November 2023: Key Threat Actors, Malware and Exploited Vulnerabilities


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Top Five Key Threats in November

In November 2023, there was an alarming surge in cyber threats. Key threats during the month included the exploitation of zero-day vulnerabilities in products from major technology vendors, along with activity by ransomware gangs operating ransomware-as-a-service models.

LockBit Exploiting the Citrix Bleed Vulnerability for Ransomware Deployment

On November 16, 2023, CISA issued an advisory about the LockBit ransomware group exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances [1]. This critical vulnerability, with a CVSS score of 9.4, enables adversaries to bypass password requirements and multi-factor authentication, gaining control over user sessions. 

The flaw is in the NetScaler Packet Processing Engine, where a buffer overflow can be triggered by a malicious HTTP request, leaking memory and allowing session hijacking. LockBit, known for its ransomware-as-a-service model and sophisticated encryption techniques, used this vulnerability in high-profile attacks, including against Boeing. They initiated the malware infection with a PowerShell script leading to data theft and encryption. Due to the ease of exploitation and the availability of proof-of-concept exploits, organizations are strongly advised to patch their vulnerable Citrix appliances immediately.

Scattered Spider in November: Mastering High-Stakes Ransomware and Social Engineering Attacks

In November, Scattered Spider [2], identified as a highly active cybercriminal group, targeted large companies and their IT help desks with sophisticated cyber attacks. Specializing in data theft for extortion, they also employed BlackCat/ALPHV ransomware in their operations. The FBI and CISA noted [3] their expertise in social engineering, particularly in phishing, push bombing, and SIM swap attacks, to gain unauthorized access and bypass multi-factor authentication. 

Scattered Spider’s tactics included posing as IT staff to acquire credentials, directing employees to run remote access tools, and convincing employees to share one-time passwords. Their advanced techniques extended to monetizing access through ransomware and data theft, using legitimate tools like Fleetdeck.io and Teamviewer for remote system management, and deploying malware such as AveMaria for remote access. Their ability to frequently modify tactics for evasion and persistence made them a formidable threat, particularly in their recent shift to encrypting victim files post-exfiltration. 

Scattered Spider’s detailed reconnaissance and resource development, alongside effective execution, persistence, and lateral movement strategies, demonstrated a sophisticated approach to cyber espionage and financial extortion, solidifying their status as a prominent threat group in the cybercrime landscape.

A New Zero-day Vulnerability in Sophos Web Appliance: CVE-2023-1671

CVE-2023-1671 represents a critical command injection vulnerability in the Sophos Web Appliance (SWA), rated with a CVSS score of 9.8 [4]. This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on vulnerable systems. SWA, a tool used in enterprise settings for web traffic filtering and threat protection, is particularly susceptible when running versions prior to 4.3.10.4.

Technically, this vulnerability stems from insufficient input validation in the SWA's warn-proceed handler. Attackers can craft a malicious HTTP POST request targeting the "/index.php?c=blocked" endpoint. This request is processed by a component in which user input, expected to be benign, is mishandled. Specifically, the vulnerability lies in the way user input is processed by the escapeshellarg function within the UsrBlocked.php script. Attackers can base64 encode their malicious payload, bypassing the rudimentary input validation, and inject commands that are then executed by the system shell.

The severity of CVE-2023-1671 stems from the fact that it allows command execution without requiring system authentication, making it a potent tool for attackers. Successful exploitation can lead to full system compromise. Given the nature of the SWA's deployment, typically at network perimeters, this vulnerability can provide attackers with a significant foothold within an organization's network. To mitigate this risk, it's crucial for organizations to update their SWA to the latest version and ensure that such appliances are not directly accessible over the public internet.

Play Ransomware Group Expands Victims and Shifts to RaaS Model

In November, the Play ransomware group significantly ramped up its activities, listing 17 new victims, predominantly from the US, but also including companies in the UK, Netherlands, and Canada [5]. This cybercriminal group, known for targeting a wide range of industries including IT services, outsourcing, retail, real estate, shipping, engineering, consulting, and management, has raised alarms due to the potential exposure of sensitive data on the Dark Web. The affected companies face serious risks including identity theft, reputational damage, loss of customer trust, and legal and financial repercussions.

What sets Play ransomware apart is its evolution into a ransomware-as-a-service (RaaS) model [6]. This transition allows the group to offer their ransomware to other cybercriminals, effectively broadening their reach and impact. Their attacks are characterized by a lack of variation, indicating a standardized approach likely guided by detailed playbooks provided as part of their RaaS offering. The group leverages security vulnerabilities, notably in Microsoft Exchange Server, to infiltrate networks, and employs tools like AnyDesk for remote administration and Grixba for double extortion, adding to the sophistication and effectiveness of their attacks.

The Play ransomware group, also known as PlayCrypt and initially created by a team called Balloonfly, has been active since 2022 and is believed to have ties to Russia. Their methods not only include encryption of files with the “.play” suffix but also threats of data release if ransoms are not paid. The group's shift to a RaaS model signifies a major development in their operational strategy, potentially leading to an increase in the frequency and severity of attacks, and posing a heightened threat to businesses and organizations globally.

The ALPHV (BlackCat) Ransomware Gang Expands Its Global Campaigns

In November, the ALPHV (BlackCat) ransomware gang emerged as a particularly active and formidable threat group, demonstrating a sophisticated array of attack strategies and targeting a diverse set of industries across the Americas and Europe. 

Their methods ranged from exploiting vulnerabilities in remote management tools and using stolen credentials, to sophisticated malvertising campaigns via Google Ads, tricking users into downloading Nitrogen malware disguised as legitimate software [7]. This versatility in attack vectors was evident in their high-profile breaches, including significant data thefts from entities like Barts Health NHS Trust [8], Sabre Insurance [9], and potentially Fidelity National Finance [10], along with other corporations in sectors like healthcare, legal, manufacturing, media, and finance. ALPHV's evolution from single to triple extortion tactics in ransomware, alongside continuous technological innovation such as the development of an API on their leak site [11], underscores their adaptability and technical sophistication. 

With a legacy linked to major cyber incidents and associations with notorious ransomware operators, ALPHV's activities in November have not only marked them as a prominent threat but also highlighted the urgent need for enhanced cybersecurity measures across various industries.

Top Three Most Active Malware in November

The sophistication of the malware and malware campaigns that emerged in November is concerning.

DarkGate and PikaBot Malware

Following the dismantling of the Qakbot operation by the FBI in September 2023, two new malware families, DarkGate and PikaBot, have emerged as its successors in a sophisticated phishing campaign [12]. According to a Cofense report [13], these campaigns use tactics and techniques similar to Qakbot's, indicating that the same threat actors are behind the new botnets. Both DarkGate and PikaBot are modular malware loaders with functionality akin to Qakbot's, posing significant risks to enterprise networks. They are used for initial network access and are likely to be employed in ransomware, espionage, and data theft attacks. DarkGate, known since 2017 but only recently distributed widely through phishing and malvertising, supports a range of malicious activities including remote access, cryptocurrency mining, and data theft. PikaBot, newer and first seen in early 2023, is a versatile tool with advanced anti-detection capabilities, capable of executing various malicious modules. These campaigns signal a continued high-level threat from actors with advanced capabilities, so organizations need to stay vigilant and familiar with these emerging TTPs.

LambLoad Malware

In November 2023, Microsoft Threat Intelligence uncovered a supply chain attack by North Korean threat actor Diamond Sleet (ZINC), distributing a malicious variant of a CyberLink application installer. This compromised installer, signed with a valid CyberLink certificate and hosted on legitimate CyberLink infrastructure, contained malicious code for downloading and executing a second-stage payload, identified as LambLoad [14]. LambLoad, a sophisticated downloader and loader, was part of a campaign that impacted over 100 devices in multiple countries. Diamond Sleet, known for espionage and data theft, utilized this malware to target environments not using specific security software and to download further payloads disguised as PNG files. This attack, indicative of Diamond Sleet's advanced capabilities and focus on supply chain compromises, underscores the ongoing threat posed by state-sponsored actors in global cybersecurity.
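The LambLoad description above notes that follow-on payloads were fetched disguised as PNG files. As an added example, not code from the report or from Microsoft's analysis, the following triage check walks the chunk structure of a file that claims to be a PNG and flags anything that is not a well-formed image: a bad signature, a CRC mismatch, a truncated chunk, a missing IEND, or bytes appended after IEND. It assumes the generic technique of hiding a payload after the final chunk and does not reproduce any LambLoad-specific format; the sample PNG and the appended payload are constructed inline.

```python
"""Added triage check for files that claim to be PNG images. Not code from the
Picus report or from Microsoft's LambLoad analysis; it assumes the generic
'payload appended after IEND' technique and builds its own sample input."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as clean sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report structural anomalies."""
    report = {"valid_signature": data.startswith(PNG_SIGNATURE), "chunks": [],
              "crc_errors": 0, "truncated": False, "trailing_bytes": 0}
    if not report["valid_signature"]:
        return report
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            report["truncated"] = True
            break
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if expected != struct.unpack(">I", crc_bytes)[0]:
            report["crc_errors"] += 1
        report["chunks"].append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            break  # IEND must be last; anything after it is foreign data
    report["trailing_bytes"] = len(data) - pos
    return report


def is_suspicious(data: bytes) -> bool:
    """True when the file is not a clean, self-contained PNG."""
    r = inspect_png(data)
    return (not r["valid_signature"] or r["truncated"] or r["crc_errors"] > 0
            or "IEND" not in r["chunks"] or r["trailing_bytes"] > 0)


# Constructed samples: a clean image and the same image with data appended.
CLEAN_PNG = build_minimal_png()
CONSTRUCTED_PAYLOAD = b"CONSTRUCTED-PAYLOAD-NOT-A-REAL-BINARY"
PNG_WITH_APPENDED_DATA = CLEAN_PNG + CONSTRUCTED_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("appended", PNG_WITH_APPENDED_DATA)):
        print(name, inspect_png(blob), "suspicious:", is_suspicious(blob))
```

In a real pipeline the same walk can be applied to any file that a loader fetches or drops with an image extension; the point is that a valid header and a valid signing certificate on the carrier say nothing about what follows the last chunk.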

Top Three CVEs Exploited in November

Here are the five key CVEs exploited in November.

| Vulnerability CVE ID | Affected Product | Vulnerability Type |
| --- | --- | --- |
| CVE-2023-4966 | Citrix NetScaler ADC and Gateway Appliances [15] | Buffer Overflow Vulnerability |
| CVE-2023-49103, CVE-2023-49104, CVE-2023-49105 | ownCloud versions 0.2.0 to 0.3.0 in the “graphapi” app [16] | Information Disclosure Vulnerability |
| CVE-2023-41265, CVE-2023-41266 | Qlik Sense Enterprise [20] | Unauthenticated Remote Code Execution |

CVE-2023-4966: Threat Actors Exploiting the 'Citrix Bleed' Vulnerability 

Threat actors are exploiting the 'Citrix Bleed' vulnerability, identified as CVE-2023-4966, in a series of attacks against government, technical, and legal organizations globally. Security researchers have identified four distinct campaigns targeting Citrix NetScaler ADC and Gateway appliances since August 2023 [15]. The flaw, disclosed on October 10, 2023, as a critical vulnerability, allows unauthorized access to sensitive information on affected devices. Attackers use specially crafted HTTP GET requests to hijack authenticated sessions and bypass multifactor authentication, stealing NetScaler AAA session cookies. Their post-exploitation activities include network reconnaissance, credential theft, and lateral movement using tools like net.exe and netscan.exe, novel backdoors like FREEFIRE [15], and commonly used remote access tools like Atera, AnyDesk, and SplashTop.

Critical ownCloud Vulnerability CVE-2023-49103 Targeted for Exploitation in November 2023

In November 2023, a critical vulnerability in ownCloud, CVE-2023-49103, became a target for exploitation, raising significant concern in the cybersecurity community [16]. The vulnerability, which affects ownCloud versions 0.2.0 to 0.3.0 of the “graphapi” app, allows unauthorized access to admin passwords, mail server credentials, and license keys through an exposed PHP environment configuration. The situation escalated when GreyNoise reported widespread real-world exploitation attempts starting from November 25 [17]. This trend, which highlights the targeting of file-sharing software, raises the likelihood of threat actors shifting their focus to ownCloud, as earlier ransomware campaigns did with other file-sharing products. Shadowserver [18] and SANS [19] have observed and reported active exploitation of the vulnerability, with scans targeting specific URLs affected by CVE-2023-49103. Because disabling the graphapi app is not a viable fix, ownCloud has recommended deleting a specific directory and changing any compromised secrets to mitigate the vulnerability. Additionally, two other critical vulnerabilities, CVE-2023-49104 and CVE-2023-49105, have been disclosed, with ownCloud providing recommendations for their respective mitigations.

CVE-2023-41265: Qlik Sense Enterprise Unauthenticated Remote Code Execution Vulnerability

In November 2023, cybersecurity experts observed targeted exploitation of the CVE-2023-41265 vulnerability in Qlik Sense Enterprise, despite a patch issued by Qlik in August [20]. The vulnerability, which initially allowed unauthenticated remote code execution via path traversal and HTTP request tunneling, was bypassed by attackers using a novel technique. The bypass involved crafting a request that the backend interpreted as using chunked transfer encoding while the front-end proxy did not, because the proxy compared the header value exactly against the literal "chunked" keyword. The issue persisted even after the patches for both CVE-2023-41265 and CVE-2023-41266 were applied, leading Qlik to issue a second, more robust patch. The new vulnerability, tracked as CVE-2023-48365, demonstrated the ingenuity and persistence of threat actors in exploiting complex software vulnerabilities for unauthenticated remote code execution.
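The Qlik bypass above is an instance of two components framing the same HTTP request differently. The following is an added example, not code from the report, from Qlik, or from the Praetorian write-up: a strict comparer and a lenient transfer-coding parser are shown side by side on constructed header values so the disagreement is visible, followed by a fail-closed forwarding check for a front end that refuses to pass on any request whose framing is not canonical instead of handing it to a more lenient parser behind it. Function names and the sample values are assumptions for illustration.

```python
"""Constructed illustration of a Transfer-Encoding parsing discrepancy between
a front-end proxy and a backend, plus a fail-closed check for the front end.
Added example: not code from the Picus report, Qlik, or Praetorian; the header
values below are constructed."""


def strict_is_chunked(value: str) -> bool:
    """Front-end style check: exact comparison against the literal 'chunked'."""
    return value == "chunked"


def lenient_is_chunked(value: str) -> bool:
    """Backend style check: treat the header as a comma-separated list of
    transfer codings, ignore surrounding whitespace, compare case-insensitively,
    and treat the body as chunked when 'chunked' is the final coding."""
    codings = [c.strip().lower() for c in value.split(",") if c.strip()]
    return bool(codings) and codings[-1] == "chunked"


def parsers_disagree(value: str) -> bool:
    """True when the two components would frame the same request differently."""
    return strict_is_chunked(value) != lenient_is_chunked(value)


def should_forward(headers: dict) -> tuple:
    """Fail-closed forwarding decision for a front end.
    Header names are expected lower-cased. Returns (decision, reason)."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and cl is not None:
        return False, "both Transfer-Encoding and Content-Length present"
    if te is None:
        return True, "no transfer coding"
    if te != "chunked":
        # Anything other than the canonical value is rejected outright rather
        # than forwarded for a more lenient parser to interpret its own way.
        return False, f"non-canonical Transfer-Encoding value {te!r}"
    return True, "canonical chunked request"


# Constructed header values; only some of them split the two parsers.
CONSTRUCTED_VALUES = ["chunked", "Chunked", " chunked", "gzip, chunked", "chunkedx"]


def discrepancy_report(values=CONSTRUCTED_VALUES) -> dict:
    """Map each value to whether the strict and lenient parsers disagree on it."""
    return {v: parsers_disagree(v) for v in values}


if __name__ == "__main__":
    for value, disagree in discrepancy_report().items():
        print(f"{value!r:16} strict={strict_is_chunked(value)!s:5} "
              f"lenient={lenient_is_chunked(value)!s:5} disagree={disagree}")
    print(should_forward({"transfer-encoding": "Chunked"}))
```

The design choice worth noting is that the front end never tries to guess what the backend will do with an unusual value; it rejects every request it cannot frame unambiguously and also rejects requests that carry both length mechanisms at once, which removes the whole class of discrepancy rather than patching one comparison.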


References

[1] H. C. Yuceel, “CVE-2023-4966: LockBit Exploits Citrix Bleed in Ransomware Attacks,” Nov. 23, 2023. Available: https://www.picussecurity.com/resource/blog/cve-2023-4966-lockbit-exploits-citrix-bleed-in-ransomware-attacks. [Accessed: Dec. 08, 2023]

[2] H. C. Yuceel, “Scattered Spider: Leveraging Social Engineering for Extortion - CISA Alert AA23-320A,” Nov. 17, 2023. Available: https://www.picussecurity.com/resource/blog/scattered-spider-leveraging-social-engineering-for-extortion-cisa-alert-aa23-320. [Accessed: Dec. 08, 2023]

[3] “Scattered Spider,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a. [Accessed: Dec. 08, 2023]

[4] H. C. Yuceel, “CVE-2023-1671: Sophos Command Injection Vulnerability Exploited in the Wild,” Nov. 22, 2023. Available: https://www.picussecurity.com/resource/blog/cve-2023-1671-sophos-command-injection-vulnerability-exploited-in-the-wild. [Accessed: Dec. 08, 2023]

[5] I. Tripathi, “Play Ransomware Group Lists 17 Victims, 14 US-Based Companies Named,” The Cyber Express, Nov. 29, 2023. Available: https://thecyberexpress.com/play-ransomware-attack-us-uk-canada-netherland/. [Accessed: Dec. 08, 2023]

[6] “Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals,” The Hacker News, Nov. 21, 2023. Available: https://thehackernews.com/2023/11/play-ransomware-goes-commercial-now.html. [Accessed: Dec. 08, 2023]

[7] D. Ahmed, “ALPHV (BlackCat) Ransomware Using Google Ads to Target Victims,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 16, 2023. Available: https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/. [Accessed: Dec. 07, 2023]

[8] I. Thomson, “Barts NHS hack leaves folks on tenterhooks over extortion,” The Register, Jul. 11, 2023. Available: https://www.theregister.com/2023/07/11/barts_blackcat_theft/. [Accessed: Dec. 07, 2023]

[9] N. Goud, “Two Insurance companies come under the influence of Ransomware Attacks,” Cybersecurity Insiders, Nov. 23, 2023. Available: https://www.cybersecurity-insiders.com/two-insurance-companies-come-under-the-influence-of-ransomware-attacks/. [Accessed: Dec. 07, 2023]

[10] C. Jones, “BlackCat claims it is behind Fidelity National Financial ransomware shakedown,” The Register, Nov. 23, 2023. Available: https://www.theregister.com/2023/11/23/blackcat_ransomware_fnf/. [Accessed: Dec. 07, 2023]

[11] V. Pandagle, “ALPHV Threatens to Leak Over 300GB of Confidential Data from North East BIC,” The Cyber Express, Aug. 23, 2023. Available: https://thecyberexpress.com/north-east-bic-cyber-attack-alphv-blackcat/. [Accessed: Dec. 07, 2023]

[12] B. Toulas, “DarkGate and Pikabot malware emerge as Qakbot’s successors,” BleepingComputer, Nov. 21, 2023. Available: https://www.bleepingcomputer.com/news/security/darkgate-and-pikabot-malware-emerge-as-qakbots-successors/. [Accessed: Dec. 08, 2023]

[13] Cofense, “Are DarkGate and PikaBot the New QakBot?,” Cofense, Nov. 20, 2023. Available: https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/. [Accessed: Dec. 08, 2023]

[14] “Microsoft Uncovers Diamond Sleet’s Supply Chain Attack with LambLoad Malware,” WaterISAC, Nov. 28, 2023. Available: https://www.waterisac.org/node/17700. [Accessed: Dec. 08, 2023]

[15] “US Health Dept urges hospitals to patch critical Citrix Bleed bug,” BleepingComputer. Available: https://www.bleepingcomputer.com/news/security/us-health-dept-urges-hospitals-to-patch-critical-citrix-bleed-bug/

[16] “NVD - CVE-2023-49103.” Available: https://nvd.nist.gov/vuln/detail/CVE-2023-49103. [Accessed: Dec. 08, 2023]

[17] “CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild.” Available: https://www.greynoise.io/blog/cve-2023-49103-owncloud-critical-vulnerability-quickly-exploited-in-the-wild. [Accessed: Dec. 08, 2023]

[18] Shadowserver, post on X (formerly Twitter). Available: https://twitter.com/Shadowserver/status/1729135484881043646. [Accessed: Dec. 08, 2023]

[19] SANS Internet Storm Center, “Scans for ownCloud Vulnerability (CVE-2023-49103),” SANS Internet Storm Center. Available: https://isc.sans.edu/diary/0. [Accessed: Dec. 08, 2023]

[20] Emmaline, “DoubleQlik: Bypassing the Fix for CVE-2023-41265 to Achieve Unauthenticated Remote Code Execution,” Praetorian, Sep. 22, 2023. Available: https://www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/. [Accessed: Dec. 08, 2023]