Emerging Cyber Threats of February 2023

February was another challenging month for cybersecurity, with new malware families, ransomware campaigns, and even a zero-day vulnerability making their way onto the scene. Luckily, Picus Labs quickly responded by adding attack simulations for these emerging threats to the Picus Threat Library. 

This blog briefly explains the top four cyber threats observed in February 2023. You can easily simulate these threats and validate and improve your security controls against them with the Picus Complete Security Validation Platform.

Simulate Emerging Cyber Threats with 14-Day Free Trial of the Picus Platform

Top Cyber Threats of February 2023

1. ESXi Args Ransomware (CISA Alert AA23-039A)

2. Earth Kitsune Malware (WhiskerSpy Backdoor)

3. WIP26 (CMD365 and CMDEmber Backdoors)

4. GoAnyWhere MFT Zero-Day Vulnerability

5. MortalKombat Ransomware

1. ESXi Args Ransomware (CISA Alert AA23-039A)

On February 8, 2023, CISA, FBI, and CERT-FR published security advisories on ESXiArgs ransomware that exploits known a vulnerability, CVE-2021-21972, in VMware ESXi software with publicly facing ESXi hypervisors [1]. 

Even though this vulnerability was disclosed two years ago and had a CVSS score of 9.8 (Critical), some organizations still run outdated or unpatched ESXi versions, which makes them potential targets for these attacks. Since it is not the only initial access vector, some organizations that have patched their vulnerable ESXi servers or disabled SLP service can still get infected with ESXiArgs ransomware.

Although not all initial access methods are known, victim statistics indicate that over 3,800 servers in France, Germany, the US, Canada, and the Netherlands were infected. 

One key factor that differs ESXiArgs ransomware from other ransomware families is that earlier variants did not encrypt a large portion of data if the file size was over 128 MB, which allowed researchers to recover virtual machines in some cases. However, newer variants encrypt 50% of the data if the file size is over 128 MB, making it nearly impossible to recover the data without the key.

We strongly suggest simulating ESXiArgs ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. 

Picus Threat Library includes the following threats for ESXiArgs ransomware: 

For more information, visit our latest blog on the ESXiArgs ransomware.

2. Earth Kitsune Malware (WhiskerSpy Backdoor)

Since 2019, Earth Kitsune has been distributing custom-designed backdoors to specific targets, mainly those interested in North Korea. Security researchers [2] have found that attackers often use a technique known as "watering hole", which involves injecting browser exploits into compromised websites, giving attackers access to the systems of visitors.

Further analysis shows that targeted visitors are prompted by a “Codec Error” to lure the victims into installing the malicious payload disguised as Advanced Video Codec - AVC1. In reality, this installer contains a malicious JavaScript payload, which redirects its victims to download the malicious MSI installer.

For installation, threat actors prefer to abuse a legitimate installer, which is patched with malicious and encrypted shellcode. When decrypted, this shellcode downloads various other malicious binaries as well as the main backdoor called WhiskerSpy, which is unseen before. 

For the asymmetric key exchange between the backdoor and the C2 (clientPrivKey, clientPubKey, sharedKey), adversaries leverage a cryptographic algorithm called Elliptic Curve Diffie-Hellman (ECDH) on a very well-known curve called secp256r1 to establish a shared secret key for secure communication. 

When receiving packets from the C2 server, WhiskerSpy generates a random 16-byte AES key to encrypt and decrypt the communication. The backdoor also generates a session ID by hashing the AES key with the Murmur3 function to identify the session. This session ID is used to track communication between the backdoor and the C2 server during a specific session. However, it's worth noting that whether the received packet is encrypted depends on the packet's purpose. For example, command packets that contain instructions such as opening an interactive shell, performing process injection, deleting, uploading, or modifying files are received encrypted. In contrast, packets that generate a new session key remain plaintext.

We strongly suggest simulating Advanced Persistent Threats (APTs) to test the effectiveness of your security controls against cyber attacks using the Picus Complete Security Validation Platform. You can test your defenses against infamous APT actors like Earth Kitsune within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Earth Kitsune APT group: 

3. WIP26 (CMD365 and CMDEmber Backdoors)

WIP26 is a threat actor, which is infamous for targeting telecommunication providers in the Middle East. 

As an initial access technique, the attackers prefer using targeted messages through WhatsApp messages that contain Dropbox links to archive files masquerading as benign-looking documents on poverty issues in the Middle East. In reality, these archives contain a malware loader, called PDFelement.exe, which deploys two backdoors, CMD365 and CMDEmber, that utilize public Cloud infrastructure for C2 purposes.

CMD365 is a backdoor that utilizes a Microsoft 365 Mail inbox as a C2 server and interacts with the Microsoft Graph API. Once installed, CMD365 creates a scheduled task for persistence and masquerades as the legitimate Postman application. The malware exchanges encrypted and Base64-encoded data with the C2 server using an AES key and an empty initialization vector for data encryption and decryption. CMD365 executes system commands provided as standard input to the Windows command interpreter, allowing the attacker to conduct various activities such as reconnaissance, privilege escalation, staging additional malware, and data exfiltration. The malware polls the inbox folder for C2 commands and sends the output back to the C2 server using the Microsoft Graph API.

CMDEmber, on the other hand, is a backdoor that utilizes a Google Firebase Realtime Database instance as a C2 server. Once installed, CMDEmber connects to the Firebase instance and exfiltrates information about the infected machine, such as the computer name, bitness, name, and ID of the CMDEmber process, user name, and IPv4 and physical addresses of all operational network interfaces on the machine. The malware masquerades as the Opera browser and uses an invalid digital signature indicating the Opera Norway software vendor. CMDEmber exchanges data with the C2 server through the Firebase Realtime Database and encrypts and decrypts the Base64 data exchanged with the C2 server using the MD5 hash of the Triple DES key. The malware executes system commands and sends the results of the executed commands back to the C2 server. CMDEmber polls the Firebase instance for C2 commands by issuing HTTP GET requests.

We highly recommend you simulate the WIP26 attacks to evaluate the efficiency of your security controls against ransomware attacks using Picus Complete Security Validation Platform. 

Picus Threat Library includes the following threats for WIP26 attacks including the CMD365 and CMDEmber backdoors:

4. GoAnyWhere MFT Zero-Day Vulnerability

GoAnyWhere, which is a secure managed file transfer (MFT) software, has warned its customers about a Zero-Day Remote Code Execution (RCE) vulnerability [3] that is being actively exploited in the wild. The vulnerability was tracked as CVE-2023-0669 with CVSS score of 7.2 [4], and disclosed by a developer who is working in Fortra, after in-the-wild exploitation was detected. 

Although mitigations and indicators of compromise were released immediately, a patch was only made available a week later. Security researcher Florian Hauser recently released technical details and proof-of-concept (PoC) exploit code [5] for the vulnerability, allowing unauthenticated remote code execution on vulnerable servers. 

Note that the attack vector of this exploit requires access to the administrative console of the application (pre-authentication RCE [6]), which is mostly accessible only from within a private company network, through VPN, or by allow-listed IP addresses. While a Shodan scan revealed that almost 1,000 GoAnyWhere instances are exposed on the Internet, just over 140 are on the ports (8000, 8001) used by the vulnerable admin console. 

Figure 1. Shodan Scan for GoAnyWhere Instances

The Cl0p ransomware group has taken credit for the attack, claiming that they managed to steal data from more than 130 organizations. 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-0669 to its Known Exploited Vulnerabilities Catalog, and federal agencies have been instructed to patch the flaw until March 3.

Picus Threat Library now includes attack simulations for the GoAnyWhere zero-day vulnerability, in addition to those already available for the Cl0p ransomware group. 

We highly recommend organizations to effectively test their security controls against the latest emerging threats and stay ahead of potential attacks.

5. MortalKombat Ransomware

MortalKombat ransomware is malware, which was first observed in January 2023, based on the Xorist Commodity ransomware. Victim statistics shows that MortalKombat ransomware mainly affects the US, as well as the Philippines, the UK, and Turkey [7].

Adversaries typically infect their victims through cryptocurrency themed phishing emails. Analysis shows that threat actors use a BAT loader script that uses the native bitsadmin to deploy and execute both Laplas Clipper malware and MortalKombat ransomware from the attacker-controlled C2 server [8]. 

MortalKombat ransomware encrypts various files on the victim machine's filesystem and maps the logical drives, encrypting every file that matches a list of file extensions. It changes the victim machine's wallpaper, removes applications and folders from Windows startup, disables the Run command window, and corrupts even the deleted files in the recycle bin. The ransomware establishes persistence by creating a Run registry key and registering its classes, filename extension, and icon for the encrypted files. 

Laplas Clipper, on the other hand, is a clipboard stealer malware that monitors the victim machine's clipboard for cryptocurrency wallet addresses. Once it finds the victim's wallet address, it sends it to the attacker-controlled Clipper bot, which generates a lookalike wallet address and overwrites it in the victim's clipboard. If the victim uses the lookalike address, a fraudulent cryptocurrency transaction occurs. Laplas Clipper establishes persistence by creating a folder in the local user's profile and copies itself into the folder. It also creates a Windows scheduled task to activate the Clipper for every minute for 416 days [7]. 

On March 3, 2023, security professionals published a decryption tool for the ransomware [9], however, it is important to note that these keys can be easily changed by adversaries in new attack campaigns and cannot be relied on continuously. 

For this reason, Picus Labs has swiftly added the MortalKombat threat to Picus Threat Library so that organizations can validate their security controls against it. 

References

[1] “ESXiArgs Ransomware Virtual Machine Recovery Guidance,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a. [Accessed: Mar. 06, 2023]

[2] “Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack,” Trend Micro, Feb. 17, 2023. [Online]. Available: https://www.trendmicro.com/en_ca/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html. [Accessed: Mar. 02, 2023]

[3] B. Toulas, “GoAnywhere MFT zero-day vulnerability lets hackers breach servers,” BleepingComputer, Feb. 03, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/goanywhere-mft-zero-day-vulnerability-lets-hackers-breach-servers/. [Accessed: Mar. 03, 2023]

[4] “NVD - CVE-2023-0669.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2023-0669. [Accessed: Mar. 03, 2023]

[5] Frycos Security Diary, “GoAnywhere MFT - A Forgotten Bug,” Frycos Security Diary, Feb. 06, 2023. [Online]. Available: https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html. [Accessed: Mar. 03, 2023]

[6] S. Gatlan, “Exploit released for actively exploited GoAnywhere MFT zero-day,” BleepingComputer, Feb. 06, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-exploited-goanywhere-mft-zero-day/. [Accessed: Mar. 03, 2023]

[7] C. Boyd, “Mortal Kombat ransomware forms tag team with crypto-stealing malware,” Malwarebytes, Feb. 17, 2023. [Online]. Available: https://www.malwarebytes.com/blog/news/2023/02/mortal-kombat-ransomware-forms-tag-team-partnership-with-laplas-clipper. [Accessed: Mar. 06, 2023]

[8] C. Raghuprasad, “New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign,” Cisco Talos Blog, Feb. 14, 2023. [Online]. Available: https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/. [Accessed: Mar. 06, 2023]

[9] V. Vrabie and Á. C. S. Dávid, “Bitdefender Releases Decryptor for MortalKombat Ransomware,” Bitdefender Labs. [Online]. Available: https://www.bitdefender.com/blog/labs/bitdefender-releases-decryptor-for-mortalkombat-ransomware/. [Accessed: Mar. 06, 2023]