Cyber Pulse: Edition 171 | 18 January 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Threat group targets cryptocurrency start-ups

Kaspersky researchers have uncovered a series of attacks by an advanced persistent threat (APT) actor against small- and medium-sized companies worldwide, resulting in major cryptocurrency losses for the victims. BlueNoroff, an APT group that's part of the larger Lazarus Group associated with North Korea, is behind the attacks.

The campaign, dubbed SnatchCrypto, is aimed at various companies that, by the nature of their work, deal with cryptocurrencies and smart contracts, decentralised finance (DeFi), blockchain, and the FinTech industry. These companies were targeted for a reason, they said: Start-ups often receive messages and documents from unfamiliar senders.

"As most cryptocurrency businesses are small- or medium-sized start-ups, they cannot invest lots of money into their internal security system," researchers wrote in a blog post. "The actor understands this and takes advantage by using elaborate social engineering schemes."

In this campaign, the attackers attempt to manipulate the victim by pretending to be an existing venture capital firm. Researchers saw the names of more than 15 venture businesses used in these attacks but believe the actual organisations have nothing to do with the threat.

The malware sends the target's general information and PowerShell agent to the attackers, creating a backdoor. From there, BlueNoroff deploys additional tools, including a keylogger and screenshot taker, to monitor victims. After weeks or months of tracking, the attackers find a prominent target and use the data they've collected to steal large amounts of cryptocurrency from them.

Developers targeted using debugging tool dnSpy

Nobody is safe from cyberattacks – this was once again proven by threat actors as they conducted a malware campaign against developers and researchers. The campaign disseminated a trojanised version of the dnSpy .NET app. dnSpy is a renowned debugger and .NET assembly editor utilised to debug, decompile, and alter .NET programs. This application is typically used while examining .NET software and malware. The software is not in active development anymore, however, the original source code and a new actively developed version are available on GitHub.

This new marketing campaign was found by safety researchers 0day fanatic and MalwareHunterTeam who noticed the malicious dnSpy. This installs a cocktail of malware, together with clipboard hijackers, to steal cryptocurrency, the Quasar distant entry trojan, a miner, and quite a lot of unknown payloads.

Attacks on cybersecurity developers and researchers are not new and are increasing in intensity. In such attacks, the bad actors mostly aim to steal undisclosed bugs and source codes, as well as gain access to confidential networks. They need to be cautious of malicious clones of famous projects, which install malware on their devices. Presently, both the GitHub repository and the associated website are shut down. However, the risk of possible clones for projects remains. This current campaign poses a grave risk as it deploys a variety of payloads that can have severe consequences for victims.

Amazon fixes security flaw in AWS Glue and AWS CloudFormation service

Amazon Web Services (AWS) has fixed two flaws affecting AWS Glue and AWS CloudFormation.

The bug in AWS Glue could allow an attacker using the service to create resources and access data of other AWS Glue customers, according to Orca Security. Orca researchers say it was due to an internal misconfiguration within AWS Glue, which AWS today confirmed it has since fixed. Glue, which launched in 2017, is a managed serverless data integration service for connecting large databases, allowing developers to extract, transform and load (ETL) for machine-learning jobs. AWS said in a statement that Glue customers don't need to update systems and emphasised the bug could not have affected AWS customers who don't use Glue.

"Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the AWS Glue service," AWS said. 

Orca found a second bug in AWS that allowed an attacker to compromise a server within CloudFormation in a way that lets them run as an AWS infrastructure service. AWS customers can use CloudFormation to provision and manage cloud resources. The company identified an XML external entity injection (XXE) vulnerability that allowed it to read files and perform web requests on behalf of the server. The flaw could be used by an attacker to gain "privileged access to any resource in AWS," according to Orca. AWS has also remediated this flaw, according to Orca.  

Misconfigured Docker port leads to rise in Linux security threats

Linux-based systems are everywhere and are a core part of the internet infrastructure, but it's low-powered Internet of Things (IoT) devices that have become the main target for Linux malware. With billions of internet-connected devices like cars, fridges and network devices online, IoT devices have become a prime target for certain malware activity – namely distributed denial of service (DDoS) attacks, where junk traffic aim to flood a target and knock them offline.

Security vendor CrowdStrike says in a new report that the most prevalent Linux-based malware families in 2021 were XorDDoS, Mirai and Mozi, which collectively accounted for 22% of all Linux-based IoT malware that year. These were also a main driver of malware targeting all Linux-based systems, which grew 35% in 2021 compared with 2020. 

More recently, XorDDoS began targeting misconfigured Docker clusters in the cloud rather than its historical targets such as routers and internet-connected smart devices. Docker containers are attractive for cryptocurrency mining malware because they provide more bandwidth, CPU and memory but DDoS malware benefits from IoT devices because they provide more network protocols to abuse. However, since many IoT devices are already infected, Docker clusters became an alternative target. According to CrowdStrike, some XorDDoS variants are built to scan and search for Docker servers with the 2375 port open, offering an unencrypted Docker socket and remote root passwordless access to the host. This can give the attacker root access to the machine. XorDDoS malware samples have increased by almost 123% in 2021 compared to 2020. 

Critical SAP vulnerability disclosed

Critical vulnerability addressed recently in SAP NetWeaver AS ABAP and ABAP Platform could be abused to set up supply chain attacks, SAP security solutions provider SecurityBridge warns. Tracked as CVE-2021-38178 and featuring a CVSS score of 9.1, the critical vulnerability was addressed on the October 2021 SAP Patch Day. Described as an improper authorisation issue, the security error allows an attacker to tamper with transport requests, thus bypassing quality gates and transferring code artifacts to production systems.

However, SecurityBridge discovered that standard SAP deployments include a program that does allow employees with specific authorisation levels to change the header attributes of SAP transport requests. Because of that, an attacker or a malicious insider with sufficient permissions on a compromised system has a window of opportunity between the export of transport requests and their import into production units, when they could change the release status from ”Released” to ”Modifiable.” A transport request can be tampered with after it has passed all quality gates, and the attacker could add a payload to be executed after import into a target system, thus opening the door to supply chain attacks.

Newly found Sysjoker backdoor targets Windows, Linux and Mac devices

A previously undocumented malware has been uncovered by researchers. Called SysJoker, the backdoor is written in C++ and targets Windows, Linux and Mac systems. According to Intezer, the SysJoker malware was first spotted in December 2021. The malware is uploaded to VirusTotal with the suffix .ts that is used for TypeScript files and is possibly distributed via an infected npm package. 

Researchers claim that the attackers behind SysJoker are pretty much active and infecting machines. The development comes following the frequent changes observed in the C2 server used by the operators. Furthermore, based on victimology and malware behaviour, researchers assess that SysJoker is after specific targets. Its behavior is similar for all three operating systems, with the exception of the use of a first-stage dropper in the Windows version. 

Once it finds a target, SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. It uses Living off the Land (LotL) commands to gather system information such as mac address, usernames, physical media serial number, and IP address.

Users or admins can use memory scanners to detect SysJoker payload in memory.

Microsoft warn of data-wiping malware

Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organisations in Ukraine. Microsoft calls this new malware family 'WhisperGate' and explains in a report that it is conducted through two different destructive malware components.

The first component, named stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folders that overwrites the Master Boot Record to display a ransom note. An MBR locker is a program that replaces the 'master boot record', a location on a computer's hard drive that contains information on disk partitions and a small executable that is used to load the operating system. MBR lockers replace the loader in the master boot record with a program that commonly encrypts the partition table and displays a ransom note. This prevents the operating system from loading and data from being accessible until a ransom is paid and a decryption key is obtained.

The second component, named stage2.exe, is executed simultaneously to download a data-destroying malware named Tbopbh.jpg hosted on Discord that overwrites targeted files with static data.

"If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB), after overwriting the contents, the destructor renames each file with a seemingly random four-byte extension," says Microsoft.

As neither of the two malware components offer means to enter decryption keys to restore the original Master Boot Record and as the files are overwritten with static undecryptable data, Microsoft classifies this as a destructive attack rather than one used to generate a ransom payment.

Evolving crypto mining campaigns

A cryptomining campaign has been ongoing for years and is continuously evolving defence evasion tactics to stay undetected. The campaign is named Autom, owing to the shell script that started the attack. According to researchers, the campaign has been ongoing for the past three years and evolved to stay hidden. It was first detected in 2019 and since then 84 attacks have been discovered using the same shell script. In 2020, cybercriminals were evading defence by bypassing security features and then started using an obfuscating script in 2021. Attackers launched at least 125 attacks only in the third quarter of 2021.

The early attacks of the campaign in 2019 had no special obfuscating techniques, which it later developed. The malware can disable security mechanisms and obtain an obfuscated mining shell script that was Base64-encoded around five times to avoid security tools. Further, the attacker added concealment capabilities involving downloading log_rotate[.]bin script to launch cryptomining activity by creating a new cron job to start mining every 55 minutes. Threat actors driving the Autom campaign have displayed a high level of expertise in launching attacks while staying under the radar. Security teams must up their guards before such threats infect them.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.