Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

 Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data.

The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts.

The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe.

"They focus on espionage, data theft, and credential access," Microsoft said. "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access."

The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company.

Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the organizations and agencies affected and the number of accounts that may have been hacked.

However, according to the Washington Post, the attackers also broke into a number of unclassified U.S. email accounts.

The access to customer email accounts, per Redmond, was facilitated through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.

"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com," it explained. "MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems."

"The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."

There is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.

"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," Charlie Bell, executive vice president of Microsoft Security, said.

The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks mounted by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) targeting the U.S.

Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting

 Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis.

"Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said"If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million."

In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of VidiLook, which pays users VDL tokens in return for watching digital ads that then can be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops.

The development, following a decline in ransomware revenues in 2022, marks a reversal of sorts, with Chainalysis attributing it to the return of big game hunting after a downturn last year and the increasing number of successful small attacks carried by groups like Dharma and Phobos.

On the other end of the spectrum lie advanced groups like Cl0p (or Clop), BlackCat, and Black Basta, which tend to be more selective in their targeting, while also striking bigger organizations to demand higher ransoms. Cl0p's average payment size for the first half of 2023 stands at $1,730,486, in contrast to Dharma's $275.

Cl0p, in particular, has been on a rampage in recent months, exploiting security flaws in MOVEit Transfer application to breach 257 organizations across the world to date, per Emsisoft researcher Brett Callow. More than 17.7 million individuals are said to be impacted as a result of the ransomware attacks.

"Clop's preference for targeting larger companies (>$5 million/year revenue) and capitalizing on newer-but-disclosed vulnerabilities has been the primary driver of its success in the first half of 2023," Sophos researcher David Wallace said in a report earlier this week, calling the group a "loud, adaptable, persistent player."

While law enforcement efforts to actively pursue ransomware groups and sanction services offering cashout services, coupled with the availability of decryptors, have emboldened victims to not pay up, it's suspected that the trend "may be prompting ransomware attackers to increase the size of their ransom demands" to extract funds from companies who are still willing to settle.

Last but not least, the Russia-Ukraine War is also said to have been a contributing factor to the decline in ransomware attacks in 2022, causing the Conti operation to shut shop after declaring support for Russia.

"The conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions," Chainalysis said. "It stands to reason that the conflict disrupted ransomware operators' ability to conduct attacks or perhaps even their mandate for such attacks," especially considering that a majority of ransomware actors are tied to Russia.

Beware of Big Head Ransomware: Spreading Through Fake Windows Updates

 A developing ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.

Big Head was first documented by Fortinet FortiGuard Labs last month when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment.

"One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software."

Most of the Big Head samples have been submitted from the U.S., Spain, France, and Turkey.

In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and display a fake Windows update.

"The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the percentage of progress in increments of 100 seconds," the cybersecurity company said.

Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it's running within a virtualized environment before proceeding to encrypt the files.

In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also incorporates a self-delete function to erase its presence.

Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behaviors, the latter of which leverages the open-source WorldWind Stealer to harvest web browser history, directory lists, running processes, product keys, and network information.

Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host.

"Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload," Trend Micro researchers said.

"This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware."

The identity of the threat actor behind Big Head is currently not known, but Trend Micro said it identified a YouTube channel with the name "aplikasi premium cuma cuma," suggesting an adversary likely of Indonesian origin.

"Security teams should remain prepared given the malware's diverse functionalities," the researchers concluded. "This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention."

Hackers Steal $20 Million by Exploiting Flaw in Revolut's Payment Systems

 Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022.

The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly.

The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined.

The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs.

The exact technical details associated with the flaw are currently unclear.

About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass fraud scheme is said to have resulted in a net loss of about $20 million for the neobank and fintech firm.

The disclosure arrives less than a week after Interpol announced the arrest of a suspected senior member of a French-speaking hacking crew known as OPERA1ER, which has been linked to attacks aimed at financial institutions and mobile banking services with malware, phishing campaigns, and large-scale Business Email Compromise (BEC) scams.

BlackByte 2.0 Ransomware Infiltrate, Encrypt, and Extort in Just 5 Days

 Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify.

Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature.

The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.

This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations.

BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data.

To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an approach that has proven highly successful. By exploiting this vulnerability, they gain initial access to the target networks and set the stage for their malicious activities.

The ransomware further employs process hollowing and antivirus evasion strategies to guarantee successful encryption and circumvent detection.

Furthermore, web shells equip them with remote access and control, enabling them to maintain a presence within the compromised systems.

The report also highlighted the deployment of Cobalt Strike beacons, which facilitate command and control operations. These sophisticated tools give attackers a wide range of skills, making it more difficult for organizations to defend against them.

Alongside these tactics, the investigation uncovered several other troubling practices cybercriminals use. They utilize "living-off-the-land" tools to blend in with legitimate processes and escape detection.

The ransomware modifies volume shadow copies on infected machines to prevent data recovery through system restore points. The attackers also deploy specially-crafted backdoors, ensuring continued access for the attackers even after the initial compromise.

The disturbing upsurge in ransomware attacks requires immediate action from organizations worldwide. In response to these findings, Microsoft has provided some practical recommendations.

Organizations are primarily urged to implement robust patch management procedures, ensuring they timely apply critical security updates. Enabling tamper protection is another essential step, as it strengthens security solutions against malicious attempts to disable or bypass them.

Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

 South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the Tonto Team.

"Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC)  in a report published this week.

Tonto Team, active since at least 2009, has a track record of targeting various sectors across Asia and Eastern Europe. Earlier this year, the group was attributed to an unsuccessful phishing attack on cybersecurity company Group-IB.

The attack sequence discovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary file to side-load a malicious DLL file (slc.dll) and launch ReVBShell, an open source VBScript backdoor also put to use by another Chinese threat actor called Tick.

ReVBShell is subsequently leveraged to download a second executable, a legitimate Avast software configuration file (wsc_proxy.exe), to side-load a second rogue DLL (wsc.dll), ultimately leading to the deployment of the Bisonal remote access trojan.

"The Tonto Team is constantly evolving through various means such as using normal software for more elaborate attacks," ASEC said.

The use of CHM files as a distribution vector for malware is not limited to Chinese threat actors alone. Similar attack chains have been adopted by a North Korean nation-state group known as ScarCruft in attacks aimed at its southern counterpart to backdoor targeted hosts.

The adversary, also known as APT37, Reaper, and Ricochet Chollima, has since also utilized LNK files to distribute the RokRAT malware, which is capable of collecting user credentials and downloading additional payloads.

Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The two flaws are listed below -

• CVE-2023-20963 (CVSS score: 7.8) - Android Framework Privilege Escalation Vulnerability
• CVE-2023-29492 (CVSS score: TBD) - Novi Survey Insecure Deserialization Vulnerability

"Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA said in an advisory for CVE-2023-20963.

Google, in its monthly Android Security Bulletin for March 2023, acknowledged "there are indications that CVE-2023-20963 may be under limited, targeted exploitation."

The development comes as tech news site Ars Technica disclosed late last month that Android apps digitally signed by China's e-commerce company Pinduoduo weaponized the flaw to seize control of the devices and steal sensitive data, citing analysis from mobile security firm Lookout.

Chief among the capabilities of the malware-laced app includes inflating the number of Pinduoduo daily active users and monthly active users, uninstalling rival apps, accessing notifications and location information, and preventing itself from being uninstalled.

CNN, in a follow-up report published at the start of the month, said an analysis of the 6.49.0 version of the app revealed code designed to achieve privilege escalation and even track user activity on other shopping apps.

The exploits allowed the malicious app to access users' contacts, calendars, and photo albums without their consent and requested a "large number of permissions beyond the normal functions of a shopping app," the news channel said.

It's worth pointing out that Google suspended Pinduoduo's official app from the Play Store in March, citing malware identified in "off-Play versions" of the software.

That said, it's still not clear how these APK files were signed with the same key used to sign the legitimate Pinduoduo app. This either point to a key leak, the work of a rogue insider, a compromise of Pinduoduo's build pipeline, or a deliberate attempt by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog relates to an insecure deserialization vulnerability in Novi Survey software that allows remote attackers to execute code on the server in the context of the service account.

The issue, which impacts Novi Survey versions prior to 8.9.43676, was addressed by the Boston-based provider earlier this week on April 10, 2023. It's currently not known how the flaw is being abused in real-world attacks.

To counter the risks posed by the vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are advised to apply necessary patches by May 4, 2023.