Mortal Kombat is the new ransomware on the prowl, and Cisco Talos says it can wipe the victim's data if they fail to pay the demanded ransom on time.

Cisco's security arm says the malware can also steal cryptocurrency, thanks to its Laplas add-on, which replaces a crypto address on the Windows clipboard with one dictated by the threat actor.

MortalKombat belongs to the Xorist commodity ransomware family, malware that has been circulating on the internet since 2016.

Talos researchers say the attackers are focusing mainly on healthcare organizations based in the United States, and have also been seen hitting firms operating in Turkey, the Philippines and the UK.

NOTE 1- Every month about 13-16 ransomware variants are developed by cyber crooks and released into the wild. However, only one makes it to the top of the list, as those developing or spreading it achieve immense success by earning over $10 million or more!

NOTE 2- The FBI released a press update in 2019 urging victims not to pay any ransom to hackers, as doing so not only encourages crime but also does not guarantee a decryption key. Additionally, there is a high probability that the criminals will attack the victim twice or thrice in the same year.

NOTE 3- Automation-driven threat monitoring solutions play a vital role in securing networks from malware attacks. Keeping software updated, fixing vulnerabilities on time, and training staff on the threats lurking in the present cyber landscape help keep file-encrypting malware attacks at bay.


The post Meet the new Mortal Kombat Ransomware appeared first on Cybersecurity Insiders.

Pepsi Bottling Ventures (PBV), a business unit of PepsiCo Beverages, suffered a malware attack leading to disruption of services in 18 of its bottling facilities spread across Maryland, Delaware, Virginia, and South and North Carolina.

Unconfirmed sources state that the attack was caused by malware leading to data siphoning and encryption, hinting that the attack was a ransomware variant.

In a press statement to Montana's Attorney General Office, the company stated that the incident occurred on December 23rd of last year and was identified on January 10th, 2023, 18 days after it occurred.

Cybersecurity Insiders learnt that the beverage manufacturing firm lost details such as employees' full names, home addresses, financial information, state and federal government IDs and cards, social security numbers and passport information, along with digital signatures and employee-related health insurance details and medical history.

The company is busy reviewing the incident, and news is out that all recipients of the breach notice will be offered a free identity monitoring service through Kroll.

In the meantime, NATO websites were also targeted in an attack, states German news agency dpa, which coincided with the digital invasion of Pepsi Cola Beverages. Suspicion is pointing towards the Russian hacker gang Killnet, as the alliance is strictly against Putin's decision to wage war on Ukraine. The website belonging to NATO Special Operations Headquarters (NSHQ) is unavailable, and the incident is yet to be made public on an official note.


The post Pepsi suffers a ransomware attack appeared first on Cybersecurity Insiders.

For the first time in the history of law, 7 cyber criminals, apparently linked to Russian intelligence, were slapped with sanctions. Additionally, their real-world names, email addresses, photos and dates of birth were also released to the press to tarnish their image internationally, thus making them eligible for travel bans in all developed nations.

The names of the 7 gang members are Dmitry Pleshevskiy, Ivan Vakhromeyev, Valery Sedletski, Micheal Iskritskiy, Valentin Karyagin, Maksim Mikhailov, and Vitaly Kovalev. The identified members are linked to the Trickbot malware-spreading gang and the Conti ransomware group, both being funded by the Kremlin.

UK's National Cyber Security Centre (NCSC), along with the US Treasury Department, has issued a warning that any national, group or business of any country supporting the identified men will be eligible for serious prosecution and harsh consequences if found guilty.

Cybersecurity Insiders has learnt that the sanctioned members were caught with evidence of spreading malware, developing ransomware, laundering finances, infiltrating corporate networks with malicious code and then stealing intelligence.

The US District Court of New Jersey also pronounced that Vitaliy Kovalev was indicted for committing wire fraud and siphoning currency and data from 4 US financial institutions between 2009 and 2010.

So, all you criminals out there in cyberspace, you had better mend your ways or be prepared to face harsh consequences from law enforcement around the world, as the coming days are going to make it tough to conduct crime and make monetary gains.

NOTE- Google-owned security firm Mandiant was the first to track down the criminals and their activities, and based on its tip-off, the governments led by Rishi Sunak and Biden issued sanctions on the 7 ransomware-spreading criminals linked to the Putin-led nation.


The post US and UK governments issue sanctions on 7 Russians spreading ransomware appeared first on Cybersecurity Insiders.

Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.

Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.

A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.

A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.

BOTNET, THE MOVIE

In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.

Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.

Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on summer travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.

Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.

Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.

TREASON

But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.

Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].

Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22 year prison sentence; Stoyanov was sentenced to 14 years in prison.

In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.

A WELL-OILED CYBERCRIME MACHINE

Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than USD $100 million from its hacking victims; Chainalysis estimates Ryuk extorted more than USD $150 million from its ransomware victims.

The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”

“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.

This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).

Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.

In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.

CrowdStrike’s Meyers said while Wizard Spider operations have significantly reduced following the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions — which make it illegal to transact with or hold the assets of sanctioned persons or entities.

“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.

The prosecution of Kovalev and six other men named in today’s sanctions is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).

Nearly 19,000 ESXi Servers Still Vulnerable to CVE-2021-21974

Last week, multiple organizations issued warnings that a ransomware campaign dubbed “ESXiArgs” was targeting VMware ESXi servers by leveraging CVE-2021-21974—a nearly two-year-old heap overflow vulnerability. Two years. And yet, Rapid7 research has found that a significant number of ESXi servers likely remain vulnerable. We believe, with high confidence, that there are at least 18,581 vulnerable internet-facing ESXi servers at the time of this writing.

That 18,581 number is based on Project Sonar telemetry. We leverage the TLS certificate Recog signature to determine that a particular server is a legitimate ESXi server. Then, after removing likely honeypots from the results, we checked the build ids of the scanned servers against a list of vulnerable build ids.

Project Sonar is a Rapid7 research effort aimed at improving security through the active analysis of public networks. As part of the project, we conduct internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities.

We have also observed additional incidents targeting ESXi servers, unrelated to the ESXiArgs campaign, that may also leverage CVE-2021-21974. RansomExx2, a relatively new strain of ransomware written in Rust and targeting Linux, has been observed exploiting vulnerable ESXi servers. According to a recent IBM Security X-Force report, ransomware written in Rust has lower antivirus detection rates compared to ransomware written in more common languages.

CISA issues fix, sort of

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a ransomware decryptor to help victims recover from ESXiArgs attacks. However, it's important to note the script is not a cure all and requires additional tools for a full recovery. Moreover, reporting suggests that the threat actor behind the campaign has modified their attack to mitigate the decryptor.

The script works by allowing users to unregister virtual machines that have been encrypted by the ransomware and re-register them with a new configuration file. However, you still need to have a backup of the encrypted parts of the VM to make a full restore.

The main benefit of the decryptor script is that it enables users to bring virtual machines back to a working state while data restore from backup occurs in the background. This is particularly useful for users of traditional backup tools without virtualization-based disaster recovery capabilities.

Rapid7 recommends

Deny access to servers. Unless a service absolutely needs to be on the internet, do not expose it to the internet. Some victims of these attacks had these servers exposed to the open internet, but could have gotten just as much business value out of them by restricting access to allowlisted IP addresses. If you are running an ESXi server, or any server, default to denying access to that server except from trusted IP space.

Patch vulnerable ESXi Servers. VMware issued a patch for CVE-2021-21974 nearly two years ago. If you have unpatched ESXi servers in your environment, click on that link and patch them now.

Develop and adhere to a patching strategy. Patching undoubtedly has challenges. However, this event illustrates perfectly why it’s essential to have a patching strategy in place and stick to it.

Back up virtual machines. Make sure you have a backup solution in place, even for virtual machines. As noted above, the decryptor script issued by CISA is only a partial fix. The only way to completely recover from attacks associated with CVE-2021-21974 is via operational backups. There are a wide variety of backup solutions available to protect virtual machines today.

Drew Burton contributed to this article.

Evasion Techniques Uncovered: An Analysis of APT Methods

By Christiaan Beek, with special thanks to Matt Green

DLL search order hijacking is a technique used by attackers to elevate privileges on the compromised system, evade restrictions, and/or establish persistence on the system. The Windows operating system uses a common method to look for required dynamic link libraries (DLLs) to load into a program. Attackers can hijack this search order to get their malicious payload executed.

DLL sideloading is similar to the above mentioned technique; however, instead of manipulating the search order, attackers place their payload alongside the victim’s application or a trusted third-party application. Abusing trusted applications to load their payload may bypass restrictions and evade endpoint security detections since they are loaded into a trusted process.

Attribution remains a topic of significant subjectivity, especially when attempting to connect an attack to a nation state. A common approach in determining the source has been to evaluate the techniques used by the perpetrator(s). DLL search order hijacking (T1574.001) and DLL sideloading (T1574.002) are common approaches used by nation state sponsored attackers.
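The search order described above can be modelled from the defender's side: given an inventory of files on a host, work out where a trusted binary would load each imported DLL from, and flag any load that comes from outside the system directory while a same-named system copy exists. The following is an added example, not code from the original article; the binary, DLL names, directory paths and file inventory are constructed, and KnownDLLs, manifests and API-set redirection are ignored for clarity.

```python
"""
Added example, not code from the original article: a simplified model of
the Windows DLL search order (SafeDllSearchMode enabled) used to spot
where DLL search order hijacking (T1574.001) could succeed on a host.
The file inventory, binary, DLL names and directory paths are constructed.
"""
from pathlib import PureWindowsPath

# Assumed standard locations for the example host.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"


def search_order(app_dir, cwd, path_dirs):
    """Directories Windows consults, in order, with SafeDllSearchMode on:
    application dir, system dir, 16-bit system dir, Windows dir, the
    current directory, then each PATH entry."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd, *path_dirs]


def _norm(p):
    """Case-insensitive comparison key for Windows paths."""
    return str(PureWindowsPath(p)).lower()


def resolve_dll(dll_name, app_dir, cwd, path_dirs, existing_files):
    """Return the path the loader would pick for dll_name, or None."""
    inventory = {_norm(p) for p in existing_files}
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = PureWindowsPath(directory) / dll_name
        if _norm(candidate) in inventory:
            return str(candidate)
    return None


def hijack_findings(exe_path, imported_dlls, cwd, path_dirs, existing_files):
    """For each import, flag a load that does not come from System32 while
    a System32 copy exists: the classic search order hijack signature."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    inventory = {_norm(p) for p in existing_files}
    findings = []
    for name in imported_dlls:
        chosen = resolve_dll(name, app_dir, cwd, path_dirs, existing_files)
        system_copy = PureWindowsPath(SYSTEM_DIR) / name
        if chosen is None or _norm(chosen) == _norm(system_copy):
            continue
        if _norm(system_copy) in inventory:
            findings.append({"dll": name, "loaded_from": chosen,
                             "shadows": str(system_copy)})
    return findings


# Constructed inventory: a signed binary dropped into a user directory next
# to a DLL that shares its name with a legitimate System32 library.
SAMPLE_FILES = [
    r"C:\Users\alice\Downloads\update\trusted.exe",
    r"C:\Users\alice\Downloads\update\example.dll",
    r"C:\Windows\System32\example.dll",
    r"C:\Windows\System32\kernel32.dll",
]


def sample_findings():
    """Run the check against the constructed inventory above."""
    return hijack_findings(
        exe_path=r"C:\Users\alice\Downloads\update\trusted.exe",
        imported_dlls=["example.dll", "kernel32.dll"],
        cwd=r"C:\Users\alice",
        path_dirs=[r"C:\Windows\System32", r"C:\Windows"],
        existing_files=SAMPLE_FILES,
    )


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['dll']} loads from {f['loaded_from']} (shadows {f['shadows']})")
```

In the constructed inventory only example.dll is flagged: the application directory is searched first, so the copy beside trusted.exe wins over the System32 copy, which is exactly the condition a hunt for this technique looks for. A real inventory would come from a file listing or an EDR query, and the imported DLL names from the binary's import table.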

PlugX

The PlugX malware family, which has been around for more than a decade, is famous for using both techniques to bypass endpoint security and inject itself into trusted third party applications. PlugX is a remote access trojan with modular plugins. It is frequently updated with new functionalities and plugins.

[Figure: Example of PlugX builder]

[Figure: Example of modules in the code]

In recent years, MITRE ATT&CK, CISA, and others have associated the PlugX family with various Chinese actors. Builders of the PlugX malware have been leaked to the public and can be used by other actors having access to the builders.

In January 2023, we observed activity from a China-based group called Mustang Panda using PlugX in one of their campaigns. In this particular case, they used a virtual hard disk (VHD) file to hide the malicious files from antivirus detection. The VHD, which automatically mounted when opened, contained a single archive file (RAR) that extracted the typical three files associated with PlugX:

  1. Trusted binary (executable .exe)
  2. Hijacked driver (DLL file)
  3. Encrypted payload file (often a DAT file)

The trusted binary ranged from compromised AV vendor files to operating system files and third-party vendor files. These files are signed and therefore, most of the time, trusted by endpoint technology.

This approach is known as a Mark-of-the-Web (MOTW) bypass (T1553.005). In short, container files that are downloaded from the Internet are marked with the MOTW, but the files within do not inherit the MOTW after the container files are extracted and/or mounted. Files that carry the MOTW and are not trusted are blocked from executing; files that have lost it are not.

While we observed Mustang Panda using a VHD file to hide malicious files, it is worth noting that ISO files may also be used, as they are also automatically mounted.

Hunting with Velociraptor

Since PlugX injects itself into a trusted process, abusing a trusted executable, this threat is often detected only when the outgoing Command & Control (C2) traffic is discovered, usually by accident or because someone flagged the IP address as malicious. One classic mistake I've observed over the years is that when companies see in their AV logs that malware has been removed, they often don't look further into what type of malware it is, its capabilities, and whether it is nation-state related or cybercrime related. However, the appropriate incident response handling differs in approach for each.

Many nation-state actors want long-term persistence in a network and have established ways of staying inside, even if a few of their open doors are closed (think of valid accounts added, webshells, other backdoors, etc.). A dead C2 server can indicate this, as the actor may have used it only as a first entry into the network.

For example, we recently observed what appeared to be an incident where some suspicious password dumping tools were discovered. Although the security team removed the tools, they seemed to come back into the network.

After meeting with the team and reviewing some of the logs of the incidents, it was time to grab one of my favorite (and free) tools: Velociraptor. Velociraptor is Rapid7’s advanced open-source endpoint monitoring, digital forensic and cyber response platform. It enables users to effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.

With a ton of forensic options and hunting possibilities, the first thing was to acquire live collections of data to investigate.

After investigating the initial memory dumps, remnants were discovered where a process was talking to an outside IP address. The process itself was using a DLL that was not located in a standard location on disk. After retrieving the folder from the victim’s machine and reversing the process, it became clear: PlugX was discovered.

There are several ways Velociraptor can be used to hunt for DLL search order hijacking or sideloading. In this particular case, we’ll discuss the approach for PlugX malware.

We could hunt for:

  • Process / Mutex
  • Lnk Files
  • Disk
  • Memory
  • Network traffic / C2 URL/IP-address

Using the YARA toolset, we created rules for malicious or suspicious binaries and/or memory patterns. Velociraptor can use these rules to scan bulk data, process memory or raw memory using the ‘yara()’ or ‘proc_yara()’ plugins.

Based on recent PlugX samples (end of 2022, beginning of 2023), we created the following rule (which can be downloaded from my Github page):

[Figure: YARA rule for the PlugX DLL component]

Using this rule, which is based on code patterns from the DLL component used in PlugX, Velociraptor will hunt for these DLL files and detect them. Once detected, you can look at the systems impacted, make a memory-dump, process dumps, etc., and investigate the system for suspicious activity. The directory where the DLL is stored will most likely also have the payload and trusted binary included, all written to disk at the same time.
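The observation above, that the hijacked DLL, the trusted binary and the payload are usually written to the same directory at the same time, can be turned into a simple filesystem hunt that complements the YARA rule. The following is an added example, not code from the original article or from Velociraptor: it walks a directory tree and reports any directory holding an .exe, a .dll and a .dat whose modification times fall within a short window. The sample tree is constructed inline with placeholder contents, and the 120-second skew threshold is an assumption.

```python
"""
Added example, not code from the original article or from Velociraptor:
a heuristic hunt for the three-file PlugX drop layout (trusted .exe,
hijacked .dll, encrypted .dat payload, all written together).  The
sample directory tree is constructed inline; the skew threshold is an
assumption.  This does not inspect the DLL's code as the YARA rule does.
"""
import os
import tempfile
import time
from pathlib import Path

TRIAD_EXTENSIONS = {".exe", ".dll", ".dat"}


def find_plugx_triads(root, max_skew_seconds=120):
    """Return directories under root that hold at least one file of each
    triad extension whose modification times fall within max_skew_seconds
    of one another.  Results are sorted for stable output."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_ext = {}
        for name in filenames:
            ext = Path(name).suffix.lower()
            if ext in TRIAD_EXTENSIONS:
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                by_ext.setdefault(ext, []).append(mtime)
        if not TRIAD_EXTENSIONS.issubset(by_ext):
            continue
        # Use the earliest write of each type: a drop is a single burst.
        times = [min(v) for v in by_ext.values()]
        if max(times) - min(times) <= max_skew_seconds:
            hits.append(dirpath)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout: one directory mimicking a PlugX drop (all three
    files written within seconds) and one benign application directory
    whose files were written a month apart.  Contents are placeholders."""
    now = time.time()
    drop = Path(base) / "Users" / "alice" / "Downloads" / "update"
    benign = Path(base) / "Program Files" / "SomeApp"
    for d in (drop, benign):
        d.mkdir(parents=True, exist_ok=True)
    month = 30 * 86400
    layout = {
        drop: [("trusted.exe", now), ("trusted.dll", now + 1), ("trusted.dat", now + 2)],
        benign: [("app.exe", now - month), ("helper.dll", now - month), ("config.dat", now)],
    }
    for d, entries in layout.items():
        for name, mtime in entries:
            p = d / name
            p.write_bytes(b"placeholder")
            os.utime(p, (mtime, mtime))
    return str(drop), str(benign)


def demo():
    """Build the sample tree in a temp dir and return hits relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_plugx_triads(tmp)
        return [Path(os.path.relpath(h, tmp)).as_posix() for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("possible PlugX triad in", hit)
```

Only the constructed drop directory is reported; the benign directory also holds all three extensions but its files were not written as a burst. In practice this is a triage filter: every hit still needs the DLL checked against the YARA rule or hijacklibs-style indicators, and the directory pulled for analysis as the article describes.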

Recently my colleague Matt Green released a repository on Github called DetectRaptor to share publicly available Velociraptor detection content. It provides you with easy-to-consume detection content to hunt for suspicious activity. One of the libraries Matt is importing is from https://hijacklibs.net/, a list of files and locations that are indicators of DLL hijacking (including PlugX). If you look at the non-Microsoft entries in the ‘hijacklibs.csv’, several instances are related to PlugX incidents reported by multiple vendors.

After importing the content, Velociraptor can start hunting and detecting possible signs of DLL hijacking and, for example, PlugX.

Happy Hunting!

A global ransomware campaign has reportedly targeted over 3800 organizations so far, including the Florida Supreme Court and universities operating in the United States and Central Europe. Analysis conducted by Ransomwhere, a digital platform that keeps tabs on international cyber attacks, says that the number of victims might increase as time unfolds, as the digital invasion seems to be the work of a threat group funded by Russia.

Although investigations revealed the attack is not very sophisticated, it is surprising security analysts across the globe because of the speed at which it is spreading.

None of the victims among the 12 affected universities, including Rice University in Houston and the Georgia Institute of Technology in the United States and a few educational institutions from Hungary and Slovakia, have revealed details of the impact on their operations.

The incident took place just after the revelation of ransomware attacks on VMware ESXi servers via a two-year-old exploit.

In another revelation, air-conditioning giant Bluestar's technical teams have provided an update that all of their systems were restored and data recovered after a ransomware gang targeted their IT infrastructure last week.

It is unclear who exactly targeted the firm with the malware. However, confirmed sources state that the attack was a file-encrypting malware variant and that the firm did not bow down to the hackers' demands, as it had an efficient business continuity plan in place.

NOTE- In 2019, the FBI urged all companies operating in America and abroad not to entertain those spreading ransomware by paying them the demanded sum, as doing so not only encourages crime but also does not guarantee a decryption key in exchange for the ransom. There is a 90% probability that the hackers will target the same victim twice or thrice in a year, as they thereafter perceive their victims as soft targets and money-minting machines.


The post Global Ransomware attack downs Florida Supreme Court and European Universities appeared first on Cybersecurity Insiders.