Anomali Cyber Watch: Massive Growth of DDoSia Project, Proxyjacking Joins Cryptomining, 8Base Ransomware Became 2d Most Prolific, and More
Anomali Threat Research
July 3, 2023
Share:
Table of contents
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Bootkits, Cyberespionage, DDoS, Iran, Ransomware, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
The pro-Russia DDoS project, DDoSia, has seen a massive 2,400% growth in less than a year, with over 10,000 people helping conduct attacks on Western organizations. The project was launched by a pro-Russian hacktivist group known as NoName057(16) in early 2022. The registration of new users is automated thanks to a Telegram bot, and DDoSia payloads are available for Linux, macOS, and Windows. Sekoia researchers decrypted DDoSia C2 traffic to find a large number of targeted countries dominated by Lithuania, Ukraine, Poland, Italy, and Czech Republic. NoName057(16) is very sensitive to news cycles: on 21 June 2023, it DDoSed French transportation targets following the announced delivery of a French air defense system to Kiev. And on June 24, 2023, the actors singled out two Wagner sites just as that private paramilitary group attempted a mutiny in Russia.
Analyst Comment: Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack.
The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6, that were installed on over 200,000 sites. This newly-discovered vulnerability was registered as CVE-2023-3460 and is considered critical (CVSSv3.1 score: 9.8). Wordfence researchers have identified network indicators for the ongoing zero-day exploitation, but do not provide any attribution.
Analyst Comment: Until a security patch for CVE-2023-3460 is developed, site administrators should uninstall the Ultimate Member plugin. Check for new user accounts created with administrator privileges. Check for plugins and themes that may not have been installed previously. All known network indicators associated with this Ultimate Member plugin exploitation campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
Akamai researchers have discovered a proxyjacking campaign that is targeting vulnerable SSH servers, then launching Docker services that share the victims bandwidth for money. This campaign uses a compromised web server to distribute necessary dependencies, actively searches for and removes competing instances, and employs obfuscation techniques to evade detection. The attack chain involves a bash script downloading and executing a curl binary and continuing with an otherwise fileless attack. Proxyjacking is a stealthier alternative to cryptojacking and it can enable cybercriminals to leverage proxies to obfuscate their attack origins.
Analyst Comment: Network defenders should isolate all unusual artifacts, not just those that are considered malicious, to prevent malicious actors from exploiting the system. Check for unwanted proxyjackin by grepping for strings related to companies like Peer2Profit and Honeygain that indiscriminately pay for contributing to proxy networks.
In May 2023, the Iran-sponsored group dubbed Charming Kitten was observed using a new delivery method for its custom POWERSTAR framework. The observed spearphishing attack involved multiple benign email exchanges before delivering a password-protected RAR file containing a malicious LNK file, with the password being provided in a subsequent email. Volexity researchers have also observed Charming Kitten moving their malware distribution to Backblaze B2 buckets, IPFS, and privately hosted infrastructure. The new POWERSTAR version has improved operational security measures and is believed to be supported by a custom server-side component. The POWERSTAR backdoor has received at least four additional modules. It raises the total number of known optional modules to nine, with functionality varying from information gathering to removing forensic artifacts.
Analyst Comment: Defense-in-depth is the best way to ensure safety from advanced government-sponsored groups like Charming Kitten. Defense-in-depth can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. YARA rules and indicators associated with the new POWERSTAR usage are available in the Anomali platform for detection and prevention.
The 8Base ransomware group has been active since March 2022 with a significant spike in activity in June of 2023 making it one of the most prolific ransomware threats, second only to LockBit. VMware researchers have revealed similarities between 8Base and the RansomHouse ransomware group. They have also discovered a second 8Base crypter variant based on Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware. 8Base is targeting smaller businesses with the top five targeted industries being business services, finance, manufacturing, information technology, and health care, in that order.
Analyst Comment: One of the best defenses against Smokeloader is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Indicators associated with the 8Base ransomware are available in the Anomali platform and customers are advised to block these on their infrastructure.
BlackLotus is a sophisticated malware that targets UEFI-booting versions of Windows such as Windows 10 and 11, including virtual machines. BlackLotus starts by acting as a boot software. It exploits a CVE-2022-21894 Secure Boot bypass vulnerability (Baton Drop). In Secure Boot-signed copies of the Windows Boot Manager it truncates the Secure Boot policy values. The vulnerable boot manager versions allow boot to continue. BlackLotus injects a version of shim utilizing its own Machine Owner Key to vouch for signatures on its own malicious binaries. According to the US National Security Agency, the vulnerable boot loaders are not revoked, so attackers can often substitute fully patched boot loaders with vulnerable versions to execute BlackLotus.
Analyst Comment: Patches are available for Windows 8.1, 10, and 11. Network defenders should enable the optional software mitigation from May 2023 Microsoft patches that prevent these rollbacks of the boot manager and kernel versions. After the BlackLotus malicious stack was fully installed it can not be deleted from the infected machine without full system reimagining.
<p id="">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<strong id=""> APT, Backdoors, Bootkits, Cyberespionage, DDoS, Iran, Ransomware, Russia, Spearphishing, and Vulnerabilities</strong>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p><figure class="w-richtext-figure-type-image w-richtext-align-fullwidth" data-rt-align="fullwidth" data-rt-max-width="1751px" data-rt-type="image" id="" style="max-width:1751px"><div id=""><img height="auto" id="" loading="lazy" src="https://cdn.filestackcontent.com/lPUAolXcSNS6chwkCjEU" width="auto"/></div><figcaption id="">Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</figcaption></figure><h2 id="">Trending Cyber News and Threat Intelligence</h2><h3 id=""><a href="https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/" id="" target="_blank">Following NoName057(16) DDoSia Project’s Targets</a></h3><p id="">(published: June 29, 2023)</p><p id="">The pro-Russia DDoS project, DDoSia, has seen a massive 2,400% growth in less than a year, with over 10,000 people helping conduct attacks on Western organizations. The project was launched by a pro-Russian hacktivist group known as NoName057(16) in early 2022. The registration of new users is automated thanks to a Telegram bot, and DDoSia payloads are available for Linux, macOS, and Windows. Sekoia researchers decrypted DDoSia C2 traffic to find a large number of targeted countries dominated by Lithuania, Ukraine, Poland, Italy, and Czech Republic. NoName057(16) is very sensitive to news cycles: on 21 June 2023, it DDoSed French transportation targets following the announced delivery of a French air defense system to Kiev. And on June 24, 2023, the actors singled out two Wagner sites just as that private paramilitary group attempted a mutiny in Russia.</p><p id=""><strong id="">Analyst Comment: </strong>Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9990" id="">[MITRE ATT&CK] T1498 - Network Denial Of Service</a> | <a href="https://ui.threatstream.com/attackpattern/9716" id="">[MITRE ATT&CK] T1573 - Encrypted Channel</a><a href="https://ui.threatstream.com/attackpattern/10173" id=""></a></p><p id=""><strong id="">Tags:</strong> actor:NoName057(16), source-country:Russia, malware:DDoSia, malware-type:DDoS tool, technique:DDoS, target-country:Lithuania, target-country:Ukraine, target-country:Poland, target-country:Italy, target-country:Czechia, target-country:France, abused:AES-GCM</p><h3 id=""><a href="http://tps://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/" id="" target="_blank">PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited</a></h3><p id="">(published: June 29, 2023)</p><p id="">The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6, that were installed on over 200,000 sites. This newly-discovered vulnerability was registered as CVE-2023-3460 and is considered critical (CVSSv3.1 score: 9.8). Wordfence researchers have identified network indicators for the ongoing zero-day exploitation, but do not provide any attribution.</p><p id=""><strong id="">Analyst Comment: </strong>Until a security patch for CVE-2023-3460 is developed, site administrators should uninstall the Ultimate Member plugin. Check for new user accounts created with administrator privileges. Check for plugins and themes that may not have been installed previously. All known network indicators associated with this Ultimate Member plugin exploitation campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10012" id="">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9642" id="">[MITRE ATT&CK] T1136 - Create Account</a></p><p id=""><strong id="">Tags:</strong> target-software:Ultimate Member, vulnerability:CVE-2023-3460, vulnerability-type:Privilege escalation, target-identity:WordPress user</p><h3 id=""><a href="https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle" id="" target="_blank">Proxyjacking: The Latest Cybercriminal Side Hustle</a></h3><p id="">(published: June 29, 2023)</p><p id="">Akamai researchers have discovered a proxyjacking campaign that is targeting vulnerable SSH servers, then launching Docker services that share the victims bandwidth for money. This campaign uses a compromised web server to distribute necessary dependencies, actively searches for and removes competing instances, and employs obfuscation techniques to evade detection. The attack chain involves a bash script downloading and executing a curl binary and continuing with an otherwise fileless attack. Proxyjacking is a stealthier alternative to cryptojacking and it can enable cybercriminals to leverage proxies to obfuscate their attack origins.</p><p id=""><strong id="">Analyst Comment: </strong>Network defenders should isolate all unusual artifacts, not just those that are considered malicious, to prevent malicious actors from exploiting the system. Check for unwanted proxyjackin by grepping for strings related to companies like Peer2Profit and Honeygain that indiscriminately pay for contributing to proxy networks.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10012" id="">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/22938" id="">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/10023" id="">[MITRE ATT&CK] T1496 - Resource Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9628" id="">[MITRE ATT&CK] T1090 - Proxy</a><a href="https://ui.threatstream.com/attackpattern/9916" id=""></a></p><p id=""><strong id="">Tags:</strong> technique:Proxyjacking, technique:Compromised website, technique:Proxy, abused:Peer2Profit, abused:Honeygain, target-system:Web server, target-system:SSH server</p><h3 id=""><a href="https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/" id="" target="_blank">Charming Kitten Updates POWERSTAR with an InterPlanetary Twist</a></h3><p id="">(published: June 28, 2023)</p><p id="">In May 2023, the Iran-sponsored group dubbed Charming Kitten was observed using a new delivery method for its custom POWERSTAR framework. The observed spearphishing attack involved multiple benign email exchanges before delivering a password-protected RAR file containing a malicious LNK file, with the password being provided in a subsequent email. Volexity researchers have also observed Charming Kitten moving their malware distribution to Backblaze B2 buckets, IPFS, and privately hosted infrastructure. The new POWERSTAR version has improved operational security measures and is believed to be supported by a custom server-side component. The POWERSTAR backdoor has received at least four additional modules. It raises the total number of known optional modules to nine, with functionality varying from information gathering to removing forensic artifacts.</p><p id=""><strong id="">Analyst Comment: </strong>Defense-in-depth is the best way to ensure safety from advanced government-sponsored groups like Charming Kitten. Defense-in-depth can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. YARA rules and indicators associated with the new POWERSTAR usage are available in the Anomali platform for detection and prevention.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10001" id="">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/22938" id="">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" id="">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9671" id="">[MITRE ATT&CK] T1113 - Screen Capture</a></p><p id=""><strong id="">Signatures:</strong> YARA Rules by Volexity: <a href='https://ui.threatstream.com/signature/109283"' id="">apt_win_powerstar_persistence_batch</a> | <a href="https://ui.threatstream.com/signature/109284" id="">apt_win_powerstar_memonly</a> | <a href="https://ui.threatstream.com/signature/109285" id="">apt_win_powerstar_logmessage </a>| <a href="https://ui.threatstream.com/signature/109286" id="">apt_win_powerstar_lnk</a> | <a href="https://ui.threatstream.com/signature/109287" id="">apt_win_powerstar_decrypt_function </a>| <a href="https://ui.threatstream.com/signature/109288" id="">apt_win_powerstar</a></p><p id=""><a href="https://ui.threatstream.com/attackpattern/10105" id=""></a><strong id="">Tags:</strong> actor:Charming Kitten, malware:POWERSTAR, malware-type:Backdoor, source-country:Iran, abused:PowerShell, abused:C#, abused:Backblaze B2, abused:IPFS, file-type:RAR, file-type:LNK, target-system:Windows</p><h3 id=""><a href="https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html" id="" target="_blank">8Base Ransomware: A Heavy Hitting Player</a></h3><p id="">(published: June 28, 2023)</p><p id="">The 8Base ransomware group has been active since March 2022 with a significant spike in activity in June of 2023 making it one of the most prolific ransomware threats, second only to LockBit. VMware researchers have revealed similarities between 8Base and the RansomHouse ransomware group. They have also discovered a second 8Base crypter variant based on Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware. 8Base is targeting smaller businesses with the top five targeted industries being business services, finance, manufacturing, information technology, and health care, in that order.</p><p id=""><strong id="">Analyst Comment: </strong>One of the best defenses against Smokeloader is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Indicators associated with the 8Base ransomware are available in the Anomali platform and customers are advised to block these on their infrastructure.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9933" id="">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9930" id="">[MITRE ATT&CK] T1135 - Network Share Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9719" id="">[MITRE ATT&CK] T1134.001 - Access Token Manipulation: Token Impersonation/Theft</a> | <a href="https://ui.threatstream.com/attackpattern/3713" id="">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9592" id="">[MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/3720" id="">[MITRE ATT&CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/3714" id="">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a></p><p id=""><strong id="">Tags:</strong> actor:8Base, malware:8Base, malware-type:Ransomware, malware:SmokeLoader, malware:Phobos, abused:SystemBC, file-type:8base, file-type:EXE, target-system:Windows</p><h3 id=""><a href="https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF" id="" target="_blank">BlackLotus Mitigation Guide</a></h3><p id="">(published: June 22, 2023)</p><p id="">BlackLotus is a sophisticated malware that targets UEFI-booting versions of Windows such as Windows 10 and 11, including virtual machines. BlackLotus starts by acting as a boot software. It exploits a CVE-2022-21894 Secure Boot bypass vulnerability (Baton Drop). In Secure Boot-signed copies of the Windows Boot Manager it truncates the Secure Boot policy values. The vulnerable boot manager versions allow boot to continue. BlackLotus injects a version of shim utilizing its own Machine Owner Key to vouch for signatures on its own malicious binaries. According to the US National Security Agency, the vulnerable boot loaders are not revoked, so attackers can often substitute fully patched boot loaders with vulnerable versions to execute BlackLotus.</p><p id=""><strong id="">Analyst Comment: </strong>Patches are available for Windows 8.1, 10, and 11. Network defenders should enable the optional software mitigation from May 2023 Microsoft patches that prevent these rollbacks of the boot manager and kernel versions. After the BlackLotus malicious stack was fully installed it can not be deleted from the infected machine without full system reimagining.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9876" id="">[MITRE ATT&CK] T1542.003 - Pre-OS Boot: Bootkit</a> | <a href="https://ui.threatstream.com/attackpattern/9584" id="">[MITRE ATT&CK] T1553 - Subvert Trust Controls</a></p><p id=""><strong id="">Tags:</strong> malware:BlackLotus, malware-type:Bootkit, vulnerability:CVE-2022-21894, vulnerability:Baton Drop, target-system:UEFI, target-system:VM, target-system:Windows 10, target-system:Windows 10, target-system:Windows</p>
Anomali Threat Research
Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
Read more by ANTHONY
Discover More About Anomali
Get the latest news about Anomali's Security and IT Operations platform,
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Bootkits, Cyberespionage, DDoS, Iran, Ransomware, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
The pro-Russia DDoS project, DDoSia, has seen a massive 2,400% growth in less than a year, with over 10,000 people helping conduct attacks on Western organizations. The project was launched by a pro-Russian hacktivist group known as NoName057(16) in early 2022. The registration of new users is automated thanks to a Telegram bot, and DDoSia payloads are available for Linux, macOS, and Windows. Sekoia researchers decrypted DDoSia C2 traffic to find a large number of targeted countries dominated by Lithuania, Ukraine, Poland, Italy, and Czech Republic. NoName057(16) is very sensitive to news cycles: on 21 June 2023, it DDoSed French transportation targets following the announced delivery of a French air defense system to Kiev. And on June 24, 2023, the actors singled out two Wagner sites just as that private paramilitary group attempted a mutiny in Russia.
Analyst Comment: Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack.
The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6, that were installed on over 200,000 sites. This newly-discovered vulnerability was registered as CVE-2023-3460 and is considered critical (CVSSv3.1 score: 9.8). Wordfence researchers have identified network indicators for the ongoing zero-day exploitation, but do not provide any attribution.
Analyst Comment: Until a security patch for CVE-2023-3460 is developed, site administrators should uninstall the Ultimate Member plugin. Check for new user accounts created with administrator privileges. Check for plugins and themes that may not have been installed previously. All known network indicators associated with this Ultimate Member plugin exploitation campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
Akamai researchers have discovered a proxyjacking campaign that is targeting vulnerable SSH servers, then launching Docker services that share the victims bandwidth for money. This campaign uses a compromised web server to distribute necessary dependencies, actively searches for and removes competing instances, and employs obfuscation techniques to evade detection. The attack chain involves a bash script downloading and executing a curl binary and continuing with an otherwise fileless attack. Proxyjacking is a stealthier alternative to cryptojacking and it can enable cybercriminals to leverage proxies to obfuscate their attack origins.
Analyst Comment: Network defenders should isolate all unusual artifacts, not just those that are considered malicious, to prevent malicious actors from exploiting the system. Check for unwanted proxyjackin by grepping for strings related to companies like Peer2Profit and Honeygain that indiscriminately pay for contributing to proxy networks.
In May 2023, the Iran-sponsored group dubbed Charming Kitten was observed using a new delivery method for its custom POWERSTAR framework. The observed spearphishing attack involved multiple benign email exchanges before delivering a password-protected RAR file containing a malicious LNK file, with the password being provided in a subsequent email. Volexity researchers have also observed Charming Kitten moving their malware distribution to Backblaze B2 buckets, IPFS, and privately hosted infrastructure. The new POWERSTAR version has improved operational security measures and is believed to be supported by a custom server-side component. The POWERSTAR backdoor has received at least four additional modules. It raises the total number of known optional modules to nine, with functionality varying from information gathering to removing forensic artifacts.
Analyst Comment: Defense-in-depth is the best way to ensure safety from advanced government-sponsored groups like Charming Kitten. Defense-in-depth can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. YARA rules and indicators associated with the new POWERSTAR usage are available in the Anomali platform for detection and prevention.
The 8Base ransomware group has been active since March 2022 with a significant spike in activity in June of 2023 making it one of the most prolific ransomware threats, second only to LockBit. VMware researchers have revealed similarities between 8Base and the RansomHouse ransomware group. They have also discovered a second 8Base crypter variant based on Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware. 8Base is targeting smaller businesses with the top five targeted industries being business services, finance, manufacturing, information technology, and health care, in that order.
Analyst Comment: One of the best defenses against Smokeloader is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Indicators associated with the 8Base ransomware are available in the Anomali platform and customers are advised to block these on their infrastructure.
BlackLotus is a sophisticated malware that targets UEFI-booting versions of Windows such as Windows 10 and 11, including virtual machines. BlackLotus starts by acting as a boot software. It exploits a CVE-2022-21894 Secure Boot bypass vulnerability (Baton Drop). In Secure Boot-signed copies of the Windows Boot Manager it truncates the Secure Boot policy values. The vulnerable boot manager versions allow boot to continue. BlackLotus injects a version of shim utilizing its own Machine Owner Key to vouch for signatures on its own malicious binaries. According to the US National Security Agency, the vulnerable boot loaders are not revoked, so attackers can often substitute fully patched boot loaders with vulnerable versions to execute BlackLotus.
Analyst Comment: Patches are available for Windows 8.1, 10, and 11. Network defenders should enable the optional software mitigation from May 2023 Microsoft patches that prevent these rollbacks of the boot manager and kernel versions. After the BlackLotus malicious stack was fully installed it can not be deleted from the infected machine without full system reimagining.
<p id="">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<strong id=""> APT, Backdoors, Bootkits, Cyberespionage, DDoS, Iran, Ransomware, Russia, Spearphishing, and Vulnerabilities</strong>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p><figure class="w-richtext-figure-type-image w-richtext-align-fullwidth" data-rt-align="fullwidth" data-rt-max-width="1751px" data-rt-type="image" id="" style="max-width:1751px"><div id=""><img height="auto" id="" loading="lazy" src="https://cdn.filestackcontent.com/lPUAolXcSNS6chwkCjEU" width="auto"/></div><figcaption id="">Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</figcaption></figure><h2 id="">Trending Cyber News and Threat Intelligence</h2><h3 id=""><a href="https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/" id="" target="_blank">Following NoName057(16) DDoSia Project’s Targets</a></h3><p id="">(published: June 29, 2023)</p><p id="">The pro-Russia DDoS project, DDoSia, has seen a massive 2,400% growth in less than a year, with over 10,000 people helping conduct attacks on Western organizations. The project was launched by a pro-Russian hacktivist group known as NoName057(16) in early 2022. The registration of new users is automated thanks to a Telegram bot, and DDoSia payloads are available for Linux, macOS, and Windows. Sekoia researchers decrypted DDoSia C2 traffic to find a large number of targeted countries dominated by Lithuania, Ukraine, Poland, Italy, and Czech Republic. NoName057(16) is very sensitive to news cycles: on 21 June 2023, it DDoSed French transportation targets following the announced delivery of a French air defense system to Kiev. And on June 24, 2023, the actors singled out two Wagner sites just as that private paramilitary group attempted a mutiny in Russia.</p><p id=""><strong id="">Analyst Comment: </strong>Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9990" id="">[MITRE ATT&CK] T1498 - Network Denial Of Service</a> | <a href="https://ui.threatstream.com/attackpattern/9716" id="">[MITRE ATT&CK] T1573 - Encrypted Channel</a><a href="https://ui.threatstream.com/attackpattern/10173" id=""></a></p><p id=""><strong id="">Tags:</strong> actor:NoName057(16), source-country:Russia, malware:DDoSia, malware-type:DDoS tool, technique:DDoS, target-country:Lithuania, target-country:Ukraine, target-country:Poland, target-country:Italy, target-country:Czechia, target-country:France, abused:AES-GCM</p><h3 id=""><a href="http://tps://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/" id="" target="_blank">PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited</a></h3><p id="">(published: June 29, 2023)</p><p id="">The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6, that were installed on over 200,000 sites. This newly-discovered vulnerability was registered as CVE-2023-3460 and is considered critical (CVSSv3.1 score: 9.8). Wordfence researchers have identified network indicators for the ongoing zero-day exploitation, but do not provide any attribution.</p><p id=""><strong id="">Analyst Comment: </strong>Until a security patch for CVE-2023-3460 is developed, site administrators should uninstall the Ultimate Member plugin. Check for new user accounts created with administrator privileges. Check for plugins and themes that may not have been installed previously. All known network indicators associated with this Ultimate Member plugin exploitation campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10012" id="">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9642" id="">[MITRE ATT&CK] T1136 - Create Account</a></p><p id=""><strong id="">Tags:</strong> target-software:Ultimate Member, vulnerability:CVE-2023-3460, vulnerability-type:Privilege escalation, target-identity:WordPress user</p><h3 id=""><a href="https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle" id="" target="_blank">Proxyjacking: The Latest Cybercriminal Side Hustle</a></h3><p id="">(published: June 29, 2023)</p><p id="">Akamai researchers have discovered a proxyjacking campaign that is targeting vulnerable SSH servers, then launching Docker services that share the victims bandwidth for money. This campaign uses a compromised web server to distribute necessary dependencies, actively searches for and removes competing instances, and employs obfuscation techniques to evade detection. The attack chain involves a bash script downloading and executing a curl binary and continuing with an otherwise fileless attack. Proxyjacking is a stealthier alternative to cryptojacking and it can enable cybercriminals to leverage proxies to obfuscate their attack origins.</p><p id=""><strong id="">Analyst Comment: </strong>Network defenders should isolate all unusual artifacts, not just those that are considered malicious, to prevent malicious actors from exploiting the system. Check for unwanted proxyjackin by grepping for strings related to companies like Peer2Profit and Honeygain that indiscriminately pay for contributing to proxy networks.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10012" id="">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/22938" id="">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/10023" id="">[MITRE ATT&CK] T1496 - Resource Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9628" id="">[MITRE ATT&CK] T1090 - Proxy</a><a href="https://ui.threatstream.com/attackpattern/9916" id=""></a></p><p id=""><strong id="">Tags:</strong> technique:Proxyjacking, technique:Compromised website, technique:Proxy, abused:Peer2Profit, abused:Honeygain, target-system:Web server, target-system:SSH server</p><h3 id=""><a href="https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/" id="" target="_blank">Charming Kitten Updates POWERSTAR with an InterPlanetary Twist</a></h3><p id="">(published: June 28, 2023)</p><p id="">In May 2023, the Iran-sponsored group dubbed Charming Kitten was observed using a new delivery method for its custom POWERSTAR framework. The observed spearphishing attack involved multiple benign email exchanges before delivering a password-protected RAR file containing a malicious LNK file, with the password being provided in a subsequent email. Volexity researchers have also observed Charming Kitten moving their malware distribution to Backblaze B2 buckets, IPFS, and privately hosted infrastructure. The new POWERSTAR version has improved operational security measures and is believed to be supported by a custom server-side component. The POWERSTAR backdoor has received at least four additional modules. It raises the total number of known optional modules to nine, with functionality varying from information gathering to removing forensic artifacts.</p><p id=""><strong id="">Analyst Comment: </strong>Defense-in-depth is the best way to ensure safety from advanced government-sponsored groups like Charming Kitten. Defense-in-depth can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. YARA rules and indicators associated with the new POWERSTAR usage are available in the Anomali platform for detection and prevention.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/10001" id="">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/22938" id="">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" id="">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9671" id="">[MITRE ATT&CK] T1113 - Screen Capture</a></p><p id=""><strong id="">Signatures:</strong> YARA Rules by Volexity: <a href='https://ui.threatstream.com/signature/109283"' id="">apt_win_powerstar_persistence_batch</a> | <a href="https://ui.threatstream.com/signature/109284" id="">apt_win_powerstar_memonly</a> | <a href="https://ui.threatstream.com/signature/109285" id="">apt_win_powerstar_logmessage </a>| <a href="https://ui.threatstream.com/signature/109286" id="">apt_win_powerstar_lnk</a> | <a href="https://ui.threatstream.com/signature/109287" id="">apt_win_powerstar_decrypt_function </a>| <a href="https://ui.threatstream.com/signature/109288" id="">apt_win_powerstar</a></p><p id=""><a href="https://ui.threatstream.com/attackpattern/10105" id=""></a><strong id="">Tags:</strong> actor:Charming Kitten, malware:POWERSTAR, malware-type:Backdoor, source-country:Iran, abused:PowerShell, abused:C#, abused:Backblaze B2, abused:IPFS, file-type:RAR, file-type:LNK, target-system:Windows</p><h3 id=""><a href="https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html" id="" target="_blank">8Base Ransomware: A Heavy Hitting Player</a></h3><p id="">(published: June 28, 2023)</p><p id="">The 8Base ransomware group has been active since March 2022 with a significant spike in activity in June of 2023 making it one of the most prolific ransomware threats, second only to LockBit. VMware researchers have revealed similarities between 8Base and the RansomHouse ransomware group. They have also discovered a second 8Base crypter variant based on Phobos ransomware version 2.9.1 with SmokeLoader for initial obfuscation on ingress, unpacking, and loading of the ransomware. 8Base is targeting smaller businesses with the top five targeted industries being business services, finance, manufacturing, information technology, and health care, in that order.</p><p id=""><strong id="">Analyst Comment: </strong>One of the best defenses against Smokeloader is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Indicators associated with the 8Base ransomware are available in the Anomali platform and customers are advised to block these on their infrastructure.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9933" id="">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9930" id="">[MITRE ATT&CK] T1135 - Network Share Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9719" id="">[MITRE ATT&CK] T1134.001 - Access Token Manipulation: Token Impersonation/Theft</a> | <a href="https://ui.threatstream.com/attackpattern/3713" id="">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9592" id="">[MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/3720" id="">[MITRE ATT&CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/3714" id="">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a></p><p id=""><strong id="">Tags:</strong> actor:8Base, malware:8Base, malware-type:Ransomware, malware:SmokeLoader, malware:Phobos, abused:SystemBC, file-type:8base, file-type:EXE, target-system:Windows</p><h3 id=""><a href="https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF" id="" target="_blank">BlackLotus Mitigation Guide</a></h3><p id="">(published: June 22, 2023)</p><p id="">BlackLotus is a sophisticated malware that targets UEFI-booting versions of Windows such as Windows 10 and 11, including virtual machines. BlackLotus starts by acting as a boot software. It exploits a CVE-2022-21894 Secure Boot bypass vulnerability (Baton Drop). In Secure Boot-signed copies of the Windows Boot Manager it truncates the Secure Boot policy values. The vulnerable boot manager versions allow boot to continue. BlackLotus injects a version of shim utilizing its own Machine Owner Key to vouch for signatures on its own malicious binaries. According to the US National Security Agency, the vulnerable boot loaders are not revoked, so attackers can often substitute fully patched boot loaders with vulnerable versions to execute BlackLotus.</p><p id=""><strong id="">Analyst Comment: </strong>Patches are available for Windows 8.1, 10, and 11. Network defenders should enable the optional software mitigation from May 2023 Microsoft patches that prevent these rollbacks of the boot manager and kernel versions. After the BlackLotus malicious stack was fully installed it can not be deleted from the infected machine without full system reimagining.</p><p id=""><strong id="">MITRE ATT&CK</strong>: <a href="https://ui.threatstream.com/attackpattern/9876" id="">[MITRE ATT&CK] T1542.003 - Pre-OS Boot: Bootkit</a> | <a href="https://ui.threatstream.com/attackpattern/9584" id="">[MITRE ATT&CK] T1553 - Subvert Trust Controls</a></p><p id=""><strong id="">Tags:</strong> malware:BlackLotus, malware-type:Bootkit, vulnerability:CVE-2022-21894, vulnerability:Baton Drop, target-system:UEFI, target-system:VM, target-system:Windows 10, target-system:Windows 10, target-system:Windows</p>
Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox
Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.