Threat Pulse – September 2023
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DarkGate Loader Malware Delivered via Microsoft Teams
Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023.
Until now DarkGate Loader was seen delivered via traditional email malspam campaigns similar to those of Emotet.
In August an operator started using Microsoft Teams to deliver the malware via HR-themed social engineering chat messages.
Cisco Catalyst SD-WAN Manager flaw
Cisco has issued a warning regarding five new vulnerabilities in their Catalyst SD-WAN Manager products. The most critical vulnerability among them enables unauthenticated remote access to the server.
The Cisco Catalyst SD-WAN Manager for WAN is a software used for network management, allowing administrators to visualize, deploy, and manage devices on wide area networks (WAN).
The most severe vulnerability disclosed is CVE-2023-20252, with a CVSS v3.1 score of 9.8. This vulnerability stems from issues with the Security Assertion Markup Language (SAML) APIs, and its exploitation could lead to unauthorised access, user impersonation, unauthorised data access, modification, deletion, and service disruption.
Cisco has not provided any workarounds for these vulnerabilities. The recommended action is to upgrade to a patched release to mitigate the risks.
US and Japan warn of Chinese hackers backdooring Cisco routers
US and Japanese law enforcement and cybersecurity agencies have jointly issued a warning about a Chinese hacker group known as ‘BlackTech’.
These state-sponsored hackers have been infiltrating network devices to implant custom backdoors, granting them access to corporate networks. This joint report involves the FBI, NSA, CISA, and Japanese cybersecurity agencies NISC and NPA.
BlackTech utilises regularly updated, custom malware to create backdoors in network devices. These backdoors serve several purposes, including maintaining persistence, gaining initial network access, and redirecting traffic to servers controlled by the attackers to steal data.
Notably, the malware may be signed using stolen code-signing certificates, making it challenging for security software to detect.
To achieve their goals, the hackers employ stolen admin credentials, compromising a wide range of router brands, models, and versions. This allows them to establish a foothold and move laterally within the network.
The advisory advises system administrators to remain vigilant for signs of unauthorised downloads of bootloader and firmware images, as well as unusual device reboots that may indicate the loading of modified firmware onto routers.
Additionally, SSH traffic observed on routers should be viewed with suspicion, as it could be an indicator of compromise.
Bumblebee malware returns in new attacks abusing WebDAV folders
The malware loader ‘Bumblebee‘ has reemerged after a two-month break, launching a new campaign that exploits 4shared WebDAV services. This campaign, which began on 7 September 2023, uses these services to distribute the malware, execute its attack process, and perform post-infection actions.
To lure victims, Bumblebee employs deceptive malspam emails disguised as scans, invoices, and notifications. These emails trick recipients into downloading malicious attachments, mostly Windows shortcut LNK files.
Some attachments are in ZIP archives containing LNK files, indicating experimentation by the Bumblebee operators. When opened, the LNK file triggers a series of commands on the victim’s computer, starting with the mounting of a WebDAV folder using hardcoded credentials for a 4shared storage account.
Bumblebee is known for distributing ransomware payloads like Conti and Akira, making its adoption of the 4shared WebDAV service for distribution a worrisome development.
Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family
A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network. 3AM is written in Rust and appears to be unrelated to any known ransomware family, making it a completely new malware.
Before starting to encrypt files, 3AM tries to stop multiple services running on the infected system for various security and backup products from vendors like Veeam, Acronis, Ivanti, McAfee, or Symantec.
Once the encryption process completes, files have the .THREEAMTIME extension and the malware also attempts to delete Volume Shadow copies that could be used to recover the data.
New BlueShell Malware
BlueShell, a notorious backdoor malware written in the Go language, has emerged as a significant cybersecurity threat.
Affecting windows, Linux and Mac devices, BlueShell backdoor has been operational since 2020. It employs TLS encryption to evade network detection when communicating with its C2 server and relies on three configuration parameters: the C2 server’s IP address, port number, and a specified waiting time.
BlueShell is primarily being used against vulnerable servers to pilfer critical data, which it then uses to demand ransom.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.
