The Rise of Multiple Ransomware Attacks

Summary: The FBI has reported a growing trend of threat actors encrypting victims’ files with multiple ransomware variants. According to the FBI, “During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.” These multi-ransomware attacks are launched within a short time of each other and take one of two forms:

  • Layered encryption: Data is encrypted with Ransomware A, and the encrypted data is then re-encrypted with Ransomware B.
  • Side-by-side encryption: Some systems are encrypted with Ransomware A while others are encrypted with Ransomware B. In some cases, both strains append encrypted files with the exact same extension, which can further complicate recovery.

These attacks also coincide with a rise in custom data-theft tools, wiper tools, and other malware used to increase pressure on targets. Deploying multiple ransomware variants lets threat actors extort more money from victims, and the additional custom tools make recovering infected systems more difficult.

Why it matters: Ransomware is one of the more costly attacks an entity can face. The threat has slowly been mitigated through the availability of ransomware decryptors. However, when a second or third layer of encryption is applied, victims need multiple keys to decrypt their files. By using different ransomware variants, particularly in layered encryption, threat actors force victims to spend more time and resources on recovery. To combat this, the FBI recommends maintaining immutable, offline, encrypted backups, monitoring and limiting remote connections and file executions, and implementing recovery plans.
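To make the recovery consequence of layered encryption concrete, here is an added example (not from the FBI notice or from any ransomware family) using a toy authenticated stream cipher built from the Python standard library. Variant A's key and variant B's key are constructed stand-ins; the point it demonstrates is that a doubly encrypted file only comes back when both keys are available and applied in reverse order, and that a decryptor for the outer variant alone still leaves the inner layer in place.

```python
import hashlib
import hmac
import os

# Toy authenticated stream cipher, constructed for this illustration only.
# Keystream blocks: HMAC-SHA256(key, nonce || counter); tag: HMAC-SHA256(key, nonce || ciphertext).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key (or wrong layer) fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or wrong layer order")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def layered_encrypt(keys, data: bytes) -> bytes:
    """Apply each variant's key in turn: variant A first, then variant B over A's output."""
    for key in keys:
        data = encrypt(key, data)
    return data


def layered_recover(keys, blob: bytes) -> bytes:
    """Recovery peels the layers in reverse order: the outermost (latest) key first."""
    for key in reversed(keys):
        blob = decrypt(key, blob)
    return blob


def recovery_outcomes(keys, data: bytes) -> dict:
    """Report which recovery attempts succeed against a doubly encrypted blob."""
    blob = layered_encrypt(keys, data)
    outcomes = {"outer_then_inner": layered_recover(keys, blob) == data}
    try:
        layered_recover(list(reversed(keys)), blob)   # peels with the inner key first
        outcomes["inner_then_outer"] = True
    except ValueError:
        outcomes["inner_then_outer"] = False
    # Having only the outer variant's decryptor strips one layer but leaves the inner one.
    outcomes["outer_key_only"] = decrypt(keys[-1], blob) == data
    return outcomes


if __name__ == "__main__":
    key_a, key_b = os.urandom(32), os.urandom(32)   # constructed stand-ins for two variants' keys
    print(recovery_outcomes([key_a, key_b], b"quarterly-ledger contents"))
```

The authentication tag is what makes the ordering visible: with a plain XOR keystream the layers would commute, but real ransomware output is not a clean XOR of the original, and a decryptor for the wrong layer will produce garbage rather than a usable file. For a recovery plan this means documenting which variant touched which hosts and in which order, which is exactly what an offline, immutable backup lets you sidestep.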

iOS and iPad OS Security Patches

Summary: Apple released new security patches on October 04, 2023 to address CVE-2023-5217 and CVE-2023-42824. The affected devices are:

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Originally detected by Google’s Threat Analysis Group, CVE-2023-5217 is a heap-based buffer overflow in the VP8 compression format handling of libvpx that can lead to arbitrary code execution. The vulnerability is currently being exploited by a security vendor, and an exploit exists in the wild. Apple’s patch updates libvpx to version 1.13.1.

Not much information has been released about CVE-2023-42824, but it is known to allow an attacker to elevate their privileges. The vulnerability had previously been exploited against versions of iOS before 16.6. The new patch adds improved checks to prevent privilege escalation.

Why it matters: Reports indicate that both vulnerabilities are being exploited in the wild by threat actors and a surveillance company. It is currently unknown whether the two patched vulnerabilities are related. However, only recently, on September 21, 2023, Apple addressed three other actively exploited zero-day vulnerabilities attributed to the Israeli spyware vendor Cytrox; those zero-days were used to deliver Predator malware. Given the popularity of iPhones and the growing threats to them, it is important for users to patch their Apple devices as soon as possible to help protect sensitive and personal data.

State-Sponsored WinRAR Attacks

Summary: Google’s Threat Analysis Group reports observing state-sponsored actors from several nations, including Russia and China, exploiting the known vulnerability CVE-2023-38831 in WinRAR, a popular Windows archiving tool. RARLAB, the creator of WinRAR, has released patches for the vulnerability in versions 6.23 and 6.24. Unlike many applications, WinRAR does not update automatically, so the patches must be downloaded and installed manually. This lack of automatic updates has left many users exposed to the exploit.

The vulnerability allows threat actors to execute arbitrary code when a user attempts to open a benign file inside a ZIP archive that also contains a folder with the same name as that file. Because WinRAR processes both entries, it can end up executing malicious code placed inside the folder. Known incidents involving this exploit include decoy documents delivering payloads such as infostealers, reverse shells, and remote access trojans.
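The naming pattern described above (a file entry and a folder entry sharing a name) can be checked for on a mail gateway or file share before an archive ever reaches WinRAR. The following is an added example, not code from RARLAB, Google TAG, or this newsletter; it uses only Python's standard `zipfile` module, builds two constructed archives in memory (one with the collision, one without; the contents are inert placeholders), and reports which top-level files have a same-named folder. Trailing whitespace is stripped before comparing, an assumption made here so that a folder name padded with spaces is still matched to its file.

```python
import io
import zipfile


def find_name_collisions(zip_bytes: bytes) -> list:
    """Return (file_entry, [folder_entries]) pairs where a top-level file shares its
    name with a top-level folder. Trailing whitespace is stripped before comparing,
    so 'report.pdf' and 'report.pdf /' are treated as the same name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    top_level_files = {n.rstrip(): n for n in names if "/" not in n}
    folders = {}
    for n in names:
        if "/" in n:
            top = n.split("/", 1)[0]
            folders.setdefault(top.rstrip(), []).append(n)
    return [(top_level_files[k], sorted(v)) for k, v in folders.items() if k in top_level_files]


def build_suspicious_archive() -> bytes:
    """Constructed sample reproducing only the naming pattern: a 'report.pdf' file
    beside a 'report.pdf ' folder. The contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("report.pdf /report.txt", b"placeholder text")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample with no file/folder name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("images/logo.png", b"placeholder image")
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("suspicious", build_suspicious_archive()), ("clean", build_clean_archive())):
        print(label, find_name_collisions(archive))
```

A hit is a reason to quarantine and inspect, not proof of exploitation; the definitive fix remains installing WinRAR 6.23 or later, since the check only covers ZIP archives and cannot see inside encrypted ones.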

Why it matters: The widespread exploitation of this vulnerability is a reminder for users to update their software, particularly applications without automatic updates. Software updates not only add features but also fix known vulnerabilities; running an outdated version puts the security of the entire system and the information stored on it at risk. Many hacking groups around the world have already been seen using the exploit in the wild, and it is likely that many more are experimenting with it on other targets. To avoid becoming a victim, it is vital to keep all software updated to the latest versions.

Cisco Finds New Zero Day Bug, Pledges Patches in Days

Summary: Two vulnerabilities in Cisco devices have been disclosed in the past few days. The first, tracked as CVE-2023-20198 and reported on October 16, 2023, has already been used to compromise tens of thousands of devices. On October 20, 2023, Cisco announced CVE-2023-20273, stating that IOS XE devices were being targeted with it as part of the same exploit chain by the same threat actors. The first bug is used for initial access and the second to escalate privileges once authenticated.

According to Cisco, threat actors have been exploiting CVE-2023-20198, an authentication bypass zero-day, since September 18, 2023, using it to create the accounts “cisco_tac_admin” and “cisco_support”. With the second exploit, CVE-2023-20273, the actors gain root access to the device and execute arbitrary commands on the system.
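The two account names above are something a defender can look for today in exported running configurations. The following is an added example (not Cisco's own tooling or guidance text) that scans IOS XE-style `username` lines for the reported rogue accounts, flags any other privilege-15 account that is not on a per-organization allowlist, and notes whether the HTTP server feature is enabled, since Cisco's interim guidance was to disable it on internet-facing systems until patches were available. The configuration text and the allowlist are constructed for the example.

```python
import re

# Constructed sample of IOS XE running-config lines (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
"""

# Account names Cisco reported as created by actors exploiting CVE-2023-20198.
KNOWN_ROGUE_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
# Approved privilege-15 accounts; a per-organization allowlist (constructed here).
APPROVED_PRIV15 = {"netops"}

# 'username <name> [privilege <n>] ...'; IOS defaults to privilege 1 when omitted.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")


def audit_config(config_text: str) -> dict:
    """Return rogue accounts, unapproved privileged accounts, and web UI exposure."""
    findings = {"rogue_accounts": [], "unapproved_priv15": [], "webui_enabled": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, priv = m.group(1), int(m.group(2) or 1)
            if user in KNOWN_ROGUE_ACCOUNTS:
                findings["rogue_accounts"].append(user)
            elif priv == 15 and user not in APPROVED_PRIV15:
                findings["unapproved_priv15"].append(user)
        if line in ("ip http server", "ip http secure-server"):
            findings["webui_enabled"] = True
    return findings


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run this over configurations pulled by your existing backup or NetBox/Oxidized-style collection rather than by logging into each device by hand; a positive result for `rogue_accounts` should be treated as a confirmed compromise and handled through incident response, not by simply deleting the user.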

Why it matters: Networking devices running Cisco IOS XE include enterprise switches, access points, wireless controllers, and industrial, aggregation, and branch routers. According to Censys and LeakIX estimates, over 40,000 Cisco devices running the vulnerable IOS XE software have already been compromised by hackers using the two still-unpatched zero-days. It is imperative that businesses and agencies using Cisco devices apply patches as soon as they are available to prevent compromise, since, according to some cybersecurity professionals, many companies’ track record for patching affected hardware is slow or non-existent.

QuasarRAT Uses DLL Side-Loading to Fly Under the Radar

Summary: QuasarRAT is an open-source remote administration tool for Windows that is readily available for download from GitHub. It is intended for everything from day-to-day administrative support to employee monitoring. However, increased use of a technique known as “DLL side-loading” has allowed threat actors to execute their payloads by planting a spoofed DLL with the name that a benign executable is known to look for. In short, a legitimate application such as calc.exe loads a renamed malicious DLL, allowing arbitrary code to run on the system.

Step-by-step breakdown:

  1. Initial contact and execution:
    • The threat actor begins by employing DLL side-loading techniques. Interestingly, they opted for two distinct Microsoft files for their attack: “ctfmon.exe” and “calc.exe.”
    • In the initial phase, the attacker harnesses “ctfmon.exe,” which is an authentic Microsoft file. By doing so, they load a malicious DLL which, to the untrained eye, would seem benign because of its disguised name.
    • Upon execution of the “ctfmon.exe” binary, the stage is set as the attacker acquires a ‘stage 1’ payload. This initial payload is crucial, acting as the gateway for the subsequent malicious actions.
  2. Payload release:
    • This ‘stage 1’ payload plays a dual role. It is responsible for releasing both the legitimate “calc.exe” file and the malevolent DLL into the system.
  3. Second phase of attack:
    • At this juncture, the threat actor brings into play the “calc.exe” file, which in this context, isn’t just a simple calculator application. Alongside “calc.exe,” the malicious DLL is also set into motion.
    • On executing “calc.exe,” the malicious DLL is triggered. This action culminates in the infiltration of the “QuasarRAT” payload into the computer’s memory, reflecting the attacker’s adeptness at circumventing security mechanisms.
  4. Process hollowing:
    • With the “QuasarRAT” payload now residing in the computer’s memory, the payload employs a technique known as ‘process hollowing.’ Here, it embeds itself into a legitimate system process, further camouflaging its malicious intentions and making detection more challenging.
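The chain above has a simple telemetry signature: a Microsoft binary such as ctfmon.exe or calc.exe running from somewhere other than its normal system directory and loading an unsigned DLL from its own folder. The following is an added detection example, not code from the researchers who documented the campaign, that applies that rule to constructed Sysmon-style image-load records (Event ID 7). The DLL names, paths, and field subset are assumptions made for the example; real Sysmon events carry more fields and the signature status as a separate attribute.

```python
import ntpath

# Constructed Sysmon-style image-load records (Event ID 7); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ctfmon.exe",
     "ImageLoaded": r"C:\Windows\System32\helper.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Downloads\ctfmon.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\Downloads\calc.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\helper2.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

# Microsoft binaries named on this page as side-loading hosts, and where they normally live.
WATCHED_HOSTS = {"ctfmon.exe", "calc.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_sideload_candidate(event: dict) -> bool:
    """True when a watched Microsoft binary runs outside a system directory and
    loads an unsigned DLL from the directory it was launched from."""
    image, dll = event["Image"], event["ImageLoaded"]
    if ntpath.basename(image).lower() not in WATCHED_HOSTS:
        return False
    exe_dir = ntpath.dirname(image).lower()
    outside_system_dir = exe_dir not in SYSTEM_DIRS
    same_dir = ntpath.dirname(dll).lower() == exe_dir
    unsigned = event.get("Signed", "").lower() != "true"
    return outside_system_dir and same_dir and unsigned


def find_sideload_candidates(events: list) -> list:
    """Return (image, dll) pairs that match the side-loading heuristic."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for image, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {image} loaded {dll}")
```

The heuristic deliberately ignores the DLL's name, because the attacker chooses it to match whatever the host binary imports; the stable signals are the relocated signed host and the unsigned same-directory DLL. The relocated host alone (without the DLL load) is also worth a lower-severity alert, since the page's chain drops calc.exe into a writable folder before the DLL is ever loaded.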

Why it matters: Given the prevalence of side-loading techniques in malware campaigns, it’s vital to understand their mechanisms to defend against them effectively. Windows users, system administrators, and cybersecurity professionals need to be on high alert. The use of legitimate processes to cloak malicious activities helps attackers bypass traditional security measures. Hence, the need for advanced threat detection and response mechanisms becomes paramount.

Security Tip of the Month – Fake File Names

Summary: A common tactic of malicious actors is to use fake files and fake file names. To hide malicious files, threat actors may replace authentic files with malicious ones bearing the same name and icon. Some malicious files are named after legitimate files such as “dllhost.exe” and “uninstall.exe”, which are common on systems.

Why it matters: Tricking users into clicking files is an easy way to launch malicious files without the users knowing. Most users are not aware that certain files are malicious, especially when the files are named after system files. Three ways to determine whether a file is malicious are:

  • Modern antivirus can automatically detect malicious files. These programs run in the background and help against both known and unknown malware. This approach is generally the easiest, as antivirus can be installed with minimal configuration.
  • Revealing hidden files and extensions. Some malware hides the authentic files it replaces to lessen suspicion. Others use double extensions, for example “example.txt” versus “example.txt.exe”: the former is a standard .txt file while the latter is an executable, as the trailing “.exe” shows. Operating systems such as Windows normally hide file extensions in File Explorer, but both file extensions and hidden files can be shown by changing the View settings of the directory.
  • Checking the file’s hash on VirusTotal to see whether it is known and signed by the expected vendor. A cryptographic hash uniquely identifies a file’s contents, so it can be used both to confirm authenticity and to look up the file’s reputation in a database. This approach is more manual than antivirus but gives a direct verdict on the specific file.
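The second and third checks above can be scripted for a batch of downloaded files. The following is an added example, not code from this newsletter, that flags double extensions ending in an executable type, flags a file named like a system binary that sits outside the directory where the real one lives (dllhost.exe is used because the page names it; uninstall.exe legitimately appears under many product folders, so it gets no location rule), and computes the SHA-256 hash you would submit to a reputation service. The file paths and contents are constructed; the extension list and expected directories are assumptions for the example.

```python
import hashlib
import ntpath

# Extensions that execute when double-clicked on Windows (assumed list for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
# System binary names the page cites as impersonated, mapped to where the real file lives.
# uninstall.exe is deliberately absent: its legitimate location varies by product.
EXPECTED_LOCATIONS = {"dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}


def name_flags(path: str) -> list:
    """Return the naming red flags for one path (empty list means none found)."""
    name = ntpath.basename(path).lower()
    parts = name.split(".")
    flags = []
    # 'example.txt.exe' has three dot-separated parts and an executable final extension.
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        flags.append("double_extension")
    expected_dirs = EXPECTED_LOCATIONS.get(name)
    if expected_dirs is not None and ntpath.dirname(path).lower() not in expected_dirs:
        flags.append("system_name_outside_expected_dir")
    return flags


def sha256_hex(data: bytes) -> str:
    """Hash to look up on VirusTotal or compare against the vendor's published hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: path -> contents. 'MZ placeholder' stands in for a PE binary.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\example.txt": b"just text",
    r"C:\Users\alice\Downloads\example.txt.exe": b"MZ placeholder",
    r"C:\Windows\System32\dllhost.exe": b"MZ placeholder",
    r"C:\Users\Public\dllhost.exe": b"MZ placeholder",
}


def triage(files: dict) -> dict:
    """Per-file naming flags plus the hash to check against a reputation database."""
    return {path: {"flags": name_flags(path), "sha256": sha256_hex(content)}
            for path, content in files.items()}


if __name__ == "__main__":
    for path, result in triage(SAMPLE_FILES).items():
        print(path, result["flags"], result["sha256"][:16])
```

The double-extension rule is a heuristic and will also flag legitimate names such as `setup.v2.exe`; the hash lookup is what settles the question. Note that the two dllhost.exe entries hash identically here only because their constructed contents are identical; on a real system, a matching hash to the genuine System32 copy would clear the file regardless of where it was found.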