Five Cybersecurity Threats Affecting Businesses in March 2023
Cybersecurity threats are increasing rapidly. As a result, companies need to be more aware of potential deficiencies in their overall cybersecurity strategy. Threat hunt queries, offered as part of Marcum Technology’s SOC services, are key to identifying potential threats in an organization’s environment.
Below are the top five threats that emerged over the past month.
Silver as Malware
Penetration testing tools Cobalt Strike, Metasploit, and now Silver – an open-source tool developed in the Go language – are being used by Threat actors to attack targets with unpatched vulnerabilities or misconfigured settings. These tools are normally used legitimately to check for network and endpoint vulnerabilities to improve security. Unfortunately, Sliver is now being used to create a backdoor by exploiting certain software and allowing BYOVD (Bring Your Own Vulnerable Driver) malware to be used to install reverse shells and circumvent security software.
Sliver is favored by some threat actors because it is less likely to be detected by security products than alternatives like Cobalt Strike. Its features are typical of backdoors and RAT malware, allowing it to take screenshots, execute commands, upload and/or download files, and process or handle them. It also offers the ability to execute privilege escalation, lateral movement, and process memory dumps. To evade network detection, it supports mTLS, WireGuard, HTTP(S), and DNS to communicate with a C2 server using encryption of network communication.
With unpatched targets most vulnerable, a proper threat and vulnerability management program will help mitigate most of the risk these programs pose by keeping systems and networks up-to-date. An appropriate penetration test by a reputable company will also assist in finding misconfigured software, open ports, and depreciated protocols that should be remedied for a healthy network system.
A new ransomware campaign called TZW has been observed primarily affecting organizations in South Korea. The campaign is associated with the well-known malware family GlobeImposter, implying that the people behind GlobeImposter are rebranding and upgrading their payloads to conceal their identities and avoid detection.
On an infected PC, the version details of the new variant will be labeled “System Boot Info,” to masquerade as a standard program file related to boot information. The file encryption procedure consists of two threads: one that encrypts shared files and one that encrypts the local environment. All folders are encrypted, except for the Windows folder, and disk shadows are erased after encryption to prevent system recovery. The ransom note appears as ‘ReadMe.txt’ in the place where the files were encrypted and the “CRYPTO LOCKER” string is added to the end of the encrypted files.
This is yet another example of a dynamic, ever-evolving family of malware and underscores the importance of strong security controls in combination with effective security tools. In combination, these solutions detect potentially problematic behaviors rather than just static indicators.
Recently, there have been Excel documents in the wild written in the Microsoft OLE Compound File format that contain malicious VBA Macros. There are different versions of the spreadsheet, but they all belong to the same campaign which cryptojacks systems and exploits them. For the unfamiliar, cryptojacking is the hijacking of a computer to use it to mine for the cryptocurrency, in this case Monero (XMR). The campaign appears to only target Spanish speakers at this time, as all the content in the malicious documents is written in Spanish.
By opening the Excel document, the crypto miner software infects the victim’s system, prevents its code from being analyzed, gains persistence and begins executing the Monero miner-XMrig through process hollowing. Able to support multiple algorithms, the miner is a high-performance, cross-platform-capable open-source software package. It can utilize both the CPU and GPU for mining purposes. Splitting the load in this way will, in addition to allowing for more and faster mining, potentially aids the malware in remaining undetected by the user.
As these are documents that are being transmitted either as attachments or as links within phishing emails, the first line of defense is data sanitization. Next, ensuring that macros are disabled on Microsoft Office products through group policy provides a technical control and will not prevent employees within the organization from being productive. The last line of defense is properly educated users. Training users to scrutinize attachments and embedded links can help prevent the threat actor to gain a foothold.
Mac Ransomware Techniques
Ransomware remains one of the most lucrative, prevalent, and devastating methods for attacking organizations globally. With constantly evolving techniques, and the prevalence of Apple computers in the workforce now, the long-anticipated mass targeting of macOS systems has come to fruition.
- File enumeration, the first step post-access, is used by an attacker to decide which files to target. The find utility is a common Unix utility used to search for files, and by attackers with FileCoder and MacRansom with the output passed as an argument to the encryption binary. FileCoder searches in /Volumes and the current user’s directory. MacRansom looks for files larger than 8 bytes.
- Opendir, readdir, and closedir are used by KeRanger and Evilquest to get directory and file listings. The NSFileManager class is also shown via open-source proofs of concept to be usable via Objective-C functions and scripts. Gopher POC then uses the technique to retrieve .docx files from the User’s Documents directory.
- The MAC OUI (organizational unique identifier) of the en0 interface is checked by EvilQuest to determine whether it’s on a VM or not.
- Persistence is achieved with Launch Agents and Daemons, using a .plist. These files are specific to macOS and specify program configs and properties. EvilQuest can make both Launch Agents and Daemons, while MacRansom seems to stick to Agents.
- Kernel queues provide notifications based on set events or conditions being met. In the case of EvilQuest, this is used to restore itself if it is notified that files on the monitoring list were modified.
Now that attackers see it worth the time and effort to pursue Apple machines, the risks have become severe for Mac users.
Infostealers Distributed via Fake Crypto Job Offers
A campaign out of Russia has been observed using fake job offerings targeting Eastern Europeans in the cryptocurrency industry. Starting with an email appearing to be a job offer with fake crypto interview materials, a .rar archive is attached containing “interview questions.txt” and “interview conditions.word.exe.” The .txt contains interview questions in Cyrillic, which appear legitimate. If the victim launches the executable, a chain of payloads eventually downloads Enigma from Telegram.
The second-stage payload is interesting in that it abuses the “Bring Your Own Vulnerable Driver” technique to exploit Intel’s CVE-2015-2291, executing commands with Kernel privileges and disabling Defender. Stage 3 downloads Enigma Stealer. Sysinfo, passwords, tokens, info in Outlook, Signal, etc. are all targeted. Stolen data is then compressed in a .zip and sent back via Telegram. Various indicators such as the OS and timezone settings on the logging servers point to Russian origin.
As always, phishing can be defeated with proper training and awareness.
If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.