased their attacks to exploit new and existing vulnerabilities in critical software and systems. Organizations may greatly improve their resilience and lower the likelihood of successful attacks by developing a thorough defensive strategy, staying up to date on the latest security measures, and fostering a culture of security awareness.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. New stealthy variant of Linux Backdoor BPFDoor emerges from the shadows

Security researchers have identified a new and more sophisticated variant of the Linux malware known as ‘BPFDoor’. The previous versions of the BPFDoor malware, observed until 2022, relied on RC4 encryption, bind shell, and iptables for communication. However, the newer variant utilizes static library encryption and reverse shell communication, allowing all commands to be sent by the command-and-control server. This approach enhances the malware’s stealth and obfuscation, making it harder to detect.

BPFDoor starts by creating and locking a runtime file at “/var/run/initd.lock” upon its first execution. It then forks itself to run as a child process and sets itself to ignore various OS signals. BPFDoor allocates a memory buffer and creates a packet sniffing socket to monitor incoming traffic for a specific byte sequence. After establishing a connection, the malware sets up a reverse shell and waits for a command from the server. It is recommended to conduct a thorough review of all Linux systems in the environment to determine if they have been compromised. Deploy security measures such as endpoint protection, network traffic monitoring, and file integrity checks on the “/var/run/initd.lock” file to detect and prevent such cyber-attacks.
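The host review recommended above can start from the two artifacts this advisory names: the lock file and the packet sniffing socket. The following is an added example, not code from the advisory or from any vendor tool. It assumes the sniffing socket is an AF_PACKET socket, which Linux lists in /proc/net/packet, and the `root` parameter is a hypothetical convenience for pointing the check at a mounted disk image or test tree.

```python
import os
import re

LOCK_FILE = "var/run/initd.lock"  # lock file named in the advisory, relative to root
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def packet_socket_inodes(proc_root):
    """Inodes of AF_PACKET sockets listed in <proc_root>/net/packet."""
    inodes = set()
    try:
        with open(os.path.join(proc_root, "net", "packet")) as fh:
            next(fh, None)  # skip the column header
            for line in fh:
                fields = line.split()
                if fields and fields[-1].isdigit():
                    inodes.add(fields[-1])  # Inode is the last column
    except OSError:
        pass  # file unreadable: report no sockets rather than crash
    return inodes

def pids_holding(inodes, proc_root):
    """Map pid -> process name for processes with an fd on one of the inodes."""
    owners = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or access denied (run as root for a full view)
        for link in links:
            m = SOCKET_LINK.fullmatch(link)
            if m and m.group(1) in inodes:
                owners[int(entry)] = comm
    return owners

def triage(root="/"):
    """Collect both indicators; packet-socket owners are leads, not verdicts."""
    proc_root = os.path.join(root, "proc")
    return {
        "lock_file_present": os.path.exists(os.path.join(root, LOCK_FILE)),
        "packet_socket_owners": pids_holding(packet_socket_inodes(proc_root), proc_root),
    }

if __name__ == "__main__":
    print(triage())
```

Legitimate software such as packet capture tools and DHCP clients also holds packet sockets, so each listed process needs to be checked against what is expected on that host.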

2. Swiss multinational ABB suffers Black Basta Ransomware attack

Swedish-Swiss robotics and automation major ABB Ltd. recently faced a cybersecurity incident, becoming the latest victim of a Black Basta ransomware attack that impacted its business operations. The ransomware attack affected the company’s Windows Active Directory, impacting hundreds of devices. In response, ABB terminated VPN connections with its customers to prevent the spread of the ransomware to other networks.

The Black Basta ransomware group is a relatively new entrant in the Ransomware-as-a-Service (RaaS) space and is believed to be a “rebranding” of the Conti ransomware. The Windows version boots the system in safe mode before encrypting. This allows the malware to evade detection by security solutions, as many of them cannot operate in safe mode. Using strong passwords, enforcing multi-factor authentication (MFA), monitoring network ports, protocols, and services, training and assessing employees on security skills, and enabling Data Loss Prevention (DLP) solutions on all systems are some of the best practices to prevent ransomware attacks.

3. Bl00dy ransomware gang strikes education sector with critical PaperCut vulnerability

In response to the active exploitation of CVE-2023-27350, the FBI and CISA have released a joint advisory. PaperCut servers vulnerable to CVE-2023-27350 implement improper access controls in the SetupCompleted Java class, allowing malicious actors to bypass user authentication and access the server as an administrator. After accessing the server, actors can leverage existing PaperCut software features for remote code execution (RCE).

The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations led to data exfiltration and encryption of victim systems. The gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files. It is recommended to upgrade PaperCut to the latest version. To detect malicious activity, look for network traffic attempting to access the SetupCompleted page of an exposed and vulnerable PaperCut server. Admins who suspect their servers were compromised are advised to take backups, wipe the Application Server, and rebuild everything from a safe backup point.
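The detection step above (looking for requests to the SetupCompleted page) can be run over web or reverse-proxy access logs. This is an added example, not code from the FBI/CISA advisory or from PaperCut. It assumes logs in Common/Combined Log Format; the log lines, request paths and the internal address ranges are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumption: replace with the ranges your print users actually come from.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so encoded page names still match."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_setupcompleted_requests(lines):
    """Return {source: [(timestamp, status), ...]} for SetupCompleted requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and "setupcompleted" in decode_fully(m["target"]).lower():
            hits[m["src"]].append((m["ts"], m["status"]))
    return dict(hits)

def is_external(src):
    try:
        addr = ip_address(src)
    except ValueError:
        return True  # logged as a hostname: keep it in the review set
    return not any(addr in net for net in INTERNAL_NETS)

def external_sources(hits):
    """Sources outside the internal ranges: highest priority for review."""
    return sorted(src for src in hits if is_external(src))

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2023:02:11:09 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/May/2023:02:11:12 +0000] "GET /app?service=page%2FSetup%43ompleted HTTP/1.1" 200 5120',
    '10.20.3.14 - - [15/May/2023:08:30:01 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120',
    '198.51.100.22 - - [15/May/2023:09:00:00 +0000] "GET /app?service=page/Home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    found = find_setupcompleted_requests(SAMPLE_LOG)
    print(found, external_sources(found))
```

A hit from an internal address can be an administrator finishing a legitimate install; hits from external sources on an internet-exposed server are the ones to correlate with the server's own application logs.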

4. Babuk source code sparks 9 different ransomware strains targeting VMware ESXi systems

There has been a significant increase in the development of ransomware strains that specifically target ESXi hosts, with at least nine different variants emerging between the second half of 2022 and the first half of 2023. Notably, three of these strains, namely Cylance, Rorschach, and RTM Locker, heavily borrowed from the leaked Babuk source code. Other ransomware families such as DATAF, LOCK4, Mario, Babuk 2023, and Play ransomware also incorporated various elements from Babuk’s code into their own implementations.

Some notable examples not linked to Babuk include ALPHV, Hive, LockBit’s ESXi lockers, and Black Basta. Furthermore, researchers found similarities between ESXiArgs and Babuk, specifically in their use of the same open-source encryption implementation, Sosemanuk. To avoid falling victim to such attacks, it is recommended to keep your ESXi servers, hypervisors, and associated software up to date, limit access and privileges, implement network segmentation to isolate ESXi servers from other critical systems, and train employees on best practices for identifying and avoiding phishing emails.

5. Threat group leveraging Azure Serial Console for VM takeover

A recently identified cybergang known as ‘UNC3944’ has been employing phishing and SIM swapping techniques to hijack Microsoft Azure admin accounts, enabling them to gain unauthorized access to virtual machines. Once inside, the attackers exploit the Azure Serial Console to install remote management software for long-term persistence, while also utilizing Azure Extensions for discreet surveillance activities. In the subsequent stage of their attack, UNC3944 employs the Azure Serial Console to gain administrative access to virtual machines (VMs) and execute commands through the serial port’s command prompt.

To ensure stealthy and persistent access while bypassing network restrictions and security controls, UNC3944 establishes a reverse SSH tunnel to their command-and-control (C2) server. This secure channel allows them to maintain a direct connection to the Azure VM, facilitating remote desktop access. It is recommended to restrict remote administration channels, disable SMS as multifactor authentication, and implement conditional access authentication strength policies to safeguard the organization’s environment.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
