WME Security Briefing 30 October 2024

WME Cybersecurity Briefings No. 032

Chinese Nation-State Hackers APT41 Target Gambling Industry for Financial Gain

Overview

The Gambling and Poker industry experienced a sophisticated cyber attack last month, orchestrated by the notorious Chinese nation-state group APT41 ( AKA Brass Typhoon, Earth Baku, Wicked Panda or Winnti). This extended operation, which spanned nearly nine months, was a beachhead to steal information of value and perhaps make financial gains. According to security folks, APT41 is known for its stealth-hiding tactics and for always updating its tools, which may make it difficult to detect.

Impact

The intruders behind APT41 had access to valuable information i.e. configurations, passwords, admin credentials, etc. The adversaries utilized a DCSync attack to further establish their presence. Primarily, they targeted service and admin accounts. This kept the attackers’ persistent access to these networks and allowed them time to deploy other harmful payloads over longer periods.

The attack was very sophisticated as it used advanced techniques like Phantom DLL Hijacking, which makes use of legitimate utilities like wmic.exe to evade detection. As malicious actors interfered with the core functioning of organizations by committing these crimes, these events raise questions as to how well these organizations safeguard sensitive customer information and financial security. Their hard-coded command-and-control (C2) server served as a gateway for remote access and facilitated the creation of hidden channels. And hackers use them to enhance their control over compromised systems.

Recommendation

Organizations in the gambling and gaming industries should put better cybersecurity policies to prevent these sorts of attacks. They need to implement multiple layers of defenses, keeping software up to date as best as they can and using measures like early threat detection, etc. Furthermore, the network admins need to look out for any unusual activities, mainly on the privileged accounts and enforce multi-factor authentication (MFA).

Moreover, it is important to periodically review systems and network activity for indicators of compromise in case services like SSH, or even admin accounts have something suspicious going on. For example, improving detection coverage for DLL hijacking and system command abuse tactics significantly reduces the attack surface that attackers can leverage to achieve network persistence.

Critical Vulnerabilities Found in E2EE Cloud Storage Providers

Overview

Three severe security flaws have been discovered in several major end-to-end encrypted (E2EE) cloud storage platforms. If exploited, these vulnerabilities have the potential to expose sensitive user data, making these services unsecure. This finding has broad implications for popular platforms, including Sync, pCloud, and IcedriveSeafile and Tresorit are also on the list, as they appear to have built their ecosystems on weak encryption protocols.

The researchers said this discovery showcased how malicious servers run by attackers could tamper with file data, create rogue files, and even decrypt encrypted information in certain cases.

Impact

These cloud storage platforms now hold a significant risk due to the exposure of these vulnerabilities:

  • Sync & pCloud: Attackers could bypass file confidentiality, tamper with data on user storage as well as inject arbitrary files.
  • Seafile: Password Brute Forcing, File Data Tampering
  • Icedrive: Attackers reportedly could modify files during upload due to integrity issues.
  • Tresorit: A malicious server could manipulate metadata (e.g. while sharing files, making up arbitrary keys).

These vulnerabilities illustrate familiar patterns of cryptographic design failures across the providers, meaning that attackers with even relatively limited resources can take advantage.

Overall, these vulnerabilities illustrate the necessity of upholding strong security mandates on E2EE services to avoid compromising user data.

Recommendation

Cloud storage providers are urged to improve their encryption protocols immediately and patch these vulnerabilities before they can be exploited.

Users should:

Review provider updates: Check with the cloud services providers on a regular basis to get patches and security updates.

Find other storage options: If your provider is slow to address these vulnerabilities, switching to a more secure option might be appropriate.

Checking file integrity: When possible, users should manually verify the integrity of their files hosted on the cloud.

Roundcube Webmail Exploit Allows Hackers to Steal User Credentials

Overview

A new security vulnerability has been found in Roundcube, one of the most common open-source webmail platforms used worldwide. Cybercriminals have abused it to conduct phishing attacks that target and respond to login credentials. The vulnerability, tracked as CVE-2024-37383, is a stored cross-site scripting (XSS) flaw.

It lets attackers embed malicious JavaScript into users’ web browsers, where it can run with access to their private data. The vulnerability was used in phishing campaigns targeting governmental institutions in CIS countries.

Impact

The Roundcube vulnerability could be very dangerous if exploited. An attacker can simply embed malicious JavaScript code in the message of a crafted email and get users to open it, which will cause the script to be executed automatically by their browser without them noticing.

This permits the attacker to steal login information and other sensitive information. Hackers already used the vulnerability to leak user information i.e. Password data, etc. from a remote server hosted on Cloudflare.

This kind of attack can be extremely damaging for those using Roundcube as an email service provider, especially governmental bodies and other types of high-profile organizations.

Recommendation

Companies using Roundcube webmail software need to update their systems now with the latest patched versions 1.5.7 and 1.6.7. These were released to the market in May 2024 and address the above-mentioned XSS flaw.

Organizations should also not limit themselves to upgrading the software. They should revisit the email security policies and update them so that they are immune to any future phishing attacks. They also need to use web application firewalls (WAFs) to track and block any potentially malignant scripts.

North Korean IT Workers Exploiting Western Firms for Financial Gains

Overview

New cybersecurity reports disclose a chilling new development in the North Korean cyberworkers masquerading as legitimate employees at businesses in Western countries. Never mind the IP theft; now, these fake workers are demanding ransom for data! It is a clear escalation of the financial and espionage attacks they have been launching for years.

These workers are able to infiltrate organizations and access the most sensitive systems, all while maintaining their anonymity. A related trend increasingly on the radar is workers demanding money not to leak what they have stolen. The change in behavior was first observed around mid-2024, when a contractor stole proprietary data shortly after being hired.

Impact

It is part of a wider push by North Korea to raise cash amid global sanctions. These tactics are consistent with the tactics of a threat group, Nickel Tapestry (aka Famous Chollima and UNC5267). Using the stolen information and identity of U.S. citizens, they mostly go abroad to different regions in China and Russia. They work either under fake a freelance cover or on a contract basis in various firms.

This new method of ransomware is now jeopardizing the financial system and compromise their intellectual property. Some workers have even gone as far as manipulating shipping processes for corporate laptops or rerouting equipment to avoid leaving any traces.

Also, such escalation makes things increasingly dangerous for organizations, especially those with remote workers, as these contractors can walk away with confidential data and ask for hundreds of thousands in ransom not to reveal the information.

Recommendation

Organisations are recommended to implement strong security and recruitment processes in order to protect themselves from this evolving threat:

  • Background checks: Verifying Identities, conducting in-person or video interviews.
  • Corporate IT Equipment: Watch for unusual requests to redirect the shipment of an organization’s equipment or alternative ways to access corporate IT.
  • Secure access to networks: Do not allow the use of personal laptops or unauthorized remote desktop tools that could create entry points for hackers.
  • Create ransomware prevention strategies: Be proactive about potential ransoms by having procedures in place to preempt data exfiltration.

The rise of this new danger only reinforces the necessity for all-inclusive cybersecurity methods and a deeper collective look into recruitment. As North Korean IT workers evolve their tactics, a major problem facing businesses today is how to guard against these insider threats.

Crypt Ghouls Ransomware Attacks on Russian Firms

Overview

A new actor in the ransom game, Crypt Ghouls, has been implicated in a spree of ransomware attacks aimed at Russian businesses and government agencies.

They employ ransomware variants like LockBit 3.0 and Babuk to disrupt operations and seek financial gain. These attacks have targeted government agencies, as well as energy, mining, finance, and retail companies in Russia.

Crypt Ghouls tactics involve leveraging various tools and strategies to infiltrate targeted networks. They often use VPN services with hijacked logins, typically from contractors, to gain initial access. Once installed, they use a range of tools to stay on the network and finally encrypt data in such a way that demands an exorbitant ransom.

Impact

The Crypt Ghouls attacks are widespread and strategic. They have used several well-known hacking utilities i.e. Mimikatz, PingCastle, AnyDesk, etc. to steal credentials and maintain access. In two instances, the initial entry was traced back to a contractor’s credentials, which were exploited through VPN connections from trusted sources. That means more complications in detection efforts.

Crypt Ghouls then utilizes tools like XenAllPasswordPro and the CobInt backdoor to steal authentication data. Their ultimate goal is to encrypt system data using the widely recognized LockBit 3.0 ransomware for Windows and Babuk for Linux/ESXi systems. Furthermore, they take extra steps to encrypt files in the Recycle Bin to hinder recovery efforts. Doing so, they leave behind a ransom note with a link for future contact.

The ability of Crypt Ghouls to blend in with similar attacks from other Russian threat groups i.e. MorLock and BlackJack, etc. makes it particularly challenging to pinpoint their exact identity. Their use of shared toolkits and compromised credentials complicates attribution further.

Recommendation

Russian organizations, especially in critical sectors like government, mining and energy, must secure their networks against this ransomware.

Key steps include:

  • Patch Management: Update all systems and applications (paying particular attention to VPN services) where patches are available for newly discovered vulnerabilities.
  • Secure Credentials: Review contractor networks and tighten the logins. Use MFA (Multi-Factor Authentication) to protect from access with stolen credentials.
  • Incident Response Planning: Create and implement an incident response plan based on ransomware threats, including a series of defensive actions to contain the attack.

Share:

Facebook
Twitter
LinkedIn
Picture of Matt Tinney

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.

Contact Us

=
On Key

More Posts

Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=