Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks and phishing threats including malware and PowerPoint trojans, in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


Ukraine hit by trojan attack prior to invasion

Microsoft have spotted a series of cyber attacks that were launched against Ukraine mere hours before Russia’s tanks and missiles hit the country last week.

“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Centre (MSTIC) detected a new round of offensive and destructive cyber attacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.

“We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package, and provided technical advice on steps to prevent the malware’s success.”

Smith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender anti-malware service to detect the exploit. Microsoft also issued a Security Intelligence advisory about FoxBlade, which is a novel trojan. While the company shared neither technical specifics nor details about how FoxBlade achieves initial access on targeted machines, the advisory did explain that: “This trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.”

Researchers reported in November 2021 that there were thousands of such DDoS attacks each day in Q3, and that the number was expected to keep growing. Beyond launching DDoS attacks, FoxBlade also downloads and installs other programs – including other malware – onto infected systems, Microsoft advised.

The cyber attacks – which were ongoing as of Monday, Smith said – have been “precisely targeted,” unlike the indiscriminate malware splattered in the NotPetya attack. The NotPetya cyber attack targeted hundreds of firms and hospitals worldwide in 2017, including Ukraine’s power grid.

Despite the targeted nature of the current cyber attacks on Ukraine, Smith said Microsoft is still “especially concerned” about them, because the digital targets have been far more wide-ranging, including those in the financial and agriculture sectors, emergency response services, humanitarian aid efforts, and energy enterprises.

Smith added: “These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them.”

Microsoft has also advised the Ukrainian government about recent cyber efforts to steal a range of personally identifiable information (PII), including PII related to health, insurance, transportation and other government data.

Microsoft’s news about FoxBlade is just one item in a continuing barrage of cyber assaults targeting both Ukraine and Russia: a barrage that has included the Conti ransomware gang proclaiming that it is pro-Russia. Last week, the extortionists blared out a warning on their blog, threatening to use Conti’s “full capacity” to retaliate should “Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”

A pro-Ukraine Conti ransomware gang member subsequently spilled 13 months of the ransomware group’s chats, with more information to come. Researchers have also discovered a new data wiper malware, dubbed HermeticWiper, that has been used against hundreds of machines in Ukraine.

Earlier, a destructive wiper malware named ‘WhisperGate’ – posing as ransomware – began to target Ukrainian organisations, in an attack that analysts said was likely part of Russia’s wider effort to undermine Ukraine’s sovereignty. In mid-February, institutions central to Ukraine’s military and economy – including government and banking websites – were also slammed with a wave of DDoS attacks.

Neuways advises taking the following immediate actions to protect against the wide range of cyber threats that could spill over onto other organisations as a result of this activity:

  • Patch vulnerabilities.
  • Use multi-factor authentication in every place possible.
  • Run antivirus programmes.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Disable ports and protocols that are not essential.
  • Strengthen controls for cloud services.

Microsoft Exchange bugs exploited by ‘Cuba’ ransomware gang

The ransomware gang known as ‘Cuba’ is exploiting Microsoft Exchange bugs – including ProxyShell and ProxyLogon – as initial infection vectors. The group has been prying open these chinks in victims’ armour for many months, researchers reported.

Researchers noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW, or, at least, it’s the only group of cyber criminals using it among those tracked, “which may suggest it’s exclusively used by the group,” researchers said.

In December, the FBI attributed a spate of attacks to the group. At the time, it was noted that Cuba ransomware is distributed via Hancitor, a first-stage implant that has been around for a number of years and acts as a loader for follow-on payloads.

This isn’t the first time that Cuba has shown a taste for Exchange vulnerabilities, either. They’re just one method that Hancitor operators use in order to gain initial access to target machines. Other routes include phishing emails, and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools.

True to form, researchers observed the group “frequently” picking apart vulnerabilities on public-facing Microsoft Exchange infrastructure as an initial compromise vector. “The threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation,” researchers said.

Next, Cuba deployed webshells to establish a foothold in the compromised network, then planted backdoors to maintain it, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper. The operators have mainly used credentials from valid accounts to escalate privileges, researchers noted. It is not always clear where they obtained the credentials, but in at least some cases they were stolen with credential-stealing tools such as Mimikatz and WICKER.

Researchers added: “We have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions. In one intrusion, the threat actor created a user account and added it to the admin and RDP groups.”
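The account manipulation quoted above leaves a recognisable trail in the Windows Security log: a user-account-created event (4720) followed shortly by member-added-to-local-group events (4732) for the built-in Administrators and Remote Desktop Users groups. The detector below is an added example, not code from Neuways or the cited researchers; it uses constructed sample events with simplified field names, placeholder account SIDs, and an assumed 30-minute correlation window.

```python
from datetime import datetime, timedelta

# Well-known SIDs of the built-in local groups named in the intrusion.
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}
# Assumed correlation window between account creation and group change.
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real telemetry). Keys are simplified from
# the Security log: 4720 = user account created, 4732 = member added to a
# security-enabled local group. Account SIDs are placeholders.
SAMPLE_EVENTS = [
    {"time": "2022-02-20T03:10:00", "id": 4720,
     "target_name": "svc_backup", "target_sid": "S-1-5-21-PLACEHOLDER-1105"},
    {"time": "2022-02-20T03:11:30", "id": 4732,
     "group_sid": "S-1-5-32-544", "member_sid": "S-1-5-21-PLACEHOLDER-1105"},
    {"time": "2022-02-20T03:12:05", "id": 4732,
     "group_sid": "S-1-5-32-555", "member_sid": "S-1-5-21-PLACEHOLDER-1105"},
    # Benign: a long-standing account is made a local admin (no 4720 first).
    {"time": "2022-02-20T08:00:00", "id": 4732,
     "group_sid": "S-1-5-32-544", "member_sid": "S-1-5-21-PLACEHOLDER-1001"},
    # Benign: new hire created, granted RDP rights a day later (outside window).
    {"time": "2022-02-20T09:00:00", "id": 4720,
     "target_name": "jdoe", "target_sid": "S-1-5-21-PLACEHOLDER-1106"},
    {"time": "2022-02-21T09:00:00", "id": 4732,
     "group_sid": "S-1-5-32-555", "member_sid": "S-1-5-21-PLACEHOLDER-1106"},
]

def find_suspicious_accounts(events, window=WINDOW):
    """Map each newly created account to the watched groups it was added to
    within `window` of its creation. Group changes to pre-existing accounts,
    and creations without a prompt group change, are not reported."""
    created = {}  # account SID -> (account name, creation time)
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target_sid"]] = (ev["target_name"], when)
        elif ev["id"] == 4732 and ev["group_sid"] in WATCHED_GROUPS:
            origin = created.get(ev["member_sid"])
            if origin and when - origin[1] <= window:
                hits.setdefault(origin[0], []).append(WATCHED_GROUPS[ev["group_sid"]])
    return hits

if __name__ == "__main__":
    for account, groups in find_suspicious_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} created and added to {', '.join(groups)}")
```

On domain controllers the equivalent group changes are logged as 4728/4756 rather than 4732, so a production rule would include those IDs as well.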

In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool that sends PING requests to a list of hosts generated by a PowerShell script that enumerates Active Directory.

Then, the crooks peek around to see what files might be of interest. They also routinely use a script to map all drives to network shares, “which may assist in user file discovery,” researchers noted.

Cuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, “frequently using BEACON to facilitate this movement,” researchers said. Then they deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper.

To finish their extortion work, the gang tries to steal files and encrypt networked machines, with the threat of publishing stolen content on a shaming site hanging over victims who are pressured to pay a ransom. According to researchers, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. The payloads have included BEACON malware, the Metasploit stager and the group’s custom BUGHATCH downloader.

Cuba isn’t the only threat actor using the TERMITE dropper: Mandiant said that it is apparently used by “a limited number” of threat actors. TERMITE payloads collected over six months show that its keepers have been actively maintaining it, tweaking it so that it burrows in and evades detection, researchers said.

Beyond common, mainstay malware tools such as Cobalt Strike and NetSupport, analysis showed that Cuba has some novel malware up its sleeve, including:

  • BURNTCIGAR: a utility that terminates endpoint security software.
  • WEDGECUT: a reconnaissance tool that checks whether a list of hosts or IP addresses is online.
  • BUGHATCH: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.

The researchers noted that when COLDDRAW was deployed, Cuba used what they called “a multi-faceted extortion model” – i.e., besides encrypting data, the gang leaked it on the group’s shaming site.

Cuba’s favourite industry sector to strike is manufacturing, followed by financial services. The good news for organisations? At the time of writing, there is only a solitary victim listed on the shaming website.

Potent malware returns after break

The group behind the TrickBot malware is now back operating, but with far less activity. Researchers have speculated that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.

A report flagged a “strange” period of relative inactivity, where “from December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen [any] new TrickBot campaigns.”

Before the lull, an incident last November indicated that the TrickBot botnet was used to distribute Emotet. The report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers suggested that, this time around, “it’s likely that TrickBot operators have phased the malware out of their operations in favour of other platforms, such as Emotet.”

TrickBot was originally deployed as a banking trojan, in 2016. In the time since, it’s developed into a full-suite malware ecosystem, complete with tools for spying and stealing data, port scanning, anti-debugging – crashing researchers’ browsers before they have a chance to identify its presence – identifying and wiping firmware, and much more.

TrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a court order that allowed it to seize servers from the group behind the malware. Last year, multiple members of that group were arrested and handed charges carrying potential prison sentences. Despite all of these efforts, TrickBot remained active.

This was until late December 2021, when new attacks ground to a halt. According to the report, TrickBot’s most recent campaign “came on December 28, 2021. That was one of three malware campaigns that were active during the month. As a contrast, eight different [campaigns] were discovered in November 2021.”

The report added: “While there have been lulls from time-to-time, the length of this break could be considered unusual.”

The decline in activity continues as well: TrickBot’s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, “have gone untouched for long periods of time,” researchers said.

These files “were once updated frequently, but are receiving fewer and fewer updates,” researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding “additional plugins, web injects and additional configurations to bots in the botnet.”

The researchers have now concluded with high confidence that “this break is partially due to a big shift from TrickBot’s operators, including working with the operators of Emotet.”

Some think the malware may be on its way out, with TrickBot having now clocked up five years – a lifetime in cybersecurity terms. Researchers wrote: “Perhaps, a combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.” Only time will tell, but, as ever, organisations are urged to remain vigilant as the threat level remains high.

Criminals attempt to harvest Microsoft account credentials

Malicious emails warning Microsoft users of “unusual sign-on activity” from Russia are looking to capitalise on the Ukrainian crisis.

While legitimate concerns about the Russian-Ukrainian conflict are sparking a far-reaching cyber warfare conversation around the world, small-time criminals are also ramping up their efforts amid the crisis. Phishing emails to Microsoft users warning of Moscow-led account hacking have started to make the rounds, as criminals attempt to lift credentials and other personal details.

Researchers uncovered a spate of spam emails that name and shame Russian hacking efforts. The subject line for the messages reads “Microsoft account unusual sign-in activity,” while the body of the email reads as follows:

“Unusual sign-in activity

We detected something unusual about a recent sign-in to the Microsoft account

details

  • Country/region: Russia/Moscow
  • IP address:
  • Date: Sat, 26 Feb 2022 02:31:23 +0100
  • Platform: Kali Linux
  • Browser: Firefox

A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.

Report the user


The Microsoft account team”

The emails then provide a button to “report the user,” and an unsubscribe option. Clicking the button creates a new email with the to-the-point subject line of “Report the user,” pre-addressed to a mailbox whose name references Microsoft account protection. Of course, using this email to respond could open up various risks, according to researchers.

“People sending a reply will receive a request for login details, and possibly payment information, most likely via a bogus phishing page,” the researchers explained. “It’s also entirely possible the scammers will keep everything exclusively to email communication. Either way, people are at risk from losing control of their account to the phishers. The best thing to do is not reply, as well as deleting and reporting the email.”

The spam shows red flags in the form of grammatical errors, including misspellings such as “acount.” In other words, it is not a particularly sophisticated effort, but it is a savvy one. As is the case with any major world event, cresting interest (or fear) is catnip for social engineers.

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is more likely to attract people’s attention, making it perfect spam material for that very reason,” researchers said. “The emails (deliberate or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow.”

The mail explicitly targets Microsoft account holders, but the good news is that Outlook is sending the emails directly to the spam folder. However, researchers pointed out that: “Depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for users to lose their login information, and this mail is perhaps more salient than most for the time being.”

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.