Cybersecurity Threats Affecting Businesses in July 2023

Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.

Below are the top four threats that emerged over the past month.

Midnight Group’s Fraud Campaign Resurgence

Midnight Group has recently been observed sending fake ransomware emails to companies in an attempt to extort them, preying on ransomware fears that have remained prevalent since the malware rose to fame with the Wannacry attacks. Midnight Group operates by pretending to be different ransomware groups and sending threatening emails in which they claim to have stolen data. If compliance is not gained outright, the group will utilize DDoS attacks to increase pressure.

They are known to impersonate the ransomware groups Surtr and Silent Ransom Group (SRG), while recent victims have been U.S. companies that were previously targeted by actual threat actors. This tactic, preying on those who have been hit before, can be extremely effective as the attackers impersonate groups already known to target the company. Publicly available information sourced from news reports and posts on hacker websites make it easy for Midnight Group to target companies that have been hit and pose as the groups antagonizing them.

The term “Phantom Incident Extortion,” (PIE) has been used to describe this attack. In one incident, where the attackers impersonated SRG, they reminded the company of the previous attack by SRG, claimed to have data of all kinds including PII, financial data, medical data, etc., and offered a resolution.

Victims of attacks like these should know that these attackers do not have any of the information they claim to, and payment to them would not lead to any resolution to attacks or extortion attempts by other actors. This is a particularly insidious kind of phishing because it prays on victims of past attacks. Attacks of this nature can get lost in the shuffle of incident response or in the aftermath of events arising from a real attack, especially when combined with the threat of a DDoS that would indeed hinder services.

For attacks like this, the barrier to entry is low, as they are examples of social engineering with the capacity for a DDoS incident. Given that it is much easier to fool a person than a computer, for every successful attack (which usually begin with a phishing email) organizations can expect ten separate attackers riding the coattails in an attempt to get a cut for themselves.

Rapperbot Cryptojacking

FortiGuard Labs has discovered new samples of the RapperBot campaign, which has been active since January 2023. RapperBot is a malware family that primarily targets IoT devices and has been observed in the wild since June 2022. Previous campaigns focused on expanding the botnet’s footprint by brute-forcing devices with weak or default SSH or Telnet credentials and using them to launch Distributed Denial of Service (DDoS) attacks.

In the latest campaign, the threat actors behind RapperBot have started incorporating cryptojacking, specifically targeting Intel x64 machines. Initially, they deployed a separate Monero cryptominer alongside the RapperBot binary. However, in late January 2023, they combined both functionalities into a single bot.

In terms of obfuscation, RapperBot samples continue to employ XOR encoding, but with an additional layer of XOR encoding using multi-byte XOR keys. The miner code includes modifications to facilitate cryptojacking, such as removing the ability to read external configuration files and using multiple mining pools for redundancy and privacy. The machine owner is prevented from terminating the mining process and all identifiers are removed to evade detection.

To maximize efficiency, the RapperBot kills off other miners by scanning running processes and terminating those associated with blacklisted keywords. This behavior indicates a focus on terminating other miners rather than IoT bots, emphasizing their interest in cryptojacking on x64 machines. It is worth noting that there is no direct infection vector for x64 RapperBot samples, as they lack self-propagation capabilities. This suggests the possible use of an external loader operated by the threat actor, which utilizes credentials collected by other RapperBot samples with brute-forcing capabilities to infect only x64 machines.

The addition of the threat actor’s public SSH key on infected machines may provide another entry point for x64 samples. The RapperBot botnet operators are financially motivated and constantly seeking to extract maximum value from infected machines. Mitigation measures include enabling public key authentication or setting strong passwords for all devices connected to the internet, as the primary infection vector remains compromising SSH services with weak or default credentials.

Kimsuky Targeted Social Engineering Campaign

Researchers has been tracking a targeted social engineering campaign against experts in non-government sectors. The campaign focuses on theft of email credentials, delivery of reconnaissance malware, and theft of news subscription credentials. Based on the malware, infrastructure, and tactics used, the campaign has likely been orchestrated by the Kimsuky threat actor. Kimsuky, a suspected North Korean advanced persistent threat group whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals. Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information. Kimsuky focuses on establishing initial contact and developing a rapport with their targets prior to initiating malicious activities.

Once the target engages in a conversation, Kimsuky delivers a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials. The URL’s destination is spoofed by setting the href HTML property to direct to a website created by Kimsuky. This method, commonly employed in phishing attacks, creates a link that is perceived to be legitimate but is not.

This Kimsuky activity indicates the group’s continuing efforts to establish communication and foster trust with their targets prior to initiating malicious operations, including the delivery of malware. By creating a sense of rapport with the individuals they target, Kimsuky hopes to increase the success rate of their malicious activities.

Volt Typhoon

In late May 2023, cybersecurity authorities in the U.S. and other countries expressed concerns about an ongoing campaign conducted by a state-sponsored threat actor named Volt Typhoon, originating from China. This group has targeted critical infrastructure networks across the U.S., including in Guam where military bases are located. Various sectors such as government, maritime, education, and others have been compromised by Volt Typhoon. The threat actor employs living-off-the-land techniques and disguises its activities as normal Windows system operations, making it challenging to detect. Their primary motive appears to be espionage.

Volt Typhoon employs a range of tactics and techniques to carry out its operations. They exploit internet-facing Fortinet FortiGuard devices to gain initial access and extract credentials from compromised devices to authenticate themselves on other network systems. The threat actor also utilizes tools like wmic, ntdsutil, netsh, and PowerShell, as well as open-source tools such as Fast Reverse Proxy, Mimikatz, and Impacket. Volt Typhoon conceals its activities by routing traffic through compromised small office and home office (SOHO) network equipment like routers, firewalls, and VPN hardware. To protect against this threat, organizations should secure network management interfaces on SOHO devices, strengthen the security of domain controllers, and closely monitor event logs for suspicious activities.

As the attacks from Volt Typhoon continue, it is gradually becoming known which critical infrastructure entities in the U.S. have been breached, including the U.S. Navy. The recent breaches are believed to be part of China’s strategic efforts to gain access in preparation for future conflicts. Detecting and mitigating attacks from Volt Typhoon can be challenging due to their use of legitimate accounts and living-off-the-land techniques. To defend against this threat, compromised accounts should be closed or their credentials changed. Additionally, network management interfaces on SOHO devices should be secured, and best practices for securing domain controllers and monitoring event logs should be implemented.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.