July 2023: Key Threat Actors, Malware and Exploited Vulnerabilities


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Executive Summary

  • The month of July 2023 has seen significant cyber threats with Storm-0558 [1], Lazarus APT [2], Cl0p Ransomware Gang ([3], [4], [5]), LockBit 3.0 Ransomware Gang ([6], [7], [8]), and ALPHV (BlackCat) Ransomware Gang [9] being the top five most active threat actors.

  • Alarmingly, all of these threat actors demonstrated the capacity to significantly disrupt both businesses and services, with LockBit 3.0 Ransomware disrupting one of Japan's busiest ports (Nagoya Port Unified Terminal System [7]) and the Cl0p Ransomware Gang compromising the network of a U.S. government contractor (Maximus [5]), impacting over 8 million customers.

  • In July 2023, significant malware threats emerged, including the SUBMARINE [10] and SEASPY [11] backdoors, both planted by exploiting a vulnerability in the Barracuda Email Security Gateway. Concurrently, WikiLoader [12] rose to prominence: a sophisticated malware that used PHP-obfuscated shellcode and the MQTT protocol to clandestinely deliver the Ursnif banking Trojan, with Italian organizations being most heavily impacted.

  • Additionally, TrueBot (a.k.a. silence.downloader) [13] shifted its infection technique to exploiting a remote code execution vulnerability in the Netwrix Auditor application, and utilized a suite of tools for malware distribution, payload deployment, post-exploitation activities, and data exfiltration.

  • In July 2023, an array of vulnerabilities was actively exploited. The Storm-0978 [14] threat actor utilized CVE-2023-36884 [15] to target defense and government entities in Europe and North America. Separate instances saw a host of vulnerabilities including CVE-2023-3466 [16], CVE-2023-3467 [16], and CVE-2023-3519 [16], compromising NetScaler products. 

  • The Barracuda Email Security Gateway also came under threat due to CVE-2023-2868 [17], facilitating arbitrary remote commands. TP-Link Archer AX21 routers were impacted by CVE-2023-1389 [18], granting unauthorized access to sensitive information. Finally, active exploits were observed against the CVE-2023-23397 [19] vulnerability in Microsoft's Office Outlook, allowing attackers to impersonate users.

Top Five Most Active Threat Actors in July

The surge in cyber threats in July 2023 is alarming. From Storm-0558's sophisticated Azure exploits to Lazarus APT's relentless targeting of the financial sector, it's clear we're dealing with sophisticated and determined threat actors. The Cl0p and LockBit 3.0 ransomware attacks on diverse industries reveal an unsettling expansion in targets, with potential consequences for global economies. ALPHV's tactics show cybercriminals are becoming more innovative, requiring constant vigilance. The need for robust, comprehensive cybersecurity solutions has never been more pressing.

1. Storm-0558

In July 2023, the threat group known as Storm-0558 [20] emerged as a significant player in the cyber threat landscape, with a particular focus on exploiting vulnerabilities in Microsoft Azure's Active Directory service [1].

  • Attack Technique

Their attack lifecycle reveals that Storm-0558 managed to acquire the encryption key used for signing OpenID v2.0 tokens for "Personal Microsoft accounts" (MSA) and mixed audience applications (MSA and Azure AD accounts) [20]. This gave the group the ability to forge access tokens, impersonate users, and potentially gain unauthorized access to any Azure Active Directory application that trusts Microsoft's OpenID v2.0 certificates.

Storm-0558 carried out this intricate attack by taking advantage of a security issue in the Microsoft OpenID protocol's token verification process. More specifically, the protocol did not mandate key validation for the issuer, allowing Storm-0558 to use the MSA keys to authenticate organizational accounts. This technique indicates the group's high level of technical prowess and an in-depth understanding of complex authentication protocols.
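The validation gap described above, as an added example that is not Microsoft's code: a token verifier that resolves the signing key only within the expected issuer's key set, beside the unscoped lookup that lets a consumer key validate an organizational token. HMAC-SHA256 stands in for RSA, and all issuers, key ids and secrets are constructed sample values.

```python
"""
Issuer-scoped signing-key lookup for OpenID-style tokens (added illustration,
not Microsoft's code). Storm-0558's forgeries passed because a consumer (MSA)
signing key was accepted for organizational (Azure AD) tokens; the fix is to
resolve a token's key id only inside the expected issuer's key set. HMAC-SHA256
stands in for RSA; issuers, key ids and secrets are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict

TENANT_ISSUER = "https://login.example-tenant.test/v2.0"      # constructed
CONSUMER_ISSUER = "https://login.example-consumer.test/v2.0"  # constructed

# One key set per issuer, mirroring per-issuer JWKS documents.
KEYS_BY_ISSUER: Dict[str, Dict[str, bytes]] = {
    TENANT_ISSUER: {"tenant-key-1": b"tenant-secret-1"},
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-secret-1"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(issuer: str, kid: str, key: bytes, claims: dict) -> str:
    """Build a compact JWS (HS256) carrying `claims` plus the given issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_issuer: str, scoped: bool = True) -> dict:
    """Return the claims or raise ValueError. scoped=True resolves the kid only
    in the expected issuer's key set (correct); scoped=False searches every key
    set, the flawed behaviour that let an MSA-signed token pass as Azure AD."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    kid = header.get("kid")
    if scoped:
        key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(kid)
    else:
        key = next((ks[kid] for ks in KEYS_BY_ISSUER.values() if kid in ks), None)
    if key is None:
        raise ValueError(f"kid {kid!r} is not a signing key of {expected_issuer}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return claims

def accepts(token: str, expected_issuer: str, scoped: bool = True) -> bool:
    try:
        verify_token(token, expected_issuer, scoped)
        return True
    except ValueError:
        return False
```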

  • Victim Statistics

The potential victim base of this attack is broad, extending to any organization using Azure Active Directory and Microsoft's OpenID v2.0. This includes managed Microsoft applications, such as Outlook, SharePoint, OneDrive, and Teams, as well as customer applications that support Microsoft Account authentication, including those that offer "Login with Microsoft" functionality. Specifically, applications that support accounts in any organizational directory (any Azure AD directory, multi-tenant) and personal Microsoft accounts (e.g. Skype, Xbox) were also at risk. There have been confirmed cases of the group forging valid access tokens for Outlook Web Access (OWA), demonstrating its capabilities.

2. Lazarus APT

In July 2023, the Lazarus APT (Advanced Persistent Threat), a group linked to North Korea, escalated its cybercriminal activities, targeting multiple sectors across the globe. 

  • Attack Technique

Andariel, a subgroup of Lazarus, uses a multi-stage attack that begins with a Log4j exploit for initial access, enabling further malware downloads from its C2 infrastructure [2]. One of these is the DTrack backdoor. A newly discovered malware, EarlyRat, is then deployed via the same Log4j vulnerability or through phishing documents. As a Remote Access Trojan (RAT), EarlyRat collects and encrypts system information and sends it to the C2 server. Despite its simplicity, primarily executing commands, EarlyRat shares similarities with another Lazarus-deployed malware, MagicRat, suggesting a sophisticated adaptation and evolution of attack techniques. Commands are executed manually by a human operator, introducing potential errors but also unique TTPs.

  • Victim Statistics

One sector that faced a significant threat from the Lazarus APT was the finance industry. On July 22, CoinsPaid, an Estonian crypto-payment service provider, suffered a cyber-attack attributed to Lazarus, resulting in the theft of $37,200,000 in cryptocurrency [21]. Additionally, Lazarus APT made inroads into the technology industry through a sophisticated social engineering campaign on GitHub [22]. The group targeted employees' personal accounts, particularly those linked to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors, seeking collaboration on a shared repository to deliver malware.

This heightened activity in July 2023 reaffirms Lazarus' reputation as a formidable cyber threat, targeting vulnerable sectors to fulfill its objectives.

3. Cl0p Ransomware Gang

In July 2023, the Cl0p Ransomware Gang, known as TA505, was exceptionally active, targeting a range of sectors with a significant uptick in cyberattacks. 

  • Attack Technique

The CL0P ransomware group exploited the SQL injection vulnerability CVE-2023-34362 in MOVEit Transfer software, leading to the installation of a web shell named LEMURLOOT. This allowed the group to steal data and persist within the compromised system, marking their transition from encryption-based attacks to a focus on data exfiltration. Notably, the group's malware toolkit includes FlawedAmmyy/FlawedGrace RAT, SDBot RAT, Truebot, Cobalt Strike, DEWMODE, and LEMURLOOT, demonstrating their ability to operate as a Ransomware as a Service (RaaS), an initial access broker, and a large botnet operator.

  • Victim Statistics

Notably, the group targeted major European manufacturers Schneider Electric and Siemens Energy, the renowned American university UCLA, and pharmaceutical technology provider Werum [3]. They also extended their attacks into the cosmetics industry, compromising the network of American cosmetics giant Estée Lauder [4]. Even government services were not spared, with U.S. government contractor Maximus suffering a substantial data breach, impacting over 8 million customers [5]. 

The diverse nature of Cl0p's targets during July 2023 underscored their advanced capabilities, strategic planning, and the far-reaching impact of their operations, underlining the need for comprehensive cybersecurity measures across all sectors.

4. LockBit 3.0 Ransomware Gang

In July 2023, LockBit 3.0, which operates under the Ransomware-as-a-Service (RaaS) model, ramped up its activities, launching a series of cyberattacks that spanned various sectors worldwide.

  • Attack Technique

LockBit 3.0 initiates its attack chain via tactics such as phishing campaigns, RDP exploitation, and abuse of valid accounts, followed by privilege escalation and system reconnaissance. Critical to its operation are tools like StealBit for data exfiltration and open-source tools like Rclone, MEGASync, and Mimikatz for varied malicious purposes. Its advanced capabilities, such as encrypting data while skipping core system files, dropping a unique ransom note, and self-deleting after execution, highlight the ransomware's sophistication.

  • Victim Statistics

This Russia-linked gang targeted high-profile entities, from tech giants to vital infrastructure facilities and healthcare providers. 

Taiwan Semiconductor Manufacturing Company (TSMC), the world's leading contract chip manufacturer, was allegedly attacked by LockBit [6]. Although TSMC denied a direct breach, it confirmed that Kinmax Technology, one of its IT hardware suppliers, fell victim to the group's attack. Meanwhile, in Japan, LockBit managed to disrupt one of the busiest ports, Nagoya Port Unified Terminal System (NUTS), which handles a significant 10% of the country's trade volume [7]. In the healthcare sector, LockBit made a significant breach against Managed Care of North America, a prominent dental insurer, affecting the personal data of 8.9 million members [8]. 

Despite authorities' refusal to pay the demanded ransoms, LockBit's activities in July demonstrated its audacious reach and the pervasive threat of ransomware attacks in today's digital age.

5. ALPHV (a.k.a. BlackCat) Ransomware Gang

ALPHV, also known as the BlackCat Ransomware Gang, demonstrated significant activity in July 2023, orchestrating multi-faceted cyber attacks across various sectors [9].

  • Attack Technique

The ALPHV (BlackCat) ransomware, written in Rust, uses various cryptographic algorithms to lock victims' data. Gaining initial access by exploiting unpatched Microsoft Exchange server vulnerabilities and through malvertising for popular applications, it uses a tool called Exmatter for data exfiltration; updated to target specific file types, Exmatter improves the operation's stealth and evasion of detection. BlackCat also deploys Eamfo, a malware that specifically targets credentials stored in Veeam backups. The ransomware then threatens victims with the publication of sensitive data and potential DDoS attacks to pressure them into paying high ransoms, typically demanded in Bitcoin or Monero.

  • Victim Statistics

Their victims included prominent healthcare and educational institutions, along with major consumer goods entities. Barts Health NHS Trust, a healthcare network caring for over 2.5 million patients across six hospitals and ten clinics in East London, found itself in the crosshairs of BlackCat. Meanwhile, the University of Manchester suffered a confirmed attack compromising the NHS details of over a million patients. In a striking shift, the gang infiltrated the consumer goods sector, targeting American cosmetics giant, Estée Lauder. In this incident, the company's network was accessed, and data was exfiltrated, with both BlackCat and Cl0p ransomware groups claiming responsibility. 

Alongside these direct attacks, BlackCat also resorted to malvertising and cloning legitimate websites to spread their malware. These extensive activities in July highlight the gang's audacious tactics and underscore the growing cybersecurity threats facing organizations across industries.

Most Active Malware in July

Here are the four most actively used malware families in July 2023.

1. SUBMARINE Backdoor

On July 28, 2023, CISA published malware analysis reports concerning the exploitation of a vulnerability in the Barracuda Email Security Gateway. The reports detail two backdoors planted by threat actors: the SEASPY and SUBMARINE backdoors.

In the following discussion, we will specifically concentrate on the SUBMARINE backdoor, a severe threat operating within a compromised appliance's SQL database. The SUBMARINE backdoor exemplifies a sophisticated type of cyber-espionage attack, utilizing the inherent capabilities of the Linux system, reflecting the attacker's deep understanding of the system's architecture. 

The operation exploits the method of Linux Shared Object Preloading, analogous to DLL side-loading in Windows, which alters the loading sequence of libraries to preferentially load malicious ones before legitimate ones, making detection more difficult. The attack primarily manipulates the Batched Simple Mail Transfer Protocol (BSMTP) daemon, an element of the Linux system's email infrastructure, cleverly disguising the malicious activity as normal system behavior.

Two notable components are deployed in this attack. The first is a malicious shell script known as 'smtpctl' [10], which manages the configuration of the backdoor, allowing the attacker to specify the details of the operation and the execution of commands. The second component is a malicious Linux shared object named 'libutil.so' [10], the main payload of the backdoor. This payload is designed to provide the attacker with remote access to the infected system, allowing them to execute commands, exfiltrate data, and generally blend in with normal system activity.
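One way to triage a host for the preloading mechanism described above, as an added example that is not from the CISA report: a script that parses /etc/ld.so.preload and the LD_PRELOAD variable from /proc/<pid>/environ and flags libraries outside an assumed set of trusted directories. The sample file contents and environments are constructed.

```python
"""
Audit of Linux shared-object preloading on a suspect host.

Added example, not from the CISA report: SUBMARINE gets a malicious shared
object loaded ahead of legitimate libraries. On Linux that is driven by
/etc/ld.so.preload (system-wide) and the LD_PRELOAD variable (per process),
so a triage script should read both. Inputs below are constructed sample
contents; TRUSTED_DIRS is an assumed allowlist to adapt per distribution.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")  # assumption

def classify_preload(preload_text: str) -> List[Tuple[str, str]]:
    """Parse an /etc/ld.so.preload body into (library, assessment) pairs.
    A clean host normally has no such file, so every entry deserves a look."""
    results = []
    for raw in preload_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # the loader ignores comments
        for lib in re.split(r"[\s:]+", line):    # split on whitespace and colons
            if not lib:
                continue
            if lib.startswith(TRUSTED_DIRS):
                results.append((lib, "trusted path; confirm package ownership"))
            else:
                results.append((lib, "outside trusted library dirs"))
    return results

def ld_preload_from_environ(environ: bytes) -> Optional[str]:
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len("LD_PRELOAD="):].decode(errors="replace")
    return None

def audit_host(preload_text: str, environs: Dict[int, bytes]) -> List[str]:
    """Combine both checks into human-readable findings."""
    findings = [f"ld.so.preload: {lib} ({why})" for lib, why in classify_preload(preload_text)]
    for pid, env in sorted(environs.items()):
        value = ld_preload_from_environ(env)
        if value:
            findings.append(f"pid {pid}: LD_PRELOAD={value}")
    return findings

def audit_live_host() -> List[str]:
    """Run the audit against the real files (root is needed to read other users' environ)."""
    preload_text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    environs: Dict[int, bytes] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:
                continue
    return audit_host(preload_text, environs)
```

Any entry in ld.so.preload, even under a trusted path, should be matched back to its owning package before it is dismissed.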

2. SEASPY Backdoor

SEASPY [11] is a sophisticated backdoor that leverages the capabilities of the Linux system, underscoring the attackers' deep knowledge of the system's architecture.

This operation is distinguished by its installation as a system service, a technique that camouflages the malware as a legitimate service and makes it more challenging to detect. The attack mimics the Barracuda Mail Service, further masking the malicious activity as normal system operations.

The SEASPY backdoor is marked by two distinctive technical components. The initial one is a function designated "start_pcap_listener" [11]. This function sets up the configuration of the backdoor, giving the attacker the ability to dictate the specific parameters of the operation, as well as execute predefined or arbitrary commands.

The second core component of this malware is the "reverse shell" function, embedded within "start_pcap_listener". Acting as the primary payload of the SEASPY backdoor, this function facilitates a remote connection back to the attacker's system. This covert line of communication allows the attacker to execute commands, exfiltrate sensitive data, and maintain operational stealth, seamlessly blending into standard system activities to avoid detection.

Unique to this variant of the SEASPY backdoor (BarracudaMailService.1) is its optimization for stealth. Instead of executing an extra set of instructions before starting the reverse shell functionality (like its counterpart BarracudaMailService.2), it jumps directly to the set of instructions that initiate the reverse shell, making the execution quicker and less likely to raise alarms.

In this light, the SEASPY Backdoor emerges as a stealthy, efficient, and highly skilled operation that leverages the complexities of the Linux system and its functionalities to circumvent security measures and maintain persistent, covert access to targeted systems.

3. WikiLoader 

In July 2023, cyber threat groups TA544 and TA551 launched high-profile attack campaigns targeting Italian organizations, deploying the advanced WikiLoader malware [12]. 

This multifaceted malware retrieves obfuscated shellcode from compromised hosts via PHP, presenting a challenging front for security measures with its advanced evasion capabilities. Intricate obfuscation techniques, including busy loops, string encoding, and indirect syscalls, help maintain its stealth and make detection difficult.

Notably, the malware introduced a new stealth tactic of employing the MQTT protocol to fetch the notorious Ursnif banking Trojan as the second-stage payload, thereby bypassing the need for direct communication with compromised hosts. WikiLoader further complicated its operation by writing the shellcode stages byte-by-byte through the NtWriteVirtualMemory API instead of performing a single pass. This subtle mechanism allowed the Ursnif Trojan to be stealthily injected and executed, potentially compromising sensitive data. 
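The byte-by-byte NtWriteVirtualMemory behaviour described above is also a detection opportunity. As an added example that is not the page's or any vendor's code, this script aggregates constructed API telemetry per source/target process pair and flags pairs dominated by single-byte remote writes; the log format and both thresholds are assumptions to tune per environment.

```python
"""
Detection sketch for byte-by-byte cross-process memory writes.

Added example, not the malware's or any vendor's code: WikiLoader copies its
shellcode stages into the target one byte per NtWriteVirtualMemory call,
whereas legitimate injectors typically write in large chunks. A high count of
1-byte remote writes from one source process to one target is therefore a
cheap signal. The telemetry lines are constructed in an assumed key=value
format, and the thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

EVENT_RE = re.compile(r"pid=(\d+)\s+api=(\w+)\s+target=(\d+)\s+size=(\d+)")

# Constructed sample telemetry: one process writing 300 single bytes into
# another, a self-write, and an installer-style bulk write.
SAMPLE_EVENTS: List[str] = (
    ["pid=4242 api=NtWriteVirtualMemory target=1337 size=1"] * 300
    + ["pid=4242 api=NtWriteVirtualMemory target=4242 size=1"] * 50
    + ["pid=5000 api=NtWriteVirtualMemory target=5001 size=65536"] * 3
    + ["pid=5000 api=NtProtectVirtualMemory target=5001 size=65536"]
)

def parse_event(line: str) -> Optional[Tuple[int, str, int, int]]:
    """Return (pid, api, target, size) or None for lines that do not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    pid, api, target, size = m.groups()
    return int(pid), api, int(target), int(size)

def remote_write_stats(lines: Iterable[str]) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """Per (source pid, target pid): (tiny writes, all writes); self-writes excluded."""
    tiny: Dict[Tuple[int, int], int] = defaultdict(int)
    total: Dict[Tuple[int, int], int] = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[1] != "NtWriteVirtualMemory" or ev[0] == ev[2]:
            continue
        pid, _, target, size = ev
        total[(pid, target)] += 1
        if size <= 1:
            tiny[(pid, target)] += 1
    return {k: (tiny[k], total[k]) for k in total}

def flag_bytewise_injectors(lines: Iterable[str], min_tiny: int = 64,
                            min_ratio: float = 0.9) -> List[Tuple[int, int, int]]:
    """Return (source pid, target pid, tiny write count) for pairs over both thresholds."""
    flagged = []
    for (pid, target), (n_tiny, n_all) in sorted(remote_write_stats(lines).items()):
        if n_tiny >= min_tiny and n_tiny / n_all >= min_ratio:
            flagged.append((pid, target, n_tiny))
    return flagged
```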

The evolution and increased complexity of WikiLoader highlight the rapidly progressing sophistication of contemporary cyber threats and the importance of advanced defense measures.

4. TrueBot (a.k.a. silence.downloader)

On July 6, 2023, CISA released an advisory highlighting increased activity of Truebot malware, predominantly targeting U.S. and Canadian networks [13]. Truebot, notably utilized by the CL0P Ransomware Gang, demonstrated evolving infection techniques: transitioning from phishing email attachments to exploiting the remote code execution vulnerability, CVE-2022-31199, in the Netwrix Auditor application.

Upon a successful breach, Truebot deploys FlawedGrace, a remote access tool, which manipulates the registry and print spooler programs to elevate privileges and establish persistence. Moreover, the malware employs over a gigabyte of junk code to evade detection and analysis.

Conducting a comprehensive scan of the compromised system, Truebot identifies active processes and security tools, subsequently encoding this data to evade defensive mechanisms. By establishing a command-and-control connection, it downloads additional malicious modules, self-replicates, and stealthily navigates within the infected network.

The operation involves a suite of tools such as Raspberry Robin for malware distribution, FlawedGrace for deploying additional payloads, Cobalt Strike for post-exploitation activities, and Teleport for undetectable data exfiltration. 

The escalating Truebot activity underscores the crucial need for robust cybersecurity measures and the timely application of patches.

Top CVEs Exploited in July

In July 2023, a concerning surge in active exploits was observed across multiple critical vulnerabilities. 

Microsoft recently flagged a sophisticated phishing campaign carried out by a threat actor known as Storm-0978 [14]. This meticulously crafted attack, specifically devised to exploit defense and government organizations in Europe and North America, leverages a potent remote code execution vulnerability, CVE-2023-36884, to breach defenses.

Meanwhile, three vulnerabilities in NetScaler Application Delivery Controller and Gateway products were under attack: CVE-2023-3466, a reflected cross-site scripting (XSS) flaw; CVE-2023-3467, which allows privilege escalation to the root administrator level; and the most severe, CVE-2023-3519 (CVSS 9.8), an unauthenticated remote code execution (RCE) vulnerability. Together they expose organizations to unauthenticated remote code execution and security bypass risks.

The Barracuda Email Security Gateway was at risk with CVE-2023-2868, enabling arbitrary remote commands. Simultaneously, TP-Link Archer AX21 routers faced threats with CVE-2023-1389, granting unauthorized access to sensitive information. 

Furthermore, even though not discovered in July, CVE-2023-23397 affected Microsoft's Office Outlook products and was actively exploited during the month as the vulnerability allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

Here is a detailed table presenting the vulnerabilities, their affected products with respective versions, and the malware and tools used in their exploitation campaigns.

| # | CVE | Name / Affected Product | Threat Actors / Malware Campaigns |
|---|-----|-------------------------|-----------------------------------|
| 1 | CVE-2023-36884 [15] | Microsoft Office and Windows HTML | RomCom RAT [23] |
| 2 | CVE-2023-3519 [16], CVE-2023-3466 [16], CVE-2023-3467 [16] | NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway products | APT41, APT31, APT15, TEMP.Hex, and Volt Typhoon [24] |
| 3 | CVE-2023-2868 [17] | Barracuda Email Security Gateway (ESG) versions 5.1.3.001 to 9.2.0.006 | SUBMARINE Backdoor [11], SEASPY Backdoor [11] |
| 4 | CVE-2023-1389 [18] | TP-Link Archer AX21 firmware versions before 1.1.4 | Condi DDoS Botnet [25] |
| 5 | CVE-2023-23397 [19] | Microsoft Office Outlook products (see [19] for affected versions) | |

The increasing number of public-facing products facing exploitation underscores the critical importance of swift and comprehensive cybersecurity measures to safeguard systems from attackers. Patch management, threat detection, and robust incident response strategies become paramount to prevent such relentless attacks. 

Organizations must prioritize proactive security practices to protect their networks and valuable data from the ever-evolving tactics of threat actors.