Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

 Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data.

The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts.

The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe.

"They focus on espionage, data theft, and credential access," Microsoft said. "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access."

The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company.

Microsoft said it notified all targeted or compromised organizations directly via their tenant admins. It did not name the organizations and agencies affected and the number of accounts that may have been hacked.

However, according to the Washington Post, the attackers also broke into a number of unclassified U.S. email accounts.

The access to customer email accounts, per Redmond, was facilitated through Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens.

"The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com," it explained. "MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed from separate systems and should only be valid for their respective systems."

"The actor exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail."

There is no evidence that the threat actor used Azure AD keys or any other MSA keys to carry out the attacks. Microsoft has since blocked the usage of tokens signed with the acquired MSA key in OWA to mitigate the attack.

"This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," Charlie Bell, executive vice president of Microsoft Security, said.

The disclosure comes more than a month after Microsoft exposed critical infrastructure attacks mounted by a Chinese adversarial collective called Volt Typhoon (aka Bronze Silhouette or Vanguard Panda) targeting the U.S.

Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting

 Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis.

"Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said"If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million."

In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of VidiLook, which pays users VDL tokens in return for watching digital ads that then can be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops.

The development, following a decline in ransomware revenues in 2022, marks a reversal of sorts, with Chainalysis attributing it to the return of big game hunting after a downturn last year and the increasing number of successful small attacks carried by groups like Dharma and Phobos.

On the other end of the spectrum lie advanced groups like Cl0p (or Clop), BlackCat, and Black Basta, which tend to be more selective in their targeting, while also striking bigger organizations to demand higher ransoms. Cl0p's average payment size for the first half of 2023 stands at $1,730,486, in contrast to Dharma's $275.

Cl0p, in particular, has been on a rampage in recent months, exploiting security flaws in MOVEit Transfer application to breach 257 organizations across the world to date, per Emsisoft researcher Brett Callow. More than 17.7 million individuals are said to be impacted as a result of the ransomware attacks.

"Clop's preference for targeting larger companies (>$5 million/year revenue) and capitalizing on newer-but-disclosed vulnerabilities has been the primary driver of its success in the first half of 2023," Sophos researcher David Wallace said in a report earlier this week, calling the group a "loud, adaptable, persistent player."

While law enforcement efforts to actively pursue ransomware groups and sanction services offering cashout services, coupled with the availability of decryptors, have emboldened victims to not pay up, it's suspected that the trend "may be prompting ransomware attackers to increase the size of their ransom demands" to extract funds from companies who are still willing to settle.

Last but not least, the Russia-Ukraine War is also said to have been a contributing factor to the decline in ransomware attacks in 2022, causing the Conti operation to shut shop after declaring support for Russia.

"The conflict likely displaced ransomware operators and diverted them away from financially inspired cyber intrusions," Chainalysis said. "It stands to reason that the conflict disrupted ransomware operators' ability to conduct attacks or perhaps even their mandate for such attacks," especially considering that a majority of ransomware actors are tied to Russia.

Beware of Big Head Ransomware: Spreading Through Fake Windows Updates

 A developing ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers.

Big Head was first documented by Fortinet FortiGuard Labs last month when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment.

"One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software."

Most of the Big Head samples have been submitted from the U.S., Spain, France, and Turkey.

In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagate the malware, archive.exe to facilitate communications over Telegram, and Xarch.exe to encrypt the files and display a fake Windows update.

"The malware displays a fake Windows Update UI to deceive the victim into thinking that the malicious activity is a legitimate software update process, with the percentage of progress in increments of 100 seconds," the cybersecurity company said.

Big Head is no different from other ransomware families in that it deletes backups, terminates several processes, and performs checks to determine if it's running within a virtualized environment before proceeding to encrypt the files.

In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek. It also incorporates a self-delete function to erase its presence.

Trend Micro said it detected a second Big Head artifact with both ransomware and stealer behaviors, the latter of which leverages the open-source WorldWind Stealer to harvest web browser history, directory lists, running processes, product keys, and network information.

Also discovered is a third variant of Big Head that incorporates a file infector called Neshta, which is used to insert malicious code into executables on the infected host.

"Incorporating Neshta into the ransomware deployment can also serve as a camouflage technique for the final Big Head ransomware payload," Trend Micro researchers said.

"This technique can make the piece of malware appear as a different type of threat, such as a virus, which can divert the prioritization of security solutions that primarily focus on detecting ransomware."

The identity of the threat actor behind Big Head is currently not known, but Trend Micro said it identified a YouTube channel with the name "aplikasi premium cuma cuma," suggesting an adversary likely of Indonesian origin.

"Security teams should remain prepared given the malware's diverse functionalities," the researchers concluded. "This multifaceted nature gives the malware the potential to cause significant harm once fully operational, making it more challenging to defend systems against, as each attack vector requires separate attention."

Hackers Steal $20 Million by Exploiting Flaw in Revolut's Payment Systems

 Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022.

The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly.

The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined.

The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs.

The exact technical details associated with the flaw are currently unclear.

About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass fraud scheme is said to have resulted in a net loss of about $20 million for the neobank and fintech firm.

The disclosure arrives less than a week after Interpol announced the arrest of a suspected senior member of a French-speaking hacking crew known as OPERA1ER, which has been linked to attacks aimed at financial institutions and mobile banking services with malware, phishing campaigns, and large-scale Business Email Compromise (BEC) scams.

BlackByte 2.0 Ransomware Infiltrate, Encrypt, and Extort in Just 5 Days

 Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify.

Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature.

The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.

This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations.

BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data.

To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an approach that has proven highly successful. By exploiting this vulnerability, they gain initial access to the target networks and set the stage for their malicious activities.

The ransomware further employs process hollowing and antivirus evasion strategies to guarantee successful encryption and circumvent detection.

Furthermore, web shells equip them with remote access and control, enabling them to maintain a presence within the compromised systems.

The report also highlighted the deployment of Cobalt Strike beacons, which facilitate command and control operations. These sophisticated tools give attackers a wide range of skills, making it more difficult for organizations to defend against them.

Alongside these tactics, the investigation uncovered several other troubling practices cybercriminals use. They utilize "living-off-the-land" tools to blend in with legitimate processes and escape detection.

The ransomware modifies volume shadow copies on infected machines to prevent data recovery through system restore points. The attackers also deploy specially-crafted backdoors, ensuring continued access for the attackers even after the initial compromise.

The disturbing upsurge in ransomware attacks requires immediate action from organizations worldwide. In response to these findings, Microsoft has provided some practical recommendations.

Organizations are primarily urged to implement robust patch management procedures, ensuring they timely apply critical security updates. Enabling tamper protection is another essential step, as it strengthens security solutions against malicious attempts to disable or bypass them.