October 2023: Key Threat Actors, Malware and Exploited Vulnerabilities

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Top Five Key Threats in October

In October 2023, the surge in cyber threats was alarming. Key threats this month include the exploitation of zero-day vulnerabilities by major technology vendors, as well as activities from ransomware gangs operating under the Ransomware-as-a-Service (RaaS) business model.

• Rhysida Ransomware-as-a-Service (RaaS) Group
• AvosLocker Ransomware-as-a-Service (RaaS) Group
• CVE-2023-20198 Zero-day Vulnerability in Cisco's IOS XE Software
• CVE-2023-46747 Unauthenticated Remote Code Execution Vulnerability in F5 BIG-IP 
• CVE-2023-4911 Looney Tunables Local Privilege Escalation Vulnerability

Rhysida Ransomware Group Targets Middle East

The Rhysida ransomware represents an emerging cyber threat, particularly prevalent in the Middle East, Latin America, and Europe [1]. It targets sectors such as government, healthcare, education, manufacturing, and technology. Rhysida employs a Ransomware-as-a-Service model, offering their malware to affiliates who then initiate attacks, including double extortion tactics by exfiltrating sensitive data. 

For initial access, they commonly use phishing and exploit valid accounts, following which Cobalt Strike beacons are deployed for persistence. The ransomware operates by encrypting files and demanding ransom, threatening to release stolen data if the demands are not met. Rhysida's techniques include the use of PowerShell for execution, modifying registry settings for persistence, and using remote services like RDP for lateral movement and data exfiltration. The Rhysida ransomware group is known to delete volume shadow copies to inhibit system recovery, showcasing an evolving capability that aligns with current ransomware trends. 

It is crucial for organizations to stay vigilant and test their security measures against such threats, mapping defense strategies to the MITRE ATT&CK framework to counteract the TTPs of groups like Rhysida.

AvosLocker Ransomware-as-a-Service Group Is Targeting US

In a CISA alert AA23-284A, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted the persistent threat of AvosLocker ransomware, a Ransomware-as-a-Service operation known for its double extortion tactics [2]. Since its emergence in June 2021, AvosLocker has been targeting entities across the US, Canada, the UK, and Spain, with a particular focus on critical infrastructure. AvosLocker compromises networks through spear-phishing, exploitation of public-facing applications, or compromised RDP credentials, and establishes persistence using custom webshells [3]. 

The group escalates privileges via credential dumping, then exfiltrates sensitive data before encrypting files, appending them with .avos or .avos2 extensions after rebooting infected machines into Safe Mode with Networking. 

CISA's warning emphasizes the necessity for organizations to rigorously test their security controls against AvosLocker's evolving tactics and techniques to mitigate this significant and ongoing cyber threat.

A New Zero-day Vulnerability from Cisco: CVE-2023-20198

CVE-2023-20198 represents a critical vulnerability in Cisco's IOS XE software, marked by its technical sophistication. Specifically, it allows unauthenticated attackers to escalate privileges and create a level 15 access account—the highest administrative level on Cisco devices. This attack particularly targets devices with an enabled and internet-exposed HTTP/S server feature. 

The unique aspect of this exploit is its two-pronged approach: after gaining initial access through CVE-2023-20198, attackers exploit a second, previously patched vulnerability, CVE-2021-1435, to deploy a Lua-based implant. This implant facilitates remote code execution and operates through HTTP POST requests, although it is non-persistent and does not survive reboots. Over 40,000 devices worldwide have been reported as compromised.

To mitigate this threat, Cisco has issued patches for various IOS XE versions. Additionally, organizations are advised to disable the HTTP/S server feature on vulnerable devices, implement access restrictions to these services, and conduct thorough checks for unrecognized user accounts and any trace of the Lua-based implant. The technical intricacies of this exploit, involving privilege escalation and the use of a secondary vulnerability for implant installation, highlight the need for multi-layered security strategies and prompt patch management.

Threat Actors Exploit F5 BIG-IP Remote Code Execution Vulnerability (CVE-2023-46747)

CVE-2023-46747 is a critical AJP smuggling vulnerability in F5 BIG-IP products, allowing unauthenticated attackers to execute arbitrary commands as root. The vulnerability exploits the Apache JServ Protocol (AJP) within the F5 Traffic Management User Interface (TMUI), leading to a critical risk with a CVSS score of 9.8. In technical terms, attackers leverage the AJP's request forwarding mechanism to bypass authentication, inserting malicious requests directly into the administrative controls. 

The cyber kill-chain for this attack typically involves initial reconnaissance to identify vulnerable F5 BIG-IP systems, followed by the crafting and delivery of specially tailored malicious AJP requests. Once delivered, these requests exploit the vulnerability to gain unauthorized access and control, potentially leading to data theft or system compromise. 

Threat actors capable of such attacks range from sophisticated cybercriminals to state-sponsored groups. In response, F5 has released hotfixes for affected versions, and as an immediate measure, organizations are advised to limit access to the TMUI and implement strict controls over network access to these interfaces.

Looney Tunables Linux Vulnerability Exploited by Kinsing Threat Actor

Kinsing threat actors are actively exploiting a recent Linux vulnerability, CVE-2023-4911, known as "Looney Tunables," in a novel campaign aimed at penetrating cloud environments. This local privilege escalation flaw, which originated in the GNU C Library's dynamic loader, is being leveraged by adversaries to gain root access in Linux systems. Despite the vulnerability's high CVSS score of 7.8, indicating significant risk, organizations have been slow to patch, making them susceptible to attacks.

The Kinsing threat group, known for quickly capitalizing on new security flaws, is exploiting this vulnerability by initially gaining access through a critical remote code execution flaw in PHPUnit (CVE-2017-9841) [4]. Upon breaching a system, the actors manually test for Looney Tunables using a published Python-based exploit. After confirming the vulnerability, they deploy additional PHP exploits, which upon de-obfuscation, reveal JavaScript web shells that provide extensive backdoor capabilities, including file management and command execution.

The exploit works by manipulating the 'GLIBC_TUNABLES' environment variable, which affects the runtime behavior of the GNU C Library. Attackers craft a malicious environment variable that causes a buffer overflow in the dynamic loader, allowing them to overwrite the pointer to the library search path and load a malicious 'libc.so' from a location they control, thereby escalating privileges.

The proof of concept provided demonstrates the system's vulnerability when a segmentation fault occurs after executing the PoC command. This breach in security emphasizes the need for organizations to rapidly update their systems and to verify the integrity of their cloud environments to thwart such sophisticated cyber attacks.

Top Three Most Active Malware in October

The sophistication of emerging malware and malware campaigns are concerning in October.

Xenomorph Malware Masks Itself as a Benign Android Application

The Xenomorph Android malware, first detected in February 2022, has evolved into a significant threat to global financial security, now targeting an alarming array of over 400 banking institutions across various regions including the United States, Spain, Turkey, and India [5]. This sophisticated malware leverages an Automated Transfer System (ATS) to bypass multi-factor authentication, enabling it to autonomously extract credentials, check balances, and initiate unauthorized transactions. 

Initially found on the Google Play store masquerading as benign applications, Xenomorph's evolution has been carefully managed by its developers, "Hadoken Security", who have not only refined its code for greater modularity but also enhanced its capability to steal data from both banking apps and cryptocurrency wallets. The latest iteration, v3, is distributed via a deceptive service known as 'Zombinder' and is capable of stealing session cookies, potentially allowing cybercriminals to hijack web sessions and take over accounts. 

With its growing threat, Xenomorph represents a clear and present danger to Android users, highlighting the need for vigilance in app downloads and a conservative approach to app installation from app stores.

BiBi-Linux Wiper Malware Targeting Israeli Organizations

The BiBi-Linux wiper malware emerged as a destructive cyber weapon against Israeli organizations, showcasing a targeted approach to cyber warfare aimed at Linux systems [6]. BiBi-Linux is distinguished by its lack of communication with command and control servers, absence of ransom notes, and irreversible damage methodology. Unlike ransomware, it doesn't encrypt files for potential recovery but instead corrupts them by overwriting with nonsensical data, rendering both the data and the operating system inoperable. The wiper, executable as 'bibi-linux.out', is versatile, allowing attackers to specify target directories or, if unleashed with root access without a specified path, to wipe the entire root directory of a system. 

Its file renaming convention, appending 'BiBi' followed by a numeral indicative of the overwrite rounds, is a political taunt directed at the Israeli government. BiBi-Linux lacks sophistication in evasion, with no obfuscation or packing, suggesting the attackers prioritize sheer destructive impact over stealth or longevity of the malware. This development reflects a growing trend in cyber tactics where Russian groups have deployed an arsenal of wipers like DoubleZero and HermeticWiper against Ukraine, indicating a strategic shift towards cyberattacks that cause irreversible damage rather than financial gain.

The SIGNBT and LPEClient Malware Leveraged by Lazarus Group

The Lazarus Group, a North Korean state-sponsored cyber threat group, has been documented for its persistent cyberattacks on a software vendor, exploiting vulnerabilities repeatedly even after patches were issued. This pattern of breaches suggests a strategic intent to steal valuable source code or engage in software supply chain disruption. Kaspersky's investigation, which places these incidents within a larger campaign targeting software vendors from March to August 2023, revealed Lazarus's use of the SIGNBT malware [7] and an accompanying post-compromise toolkit to maintain stealth and control over compromised systems.

SIGNBT, named for its unique C2 communication strings, operates by establishing persistence through startup DLL ('ualapi.dll') execution or registry modifications, verifying victim IDs, and then executing the payload. It handles various functionalities, from system information retrieval and process management to file system manipulation and screen capturing, showcasing its versatility in system control. Additionally, SIGNBT is capable of downloading further payloads, enhancing Lazarus's operational range.

Alongside SIGNBT, Lazarus deploys LPEClient, a sophisticated info-stealer and loader that has evolved significantly. LPEClient's latest versions feature advanced techniques to evade detection, such as disabling user-mode syscall hooking and restoring system library memory sections. LPEClient has been used in parallel campaigns throughout 2023, injected early in infections to load other malware.

This continuous activity by the Lazarus Group emphasizes the advanced and persistent nature of their threats, highlighting the imperative for organizations to stay vigilant in patching vulnerabilities to prevent initial compromise and subsequent malicious activities.

Top Three CVE’s Exploited in October

Here are the three key CVE’s exploited in October.

CVE-2023-38831: WinRAR Remote Code Execution Vulnerability

CVE-2023-38831, a vulnerability in WinRAR software versions before 6.23, has been exploited by pro-Russia hacking groups for credential harvesting [10]. This phishing attack involves malicious archive files containing a deceptive PDF document. When opened, due to the vulnerability, a BAT script is executed, triggering PowerShell commands that establish a reverse shell, granting attackers access to the victim's machine. The script also steals login credentials from Google Chrome and Microsoft Edge browsers and sends this data to the attackers using the legitimate webhook[.]site service. 

The attack's sophistication, including the use of a decoy PDF displaying Indicators of Compromise and stealthy BAT script execution, indicates a possible link to the Russian state-sponsored group APT28, known as Fancy Bear.

CVE-2023-46604: Apache ActiveMQ Servers Remote Code Execution Vulnerability

CVE-2023-46604 is a Remote Code Execution (RCE) vulnerability in Apache ActiveMQ, an open-source message broker software that implements the Java Message Service (JMS) protocol. Discovered in October 2023, this vulnerability allows threat actors to execute arbitrary code by exploiting the OpenWire protocol used by ActiveMQ. Threat actors have actively exploited this vulnerability, as observed in several ransomware attacks. 

The exploitation often involves the deployment of malware like SparkRAT [12], a cross-platform RAT written in Golang, providing attackers with remote control over compromised systems. Additionally, forensic analysis identified similarities between the ransomware used in these attacks and the TellYouThePass ransomware variant, indicating a link in their operational tactics. The exploitation process typically involves initiating a HTTP request from the victim's system to a malicious server, downloading and executing payloads like SparkRAT or ransomware, and leveraging techniques like service stopping and victim fingerprinting to facilitate the attack. 

This CVE represents a significant security threat due to its potential for enabling unauthorized remote control and data encryption, emphasizing the need for robust detection and prevention strategies in cybersecurity.

CVE-2023-42793: JetBrains TeamCity Server RCE Vulnerability

Microsoft's Threat Intelligence Center has detailed how two distinct North Korean threat actors, Diamond Sleet and Onyx Sleet, are exploiting CVE-2023-42793, a critical remote code execution vulnerability in JetBrains' TeamCity servers [13]. 

Diamond Sleet's attack pathway involves the deployment of the ForestTiger backdoor, which decrypts a configuration file using a static key to establish C2 communications and employs techniques such as DLL search-order hijacking with malicious DLLs like DSROLE.dll to load and execute next-stage payloads, including wksprt.exe, a communications conduit to C2 domains. 

Onyx Sleet's modus operandi includes creating system user accounts for persistent access, employing system discovery commands, and deploying payloads that decrypt and execute embedded PE resources for maintaining foothold and data exfiltration. These exploitation flows indicate the actors' proficiency in leveraging initial server vulnerabilities to drop further malicious payloads, execute in-memory payloads, and create backdoors for sustained network compromise, all while skillfully navigating around endpoint defenses such as Microsoft Defender for Endpoint.

References

[1] H. C. Yuceel, “Rhysida Ransomware Explained: Tactics, Techniques, and Procedures,” Oct. 03, 2023. Available: https://www.picussecurity.com/resource/blog/rhysida-ransomware-explained. [Accessed: Nov. 08, 2023]

[2] “#StopRansomware: AvosLocker Ransomware (Update),” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a. [Accessed: Nov. 08, 2023]

[3] H. C. Yuceel, “AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A,” Oct. 12, 2023. Available: https://www.picussecurity.com/resource/blog/avoslocker-ransomware-continues-to-target-us-cisa-alert-aa23-284a. [Accessed: Nov. 08, 2023]

[4] A. Fouillen, “CVE-2017-9841: What is it, and how do we protect our customers?,” OVHcloud Blog, Feb. 19, 2020. Available: https://blog.ovhcloud.com/cve-2017-9841-what-is-it-and-how-do-we-protect-our-customers/. [Accessed: Nov. 08, 2023]

[5] R. Priyanka, “Xenomorph Malware targets US banks,” Latest Cyber Security News, Leading Cyber Security News, Sep. 27, 2023. Available: https://cybersafe.news/xenomorph-malware-targets-us-banks/. [Accessed: Nov. 08, 2023]

[6] S. Gatlan, “New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks,” BleepingComputer, Oct. 30, 2023. Available: https://www.bleepingcomputer.com/news/security/new-bibi-linux-wiper-malware-targets-israeli-orgs-in-destructive-attacks/. [Accessed: Nov. 08, 2023]

[7] B. Toulas, “Lazarus hackers breached dev repeatedly to deploy SIGNBT malware,” BleepingComputer, Oct. 27, 2023. Available: https://www.bleepingcomputer.com/news/security/lazarus-hackers-breached-dev-repeatedly-to-deploy-signbt-malware/. [Accessed: Nov. 08, 2023]

[8] “NVD - CVE-2023-38831.” Available: https://nvd.nist.gov/vuln/detail/CVE-2023-38831. [Accessed: Nov. 10, 2023]

[9] Y. Ernalbant, “Zero-Day Vulnerabilities in Citrix NetScaler and WinRAR Are Under Active Exploitation (CVE-2023-4966, CVE-2023-38831),” SOCRadar® Cyber Intelligence Inc., Oct. 19, 2023. Available: https://socradar.io/zero-day-vulnerabilities-in-citrix-netscaler-and-winrar-are-under-active-exploitation-cve-2023-4966-cve-2023-38831/. [Accessed: Nov. 10, 2023]

[10] “CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations,” Oct. 12, 2023. Available: https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack. [Accessed: Nov. 10, 2023]

[11] B. Toulas, “3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online,” BleepingComputer, Nov. 01, 2023. Available: https://www.bleepingcomputer.com/news/security/3-000-apache-activemq-servers-vulnerable-to-rce-attacks-exposed-online/. [Accessed: Nov. 07, 2023]

[12] S. Hostetler, M. Neis, C. Prest, H. Azzam, J. Wedderspoon, and R. Phillips, “TellMeTheTruth: Exploitation of CVE-2023-46604 Leading to Ransomware,” Arctic Wolf, Nov. 03, 2023. Available: https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/. [Accessed: Nov. 10, 2023]

[13] M. T. Intelligence, “Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability,” Microsoft Security Blog, Oct. 18, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/. [Accessed: Nov. 07, 2023]