Cybersecurity Threats Affecting Businesses in October 2023
Cybersecurity threats are increasing rapidly. As a result, company leaders need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.
Below are the top four threats that emerged over the past month.
Rapid Reset DDoS Attacks
Distributed Denial of Service (DDoS) is one of the oldest and most well-known attack vectors of the internet age. The mechanism is usually simple: commandeer an army of compromised machines and force them to work in unison to overload the target infrastructure with network requests until the network is rendered inoperable. Attacks of this nature date back to as early as 1996, when Panix, a prominent ISP, was brought offline for multiple days in one of the earliest notable cases. Such downtime, even if detected early, can cause hundreds of thousands of dollars in damage to an organization. The scope and prevalence of these attacks have only increased since the 90s, with DDoS attacks affecting major entities such as GitHub in 2018, and Google and AWS in 2020.
Until this year, the record for requests-per-second (RPS) in an attack was around 46 million, set in June 2022 using the tried-and-true HTTPS request method. This is roughly equivalent to the volume of requests a heavily trafficked website like Wikipedia usually receives in a day. More recently, however, mostly unknown threat groups have begun exploiting the vulnerability known as “Rapid Reset” (CVE-2023-44487) to launch attacks that have shattered previous records. Abuse of an HTTP/2 feature called “stream cancellation” enables a request to be sent, then immediately cancelled before being re-sent, leading to significantly more voluminous DDoS attacks. Cloudflare, Google, and Amazon have all observed such attacks in recent months, with requests peaking at 398 million RPS, setting a new record.
With this exploit, DDoS attacks have become more frequent and accessible, with some now requiring botnets of only 50k machines or fewer, compared to the usual 100k+ of the past. Because DDoS has been in the wild for so long and is one-dimensional in nature, defenses against it are robust, and most of these attacks have not inflicted much harm. To further fortify against this new threat, organizations should give extra scrutiny to any assets and services with HTTP/2 capability and apply all vendor patches for CVE-2023-44487 as soon as they become available.
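The distinguishing signal of a Rapid Reset flood is a client that opens streams and cancels them almost immediately, over and over, on the same connection. The following added example (not code from the original post or from any of the vendors named above) shows the kind of per-connection check a defender can run: a sliding-window counter of RST_STREAM frames relative to the streams opened in the same window. The event tuples, the connection names and the thresholds are constructed for illustration, not taken from a real capture.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed HTTP/2 frame events: (timestamp, connection, frame, stream id).

    conn-A is a normal client (20 requests over 10 s, one legitimate cancel).
    conn-B shows the Rapid Reset pattern: 500 streams opened and cancelled
    within roughly 100 ms. None of this is real traffic.
    """
    events = []
    for i in range(20):
        events.append((i * 0.5, "conn-A", "HEADERS", 2 * i + 1))
    events.append((3.1, "conn-A", "RST_STREAM", 7))
    for i in range(500):
        sid = 2 * i + 1
        t = 1.0 + i * 0.0002
        events.append((t, "conn-B", "HEADERS", sid))
        events.append((t + 0.00005, "conn-B", "RST_STREAM", sid))
    events.sort(key=lambda e: e[0])
    return events

class RapidResetDetector:
    """Per-connection sliding-window counter of client-initiated stream resets.

    A connection is flagged when, within `window` seconds, it has sent at
    least `min_resets` RST_STREAM frames and at least `min_ratio` of the
    streams it opened in that window were cancelled. The defaults are
    illustrative thresholds, not vendor-recommended values.
    """

    def __init__(self, window=1.0, min_resets=100, min_ratio=0.5):
        self.window = window
        self.min_resets = min_resets
        self.min_ratio = min_ratio
        self.headers = defaultdict(deque)   # conn -> timestamps of HEADERS
        self.resets = defaultdict(deque)    # conn -> timestamps of RST_STREAM
        self.flagged = {}                   # conn -> (ts, opened, cancelled)

    def _expire(self, dq, now):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, conn, frame, stream_id):
        """Feed one frame event; returns the connection name if it is flagged."""
        if frame == "HEADERS":
            self.headers[conn].append(ts)
        elif frame == "RST_STREAM":
            self.resets[conn].append(ts)
        else:
            return None
        self._expire(self.headers[conn], ts)
        self._expire(self.resets[conn], ts)
        n_open = len(self.headers[conn])
        n_reset = len(self.resets[conn])
        if n_reset >= self.min_resets and n_open and n_reset / n_open >= self.min_ratio:
            # Record the first moment the connection crossed the threshold.
            self.flagged.setdefault(conn, (ts, n_open, n_reset))
            return conn
        return None

def detect(events, **thresholds):
    """Run the detector over a whole event list and return flagged connections."""
    det = RapidResetDetector(**thresholds)
    for ev in events:
        det.observe(*ev)
    return det.flagged

if __name__ == "__main__":
    for conn, (ts, opened, cancelled) in detect(build_sample_events()).items():
        print(f"{conn}: flagged at t={ts:.4f}s, {cancelled}/{opened} streams cancelled")
```

In production the same counter would sit in the HTTP/2 server or proxy and feed a per-connection action (close the connection or reduce its concurrent-stream limit) rather than just a report; the ratio test keeps a busy but honest client, which opens many streams and cancels few, from being caught by the absolute reset count alone.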
Open Source SapphireStealer
An info stealer called SapphireStealer has recently gone open-source and spread across public malware repositories. Given the increasing prevalence of info stealers across the threat landscape, the open-source nature of SapphireStealer, and the capabilities it offers, it is likely that SapphireStealer will continue to grow in prevalence. Info stealers are effective tools that frequently target passwords, corporate account credentials, access tokens, and other forms of data that can be leveraged to compromise networks or accounts.
SapphireStealer primarily targets browser credential databases (like those in Chrome, Safari, etc.) and other files that are likely to contain sensitive information. Host info, screenshots, browser credential caches, and files with chosen extensions are all targeted specifically.
Upon execution, the malware first looks for running browsers (chrome, yandex, msedge, or opera) and terminates every one it finds. Next it uses Chromium.Get() to look for various browser database file directories in AppData or LocalAppData, with a hardcoded list of paths to check for credential databases. Among the locations it checks are those for Epic Privacy, CentBrowser, Brave, Amigo, and the browsers above. It creates a working directory under %TEMP%\Sapphire\Work to stage the data for exfil, dumping the databases there under “Passwords.txt”. Next it tries to take a screenshot, saving it as Screenshot.png, creates a subdirectory called “Files,” and executes a file grabber. This grabber looks for any files within the “Desktop” folder that match a list of extensions, including .txt, .pdf, .doc, .xml, etc., and compiles them into log.zip.
All of this is then sent back to the attacker via SMTP, using credentials embedded in the portion of the code that creates and sends the message. Host info such as IP address, hostname, screen resolution, OS version, and CPU architecture is included. After this, the working directory is deleted and the process ends.
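The behaviour described above leaves a recognisable trail on the host: browser processes killed, files named Passwords.txt, Screenshot.png and log.zip created under %TEMP%\Sapphire\Work, and an outbound SMTP connection from the same process. The following added example (not code from the original post or from the stealer's repository) correlates those indicators per process over a small set of constructed Sysmon-style events. The event records, process IDs, paths and host names are made up for illustration; the "by_pid" field on the ProcessTerminate record is an assumption, since Sysmon itself does not record which process issued a kill (an EDR agent might).

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry in a Sysmon-like shape; not real log records.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\update.exe"},
    # "by_pid" is assumed telemetry: Sysmon does not attribute terminations.
    {"type": "ProcessTerminate", "pid": 2210, "by_pid": 4120,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"type": "FileCreate", "pid": 4120,
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\Sapphire\\Work\\Passwords.txt"},
    {"type": "FileCreate", "pid": 4120,
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\Sapphire\\Work\\Screenshot.png"},
    {"type": "FileCreate", "pid": 4120,
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\Sapphire\\Work\\Files\\log.zip"},
    {"type": "NetworkConnect", "pid": 4120, "dst": "smtp.example.net", "dst_port": 587},
    # Benign activity that must not alert: a mail client using SMTP submission.
    {"type": "ProcessCreate", "pid": 5000, "image": "C:\\Program Files\\Mail\\mail.exe"},
    {"type": "NetworkConnect", "pid": 5000, "dst": "smtp.example.net", "dst_port": 587},
]

BROWSERS = {"chrome.exe", "yandex.exe", "msedge.exe", "opera.exe"}
STAGING_DIR = re.compile(r"\\temp\\sapphire\\work\\", re.IGNORECASE)
STAGED_NAMES = {"passwords.txt", "screenshot.png", "log.zip"}
SMTP_PORTS = {25, 465, 587}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Collect per-process indicators from the event stream."""
    per_pid = defaultdict(lambda: {"image": None, "browser_kill": 0,
                                   "staged": set(), "smtp": False})
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            per_pid[ev["pid"]]["image"] = ev["image"]
        elif kind == "ProcessTerminate":
            killer = ev.get("by_pid")
            if killer is not None and _basename(ev["image"]) in BROWSERS:
                per_pid[killer]["browser_kill"] += 1
        elif kind == "FileCreate":
            if STAGING_DIR.search(ev["path"]):
                per_pid[ev["pid"]]["staged"].add(_basename(ev["path"]))
        elif kind == "NetworkConnect":
            if ev["dst_port"] in SMTP_PORTS:
                per_pid[ev["pid"]]["smtp"] = True
    return per_pid

def alerts(events):
    """PIDs that staged data under the Sapphire working directory and then
    either killed a browser or opened an SMTP connection."""
    hits = []
    for pid, ind in analyze(events).items():
        if ind["staged"] and (ind["smtp"] or ind["browser_kill"]):
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    for pid in alerts(SAMPLE_EVENTS):
        ind = analyze(SAMPLE_EVENTS)[pid]
        print(f"pid {pid} ({ind['image']}): staged={sorted(ind['staged'])}, "
              f"browser_kill={ind['browser_kill']}, smtp={ind['smtp']}")
```

The staging-directory match alone is a strong indicator, but requiring a second behaviour (browser termination or SMTP egress) from the same process keeps a stray file with a similar path from paging an analyst, and the SMTP-only mail client in the sample shows why port 587 by itself is not enough.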
Being open-source, there is now a continuous, concerted effort among organizations to improve the functionality of this stealer, which will eventually turn it into an even more formidable tool. It has already been extended with other exfil methods, including Discord and Telegram.
As always, however, the stealer itself must infiltrate a target system. The most common method for the stealer’s delivery remains phishing, which can be prevented through proper cyber hygiene and awareness/training.
Multi-Stage Phishing Campaign
In August, FortiGuard Labs uncovered a sophisticated cyberattack. It began with a malicious Word document sent via phishing emails, containing a deceptive URL, a blurred image, and a fake reCAPTCHA to lure victims. Clicking on the document activated a malicious link, prompting victims to download a malware loader that used binary padding to increase its size to 400 MB. The loader decrypted resource data, established persistence via the system’s startup directory, and delivered various malicious payloads.
Three different tools are loaded onto the victim’s machine. The first is RedLine Clipper, also known as ClipBanker, which specializes in stealing cryptocurrencies by manipulating clipboard activity. It continually monitors the clipboard for a copied cryptocurrency wallet address; when one is detected, the malware silently replaces it with the attacker’s wallet address.
Next is Agent Tesla, named “COPPER.exe”. It logs keystrokes, accesses the clipboard, and transmits data to a Command and Control (C2) server. It ensures persistence by copying itself to specified locations and configuring an auto-run entry in the registry. It also compiles a list of specified software, using SMTP as its C2 protocol.
Lastly is OriginBotnet, stored as “david.exe”. It collects data, communicates with a C2 server using TripleDES encryption, and executes various commands, including downloading files and loading plugins. Keylogger and PasswordRecovery plugins record keystrokes, monitor user activities, and retrieve credentials.
Overall, this campaign displayed sophistication and complexity, employing phishing, multiple malware stages, and advanced evasion techniques to persist on compromised systems.
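The loader's 400 MB binary padding is an evasion aimed at file-size limits in scanners and sandboxes, and it is cheap to spot: a padded file is mostly one filler byte. The following added example (not code from the original post or from FortiGuard Labs) is a triage heuristic that measures the null-byte fraction and the length of the trailing run of identical bytes in a buffer. The sample buffers are constructed in memory (random bytes standing in for a real payload, followed by a run of zeros); the 1 MB size floor is an illustrative default, chosen small so the example runs quickly, where a production rule would sit far higher.

```python
import os

def null_byte_ratio(data):
    """Fraction of bytes in the buffer that are 0x00."""
    if not data:
        return 0.0
    return data.count(0) / len(data)

def trailing_run_length(data):
    """Length of the run of identical bytes at the end of the buffer.

    rstrip() with a one-byte argument removes exactly that byte value from the
    end, so the difference in length is the run length.
    """
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))

def looks_padded(data, min_size=1_000_000, min_ratio=0.6):
    """Heuristic: a file at or above `min_size` bytes whose bulk is either
    null bytes or a single trailing filler run is treated as padded."""
    if len(data) < min_size:
        return False
    bulk = max(null_byte_ratio(data), trailing_run_length(data) / len(data))
    return bulk >= min_ratio

def triage(data, **thresholds):
    """Summary record an analyst can log or feed into a scoring rule."""
    return {
        "size": len(data),
        "null_ratio": round(null_byte_ratio(data), 4),
        "trailing_run": trailing_run_length(data),
        "padded": looks_padded(data, **thresholds),
    }

# Constructed samples: 64 KB of random bytes stands in for a real payload.
PAYLOAD = os.urandom(64 * 1024)
PADDED_SAMPLE = PAYLOAD + b"\x00" * (2 * 1024 * 1024)   # inflated with zeros
UNPADDED_SAMPLE = os.urandom(2 * 1024 * 1024)           # same size, no filler

if __name__ == "__main__":
    for name, buf in (("padded", PADDED_SAMPLE), ("unpadded", UNPADDED_SAMPLE)):
        print(name, triage(buf))
```

Padding is not always zeros, which is why the trailing-run measure is kept alongside the null-byte ratio; a loader padded with 0xFF or a repeated string still shows a long uniform tail. For an on-disk sample, read the file in binary mode and pass the bytes to triage().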
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.