Weekly Cyber Reports

This Week in Cyber 14th July 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 13th July, 2023


Foreign-Backed Cyber Attack Detected: New Espionage Campaign Targets U.S. Organizations

A joint cybersecurity advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) has revealed a foreign-backed espionage campaign targeting a range of organizations. The campaign came to light after an unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected suspicious email activity in its Microsoft 365 (M365) cloud environment in mid-June 2023. Microsoft subsequently confirmed that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data. The affected organizations include the U.S. State Department and Commerce Department, as well as the email accounts of a congressional staffer, a U.S. human rights advocate, and U.S. think tanks. While the origin of the attack has not been officially disclosed, Microsoft has attributed the campaign to a threat actor known as Storm-0558, which primarily targets government agencies in Western Europe. The attack involved forged authentication tokens and the use of custom malware tools named Bling and Cigril.

Rising TrueBot Malware Attacks Prompt Alarm from Cybersecurity Agencies

Cybersecurity agencies have issued warnings about new variants of the TrueBot malware, which are now specifically targeting companies in the United States and Canada. These attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. By leveraging this vulnerability, unauthorized attackers can execute malicious code with elevated privileges, giving them unrestricted access to compromised systems. The TrueBot malware, associated with the cybercriminal groups Silence and FIN11, is being deployed to extract sensitive data and spread ransomware, posing a significant threat to infiltrated networks. The attackers first exploit the vulnerability to gain initial access and then install TrueBot. They escalate their privileges by installing the FlawedGrace Remote Access Trojan (RAT) and establish persistence on compromised systems. They use Cobalt Strike beacons for post-exploitation tasks, including data theft and the installation of ransomware or other malware payloads. Unlike previous versions, the updated TrueBot malware leverages CVE-2022-31199 instead of relying on malicious email attachments, enabling broader attacks within infiltrated environments. Notably, the Netwrix Auditor software is used by over 13,000 organizations worldwide. The advisory urges organizations to promptly implement the recommended security measures: installing the necessary updates to mitigate the vulnerability, deploying multi-factor authentication (MFA), actively monitoring networks for signs of TrueBot infection, and reporting any incidents to the appropriate authorities.


RedEnergy: A Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors

A sophisticated ransomware threat called RedEnergy has been discovered targeting the energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The .NET malware can steal information from browsers, exfiltrate sensitive data, and carry out ransomware activities. The attackers aim to combine data theft with encryption to cause maximum harm to victims. The attack begins with a campaign known as FakeUpdates, which tricks users into downloading JavaScript-based malware disguised as web browser updates. What makes this attack unique is the use of legitimate LinkedIn pages to redirect users to a fake landing page, where they are prompted to update their web browser, resulting in the download of a malicious executable. Once the breach is successful, the malware establishes persistence, updates the browser, and deploys a stealer to harvest sensitive information and encrypt files. Zscaler observed suspicious FTP connections, suggesting that valuable data is being exfiltrated. In the final stage, RedEnergy's ransomware encrypts the user's data, deletes backups, and leaves a ransom note demanding a payment of 0.005 BTC (about $151). RedEnergy represents an evolution in the cybercrime landscape, combining the functionality of a stealer with that of ransomware. Users and organizations are advised to exercise caution when accessing websites, especially those linked from LinkedIn profiles, to verify browser updates, and to avoid unexpected file downloads in order to protect against such campaigns.


Privacy Threat: Spyware Apps Target 1.5 Million Android Users

Two file management apps on the Google Play Store have been identified as spyware, putting the privacy and security of 1.5 million Android users at risk. Pradeo, a mobile security company, made the discovery, revealing that the apps named File Recovery and Data Recovery (com.spot.music.filedate) and File Manager (com.file.box.master.gkd) are developed by the same group. Despite their claims on the Google Play Store that no data is collected, these apps behave deceptively and secretly collect a range of personal information without user consent. Contact lists, media files, real-time location, device details, and more are stolen and sent to malicious servers operated by foreign threat actors. Furthermore, these spyware apps employ tactics to appear legitimate and evade detection, such as artificially inflating their download numbers and hiding their icons on the home screen. Pradeo advises individuals to exercise caution when downloading apps and to read and understand the permissions requested, and advises businesses to educate employees about mobile threats and implement robust mobile detection and response systems. This incident underscores the ongoing battle between cybersecurity experts and malicious actors, highlighting the need for users to stay vigilant and rely on trusted sources for software.
