Cybersecurity Threats Affecting Businesses in June 2023
Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are vital to identifying potential threats in an organization’s environment.
Below are the top four threats that emerged over the past month.
GUI-vil: AWS Cryptomining with Compromised Credentials
GUI-vil (pronounced “Goo-ee-vil”) is a financially motivated threat group operating out of Indonesia whose primary objective is unauthorized cryptomining. Using compromised AWS credentials, the group has been running its mining operations on EC2 instances since at least 2021. The name refers to the attackers’ preference for graphical tools over the command line when carrying out their attacks.
Their usual attack lifecycle begins with monitoring public sources such as GitHub and Pastebin for exposed AWS keys and scanning for vulnerable GitLab instances. When credentials are not in plain sight, the group exploits known GitLab vulnerabilities such as CVE-2021-22205 to obtain them.
Their primary tool is S3 Browser (version 9.5.5 has been observed), supplemented by the AWS Management Console in a web browser once they create or take over an IAM user with console access. Privilege escalation is often unnecessary because stolen cloud credentials tend to be overprivileged. In one incident the initial credentials granted only read access; the attackers escalated by manually exploring what they could reach and finding more powerful credentials in a Terraform file. Manual reconnaissance then continues with a review of the accessible S3 buckets and a survey of which services the account exposes through the console.
Persistence is established by using S3 Browser to create new IAM users whose names conform to the organization’s naming conventions. A common slip is forgetting to change the default user name that S3 Browser supplies when creating a user, which makes that default name a useful string to hunt for. Alternatively, the attackers create a login profile (console password) for an existing IAM user, which is less conspicuous than creating a new user outright. EC2 is abused as well: by connecting to an instance directly over SSH, they inherit whatever instance-profile credentials it carries. Once access is secured, the mining payload is installed.
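The threat-hunt script below is an added example and is not code from the original article or from Marcum Technology; it shows the kind of CloudTrail query that surfaces the activity just described. It runs over constructed CloudTrail-style records embedded in the script (not real telemetry) and assumes that S3 Browser identifies itself with the string “S3 Browser” in the userAgent field; the set of IAM calls treated as persistence is also this example’s own choice.

```python
"""CloudTrail threat hunt for GUI-vil-style activity (added example, constructed data)."""
import re
from collections import defaultdict

# ASSUMPTION: S3 Browser reports itself with this substring in userAgent.
# Verify against a known-good S3 Browser session in your own trail first.
S3_BROWSER_UA = re.compile(r"\bS3 Browser\b", re.IGNORECASE)

# IAM calls that create a new way into the account: the persistence step.
PERSISTENCE_CALLS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey",
                     "AttachUserPolicy", "PutUserPolicy"}
COMPUTE_CALLS = {"RunInstances"}  # the mining fleet has to be launched somewhere

# Constructed CloudTrail-style records (only the fields the hunt reads).
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2023-06-02T10:01:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "S3 Browser 9.5.5 https://s3browser.com/"},
    {"eventTime": "2023-06-02T10:03:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "S3 Browser 9.5.5 https://s3browser.com/",
     "requestParameters": {"userName": "svc-backup-02"}},
    {"eventTime": "2023-06-02T10:20:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2023-06-02T10:45:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup-02"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"instanceType": "p3.16xlarge", "maxCount": 4}},
    {"eventTime": "2023-06-02T11:00:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0"},
    {"eventTime": "2023-06-02T11:05:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jane"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0",
     "requestParameters": {"userName": "admin-jane"}},
]}


def hunt(records):
    """Score CloudTrail records against three rules and correlate by source IP.

    Returns every rule hit ("findings"), the source IPs that both used
    S3 Browser and performed IAM persistence ("correlated_ips"), and the
    names of IAM users created in the window ("new_users").
    """
    findings, rules_by_ip, new_users = [], defaultdict(set), []
    for ev in records:
        ip = ev.get("sourceIPAddress", "?")
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        hits = []
        if S3_BROWSER_UA.search(ev.get("userAgent", "")):
            hits.append("s3browser_ua")
        if name in PERSISTENCE_CALLS:
            hits.append("iam_persistence")
            if name == "CreateUser":
                new_users.append(params.get("userName", "?"))
        if name in COMPUTE_CALLS:
            hits.append("ec2_launch")
        for rule in hits:
            findings.append({"rule": rule, "time": ev.get("eventTime"), "ip": ip,
                             "actor": ev.get("userIdentity", {}).get("arn", "?"),
                             "event": name, "target": params.get("userName")})
            rules_by_ip[ip].add(rule)
    # The strong signal: one source IP that both drove S3 Browser and minted
    # new IAM access. A lone CreateAccessKey by an admin from the CLI is noise.
    correlated = sorted(ip for ip, rules in rules_by_ip.items()
                        if {"s3browser_ua", "iam_persistence"} <= rules)
    return {"findings": findings, "correlated_ips": correlated, "new_users": new_users}


if __name__ == "__main__":
    result = hunt(SAMPLE_TRAIL["Records"])
    for f in result["findings"]:
        print(f"{f['time']} {f['rule']:16} {f['ip']:15} {f['event']} {f['target'] or ''}")
    print("correlated source IPs:", result["correlated_ips"])
    print("new IAM users to review:", result["new_users"])
```

Every new IAM user the hunt reports should be checked against the naming convention the attackers are imitating, and the CreateLoginProfile hits against users that never had console access before.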
When discovered, GUI-vil has been known to fight back to keep its access, producing one of the few real-life instances of two live operators racing each other at their keyboards, a scene so commonly portrayed in movies. Ironically, the value of the cryptocurrency mined is often a tiny fraction of the compute bill the victim ends up paying.
EvilExtractor: Windows Information Stealer
Researchers are seeing a rise in attacks using EvilExtractor to exfiltrate user data in Europe and the United States. The malware is an attack tool designed to target Windows systems. Developed and sold by a company called Kodex for $59 per month, it is advertised as an educational tool, but it is promoted primarily to threat actors and boasts seven attack modules, including ransomware, credential extraction, and Windows Defender bypass.
According to Fortinet, the attacks they observed started with a phishing email disguised as an account confirmation request. The email carries a gzip-compressed executable attachment that masquerades as a legitimate file, such as an Adobe PDF or Dropbox file. Opening the attachment begins the infection.
Once the malware is on a victim host, it downloads three additional components. The first extracts cookies from popular browsers such as Google Chrome, Microsoft Edge, Opera, and Firefox; it also collects browsing history and saved passwords from an even broader set of programs. The second is a keylogger that records keystrokes to a file for later exfiltration. The third is a webcam extractor that can activate the webcam, capture video or images, and upload them to the attacker’s FTP server, which Kodex rents out. The malware also exfiltrates many document and media file types from the Desktop and Downloads folders, captures screenshots, and sends all stolen data to its operators.
Once again, as powerful and damaging as this malware is, it relies on phishing for initial access. User vigilance when reviewing email remains the first line of defense, and mail gateways should judge attachments by their actual content rather than by the extension they claim, since the lure here is an executable hiding inside a compressed file named like a document.
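As an added example (not code from Fortinet or from the original article), the check below does what the previous paragraph asks of a mail gateway: it looks past the claimed extension, peels off the gzip layer, and refuses anything that turns out to be a Windows executable. The attachment bytes are constructed stand-ins, not real samples, and the decompression bound is this example’s own safeguard against compression bombs.

```python
"""Content-based attachment check for gzip-wrapped executables (added example)."""
import gzip
import io

GZIP_MAGIC = b"\x1f\x8b"
# Leading-byte signatures for the few types this check needs to tell apart.
SIGNATURES = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"{\\rtf", "rtf")]
# What a claimed extension should look like inside, once any gzip layer is gone.
EXPECTED_BY_EXT = {"pdf": "pdf", "zip": "zip", "rtf": "rtf", "exe": "pe"}


def sniff(data: bytes) -> str:
    """Classify bytes by magic number; the file name is never consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def bounded_gunzip(data: bytes, max_out: int) -> bytes:
    """Decompress one gzip layer but refuse output larger than max_out
    (a few KB of gzip can expand to gigabytes: a decompression bomb)."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        out = gz.read(max_out + 1)
    if len(out) > max_out:
        raise ValueError(f"decompressed size exceeds {max_out} bytes")
    return out


def classify_attachment(filename: str, data: bytes, max_out: int = 50 * 1024 * 1024,
                        max_layers: int = 3) -> dict:
    """Return a verdict dict (block / review / allow) with the reason."""
    claimed = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    payload, layers = data, 0
    try:
        while payload.startswith(GZIP_MAGIC) and layers < max_layers:
            payload = bounded_gunzip(payload, max_out)
            layers += 1
    except (OSError, EOFError, ValueError) as exc:  # gzip.BadGzipFile is an OSError
        return {"verdict": "block", "layers": layers, "inner": None,
                "reason": f"gzip layer unreadable or too large: {exc}"}
    if payload.startswith(GZIP_MAGIC):
        return {"verdict": "block", "layers": layers, "inner": None,
                "reason": f"still compressed after {max_layers} layers"}
    inner = sniff(payload)
    if inner == "pe":
        return {"verdict": "block", "layers": layers, "inner": inner,
                "reason": f"Windows executable delivered as '.{claimed}'"}
    if inner == "unknown":
        return {"verdict": "review", "layers": layers, "inner": inner,
                "reason": "unrecognised content"}
    if claimed in EXPECTED_BY_EXT and EXPECTED_BY_EXT[claimed] != inner:
        return {"verdict": "review", "layers": layers, "inner": inner,
                "reason": f"extension '.{claimed}' does not match {inner} content"}
    return {"verdict": "allow", "layers": layers, "inner": inner, "reason": "content matches"}


# Constructed stand-ins, not real samples: a minimal PE-looking blob and a PDF header.
FAKE_PE = b"MZ" + bytes(62) + b"PE\x00\x00" + b"\x90" * 128
FAKE_PDF = b"%PDF-1.7\n% constructed sample\n%%EOF\n"
LURE = gzip.compress(FAKE_PE)  # what the phishing mail attaches as a "PDF"

if __name__ == "__main__":
    for name, blob in [("Account_Confirmation.pdf", LURE), ("invoice.pdf", FAKE_PDF),
                       ("report.pdf.gz", gzip.compress(FAKE_PDF))]:
        print(name, classify_attachment(name, blob))
```

Sniffing only a couple of magic numbers is deliberate: the decision that matters at the gateway is “is this executable code?”, and the MZ header survives any rename.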
Legion: AWS Credential Harvester and SMTP Hijacker
Researchers recently encountered an emerging Python-based credential harvester and hacking tool named Legion, aimed at exploiting various services for email abuse. The tool is sold via the Telegram messenger app. It includes modules for enumerating vulnerable SMTP servers, conducting remote code execution (RCE), exploiting vulnerable versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, and interacting with Shodan’s API to retrieve a target list, plus additional utilities, most of which involve abusing AWS services.
Initial static analysis shows that the malware includes configuration for integrating with services such as Twilio and Shodan. Telegram support is included as well, with the ability to pipe the results of each module into a Telegram chat via the Telegram Bot API.
The tool uses a number of regular-expression patterns to extract credentials for various web services, including email providers, cloud providers (AWS), server management systems, databases, and payment systems such as Stripe and PayPal. Typically, such a tool is used to hijack those services and turn their infrastructure toward mass spamming or opportunistic phishing campaigns. The malware also includes code to implant web shells, brute-force cPanel or AWS accounts, and send SMS messages to a list of dynamically generated US mobile numbers.
Legion contains several methods for retrieving credentials from misconfigured web servers. Depending on the web server software, scripting language, or framework in use, the malware requests resources known to contain secrets (exposed environment files and framework configuration files, for instance), parses them, and saves the secrets into results files sorted per service. The simplest defense is to keep web servers configured so that such files are never served and to store credentials outside the document root in a secrets manager or a similarly protected location. A single successful response to one of these probes should be treated as a credential compromise, not merely as a scan.
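The detection below is an added example, not code from the original article or from the analysts who described Legion. It parses combined-format access log lines (constructed sample lines embedded in the script) and flags source IPs that probe for secret-bearing paths; the path list is an assumption drawn from the categories the paragraph describes, not a list taken from Legion itself, and the 2xx check singles out the probes that actually returned content.

```python
"""Web-log hunt for secret-file probing (added example, constructed log lines)."""
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMPTION: paths a Legion-style harvester asks for. The article names none;
# these follow the categories it describes (environment files, framework
# configs, VCS and cloud credential files). Extend from your own traffic.
SECRET_PATHS = [
    re.compile(r"(^|/)\.env(\.\w+)?$"),
    re.compile(r"(^|/)\.git/config$"),
    re.compile(r"(^|/)wp-config\.php(\.bak|\.old|~)?$"),
    re.compile(r"(^|/)config\.(php|json|ya?ml)$"),
    re.compile(r"(^|/)\.aws/credentials$"),
    re.compile(r"(^|/)phpinfo\.php$"),
]

# Constructed sample log, not from a real server. One harvester (203.0.113.55),
# one ordinary visitor, one single-shot scanner, and one malformed line.
SAMPLE_LOG = """\
203.0.113.55 - - [05/Jun/2023:09:12:01 +0000] "GET /.env HTTP/1.1" 200 312 "-" "python-requests/2.28.1"
203.0.113.55 - - [05/Jun/2023:09:12:01 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
203.0.113.55 - - [05/Jun/2023:09:12:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 403 199 "-" "python-requests/2.28.1"
203.0.113.55 - - [05/Jun/2023:09:12:02 +0000] "GET /config.json HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
203.0.113.55 - - [05/Jun/2023:09:12:03 +0000] "GET /admin/.env?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.28.1"
198.51.100.20 - - [05/Jun/2023:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jun/2023:09:13:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8801 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2023:09:20:44 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0.1"
this line is not a valid access-log record
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def is_secret_probe(path: str) -> bool:
    return any(p.search(path) for p in SECRET_PATHS)


def summarize(lines):
    """Per source IP: how many secret-bearing paths were requested and which
    of them the server actually served (2xx), i.e. probable leaks."""
    per_ip = defaultdict(lambda: {"probes": 0, "paths": [], "leaked": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_secret_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["leaked"].append(rec["path"])
    return dict(per_ip)


def flag(summary, min_probes=3):
    """IPs worth an alert: a burst of probes (a harvester iterating its list)
    or any probe that returned content (a secret has probably left the box)."""
    return sorted(ip for ip, e in summary.items() if e["probes"] >= min_probes or e["leaked"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip in flag(summary):
        print(ip, "probes:", summary[ip]["probes"], "served:", summary[ip]["leaked"])
```

The “leaked” list is the part to act on: a 200 for /.env means the contents are already in the harvester’s results file, so every credential in that file needs rotating regardless of what else the scan found. Blocking dotfiles and config files in the web server configuration turns those 200s into 403s, but rotation is still required for anything that was served before the fix.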
APT37 ROKRAT Campaigns
North Korean threat group APT37 has been observed changing its methods, recently employing South Korean-themed lures to trick users into downloading malicious files. A recent Check Point Research (CPR) report revealed that the group has shifted to Windows shortcut (LNK) files disguised as legitimate documents to deliver its malware. Previously it relied on malicious Hangul Word Processor (HWP) or Microsoft Word documents containing exploits or macros. This change aligns with a broader trend observed in 2022, when attackers moved to LNK files after Microsoft began blocking macros by default in Office documents downloaded from the internet.
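To show what an analyst looks for in a shortcut that poses as a document, the triage script below is an added example and not code from Check Point Research or from the original article. It parses the fixed 76-byte ShellLinkHeader and the StringData section of the Shell Link (.LNK) format and flags the masquerade traits described above. The two sample shortcuts are built by the script itself (constructed, not real APT37 artifacts); the interpreter list, the icon heuristic, and the size threshold are this example’s assumptions.

```python
"""Triage of Windows shortcut (.LNK) lures (added example, constructed shortcuts)."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the Shell Link format (MS-SHLLINK section 2.1.1).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Read ShellLinkHeader and StringData; skip the optional ID list and
    LinkInfo; report how many bytes follow the parsed structures."""
    try:
        if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
                or data[4:20] != LNK_CLSID:
            raise ValueError("not a Shell Link file")
        flags = struct.unpack_from("<I", data, 20)[0]
        off = 76
        if flags & HAS_ID_LIST:
            off += 2 + struct.unpack_from("<H", data, off)[0]
        if flags & HAS_LINK_INFO:
            off += struct.unpack_from("<I", data, off)[0]  # LinkInfoSize includes itself
        unicode = bool(flags & IS_UNICODE)
        strings = {}
        for bit, key in STRING_FIELDS:
            if flags & bit:
                count = struct.unpack_from("<H", data, off)[0]
                off += 2
                nbytes = count * 2 if unicode else count
                raw = data[off:off + nbytes]
                if len(raw) != nbytes:
                    raise ValueError("truncated StringData")
                strings[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
                off += nbytes
    except struct.error as exc:
        raise ValueError(f"truncated Shell Link: {exc}") from None
    return {"flags": flags, "strings": strings, "parsed_end": off,
            "trailing_bytes": len(data) - off}


# ASSUMPTIONS: what counts as a suspicious target, argument, icon or size.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?\b", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|-nop\b|bypass)", re.I)
DOC_EXTS = (".hwp", ".hwpx", ".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx", ".ppt", ".pptx")
DOC_VIEWER_ICON = re.compile(r"(acrobat|winword|excel|powerpnt|hwp)", re.I)


def triage(filename: str, data: bytes, max_trailing: int = 256 * 1024) -> list:
    """Return the list of reasons this shortcut looks like a document lure."""
    info = parse_lnk(data)
    s = info["strings"]
    rel, args, icon = s.get("relative_path", ""), s.get("arguments", ""), s.get("icon_location", "")
    reasons = []
    stem = filename.lower()
    if stem.endswith(".lnk") and stem[:-4].endswith(DOC_EXTS):
        reasons.append("document-style double extension")
    if INTERPRETERS.search(rel + " " + args):
        reasons.append("target is a script interpreter or living-off-the-land binary")
    if HIDDEN_OR_ENCODED.search(args):
        reasons.append("hidden window, encoded command or policy bypass in arguments")
    m = DOC_VIEWER_ICON.search(icon)
    if m and m.group(1).lower() not in rel.lower():
        reasons.append(f"borrows a document viewer icon ({m.group(1)}) while targeting something else")
    if info["trailing_bytes"] > max_trailing:
        reasons.append(f"{info['trailing_bytes']} bytes after link data: embedded payload likely")
    return reasons


def build_lnk(relative_path="", arguments="", icon_location="", padding=b"") -> bytes:
    """Construct a minimal Unicode .LNK: header, StringData, terminal block, padding."""
    flags, body = IS_UNICODE, b""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    for bit, key in STRING_FIELDS:  # StringData fields must appear in flag order
        value = values.get(key, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body + b"\x00\x00\x00\x00" + padding


# Constructed samples. The base64 blob is a placeholder, not a real command.
SUSPICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-nop -windowstyle hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    icon_location=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    padding=b"\x00" * (300 * 1024))
BENIGN_LNK = build_lnk(relative_path=r"..\..\Windows\notepad.exe")

if __name__ == "__main__":
    for name, blob in [("Seminar_schedule.hwp.lnk", SUSPICIOUS_LNK), ("Notepad.lnk", BENIGN_LNK)]:
        print(name, triage(name, blob) or ["nothing suspicious"])
```

The trailing-bytes figure is the cheapest of these checks and often the most telling: a genuine shortcut is a few hundred bytes, so a shortcut that is hundreds of kilobytes is carrying something the format does not need.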
The group’s main malware, ROKRAT, is designed to infiltrate systems and execute additional payloads to steal sensitive data. It uses cloud infrastructure for command and control (C&C), leveraging services such as Dropbox, pCloud, Yandex Cloud, and even Twitter. ROKRAT also gathers information about the infected machine so that it avoids running on unintended victims.
One reason APT37 has remained successful is its ability to evade detection and analysis. ROKRAT runs in memory, making it difficult to detect, and disguises its C&C traffic as legitimate cloud communication. It also uses multiple layers of encryption to hinder network analysis and evade network signatures. As a result, there is limited public information about ROKRAT; its techniques have made it challenging for security researchers to publish recent findings.
It is crucial for individuals and organizations to remain vigilant and implement robust security measures to protect against evolving cyber threats like APT37. Staying informed about the latest tactics used by threat actors and regularly updating security software are essential steps to safeguarding sensitive information and maintaining a secure digital environment.
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.