The lead up to this year’s 4th of July has been chockful of cyber events, from cities getting extorted, through triple-threat ransomware, to state-sponsored APT activity. Here’s a recap of last month’s cyber threat highlights.
The month started with AMCA (an American billing collections service provider) announcing on June 3 that an unauthorized user had accessed its system containing personal information that AMCA had received from various entities. The personal data of 11.9 million customers, including some financial and medical data, was exposed.
Ransomware and the Triple-Play Trojan
Four days later, ASCO Industries, a Belgian company specializing in manufacturing components for both civilian and military aircrafts, was the victim of a ransomware attack that paralyzed its production worldwide. With all its IT systems disabled, 1,000 of its 1,400 employees were sent home. The hackers asked for ransom to release the blocked IT systems.
June was a hard month for municipalities in the United States - this time three cities in Florida. The city of Riviera Beach was hit by a cyberattack which was triggered by an employee from the police department opening an email attachment that contained malware. The malicious software quickly spread through the city's computer systems, affecting its email system and even its 911 dispatch operations. The hackers demanded ransom in the amount of $600,000 in bitcoin. The City decided to pay and will invest $1 million in new computer systems.
A few weeks later, Lake City was on the receiving end of a similar cyberattack. Lake City paid the hackers $460,000 in bitcoin, since it was the cheapest option. Lake City had a $10,000 deductible on its cyber insurance policy; the insurer paid the balance.
At the end of June, Key Biscayne was struck by a ransomware attack that used Ryuk as part of a "Triple Threat” attack:
- A malicious document used PowerShell script to download the Emotet Trojan.
- Once downloaded, Emotet installed additional malware (in case of Key Biscayne, the TrickBot Trojan).
- TrickBot contained a number of tools for moving laterally across the network from the initial point of compromise including Trickpassword grabbers (a PowerShell-based reconnaissance tool that uses the open sourced PowerShell Empire framework), and spreader_x64.dll (a lateral movement tool based on the leaked National Security Agency EternalBlue vulnerability in Windows' Server Message Block version 1 (SMB v. 1) file sharing protocol.
- dll included the Mimikatz credential-stealing tool to harvest credentials.
- Once TrickBot was installed, the attackers used it to examine where their malware had landed to determine their next steps.
- In case of Key Biscayne, TrickBot was used to compromise a Windows domain controller.
- The hackers gathered data on the victim's Active Directory structure and identified servers on the network.
- After connecting to the identified servers, the hackers infected these with the Ryuk ransomware.
State-Sponsored APT Activity
During the month of June, we noticed that state-sponsored cyberattacks reached a new high. These kinds of attacks have a dual purpose: gathering intelligence (espionage) and identifying weaknesses to abuse for future cyberattacks (reconnaissance).
- Chinese malware Nanshou infected machines by brute-forcing Microsoft SQL Server account passwords using known exploits. Once it had compromised the machine, Nanshou dropped one of 20 different malicious payloads. Each of these payloads contained versions of a coin-mining tool and a kernel-mode rootkit. This allowed the malware to remain obfuscated, avoiding detection. Infected machines included over 50,000 servers in the healthcare, telecommunications, media and IT sectors. The malware used cryptographically signed driver-level rootkits. The driver supported every version of Windows including Windows 7, Windows 10, and beta versions.
- An attack attributed to the Chinese group APT10 (dubbed the Soft Cell operation) would have allowed hackers to recover more than 100 GB of data from telecom operators worldwide. For this attack, the group used customized versions of known tools, many of which are regularly used in attacks attributed to hacker groups associated with China. These include a version of the Poison Ivy remote access tool, the China Chopper web shell, a modified nbtscan tool and a highly modified and customized version of Mimikatz, a password stealing tool.
- In an interesting “dog eats dog” twist, the Russian espionage group Turla hijacked the infrastructure of Iranian APT hacker group OilRig. Russian-backed Turla is also known as Waterbug, Snake, WhiteBear, Venomous Bear, and Kypton. Iran-backed OilRig is also known as Crambus, APT34, HelixKitten. Turla attacked a target in the Middle East three times, using Mimikatz as a post-exploitation tool for collecting passwords from the system memory. Turla used the hijacked C2 server of OilRig as well as a PowerShell Runner tool to execute PowerShell scripts eliminating the need to use powershell.exe.
Stealth Techniques detected in June
Threat actors keep on finding innovative ways to spread their malware, and June was no exception.
- For the first time, we saw that ISO disk images that were sent by phishing email were used for spreading LokiBot and NanoCore malware. Since ISO files are usually whitelisted, it is a clever way for hackers to embed their malware payload. LokiBot (information-stealing malware) used the IsDebuggerPresent function to determine if it was loaded inside a debugger. LokiBot also implemented a common anti-VM technique for measuring the computational time difference between CloseHandle and GetProcessHeap to find out if it was running inside a VM. NanoCore (a remote access Trojan) tried to detect the presence of a debugger, created a Mutex and performed process injection. NanoCore created persistence through registry modifications. It also captured clipboard data and monitoring keystrokes, collected data about document files on the system and connected to an FTP server to upload the stolen data.
- Old favorite Houdini malware made a comeback. A new variant of the Houdini Worm (aka WSH Remote Access Tool - RAT) targeted commercial banking customers with phishing e-mails. Those e-mails had an attached MHT file that contained a href link which when opened, directed victims to a .zip archive containing a version of WSH RAT. The C2 server used was similar to the Hworm one.
- Hackers also used the FlawedAmmy RAT for their phishing attacks. Once the e-mail attachment was opened, the macro function started running exe and downloading an MSI archive which contained a digitally signed file which was then extracted and run through the system. This file in turn decrypted and executed another executable in memory. This process continued until another file wsus.exe was executed.
- At the end of June, a new variant of the Dridex banking Trojan was detected which was able to avoid detection by traditional antivirus products. Banking Trojan Dridex specializes in the theft of online banking credentials. The latest version uses an Application Whitelisting technique to block elements of the Windows Script Host. The malware exploited the execution protection and policies in the Windows WMI command-line (WMIC) utility to employ XLS scripts in order to bypass AV solutions.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment or simulate real-world APT group attacks with our brand new Full Kill Chain APT simulation module. These simulations allow you to test and verify by yourself if your organization is exposed to these attacks. They also offer suggestions for mitigations in case it turns out that your organization is indeed vulnerable.