Monday, December 13, 2021

Karakurt: A New Emerging Data Theft And Cyber Extortion Hacking Group.


A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021.

The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, Accenture's Cyber Investigations, Forensics and Response (CIFR) team said in a report published on December 10.

"The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach," the CIFR team said. "Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment."

95% of the known victims are based in North America, while the remaining 5% are in Europe. Professional services, healthcare, industrial, retail, technology, and entertainment verticals have been the most targeted.

The goal, the researchers noted, is to avoid drawing attention to its malicious activities as much as possible by relying on living off the land (LotL) techniques, wherein the attackers abuse legitimate software and functions available in a system such as operating system components or installed software to move laterally and exfiltrate data, as opposed to deploying post-exploitation tools like Cobalt Strike.

With ransomware attacks gaining worldwide attention in the wake of incidents aimed at Colonial Pipeline, JBS, and Kaseya, as well as the subsequent law enforcement actions that have caused actors like DarkSide, BlackMatter, and REvil to shutter their operations, Karakurt appears to be trying a different tack.

Rather than deploy ransomware after gaining initial access to victims' internet-facing systems via legitimate VPN credentials, the actor focuses almost exclusively on data exfiltration and extortion, a move that is less likely to bring the targets' business activities to a standstill yet still lets Karakurt demand a "ransom" in return for not releasing the stolen information.

Besides encrypting data at rest wherever applicable, organizations are advised to turn on multi-factor authentication (MFA) for all accounts, disable RDP on external-facing devices, and keep infrastructure updated to the latest versions so that adversaries cannot exploit unpatched systems with publicly known vulnerabilities.


Tuesday, December 7, 2021

SolarWinds Hackers Targeting Government And Business Entities Worldwide.

Nobelium, the threat actor attributed to the massive SolarWinds supply chain compromise, has been once again linked to a series of attacks targeting multiple cloud solution providers, services, and reseller companies, as the hacking group continues to refine and retool its tactics at an alarming pace in response to public disclosures.

The intrusions, which are being tracked by Mandiant under two different activity clusters UNC3004 and UNC2652, are both associated with UNC2452, an uncategorized threat group that has since been tied to the Russian intelligence service. UNC2652, in particular, has been observed targeting diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike Beacon onto the infected devices.

"In most instances, post compromise activity included theft of data relevant to Russian interests," Mandiant researchers Luke Jenkins, Sarah Hawley, Parnian Najafi, and Doug Bienstock said in a new report. "In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments."

The revelations come exactly a year after details emerged of a Kremlin-backed hacking campaign that breached the servers of network management provider SolarWinds to distribute tainted software binaries to a number of high-profile customers, including nine U.S. federal agencies.

If anything, the development is yet another indication of the threat actor's capacity to continually "innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," while also highlighting the "effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations."

Microsoft had previously dubbed Nobelium as "skillful and methodic operators who follow operations security (OpSec) best practices."

Ever since the SolarWinds incident came to light, the APT group has been connected to a string of attacks aimed at think tanks, businesses, and government entities around the globe, even as an ever-expanding malware toolbox has been put to use with the goal of establishing a foothold in the attacked system and downloading other malicious components.

In late October 2021, Microsoft took the wraps off an intrusion campaign that compromised as many as 14 downstream customers of multiple cloud service providers (CSPs), managed service providers (MSPs), and other IT services organizations. The attacks worked by breaking into the service providers and then using the privileged access and credentials belonging to those providers to strike a wide range of organizations that relied on them.

Top-notch Operational Security And Advanced Tradecraft.

Other techniques the group has incorporated into its playbook include the use of credentials potentially obtained from an info-stealer malware campaign staged by a third-party actor to gain initial access to organizations: in that infection chain, victims' workstations were infected with CryptBot malware after browsing to low-reputation websites offering cracked software, corroborating a similar report from Red Canary published last week.

Also employed by Nobelium is a new tool dubbed Ceeloader, a bespoke downloader that's designed to decrypt a shellcode payload to execute in memory on the compromised system, as well as the abuse of push notifications on smartphones to circumvent multi-factor authentication (MFA) protections.

"In these cases, the threat actor had a valid username and password combination," the researchers said. "Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user's legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account."
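The push-bombing sequence in the quote above, turned into a detection rule as an added example (this is not Mandiant's code or anything from the report): given an identity provider's MFA challenge events, flag a user whose approval was preceded by a burst of denied or timed-out prompts. The event structure, the sample users and timestamps, and the thresholds (three failed prompts within five minutes before an approval) are all assumptions constructed for the demonstration.

```c
/*
 * Added example, not from Mandiant's report: a minimal detector for the MFA
 * push-fatigue pattern. Event format, user names and thresholds are assumptions.
 */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum mfa_result { MFA_DENIED, MFA_TIMEOUT, MFA_APPROVED };

struct mfa_event {
    long            ts;      /* seconds since epoch */
    const char     *user;
    enum mfa_result result;
};

/* Scan events (assumed sorted by ts). For the first APPROVED push of `user`
 * that was preceded by at least `min_failed` denied or timed-out pushes within
 * the previous `window_s` seconds, return that count (an alert). Return 0 if
 * no approval for the user meets the threshold. */
int push_fatigue_alert(const struct mfa_event *ev, size_t n, const char *user,
                       long window_s, int min_failed)
{
    for (size_t i = 0; i < n; i++) {
        if (ev[i].result != MFA_APPROVED || strcmp(ev[i].user, user) != 0)
            continue;
        int failed = 0;
        for (size_t j = 0; j < i; j++) {
            if (strcmp(ev[j].user, user) == 0 && ev[j].result != MFA_APPROVED &&
                ev[i].ts - ev[j].ts <= window_s)
                failed++;
        }
        if (failed >= min_failed)
            return failed;
    }
    return 0;
}

/* Constructed sample log: "alice" is bombarded with five prompts over four
 * minutes before accepting; "bob" fumbles once and then approves normally. */
static const struct mfa_event SAMPLE[] = {
    { 1700000000, "alice", MFA_DENIED   },
    { 1700000040, "alice", MFA_TIMEOUT  },
    { 1700000090, "bob",   MFA_DENIED   },
    { 1700000100, "alice", MFA_TIMEOUT  },
    { 1700000150, "bob",   MFA_APPROVED },
    { 1700000160, "alice", MFA_DENIED   },
    { 1700000220, "alice", MFA_TIMEOUT  },
    { 1700000240, "alice", MFA_APPROVED },
};
#define SAMPLE_N   (sizeof SAMPLE / sizeof SAMPLE[0])
#define WINDOW_S   300   /* 5 minutes, an assumed tuning value */
#define MIN_FAILED 3     /* assumed threshold */

int example_alice(void)   /* returns 5: alert */
{
    return push_fatigue_alert(SAMPLE, SAMPLE_N, "alice", WINDOW_S, MIN_FAILED);
}

int example_bob(void)     /* returns 0: a single failure is normal noise */
{
    return push_fatigue_alert(SAMPLE, SAMPLE_N, "bob", WINDOW_S, MIN_FAILED);
}

int main(void)
{
    printf("alice=%d bob=%d\n", example_alice(), example_bob());
    return 0;
}
```

Feed it the identity provider's MFA challenge events sorted by time. In production the failed bucket should also include "fraud reported" responses, and an alert deserves escalation rather than auto-closure when the approval arrives from a new device or an unfamiliar network, since the actor already holds a valid password. Number matching or typed verification codes remove the one-tap accept that this technique relies on.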

Other tactics of note include —

  • Compromising multiple accounts within an environment and using each of those accounts for different functions to limit exposure,
  • Using a combination of Tor, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments,
  • Hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress, and
  • Using residential IP address ranges to authenticate to victim environments.

"This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security," the researchers said. "The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise."

Thursday, December 2, 2021

Critical Bug In Mozilla's NSS Crypto Library Potentially Affects Several Other Software Packages.


Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services (NSS) cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code.

Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR and is a heap overflow that occurs when verifying DER-encoded DSA or RSA-PSS digital signatures. Credited with reporting the issue is Tavis Ormandy of Google Project Zero, who codenamed it "BigSig."

"NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla said in an advisory published Wednesday. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted."

NSS is a collection of open-source cryptographic computer libraries designed to enable cross-platform development of client-server applications, with support for SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

The bug, the consequence of a missing bounds check that could allow the execution of arbitrary attacker-controlled code, is said to have been exploitable dating all the way back to June 2012. In practice, the decoded signature is copied into a fixed-size buffer inside the verification context without its length being checked against that buffer's capacity, so an oversized signature overwrites adjacent heap memory. "The striking thing about this vulnerability is just how simple it is."
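The bug class behind BigSig, as an added illustration rather than NSS's own code: a DER-decoded signature is copied into a fixed-size buffer inside a verification context. The DER parser below correctly bounds the length against the input, which is exactly the check that does not protect the destination; the hardened variant adds the comparison against the buffer's capacity that was missing. The structure name, the 2048-byte buffer, the OCTET STRING tag and the sample inputs are assumptions constructed for the example.

```c
/*
 * Added illustration of the CVE-2021-43527 bug class, NOT NSS's actual code.
 * Structure names, buffer size, tag and sample inputs are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_SIG_BYTES 2048            /* assumed capacity of the fixed buffer */

struct vfy_context {                  /* stand-in for a verification context */
    uint8_t sigbuf[MAX_SIG_BYTES];
    size_t  siglen;
};

/* Parse one DER tag/length header. Returns 0 and sets *tag, *hdrlen (bytes of
 * tag+length) and *clen (content bytes); returns -1 if the header is short,
 * uses indefinite or non-minimal length, or the content overruns the input. */
static int der_read_header(const uint8_t *in, size_t inlen,
                           uint8_t *tag, size_t *hdrlen, size_t *clen)
{
    if (in == NULL || inlen < 2) return -1;
    uint8_t lb = in[1];
    size_t pos = 2, len;
    if (lb < 0x80) {
        len = lb;                                   /* short form */
    } else {
        size_t n = lb & 0x7f;                       /* long form: n length bytes */
        if (n == 0 || n > sizeof(size_t) || inlen - pos < n) return -1;
        if (in[pos] == 0) return -1;                /* leading zero: non-minimal */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | in[pos + i];
        pos += n;
        if (len < 0x80) return -1;                  /* should have used short form */
    }
    if (len > inlen - pos) return -1;               /* content runs past the input */
    *tag = in[0]; *hdrlen = pos; *clen = len;
    return 0;
}

/* Vulnerable pattern: trusts the decoded length when filling the context.
 * With clen > MAX_SIG_BYTES this writes past sigbuf (a heap overflow when the
 * context lives on the heap). Never call it with untrusted input. */
static void store_signature_unchecked(struct vfy_context *cx,
                                      const uint8_t *sig, size_t clen)
{
    memcpy(cx->sigbuf, sig, clen);      /* no check of clen against sizeof sigbuf */
    cx->siglen = clen;
}

/* Hardened form: a valid DER length still has to fit the destination. */
static int store_signature_checked(struct vfy_context *cx,
                                   const uint8_t *sig, size_t clen)
{
    if (clen == 0 || clen > sizeof cx->sigbuf) return -1;
    memcpy(cx->sigbuf, sig, clen);
    cx->siglen = clen;
    return 0;
}

/* Decode an OCTET STRING (tag 0x04) carrying a signature into cx.
 * Returns 0 on success, -1 if the DER is malformed or the signature too big. */
static int load_der_signature(struct vfy_context *cx,
                              const uint8_t *der, size_t derlen)
{
    uint8_t tag = 0; size_t hdr = 0, clen = 0;
    if (der_read_header(der, derlen, &tag, &hdr, &clen) != 0 || tag != 0x04)
        return -1;
    return store_signature_checked(cx, der + hdr, clen);
}

/* Constructed inputs. */
static const uint8_t SMALL_SIG[] = { 0x04, 0x03, 0xaa, 0xbb, 0xcc }; /* 3 bytes */
static const uint8_t TRUNCATED[] = { 0x04, 0x10, 0x01, 0x02 };       /* says 16, has 2 */

int example_small_signature(void)   /* returns 3: stored length */
{
    struct vfy_context cx;
    return load_der_signature(&cx, SMALL_SIG, sizeof SMALL_SIG) == 0 ? (int)cx.siglen : -1;
}

int example_truncated_der(void)     /* returns -1: rejected by the DER parser */
{
    struct vfy_context cx;
    return load_der_signature(&cx, TRUNCATED, sizeof TRUNCATED);
}

/* Well-formed OCTET STRING of MAX_SIG_BYTES + 100 content bytes: valid DER
 * that the parser accepts, yet too large for sigbuf. Returns -1. */
int example_oversized_signature(void)
{
    static uint8_t big[4 + MAX_SIG_BYTES + 100];
    size_t clen = MAX_SIG_BYTES + 100;                /* 2148 = 0x0864 */
    big[0] = 0x04; big[1] = 0x82;                     /* long form, 2 length bytes */
    big[2] = (uint8_t)(clen >> 8); big[3] = (uint8_t)clen;
    memset(big + 4, 0x41, clen);
    struct vfy_context cx;
    return load_der_signature(&cx, big, sizeof big);
}

int main(void)
{
    struct vfy_context cx;
    store_signature_unchecked(&cx, SMALL_SIG + 2, 3);  /* harmless for small input */
    printf("small=%d truncated=%d oversized=%d\n", example_small_signature(),
           example_truncated_der(), example_oversized_signature());
    return 0;
}
```

The lesson generalises beyond NSS: checking that a length field is consistent with the encoded input is not the same as checking that it fits the object you are about to write into. Building with `-fsanitize=address` and passing the oversized input to the unchecked variant makes the overflow visible immediately.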

While the BigSig shortcoming doesn't affect Mozilla's Firefox web browser itself, email clients, PDF viewers, and other applications that rely on NSS for signature verification, including Thunderbird, LibreOffice, Evolution, and Evince, as well as Red Hat's NSS-based packages, are believed to be vulnerable.

Russian Man Gets 60 Months Jail For Providing Bulletproof Hosting To Cyber Criminals.

A Russian national charged with providing bulletproof hosting services to cybercriminals, who used the platform to spread malware and attack U.S. organizations and financial institutions between 2009 and 2015, has received a 60-month prison sentence.

34-year-old Aleksandr Grichishkin, along with Andrei Skvortsov, founded the bulletproof hosting service and rented its infrastructure to other criminal clientele, who used it to distribute a wide range of malware in attacks that attempted to cause millions of dollars in losses to U.S. victims.

Skvortsov is pending sentencing and faces a maximum penalty of 20 years in prison.

Bulletproof hosting operations resemble regular web hosting but are far more lenient about what can be hosted on their servers: they knowingly host malicious content and activity, ignore abuse complaints and takedown requests, and promise anonymity to threat actors.

Grichishkin pleaded guilty in May to a Racketeer Influenced and Corrupt Organizations (RICO) conspiracy charge. Acting as the firm's "day-to-day leader," he is also said to have helped customers evade detection by law enforcement and continue their crimes uninterrupted by monitoring sites used to blocklist IP addresses, servers, and domains and moving affected clients' data to "clean" infrastructure registered under false or stolen identities.

"He oversaw efforts to advertise the organization's bulletproof hosting services in online cybercrime forums, set pricing for these services, negotiated and interfaced with clients seeking internet infrastructure to be used in spamming and malware operations, managed employee hiring and compensation, and supervised the systems administrators' and other employees' work," the U.S. Justice Department said in a statement.

The development is the latest in a long saga in which two of the scheme's other co-conspirators — Pavel Stassi, 30, of Estonia, and Aleksandr Shorodumov, 33, of Lithuania — received prison terms of 24 and 48 months, respectively, in October: Shorodumov served as one of the organization's lead systems administrators, while Stassi marketed its services to criminal actors and used fraudulent information to register the web hosting and financial accounts.

The Benefits Of Blockchain In The Travel Industry.

  Blockchain technology advocates say it’s poised to disrupt numerous industries, ranging from finance to supply chain tracking and real e...