Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Mac Infostealer Advertised on Telegram
Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered a Telegram channel advertising a new infostealer which is particularly aimed at Mac users. Despite all evidence to the contrary - and yes, there is some merit to the argument that the Mac's UNIX-derived security architecture is simpler and more mature than that of Windows - there is still a large range of MacOS malware out there, including MacStealer, RustBucket, DazzleSpy and others.
The new stealer, which its authors christened Atomic MacOS Stealer (AMOS), is continually being improved and extended with new capabilities. AMOS can steal a variety of information from an infected machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the user's MacOS password. Even more worryingly, it targets multiple browsers and can extract auto-fill strings - including passwords - cookies and credit card information. It also attacks cryptowallets such as Atomic, Binance, Coinomi and Electrum.
Customers who sign up for the stealer - at the bargain price of $US1000/month - are provided with a web dashboard for managing their attacks, meta mask brute forcing for stealing seeds and private keys, a crypto checker and DMG (disk image file) installer, which can be used to trick victims into installing the malware.
Uncredited, Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram, blog post, 26 April 2023. Available online at https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/.
WithSecure Detects Veeam Backup Vulnerability Exploitation in the Wild
Researchers at WithSecure - formerly the Finnish security firm F-Secure for Business - have identified attacks against Internet-accessible servers which run Veeam Backup and Replication software. The attacks possibly exploited a recently-patched vulnerability, CVE-2023-27532, which allows the theft of credentials from the Veeam configuration database.
The activity was initially observed on 28 March 2023, when an SQL server process, sqlservr.exe, related to the Veeam Backup instance, executed a shell command to perform a download and in-memory execution of a PowerShell script. The script turned out to be a loader called POWERTRASH, written in obfuscated PowerShell code, attributed to the long-standing FIN7 malware group. This loader then executed its payload through the reflective PE injection technique, with filenames that also adhered to FIN7's naming conventions.
(The FIN7 group has been around for many years, using a variety of techniques, such as mailing malware-infected USB keys with supporting documentation, to commit financially-motivated cybercrime. Although three of their members were arrested in 2018, this does not seem to have slowed their activities significantly.)
The threat actor then used a number of commands, such as netstat, tasklist and ipconfig, as well as custom scripts to enumerate system and network information. A number of SQL commands were also used to steal information from the Veeam backup database, including stored passwords. From there, a custom PowerShell script was used to gather further system information via the Windows Management Interface (WMI) API - again, a favourite tactic of FIN7.
Following this, persistence was achieved by creating a registry entry to execute DICELOADER on each system restart. This was followed by lateral movement, using remote WMI method invocations and net share commands, and an attempt to install another backdoor, probably a Cobalt Strike beacon.
The attack illustrates the dangers of leaving the Veeam port (TCP port 9401) publicly exposed, so the obvious mitigation is to close that at the firewall. And obviously, reactive patching will fix the vulnerability that was likely used by the attackers.
Singh, Neeraj and Mohammad Kazem Nejad, FIN7 tradecraft seen in attacks against Veeam backup servers, blog post, 26 April 2023. Available online at https://labs.withsecure.com/publications/fin7-target-veeam-servers.
Rapture Ransomware Analysis
Sticking with the theme of Powershell scripts being used in attacks: Trend Micro researchers provide an interesting analysis of a new ransomware variant they dub Rapture, primarily on account of its code similarities to the earlier Paradise ransomware.
This ransomware infection chain takes around three to five days, during which its operators inspect firewall policies, check the target PowerShell version and check for vulnerable Log4j applications. If all of this checks out, they then download and execute a PowerShell script to install Cobalt Strike onto the target system. From there, they will further penetrate the target network, using a unique method of privilege elevation to download and install an encrypted Cobalt Strike beacon payload from their C2 infrastructure. This then connects to the same C2 server in order to perform its ransomware activities.
The Trend Micro blog post provides full details, as well as a useful list of suggested mitigations.
Ladores, Don Ovid, Ian Kenefick and Earle Maui Earnshaw, Rapture, a Ransomware Family With Similarities to Paradise, blog post, 28 April 2023. Available online at https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.