LockBit 3.0 leaks 600 GB of stolen data in a ransomware attack

SISA Weekly Threat Watch - 15 May 2023

From nation-state hacking groups targeting organizations worldwide to widespread vulnerabilities in commonly used software, and from spear-phishing email campaigns to data leaks in massive ransomware attacks, cyberattacks have had a global impact this week. As a result, security experts are concerned that people’s data security will continue to be jeopardized if organizations fail to strengthen their infrastructure defenses.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. ScarCruft’s latest tactics use LNK files to deliver RokRAT malware

ScarCruft is a North Korean threat group that primarily targets South Korean individuals and entities, using spear-phishing attacks to deliver custom malware. ScarCruft has recently adapted its modus operandi to use LNK files and cloud services such as Dropbox and Microsoft OneDrive, disguising command-and-control (C2) communications as legitimate traffic. The group is also developing new malware, including SidLevel, which has extensive capabilities for stealing sensitive information from victims.

RokRAT is typically delivered as a malicious Microsoft Office document, often attached to a spear-phishing email. Once the document is opened and the user enables macros, RokRAT downloads additional payloads and executes its main functionality. To avoid becoming a victim of such attacks, it is recommended to keep operating systems and software up to date, use strong passwords for all accounts, and enable two-factor authentication wherever possible. Additionally, monitor network traffic for unusual activity and implement intrusion detection and prevention systems.

2. XSS flaw found in WordPress plugin with more than 2 million installations

Security researchers have warned that the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, with millions of installs, are vulnerable to reflected cross-site scripting (XSS). The flaw allows an unauthenticated attacker to steal sensitive information or escalate privileges on the WordPress site by tricking a privileged user into visiting a crafted URL path. Reflected XSS attacks usually occur when victims are tricked into clicking a bogus link sent via email or another route; the malicious input is sent to the vulnerable website, which reflects it back into the user’s browser, where it executes.

It’s worth noting that the vulnerability can be triggered on a default installation or configuration of Advanced Custom Fields, although only by logged-in users who have access to the plugin. Users of the Advanced Custom Fields plugin for WordPress are strongly advised to update to version 6.1.6 to safeguard their websites from this XSS vulnerability.
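The mechanism behind a reflected XSS of this kind is a request value echoed into the page without output encoding. The following is an added example written for this advisory, not code from the plugin or from SISA: a vulnerable rendering function beside its hardened form, plus a small check a reviewer or test suite can use to catch the unsafe pattern. The parameter name `field_group` and the admin URL are hypothetical; the advisory does not name the vulnerable parameter.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical parameter name for the example; it is not the parameter from the
# advisory, which does not name one.
PARAM = "field_group"


def _param_from_url(url: str) -> str:
    """Return the raw query-string value the page will echo (empty if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the request value is concatenated into the page as-is,
    both inside an element body and inside an attribute value."""
    value = _param_from_url(url)
    return (
        f"<h2>Settings for {value}</h2>\n"
        f'<input type="hidden" name="{PARAM}" value="{value}">'
    )


def render_safe(url: str) -> str:
    """Hardened pattern: escape at the point of output. quote=True also encodes
    the quote characters, which is what protects the attribute context."""
    value = html.escape(_param_from_url(url), quote=True)
    return (
        f"<h2>Settings for {value}</h2>\n"
        f'<input type="hidden" name="{PARAM}" value="{value}">'
    )


def reflects_markup(rendered: str, raw_value: str) -> bool:
    """Review/test check: a value containing HTML metacharacters must never
    appear verbatim in the rendered output."""
    has_meta = any(c in raw_value for c in "<>\"'")
    return has_meta and raw_value in rendered


# Constructed input for the demonstration; a harmless tag is enough to show
# the difference between the two renderers.
DEMO_URL = "https://example.test/wp-admin/admin.php?page=settings&field_group=<b>x</b>"

if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_markup(render_unsafe(DEMO_URL), "<b>x</b>"))
    print("safe reflects markup:  ", reflects_markup(render_safe(DEMO_URL), "<b>x</b>"))
    print(render_safe(DEMO_URL))
```

In a WordPress plugin the equivalents of `html.escape` are `esc_html()` for element content and `esc_attr()` for attribute values; the important property in both cases is that encoding happens at output time, for the context the value lands in, rather than being attempted once on input.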

3. Fullerton India hacked, LockBit 3.0 leaks 600 GB of data

Fullerton India Credit Company, or Fullerton India for short, a large lending institution in India, appears to have been breached in early April 2023. This is corroborated by the LockBit ransomware darknet leak site, where the attackers listed the company and, over a month later, published all of the stolen data. Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

LockBit has stated that the stolen data includes loan agreements with individuals and legal entities, customer status and organizational accounts, agreements with financial institutions, data on international transfers, financial documents, email correspondence on important transactions with attachments, customers’ personal information, and more. To avoid data loss from such attacks, it is recommended to implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a secure location. To prevent the spread of ransomware, identify, detect, and investigate abnormal activity and potential lateral movement of the ransomware with a network monitoring tool.
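RDP exploitation is the first initial-access vector listed above, and abuse of valid accounts the fourth; the two often meet as a burst of failed RDP logons followed by a success. The following is an added detection example, not part of the SISA advisory: it runs over constructed Windows Security events and flags a source IP that fails RDP authentication repeatedly inside a short window, recording how many distinct accounts were tried and which account then logged in successfully from that IP. The event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are real Windows values; the pipe-delimited log format and every event line are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. One event per line:
# timestamp|EventID|LogonType|TargetAccount|SourceIP
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# The single LogonType 3 line is there to show the rule filtering it out.
SAMPLE_EVENTS = """\
2023-04-03T01:00:01|4625|10|admin|203.0.113.7
2023-04-03T01:00:02|4625|3|admin|203.0.113.7
2023-04-03T01:00:03|4625|10|administrator|203.0.113.7
2023-04-03T01:00:05|4625|10|root|203.0.113.7
2023-04-03T01:00:08|4625|10|guest|203.0.113.7
2023-04-03T01:00:12|4625|10|jdoe|203.0.113.7
2023-04-03T01:00:40|4625|10|svc_backup|203.0.113.7
2023-04-03T01:01:10|4624|10|svc_backup|203.0.113.7
2023-04-03T09:15:00|4624|10|jdoe|10.0.0.25
2023-04-03T09:16:00|4625|10|jdoe|10.0.0.25
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`.

    Each finding records the distinct accounts tried in the burst (a spraying
    indicator) and the first account that logged in over RDP from the same IP
    at or after the end of the burst, which is the event to investigate first.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        fails = [e for e in evs if e["id"] == FAILED_LOGON]
        best = None  # (count, window_start, window_end) of the densest burst
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, fails[start]["ts"], fails[end]["ts"])
        if best is None:
            continue
        count, first_ts, last_ts = best
        burst = [e for e in fails if first_ts <= e["ts"] <= last_ts]
        success = next(
            (e for e in evs if e["id"] == SUCCESS_LOGON and e["ts"] >= last_ts),
            None,
        )
        findings.append({
            "ip": ip,
            "failures": count,
            "accounts": len({e["account"] for e in burst}),
            "window": (first_ts.isoformat(), last_ts.isoformat()),
            "success_after": success["account"] if success else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

One caveat for production use: on hosts with Network Level Authentication enabled, failed RDP attempts are commonly recorded as 4625 events with logon type 3 rather than 10, so a deployed rule usually widens the logon-type filter; it is kept to type 10 here so the sample reads cleanly.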

4. SideCopy uses Action RAT and AllaKore RAT to infiltrate Indian organizations

SideCopy, a suspected Pakistan-aligned threat actor, has been observed leveraging themes related to an Indian military research organization as part of an ongoing phishing campaign. This involves a ZIP archive lure pertaining to India’s Defence Research and Development Organisation (DRDO), used to deliver a malicious payload capable of harvesting sensitive information. Intriguingly, the same attack chains have been observed loading and executing Action RAT as well as an open-source remote access trojan known as AllaKore RAT.

Analysis of the Action RAT command-and-control (C2) infrastructure identified outbound connections from one of the C2 server IP addresses to another address geolocated in Pakistan. In total, as many as 18 distinct victims in India have been detected connecting to C2 servers associated with Action RAT, and 236 unique victims, again located in India, connecting to C2 servers associated with AllaKore RAT. It is recommended to avoid downloading attachments from untrusted sources, keep all systems updated, and use strong encryption and key management to protect sensitive information from misuse.

5. Kimsuky hackers expand targeting scope with advanced reconnaissance tool

The Kimsuky hacking group from North Korea has been using a new version of its reconnaissance malware, named ‘ReconShark’, in a worldwide cyberespionage campaign. The campaign’s spear-phishing emails contain a link to a password-protected document hosted on Microsoft OneDrive, which helps reduce the likelihood of detection by email security tools. Once the target downloads the document and enables macros as instructed, the embedded ReconShark malware is activated.

ReconShark is capable of using Windows Management Instrumentation (WMI) to gather data on the infected system, including running processes and battery status. It then sends the collected information directly to the C2 server via HTTP POST requests, avoiding local storage. ReconShark can also fetch additional payloads from the C2 server, which further strengthens Kimsuky’s foothold on the compromised system. To safeguard against these attacks, organizations must educate employees on cybersecurity best practices, deploy and regularly update anti-malware and intrusion detection software, and limit administrative privileges.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
