September 2023: Key Threat Actors, Malware and Exploited Vulnerabilities


Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 


Executive Summary

  • The Akira ransomware group [1] significantly increased its attack campaigns globally in September, exploiting vulnerabilities in Cisco ASA and FTD products and resembling the tactics of the Conti ransomware, emphasizing the need for enhanced multi-factor authentication and security measures.

  • The discovery of a critical privilege escalation vulnerability, CVE-2023-29357, in Microsoft SharePoint [2] has exposed a severe security threat, enabling attackers to impersonate administrator-level users and execute malicious commands.

  • The BlackTech APT [3] group has been compromising router firmware and leveraging domain-trust relationships, predominantly targeting U.S. and Japanese corporations, stressing the importance of implementing Zero Trust models and intensifying router security.

  • The Snatch ransomware gang [4] exemplifies a sophisticated, multilayered cyber-attack method, employing double extortion tactics and blending into network traffic, emphasizing the need for organizations to adopt robust, multifaceted cybersecurity strategies to ensure the protection of sensitive data.

  • The exploitation of vulnerabilities CVE-2022-47966 and CVE-2022-42475 [5] by various APT actors has led to multi-faceted cyber threats against organizations in the Aeronautical Sector, highlighting the importance of immediate patching and continuous monitoring.

  • Iranian state-sponsored hackers exploit Microsoft Exchange Servers globally using Sponsor malware ([6], [7]), focusing on data theft in Israel, the Middle East, and Brazil.

  • HTTPSnoop Backdoor [8] is attributed to a newly identified actor named ShroudedSnooper and has been primarily targeting telecommunications providers in the Middle East.

  • SprySOCKS [9] is attributed to the Chinese cyber espionage group, Earth Lusca APT, and has been targeting government agencies globally, focusing particularly on entities in Southeast Asia, Central Asia, and the Balkans.

  • Lastly, in September, CVE-2023-32315 [10], CVE-2023-41064 and CVE-2023-41061 [11], CVE-2022-47966 [12], and CVE-2021-26855 [13] were the most targeted vulnerabilities.

Top Five Key Threat Actors in September

The surge in cyber threats in September 2023 is alarming.

Akira Ransomware: Cisco-ing Into Networks with the Unpatched CVE-2023-20269 Vulnerability!

In September, the Akira ransomware group [1], driven by financial motives, ramped up its attack campaigns, exploiting vulnerabilities in Cisco ASA and FTD products globally. The group exploited the still-unpatched Cisco CVE-2023-20269 vulnerability, a medium-severity unauthorized access vulnerability affecting the remote access VPN feature of Cisco ASA and FTD. The vulnerability is caused by improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature, HTTPS management, and site-to-site VPN features.

To successfully exploit the CVE-2023-20269 vulnerability, attackers need to either 

  • brute-force usernames and passwords for the vulnerable system, or 

  • use valid credentials to establish a clientless SSL VPN session with an unauthorized user. 

Certain conditions, including the presence of at least one user with a password in the local database and the activation of either SSL VPN or IKEv2 VPN on at least one interface, must be met for successful exploitation. Additionally, the DfltGrpPolicy group policy must include the clientless SSL VPN protocol.
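As an added example (not from the Picus blog or from Cisco), the following Python script checks a saved ASA running-config against the three preconditions listed above; the config fragment is constructed, and the command syntax it parses is assumed to follow the usual ASA layout (sub-commands indented by one space).

```python
import re
from typing import Dict

# Constructed sample of a Cisco ASA running-config fragment (not from a real device),
# arranged so that every precondition listed in the advisory is met.
SAMPLE_ASA_CONFIG = """\
hostname asa-edge
username vpnuser password <constructed-hash> encrypted privilege 1
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
"""


def check_cve_2023_20269_preconditions(config: str) -> Dict[str, bool]:
    """Report which of the advisory's preconditions for CVE-2023-20269 a config meets:
      - at least one user with a password in the LOCAL database
      - SSL VPN or IKEv2 VPN enabled on at least one interface
      - DfltGrpPolicy allows the clientless SSL VPN protocol
    """
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Local user with a password: 'username <name> password <hash> ...'
    local_user = any(re.match(r"username \S+ password \S+", ln) for ln in lines)

    # IKEv2 remote access enabled on an interface: 'crypto ikev2 enable <iface>'
    ikev2_iface = any(re.match(r"crypto ikev2 enable \S+", ln) for ln in lines)

    # SSL VPN enabled on an interface: 'enable <iface>' inside the top-level webvpn block
    ssl_iface = False
    in_webvpn = False
    for ln in lines:
        if ln == "webvpn":
            in_webvpn = True
            continue
        if in_webvpn and not ln.startswith(" "):
            in_webvpn = False
        if in_webvpn and re.match(r"\s+enable \S+", ln):
            ssl_iface = True

    # Clientless SSL VPN allowed by the default group policy
    clientless = False
    in_dflt = False
    for ln in lines:
        if ln.startswith("group-policy DfltGrpPolicy attributes"):
            in_dflt = True
            continue
        if in_dflt and not ln.startswith(" "):
            in_dflt = False
        if in_dflt and "vpn-tunnel-protocol" in ln and "ssl-clientless" in ln.split():
            clientless = True

    result = {
        "local_user_with_password": local_user,
        "vpn_enabled_on_interface": ikev2_iface or ssl_iface,
        "dfltgrppolicy_allows_clientless": clientless,
    }
    result["all_preconditions_met"] = all(result.values())
    return result


if __name__ == "__main__":
    for key, value in check_cve_2023_20269_preconditions(SAMPLE_ASA_CONFIG).items():
        print(f"{key}: {value}")
```

Removing ssl-clientless from DfltGrpPolicy in the sample makes the third check fail, which is the precondition the text says must hold for exploitation.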

Akira's breach affected numerous organizations, especially those with less robust multi-factor authentication on VPN appliances. The tactics of Akira bear a remarkable resemblance to the well-known Conti ransomware, suggesting that they likely utilized Conti's leaked source code. Even after the release of a decryptor by Avast in June 2023, Akira adapted their encryption tactics, highlighting their persistent and evolving threat in the cybersecurity landscape. Their concentrated and strategic breaches into vulnerable infrastructures underscore the enduring danger they represent in the contemporary digital era.

To learn more about the tools used by the Akira ransomware operators and which MITRE ATT&CK tactics these tools correspond to, visit our latest blog here.

Sharing More Than Points: A Dive into SharePoint Server's CVE-2023-29357 Privilege Escalation Vulnerability

Identified in June 2023, CVE-2023-29357 poses a severe security threat, representing a critical privilege escalation vulnerability within Microsoft SharePoint [2]. It stems from a flaw in signature validation for JSON Web Tokens (JWTs) used in OAuth authentication, allowing adversaries to exploit this vulnerability when the JWT's signing algorithm is set to 'none'. This bypass of the signature validation process is due to a logical error within the ReadTokenCore() method, enabling attackers to impersonate any SharePoint user, potentially gaining elevated access if the impersonated user possesses administrative privileges.

This vulnerability can be leveraged by cyber adversaries to facilitate remote code execution by chaining it with other vulnerabilities, notably CVE-2023-24955, allowing the substitution of files in the web root directory and the execution of malicious commands via the SharePoint API.

With a critical CVSS score of 9.8 and publicly available proof-of-concept (PoC) exploits, organizations must act swiftly and decisively to apply the recommended patches to vulnerable SharePoint servers, fortifying defenses against unauthorized intrusions, data breaches, and systemic compromises by malicious actors.
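The signature-validation error described above, as an added illustration that is not SharePoint's code: a simplified JWT validator that trusts the token's alg header (and therefore skips verification when it is 'none') beside a hardened one that accepts only HS256 with a valid signature. The key and claims are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed helper: mint a properly signed HS256 token for testing."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Simplified analogue of the logic error: the header's 'alg' is trusted,
    so a token declaring alg 'none' is accepted without any signature check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))  # signature never checked
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_token_hardened(token: str, key: bytes) -> Optional[dict]:
    """Only HS256 with a valid HMAC is accepted; the token's 'alg' value is
    compared against the expected algorithm, never used to pick a code path."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256" or not sig_b64:
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(body_b64))
    except (ValueError, binascii.Error):
        # Malformed base64 or JSON is a rejection, not an exception to the caller.
        return None
```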

To view the spoofed token employed to impersonate the Administrator user, delve into our most recent blog post on the SharePoint vulnerability by clicking here.

Router’s Stealthy Samba: Dancing through BlackTech APT’s Firmware Backdoors!

In September, the NSA, FBI, CISA along with Japanese stakeholders such as the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), released a joint cybersecurity advisory (AA23-270A), focusing on the BlackTech APT group. 

This advisory elucidated BlackTech's sophisticated methods of 

  • compromising router firmware to establish backdoors, and 

  • leveraging routers’ domain-trust relationships to infiltrate the internal networks of multinational corporations, predominantly those in the U.S. and Japan [3]. 

By meticulously modifying router firmware, BlackTech conceals its operations and sustains persistent backdoors, which allows it to pivot seamlessly from international subsidiaries into the main networks of the targeted corporations. This gives the group unauthorized access to, and the ability to manipulate, sensitive information, jeopardizing both national security and corporate integrity. The advisory emphasized that corporations need to review subsidiary connections carefully, implement Zero Trust models, verify access, and intensify router security and network traffic monitoring as countermeasures against highly sophisticated state-sponsored threats like BlackTech.

For a more in-depth understanding of the tools used by the BlackTech APT group, and for coverage of vendor-based mitigations for your preventative security controls, visit our blog here.

Snatch Ransomware Unmasked: A Comprehensive Explanation

The Snatch ransomware [4], highlighted by CISA on September 20, 2023 [14], exemplifies a sophisticated, multilayered cyber-attack method. Emerging in 2018 and leveraging a Ransomware-as-a-Service (RaaS) model, Snatch has consistently employed double extortion tactics across diverse sectors. 

  • The modus operandi involves gaining initial access typically via brute force attacks on vulnerable remote desktop services or by exploiting compromised credentials procured from Initial Access Brokers. 

  • Once access is secured, the ransomware forces the system to reboot in Safe Mode, a notable defense evasion technique enabling Snatch ransomware to bypass antivirus or endpoint protections usually in place, due to the limited functionalities enabled in Windows Safe Mode. 

  • Post-reboot, extensive network enumeration is conducted using batch files, facilitating substantial data exfiltration and eventual deployment of the ransomware.

  • Additionally, Snatch ransomware uses Service Control to run malicious commands, modifies registry keys, and disables defense mechanisms like Windows Defender, escalating its persistence and lateral movement capabilities within the network. 

  • The ransomware further executes its final payload, encrypting files with AES, appending a .snatch extension, and threatening victims with public data release to enforce ransom payment. 

The meticulously planned and executed stages of Snatch ransomware demonstrate a concerted effort to blend into network traffic, manipulate system functionalities, and render data irretrievable, underscoring the imperative for robust, multifaceted cybersecurity strategies in organizational defense frameworks.

For more information about the kill chain of the Snatch ransomware operators and the malicious commands they run on the victim system, click here.

CISA Alert AA23-250A: Nation-State APT Actors Exploit CVE-2022-47966 and CVE-2022-42475

On September 7, 2023, a joint advisory coded AA23-250A was released by CISA [15], disclosing multi-faceted cyber threats from various APT actors, predominantly targeting organizations in the Aeronautical Sector.

This advisory unveils a meticulously executed intrusion, starting from January 2023, where attackers, exploiting vulnerabilities CVE-2022-47966 and CVE-2022-42475, initiated a complex kill chain to gain unauthorized access, primarily through a web server hosting Zoho ManageEngine ServiceDesk Plus. 

This initial access allowed the attackers to 

  • move laterally within the network, 

  • establish administrative privileges, 

  • deploy malware, 

  • erase logs, and 

  • potentially exfiltrate proprietary information. 

Forensic analysis revealed that actors focused on internet-facing devices like firewalls and VPNs to expand malicious infrastructure and executed multiple TLS-encrypted sessions indicating successful data transfers. 

The revelation of these intricate attacks underscores the crucial need for fortified cybersecurity defenses, immediate patching, stringent monitoring, and removal of unnecessary accounts to counteract such sophisticated cyber threats.

To have a deeper understanding of the attack lifecycle and obtain actionable mitigation content provided by Picus Security, click here.

Top Three Most Active Malware in September

Here are the most active malware used in September by cyber attackers.

Cat's Out of the Bag: Ballistic Bobcat's Cunning Sponsor Backdoor!

The Iranian state-sponsored hackers known as Ballistic Bobcat [13], also tracked as Charming Kitten, APT35, Mint Sandstorm, and Phosphorus, have orchestrated a meticulous cyber-espionage campaign, unleashing a sophisticated backdoor malware variant named ‘Sponsor’ ([6], [7]). 

The Sponsor backdoor, an evolution of the earlier identified ‘PowerLess,’ is deployed with a focus on exploiting vulnerable Microsoft Exchange Servers, leveraging the CVE-2021-26855 vulnerability as the entry point to gain initial access. Victims of this cyber onslaught span across sectors, encompassing organizations located primarily in Israel, the Middle East, and Brazil, highlighting the versatility and adaptability of the Sponsor backdoor in infiltrating a myriad of systems.

Once it has infected a host, the Sponsor backdoor, written in C++, operates discreetly, gathering an extensive array of host information, including but not limited to

  • hardware specifics,

  • software details, and 

  • language settings,

which is subsequently relayed to a central C&C server. 

This stealthy exchange enables the operator to issue arbitrary commands, ranging from executing specific commands on the host and altering communication intervals to downloading and executing files from the internet, offering a multi-faceted approach to cyber intrusion and data theft. 

HTTPSnoop Dogg on the Prowl: ShroudedSnooper Targets the Middle East with Stealthy Backdoor!

In September, the telecommunications sector faced heightened cyber threats, notably from a novel malware family dubbed “HTTPSnoop” [8].

This new malware family is reportedly deployed by a newly identified actor named ShroudedSnooper against telecommunications providers, specifically in the Middle East. HTTPSnoop is a well-crafted backdoor that integrates novel techniques to interface with Windows HTTP kernel drivers and devices, allowing it to effectively listen to incoming requests for specific HTTP(S) URLs and execute the content on the infected endpoint. This malware can masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, complicating detection efforts.

HTTPSnoop, coupled with its sister implant, PipeSnoop, symbolizes a novel threat. The latter accepts arbitrary shellcode from a named pipe and executes it on the infected endpoint. The incursion methodology likely involves 

  • exploiting internet-facing servers, 

  • deploying HTTPSnoop for initial access, and 

  • mimicking HTTP URL patterns, such as those resembling Microsoft’s Exchange Web Services (EWS) platform, making this attack a complex multi-faceted cyber-espionage campaign. 

This activity underscores a concerning trend, with telecommunications consistently emerging as a top-targeted industry vertical, acting as a conduit for adversaries to potentially access an extensive range of critical infrastructure assets, private entities, and government services. The use of HTTPSnoop and PipeSnoop represents the latest development in the escalating cyber threat landscape targeting the telecommunications sector, highlighting the need for enhanced vigilance and robust cybersecurity measures within the industry.

Securing the Sock Drawer: Exposing the Stealthy Threads of Earth Lusca's SprySOCKS Linux Backdoor!

The Chinese cyber espionage group Earth Lusca has been targeting crucial government agencies globally, leveraging a new Linux backdoor dubbed SprySOCKS [9]. 

This malware, an adaptation of the well-known Trochilus open-source Windows malware [9], combines multiple malware capabilities, 

  • merging the command and control (C2) communication protocol reminiscent of the Windows backdoor RedLeaves, and 

  • an interactive shell rooted in the principles of the notorious Linux malware Derusbi.

SprySOCKS has been a pivotal instrument in Earth Lusca's unscrupulous campaigns, focusing on entities primarily engaged in foreign affairs, technology, and telecommunications across Southeast Asia, Central Asia, and the Balkans, executing a plethora of functions from collecting sensitive system information to managing SOCKS proxy configurations, all while maintaining clandestine communications via its high-performance HP-Socket networking framework and AES-ECB encrypted TCP communications.

SprySOCKS’ intricate modus operandi involves exploiting a series of n-day unauthenticated remote code execution flaws for initial access, subsequently deploying Cobalt Strike beacons to gain a foothold within the network, enabling lateral movement and facilitating the theft of account credentials, file exfiltration, and additional payload deployments.

Earth Lusca’s prowess is underscored by their adept utilization of SprySOCKS loader, a variant of the Linux ELF injector, effectively masquerading under the name "kworker/0:22", mimicking a Linux kernel worker thread to avoid detection. The meticulously orchestrated operations of SprySOCKS, coupled with its evolving versions, underscore the escalating threat landscape and the paramountcy of implementing robust security protocols on public-facing servers to thwart the advancements of Earth Lusca and secure national interests and sensitive information.
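An added Linux check (not Earth Lusca's code and not from the cited reports) for the kworker masquerade described above: a genuine kernel worker thread has kthreadd (PID 2) as its parent, no resolvable /proc/<pid>/exe link and an empty cmdline, so a "kworker/..." process showing any of those user-space attributes warrants a look. The classification logic takes constructed inputs; the /proc scanner is for Linux hosts.

```python
import os
from typing import List, Optional


def classify_process(name: str, ppid: int, exe_target: Optional[str], cmdline: str) -> str:
    """Classify a process by name and user-space attributes.

    Kernel threads such as kworker/0:22 are children of kthreadd (PID 2),
    have no executable image behind /proc/<pid>/exe and an empty cmdline.
    A process carrying the kworker name but any of those attributes is
    a user-space program masquerading as a kernel thread.
    """
    if not name.startswith("kworker/"):
        return "not_kworker"
    if ppid == 2 and exe_target is None and cmdline == "":
        return "kernel_thread"
    return "suspicious_masquerade"


def read_proc(pid: int) -> Optional[dict]:
    """Collect name, parent PID, exe link and cmdline for one PID from /proc."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            name = f.read().strip()
        with open(f"{base}/stat") as f:
            stat = f.read()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None  # process exited, or not readable
    # /proc/<pid>/stat: "pid (comm) state ppid ..."; comm may contain spaces,
    # so split on the last ')' and take the field after the state.
    ppid = int(stat.rsplit(")", 1)[1].split()[1])
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel threads (and processes of other users) have no link
    return {"pid": pid, "name": name, "ppid": ppid, "exe": exe, "cmdline": cmdline}


def scan_proc() -> List[dict]:
    """Walk /proc and return every kworker-named process that is not a kernel thread."""
    findings = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        info = read_proc(int(entry))
        if info is None:
            continue
        if classify_process(info["name"], info["ppid"], info["exe"], info["cmdline"]) == "suspicious_masquerade":
            findings.append(info)
    return findings


if __name__ == "__main__":
    for hit in scan_proc():
        print(f"suspicious kworker: pid={hit['pid']} ppid={hit['ppid']} exe={hit['exe']} cmdline={hit['cmdline']!r}")
```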

Top CVEs Exploited in September

Here are the most targeted vulnerabilities in September, with their CVE IDs, as well as the malware and tools used in their exploitation campaigns.

 

# | CVE | Name / Affected Product | Threat Actors / Malware Campaigns
1 | CVE-2023-32315 | OpenFire | Earth Estries APT Group’s Cyber Espionage Campaign [10], loading BadBazaar and Kinsing Malware
2 | CVE-2021-26855 | Microsoft Exchange Server | Iranian state hackers (with aliases Ballistic Bobcat, Charming Kitten, APT35, Mint Sandstorm, Phosphorus), loading Sponsor Malware (version of PowerLess Malware) [16]
3 | CVE-2023-41064 and CVE-2023-41061 | Apple Devices [17] (iOS 16.6.1 and iPadOS 16.6.1 [18]) | NSO Group with Pegasus Advanced Spyware [11]
4 | CVE-2022-47966 | ManageEngine IT management tools | Andariel APT (sub-group of Lazarus APT), loading QuiteRAT and CollectionRAT [12]

Below is more context on each CVE and how adversaries leverage it in their attack campaigns.

CVE-2023-32315 Exploited by Earth Estries APT Group

Earth Estries APT group, which is believed to be involved in cyber espionage activities, recently launched a campaign against government and technology sectors in countries such as the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US [10]. 

This campaign exploited the OpenFire vulnerability (CVE-2023-32315) to deploy the BadBazaar and Kinsing malware and a cryptominer using Trojanized versions of popular messaging apps like Telegram and Signal. Notably, the malware in question is the BadBazaar Android malware, which has links to the China-associated GREF. As the cyber threat landscape continues to evolve, sectors worldwide are urged to remain vigilant and adopt necessary measures to safeguard their digital assets.

Charming Kitten Exploiting CVE-2021-26855 to Deploy the Sponsor Backdoor

In a broad-reaching cyber espionage campaign from March 2021 to today, the Iranian hacker group known as 'Charming Kitten' [13], with various aliases like Phosphorus, TA453, and APT35/42, leveraged a Microsoft Exchange vulnerability (CVE-2021-26855) to target entities in sectors ranging from government to telecommunications across countries like 

  • Israel, 

  • Brazil, and 

  • the UAE. 

Exploiting this remote code execution vulnerability, the threat actor infiltrated 34 global companies, deploying a previously undisclosed backdoor malware named Sponsor. This malware, once embedded, communicated with its command and control server, allowing for data exfiltration, system monitoring, and further infiltration. Given the Sponsor backdoor's ability to dodge detection and the wide targeting, 'Charming Kitten' emerges as a highly sophisticated and concerning adversary in the cybersecurity arena.

Organizations must prioritize proactive security practices to protect their networks and valuable data from the ever-evolving tactics of threat actors.

CVE-2023-41064 and CVE-2023-41061 Exploited by NSO Group

In September, Apple patched two critical zero-day vulnerabilities [17], 

  • CVE-2023-41064 and 

  • CVE-2023-41061

which were actively being exploited to deliver NSO Group’s notorious Pegasus spyware to iPhones [11]. These vulnerabilities allowed attackers to compromise devices running the latest iOS (16.6) without requiring any action from the targeted user [18]. Specifically, the exploits took advantage of a buffer overflow vulnerability in the Image I/O framework and a validation issue in Apple’s Wallet, triggered by sending malicious images and attachments via iMessage.

Andariel APT Exploiting CVE-2022-47966 to Deploy QuiteRAT and CollectionRAT

The North Korean state-sponsored APT group Andariel [12], a sub-group of Lazarus APT, has intensified its cyber offensive against the healthcare sector in Europe and the United States [12]. Exploiting a vulnerability in ManageEngine IT management tools, identified as CVE-2022-47966, they have been deploying remote access Trojans, namely 

  • QuiteRAT and 

  • CollectionRAT.

Notably, CollectionRAT has ties to the Jupiter/EarlyRAT malware family. Given the vital nature of healthcare entities and the potential repercussions of such breaches, this campaign by the Lazarus Group poses a considerable threat and underlines the persistent cyber risks faced by the health sector.

The Pegasus campaign described above also underscores the increasing threats faced by civil society from state-backed cyber espionage. In response, Apple swiftly released patches for its devices, advising users to update immediately; those at higher risk of targeted attacks were advised to enable Lockdown Mode.

References

[1] H. C. Yuceel, “CVE-2023-20269: Akira Ransomware Exploits Cisco ASA Vulnerability,” Sep. 11, 2023. Available: https://www.picussecurity.com/resource/blog/cve-2023-20269-akira-ransomware-exploits-cisco-asa-vulnerability. [Accessed: Oct. 02, 2023]

[2] H. C. Yuceel, “CVE-2023-29357: SharePoint Server Privilege Escalation Vulnerability,” Sep. 28, 2023. Available: https://www.picussecurity.com/resource/blog/cve-2023-29357-sharepoint-server-privilege-escalation-vulnerability. [Accessed: Oct. 02, 2023]

[3] H. C. Yuceel, “BlackTech APT Group Targets US and Japan - CISA Alert AA23-270A,” Sep. 28, 2023. Available: https://www.picussecurity.com/resource/blog/blacktech-apt-group-targets-us-and-japan-cisa-alert-aa23-270a. [Accessed: Oct. 02, 2023]

[4] H. C. Yuceel, “Snatch Ransomware Explained - CISA Alert AA23-263A,” Sep. 21, 2023. Available: https://www.picussecurity.com/resource/blog/snatch-ransomware-explained-cisa-alert-aa23-263a. [Accessed: Oct. 02, 2023]

[5] H. C. Yuceel, “CISA Alert AA23-250A: Nation-State APT Actors Exploit CVE-2022-47966 and CVE-2022-42475,” Sep. 08, 2023. Available: https://www.picussecurity.com/resource/blog/cve-2022-47966-and-cve-2022-42475-cisa. [Accessed: Oct. 03, 2023]

[6] B. Toulas, “Iranian hackers backdoor 34 orgs with new Sponsor malware,” BleepingComputer, Sep. 11, 2023. Available: https://www.bleepingcomputer.com/news/security/iranian-hackers-backdoor-34-orgs-with-new-sponsor-malware/. [Accessed: Oct. 02, 2023]

[7] A. Burgher, “Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor.” Available: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/. [Accessed: Oct. 02, 2023]

[8] A. Malhotra, “New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants,” Cisco Talos Blog, Sep. 19, 2023. Available: https://blog.talosintelligence.com/introducing-shrouded-snooper/. [Accessed: Oct. 02, 2023]

[9] B. Toulas, “New SprySOCKS Linux malware used in cyber espionage attacks,” BleepingComputer, Sep. 18, 2023. Available: https://www.bleepingcomputer.com/news/security/new-sprysocks-linux-malware-used-in-cyber-espionage-attacks/. [Accessed: Oct. 02, 2023]

[10] “Website.” Available: https://thecyberwire.com/newsletters/research-briefing/5/26

[11] S. Gatlan, “CISA warns govt agencies to secure iPhones against spyware attacks,” BleepingComputer, Sep. 11, 2023. Available: https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-secure-iphones-against-spyware-attacks/. [Accessed: Oct. 03, 2023]

[12] M. K. McGee and R. Ross, “Feds Warn Health Sector of Lazarus Group Attacks.” Available: https://www.govinfosecurity.com/feds-warn-health-sector-lazarus-group-attacks-a-23122. [Accessed: Oct. 03, 2023]

[13] A. Asokan and R. Ross, “Iranian Hackers ‘Ballistic Bobcat’ Deploy New Backdoor.” Available: https://www.govinfosecurity.com/iranian-hackers-ballistic-bobcat-deploy-new-backdoor-a-23060. [Accessed: Oct. 02, 2023]

[14] “#StopRansomware: Snatch Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a. [Accessed: Oct. 02, 2023]

[15] “Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a. [Accessed: Oct. 02, 2023]

[16] R. Priyanka, “Iranian hackers target entities with new Sponsor malware,” Latest Cyber Security News, Leading Cyber Security News, Sep. 12, 2023. Available: https://cybersafe.news/iranian-hackers-target-entities-with-new-sponsor-malware/. [Accessed: Oct. 03, 2023]

[17] Z. Zorz, “Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061),” Help Net Security, Sep. 08, 2023. Available: https://www.helpnetsecurity.com/2023/09/08/cve-2023-41064-cve-2023-41061/. [Accessed: Oct. 03, 2023]

[18] “About the security content of iOS 16.6.1 and iPadOS 16.6.1,” Apple Support, Sep. 07, 2023. Available: https://support.apple.com/en-us/HT213905. [Accessed: Oct. 03, 2023]