CyberWatch

CyberWatch - June 7, 2023

By

Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Harvard Pilgrim Health Care ransomware attack hits 2.5 million people
  2. Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics
  3. Malicious PyPI Packages Using Compiled Python Code to Bypass Detection
  4. Evasive QBot Malware Leverages Short-Lived Residential IPs for Dynamic Attacks
  5. Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

Vulnerabilities

  1. MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited
  2. Android security update fixes Mali GPU flaw exploited by spyware
  3. KeePass Update Patches Vulnerability Exposing Master Password
  4. Google fixes new Chrome zero-day flaw with exploit in the wild

Ransomware, Malware & Phishing

Harvard Pilgrim Health Care ransomware attack hits 2.5 million people

Analysis: Harvard Pilgrim Health Care (HPHC), a non-profit health services provider based in Massachusetts, has revealed that it experienced a ransomware attack in April 2023. The attack affected approximately 2.5 million individuals, and the attackers were able to steal sensitive data from compromised systems.

HPHC reported the incident to the US Department of Health and Human Services portal. The cybercriminals had access to HPHC’s systems from March 18 to April 17, during which they exfiltrated sensitive information. The stolen data includes personal details such as full names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and clinical information. The incident impacts both current and former members of Harvard Pilgrim who registered starting from March 28, 2012. HPHC is conducting an active investigation and system reviews before resuming normal business operations.

So far, no misuse of stolen data has been detected, but affected individuals are advised to exercise caution regarding unsolicited messages and remain vigilant. HPHC is providing credit monitoring and identity theft protection services to affected individuals. No ransomware group has claimed responsibility for the attack at this time.

Access Point recommends prioritizing cybersecurity measures, including robust threat detection, prevention and response strategies, regular data backups, employee training, and timely software patching to protect against ransomware and other cyber threats. Having a tried and tested incident response plan is essential to ensuring that you mitigate the attack as quickly as possible with the least amount of business impact.

Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

Analysis: BlackCat ransomware, a notable threat actor, has released an improved variant called Sphynx in an effort to enhance its stealth and speed capabilities. The new version aims to bypass security measures and avoid detection.

Sphynx was first announced in February 2023 and offers updated features that strengthen the group's evasion tactics. BlackCat is the first known ransomware strain developed in the Rust programming language and has been active since November 2021, targeting over 350 victims as of May 2023.

BlackCat operates as ransomware-as-a-service (RaaS) and follows a double extortion scheme. It employs custom data exfiltration tools, such as ExMatter, to steal sensitive data before encrypting it. The initial access to targeted networks is typically obtained through a network of actors known as initial access brokers (IABs) who use off-the-shelf information stealer malware to gain legitimate credentials. BlackCat has similarities to the now-defunct BlackMatter ransomware family, as noted by Cisco Talos and Kaspersky.

The Sphynx version of BlackCat incorporates junk code, encrypted strings, and modified command-line arguments passed to the binary. It also includes a loader to decrypt the ransomware payload. Once executed, Sphynx performs network discovery to find additional systems, deletes volume shadow copies, encrypts files, and drops a ransom note.

Despite law enforcement’s efforts against ransomware groups, BlackCat remains an active and evolving threat to organizations. The constant evolution of its tactics indicates that the group shows no signs of slowing down. Ransomware attacks are contributing to the professionalization of cybercrime, with illicit financial gains leading to the emergence of underground services that support ransomware operations. Major ransomware groups have begun to adopt this ransomware-as-a-service model, offering tools and expertise to affiliates in exchange for a share of the profits. This has fueled the development of a service industry providing various tools and services to threat groups, facilitated by cryptocurrency and the anonymity of the dark web.

Access Point urges organizations to ensure their employees remain cautious of suspicious links or attachments through security awareness training. Phishing is one of the most prevalent methods of attack, and it is essential that your employees are able to recognize phishing emails when they see them.

For more information on cyber defense tactics, visit the Access Point Resource Center.

Evasive QBot Malware Leverages Short-Lived Residential IPs for Dynamic Attacks

Analysis: QBot, also known as QakBot and Pinkslipbot, is a highly sophisticated and persistent malware. It has evolved from a banking trojan into a downloader for various payloads, including ransomware. Recent analysis conducted by Lumen Black Lotus Labs has revealed some interesting findings about QBot's command-and-control (C2) servers. It was discovered that 25% of these servers remain active for only one day, while 50% of them are inactive for more than a week. This indicates that the malware utilizes an adaptable and dynamic C2 infrastructure.

The threat actors behind QBot have consistently improved their tactics to infiltrate victims’ systems. They employ techniques such as email thread hijacking, HTML smuggling, and uncommon attachment types to bypass security measures. QBot's malspam campaigns follow a pattern of intense activity followed by periods of inactivity. However, they always resurface with an updated infection chain. In 2023, earlier phishing waves used Microsoft OneNote as an intrusion vector, but recent attacks have shifted to using protected PDF files to install the malware.

QBot relies on compromised web servers and hosts in the residential IP space for its C2 infrastructure. As a result, the lifespan of these servers is short, and there is a high turnover rate. On average, 70 to 90 new servers emerge within a seven-day period. To maintain resilience, QBot repurposes victim machines as C2 servers and replenishes its C2 supply through bots that are subsequently converted into C2s. Data from Team Cymru suggests that many QBot C2 servers are compromised hosts purchased from third-party brokers, with a significant number located in India. Additionally, Black Lotus Labs discovered the presence of a backconnect server within the attack infrastructure, which converts a large number of infected bots into proxies that can be advertised for other malicious purposes.

QBot demonstrates technical expertise and resiliency through its flexible approach to building and developing its architecture. While it may not rely on sheer numbers like Emotet, QBot utilizes diverse initial access methods and maintains a resilient yet evasive C2 architecture through the use of residential IP space and compromised web servers. Although QBot has recently shifted to other infection methods, it is not uncommon for them to revert to previous tactics in subsequent campaigns. Threat actors are continuously changing their tactics, techniques, and procedures to avoid detection in target networks.

It is crucial for organizations to stay informed through active threat hunting programs, and to implement best practices — including regular data backups, employee training, network segregation, and timely software patching — to protect against ransomware and other cyber threats. Having a multi-layered defense with multi-factor authentication (MFA) enabled is also important.

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Analysis: Researchers have recently uncovered a new attack targeting the Python Package Index (PyPI) repository.

This attack exploits compiled Python code to bypass detection by application security tools, making it potentially the first of its kind to leverage the direct execution capability of Python bytecode (PYC) files. The specific package involved in this attack is called fshec2, which was removed from the third-party software registry on April 17, 2023 following responsible disclosure.

PYC files are generated by the Python interpreter as compiled bytecode when a Python program is executed. In the case of the attack package fshec2, it consists of three files: __init__.py, main.py, and full.pyc. The malicious functionality is contained within the full.pyc file, while the entry point of the package is found in __init__.py. This entry point imports a function from main.py that is responsible for loading the Python compiled module from full.pyc. The importlib package is used for loading and executing the code within the .pyc file.

Upon reverse-engineering the PYC file, researchers discovered that it collects usernames, hostnames, and directory listings. It also fetches commands from a hardcoded server (13.51.44[.]246) for execution on the host. The fshec2 package was observed downloading and running another Python script, which fetches new commands from a file that can be modified by the threat actor. The command-and-control server associated with the attack had a misconfiguration that allowed stolen files to be downloaded without authorization, indicating that the attacker may not be highly sophisticated.

This attack highlights the ongoing efforts of threat actors to employ obfuscation techniques in order to evade security solutions. Loader scripts, like the one found in the fshec2 package, typically contain minimal Python code and perform a simple action, which in this case is the loading of a malicious compiled Python module.
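A static triage of an unpacked package for the loader pattern described above, as an added example that is not part of the original newsletter or the researchers' tooling: it flags .pyc files shipped without matching source and .py files that reference importlib's bytecode loaders or .pyc paths. The package name samplepkg, the function names, and the sample files are constructed for illustration; the scan only reads files and never imports or executes the package.

```python
import ast
import tempfile
from pathlib import Path

# importlib names that can load a module directly from a bytecode file
LOADER_NAMES = {"SourcelessFileLoader", "spec_from_file_location"}


def sourceless_pyc(root: Path) -> list:
    """Return .pyc files that ship without a matching .py source file."""
    hits = []
    for pyc in root.rglob("*.pyc"):
        if pyc.parent.name == "__pycache__":
            # Normal cache layout: pkg/__pycache__/name.cpython-311.pyc
            source = pyc.parent.parent / (pyc.name.split(".")[0] + ".py")
        else:
            source = pyc.with_suffix(".py")
        if not source.exists():
            hits.append(pyc.relative_to(root).as_posix())
    return sorted(hits)


def loader_references(root: Path) -> dict:
    """Map each .py file to loader imports, names, attributes and .pyc literals."""
    findings = {}
    for src in root.rglob("*.py"):
        rel = src.relative_to(root).as_posix()
        try:
            tree = ast.parse(src.read_text(encoding="utf-8", errors="replace"))
        except (SyntaxError, ValueError):
            findings[rel] = ["unparseable source"]
            continue
        seen = set()
        for node in ast.walk(tree):
            if isinstance(node, ast.Constant):
                if isinstance(node.value, str) and node.value.lower().endswith(".pyc"):
                    seen.add("literal:" + node.value)
            for field in ("name", "id", "attr"):
                if getattr(node, field, None) in LOADER_NAMES:
                    seen.add("loader:" + getattr(node, field))
        if seen:
            findings[rel] = sorted(seen)
    return findings


def review(root: Path) -> dict:
    """Combine both checks; the pairing is what matches the loader pattern."""
    pyc, refs = sourceless_pyc(root), loader_references(root)
    return {"sourceless_pyc": pyc, "loader_refs": refs,
            "suspicious": bool(pyc) and bool(refs)}


def build_sample(root: Path) -> None:
    """Constructed sample: three-file layout plus a benign cached module."""
    pkg = root / "samplepkg"
    (pkg / "__pycache__").mkdir(parents=True)
    (pkg / "__init__.py").write_text("from .main import loader\n")
    (pkg / "main.py").write_text(
        "from importlib.machinery import SourcelessFileLoader\n"
        "loader = SourcelessFileLoader('full', 'full.pyc')\n")
    (pkg / "full.pyc").write_bytes(b"\x00" * 16)  # placeholder, not bytecode
    (pkg / "util.py").write_text("X = 1\n")
    (pkg / "__pycache__" / "util.cpython-311.pyc").write_bytes(b"\x00" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(review(Path(tmp)))
```

A hit is a prompt for manual review rather than a verdict: some legitimate projects ship bytecode-only modules, and spec_from_file_location is common in plugin loaders.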

Access Point emphasizes the importance of having a dedicated threat hunting team that continuously monitors the network for any indicators of compromise associated with threat groups and their latest tactics, techniques, and procedures. Threat groups often evade security systems by continuously improving and changing their attack methods, making proactive hunting for indicators of compromise essential. Staying informed about the latest news regarding threat groups and their attacks is crucial for maintaining the security of an organization.

Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

Analysis: Threat actors associated with the Cyclops ransomware have recently been observed promoting an information stealer malware that is specifically designed to capture sensitive data from infected hosts. These threat actors operate through a ransomware-as-a-service (RaaS) model, where they offer their malware on forums and request a portion of the profits from those who engage in malicious activities using their malware.

Cyclops ransomware primarily targets major desktop operating systems, including Windows, macOS, and Linux. To ensure a smooth encryption process, the ransomware terminates any processes that could potentially interfere. The macOS and Linux variants of the ransomware are coded in Golang, and the encryption scheme employed combines asymmetric and symmetric encryption techniques.

The information stealer malware associated with Cyclops focuses on Windows and Linux systems. It captures various details, such as operating system information, computer names, number of processes, and files of interest with specific extensions. The harvested data — including files with extensions like .TXT, .DOC, .XLS, .PDF, .JPEG, .JPG, and .PNG — is then uploaded to a remote server. Customers who utilize this malware can access the stolen data through an admin panel.

It is important to note that Access Point strongly advises against paying ransom, as doing so not only encourages further attacks but also funds criminal activities. Furthermore, there is no guarantee that the data will be decrypted even after payment. Instead, organizations are advised to prioritize prevention and mitigation strategies. This includes implementing robust backup and disaster recovery plans, as well as having a well-tested incident response plan in place. By focusing on these measures, organizations can better protect themselves against ransomware attacks and minimize potential damage.

Vulnerabilities

MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited

Analysis: A critical vulnerability, assigned the CVE identifier CVE-2023-34362, has been actively exploited in Progress Software's MOVEit Transfer managed file transfer application.

The vulnerability is a severe SQL injection flaw that could allow unauthorized access and escalated privileges. Attackers can exploit the vulnerability to gain unauthorized access to MOVEit Transfer's database and potentially alter or delete elements within it. Progress Software has released patches for the bug in various versions of the application. Approximately 2,500 instances of MOVEit Transfer were exposed to the internet as of May 31, 2023, with many located in the United States. Successful exploitation results in the deployment of a web shell named "human2.aspx," which enables the exfiltration of stored data and the creation of new admin user accounts to avoid detection.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the vulnerability and advised users to apply the provided patches and take mitigation steps, such as isolating servers and deleting indicators of compromise (IoCs).

The attacks targeting MOVEit Transfer highlight a concerning trend of threat actors focusing on file transfer solutions. The motives behind the exploitation are not yet known, but stolen data could be monetized through extortion or sale on underground forums. The vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA, which recommends applying the vendor-provided patches by June 23, 2023. The attacks have affected various industries in Canada, India, the United States, Italy, Pakistan, and Germany.

Mandiant, the threat intelligence firm tracking the activity, has observed large-scale theft of files from victims' MOVEit transfer systems. It is anticipated that victims may receive extortion emails in the near future. Enterprise file transfer systems have increasingly become targets for cybercriminals due to their potential for stealing critical data from multiple victims simultaneously.

To mitigate the risk posed by the actively exploited vulnerability in Progress Software's MOVEit Transfer application (CVE-2023-34362), Access Point Technology recommends that users and organizations promptly apply the patches for the affected versions. Additionally, we recommend isolating servers by blocking inbound and outbound traffic, thoroughly inspecting environments for indicators of compromise (IoCs), and deleting any identified IoCs before applying the patches.

Android security update fixes Mali GPU flaw exploited by spyware

Analysis: Google has released the monthly security update for Android, addressing 56 vulnerabilities, including five critical ones.

One of the critical flaws, CVE-2022-22706, is a high-severity vulnerability in the Mali GPU kernel driver from Arm. Google's Threat Analysis Group (TAG) believes it may have been exploited in a spyware campaign targeting Samsung phones. This flaw allows non-privileged users to gain write access to read-only memory pages. The fix for CVE-2022-22706 is included in the security patch level 2023-06-05, and Samsung has already addressed it in their May 2023 update due to active exploitation.

The critical-severity flaws fixed in the Android update include:

  • CVE-2023-21127
  • CVE-2023-21108
  • CVE-2023-21130

All of the above are considered remote code execution flaws in the Android Framework and Android System impacting Android versions 11, 12, and 13.

Additionally, two critical flaws impacting Qualcomm closed-source components — CVE-2022-33257 and CVE-2022-40529 — have been fixed. It's important to note that devices running Android 10 or older are no longer supported and won't receive this security update.

Users of outdated devices should be cautious as they are at risk of potential impacts. Access Point advises that you upgrade to newer, actively-supported Android models or consider using a third-party Android distribution that provides security fixes, even with some delay.

KeePass Update Patches Vulnerability Exposing Master Password

Analysis: KeePass, an open-source password manager, has released an update to address a vulnerability tracked as CVE-2023-32784.

The flaw, affecting KeePass 2.X versions, involves the custom-developed textbox used for password entry, which leaves a string in memory for each typed character. Attackers can retrieve these strings from memory dumps, such as process dumps or hibernation files, and reconstruct the cleartext master password. While a proof-of-concept tool was published demonstrating the exploit, the risks were considered minimal as remote exploitation was not possible unless the system was already compromised with malware.

The patch, released earlier than expected, enhances process memory protections to prevent string creation and password recovery, including the introduction of dummy fragments mixed with correct fragments. Alongside this fix, the update also includes various user interface improvements, integration enhancements, new features, and bug fixes.

Access Point Technology recommends that users of KeePass 2.X versions update to the latest version, KeePass 2.54, which includes a patch for the vulnerability tracked as CVE-2023-32784. By promptly applying the update, users can benefit from enhanced process memory protections that prevent the retrieval of cleartext master passwords from memory dumps. Additionally, the update brings other improvements and bug fixes, ensuring a more secure and efficient user experience.

Google fixes new Chrome zero-day flaw with exploit in the wild

Analysis: Google has released a security update for its Chrome web browser to address a zero-day vulnerability — identified as CVE-2023-3079 — that has been exploited by hackers.

Details about the specific exploitation and attacks have not been disclosed, as Google typically restricts such information to protect users until a majority have updated to the secure version. CVE-2023-3079 is a high-severity issue discovered by Google researcher Clément Lecigne, and it relates to a type confusion bug in Chrome's JavaScript engine, V8. This type of bug can result in the misinterpretation of object types during runtime, potentially leading to malicious memory manipulation and arbitrary code execution.

To address the zero-day vulnerability (CVE-2023-3079) exploited in Google Chrome, Access Point Technology strongly advises that all users promptly update their Chrome web browsers to the latest version (114.0.5735.110 for Windows, 114.0.5735.106 for Mac and Linux). Users can manually initiate the update process by accessing the Chrome Settings menu, selecting Help, and choosing About Google Chrome. Relaunching the application is necessary to complete the update. Install the security update as soon as possible to mitigate the risk of exploitation.

Sources

https://www.bleepingcomputer.com/news/security/harvard-pilgrim-health-care-ransomware-attack-hits-25-million-people/

https://thehackernews.com/2023/06/improved-blackcat-ransomware-strikes.html

https://thehackernews.com/2023/06/evasive-qbot-malware-leverages-short.html

https://thehackernews.com/2023/06/malicious-pypi-packages-using-compiled.html

https://thehackernews.com/2023/06/cyclops-ransomware-gang-offers-go-based.html

https://thehackernews.com/2023/06/moveit-transfer-under-attack-zero-day.html

https://www.bleepingcomputer.com/news/security/android-security-update-fixes-mali-gpu-flaw-exploited-by-spyware/

https://www.securityweek.com/keepass-update-patches-vulnerability-exposing-master-password/

https://www.bleepingcomputer.com/news/security/google-fixes-new-chrome-zero-day-flaw-with-exploit-in-the-wild/
