Avertium's End of the Year Recap - 2023

executive summary

In the dynamic landscape of cybersecurity, the year 2023 has brought forth noteworthy security incidents, introducing new and complex threats that have impacted various organizations. Play ransomware and RansomHouse have taken center stage this year, each using strategies that have kept security professionals on high alert.

Emerging in June 2022, Play ransomware has impacted organizations worldwide, using big game hunting tactics and tools like Cobalt Strike and SystemBC RAT. RansomHouse has targeted entities such as the Saskatchewan Liquor and Gaming Authority, multinational corporations like Advanced Micro Devices (AMD), and the healthcare giant Keralty. The group's unconventional approach has disrupted operations and left a financial impact on its victims.

Alongside significant threat actors, this year witnessed the exploitation of notable vulnerabilities. In the third quarter, the ransomware gang Cl0p exploited Progress Software's MOVEit file transfer vulnerabilities. Before this, they also targeted PaperCut servers, alongside LockBit. Also, let's not overlook the numerous zero-day vulnerabilities and discussions about the future of generative Artificial Intelligence (AI). Let’s explore this year's most discussed cyber threats and anticipate what organizations can expect in 2024.

THE THREAT ACTORS

PLAY RANSOMWARE

Play ransomware, also known as PlayCrypt, made its debut in June 2022, swiftly impacting organizations worldwide. With a primary focus on Latin America, especially Brazil, Play has demonstrated big game hunting tactics, utilizing tools like Cobalt Strike and SystemBC RAT for persistence. Notably, their recent exploitation of ProxyNotShell vulnerabilities in Microsoft Exchange has added to their arsenal. Researchers suspect a connection between Play and the ransomware groups Hive and Nokoyawa, pointing to shared tactics and techniques.

Notable Incidents & Tactics

Play gained attention after victims reported attacks on Bleeping Computer forums, with targets including Argentina’s Judiciary of Cordoba. The attack forced the Judiciary to shut down IT systems, signaling the severity of Play's impact. The ransomware, identified by the .play extension and a simplistic note, shows an unusual level of simplicity. Furthermore, Play has been observed leveraging ProxyNotShell vulnerabilities, demonstrating a high degree of sophistication in their tactics. The threat actor's connections to Hive, Nokoyawa, and even Quantum ransomware suggest a complex web of affiliations.

RANSOMHOUSE

RansomHouse, emerging in December 2021, stands out as a unique threat in the cybercrime landscape. Despite its name, it strays from typical ransomware operations, operating as a data-extortion group. Instead of encrypting systems, RansomHouse focuses on breaching networks through vulnerabilities, opting to request payment for stolen data rather than deploying traditional ransomware tactics.

Noteworthy Incidents and Defense Strategies

RansomHouse's targets range from the Saskatchewan Liquor and Gaming Authority to global entities like Advanced Micro Devices (AMD), Keralty, and even the government of Vanuatu. The group distinguishes itself by avoiding encryption, choosing a manual, one-victim-at-a-time approach. Public shaming is a key tactic; if a victim refuses to pay, RansomHouse publishes a portion of their data, aiming to tarnish the organization's reputation. Interestingly, RansomHouse criticizes poor security practices, as seen in their attack on AMD, suggesting a potential connection to disgruntled white-hat hackers. Negotiations with victims involve providing breach reports and promising data deletion.

WHAT DO PLAY AND RANSOMHOUSE HAVE IN COMMON?

• Use of Extortion: Both Play ransomware and RansomHouse leverage extortion tactics. Play ransomware encrypts files and demands a ransom for decryption, while RansomHouse focuses on data exfiltration and demands payment for the stolen data.
• Public Shaming: Both groups resort to public shaming as part of their tactics. Play ransomware publishes victims' names on their extortion site, and RansomHouse threatens to publish a portion of the victim's data on their site if the ransom is not paid.
• Connection to Other Groups: Play ransomware is believed to have similar tactics and techniques to other ransomware groups, such as Hive and Nokoyawa. RansomHouse has been compared to the data extortion group Lapsus$ and may be operated by individuals associated with White Rabbit.

QAKBOT

In February 2023, Avertium published a Qakbot case study highlighting their QakNote campaign. The campaign case, like in other cases, began when a malicious email with a OneNote attachment was sent to a client’s administrative assistant. The assistant double-clicked on the OneNote attachment as instructed, which looked like it contained information about a meeting cancellation, but the attachment was actually laced with malware.

Qakbot was successful with attacks until the summer of 2023 when they faced disruption through the "Duck Hunt" operation led by the US Department of Justice. Despite the successful seizure of 52 servers and the removal of the malware loader from over 700,000 victim computers globally, the cybercriminals behind Qakbot have launched a new campaign targeting the hospitality sector.

Qakbot Resurfaces

Unfortunately, in December 2023, Qakbot resurfaced. Microsoft's threat analysts identified this resurgence on December 11, with a phishing email masquerading as an IRS employee and containing a PDF named GuestListVegas.pdf. The PDF contained a URL leading to the download of a digitally signed Windows Installer (.msi), executing the Qakbot malware. This resurgence is particularly alarming due to phishing being an easy attack vector.

Despite a recent disruption by the US Department of Justice, the cybercriminals behind Qakbot have quickly launched a new phishing campaign, demonstrating their determination and agility in evading previous takedowns. Qakbot is often disseminated through phishing, utilizing tactics like malicious emails from new or hijacked addresses, with the reuse of existing email conversations being particularly effective, as it appears trustworthy. It is important for organizations to remain vigilant, providing their employees with the proper training to quickly spot and thwart a phishing attempt.

WINTER VIVERN

In addition to Qakbot resurfacing, Winter Vivern also resurfaced in 2023. In late February 2023, cybersecurity intelligence firms Recorded Future and Google’s TAG issued warnings about Russia's plans to escalate cyber attacks against Ukraine. Google’s TAG team expressed high confidence that Moscow would intensify disruptive and destructive attacks in 2023, particularly if the military situation significantly favors Ukraine. Predictions suggested that Russian hacktivists might support military efforts through cyber warfare, targeting regions in Ukraine not overtaken by physical force and potentially extending attacks to NATO countries.

Winter Vivern Exploits Zimbra Vulnerability

This year, the Russian APT Winter Vivern, also known as TA473 and UAC-0114, exploited a Zimbra software vulnerability (CVE-2022-27926) in an ongoing cyber espionage campaign. The medium-severity vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript or HTML code. Exploiting this flaw involves using tools like Acunetix to identify unpatched webmail portals, particularly in specific organizations, for the purpose of sending phishing emails impersonating government entities.

Linked to the goals of the Belarusian and Russian governments, Winter Vivern, recognized for phishing campaigns using replicated official documents, targeted state authorities in Ukraine and Poland, along with officials in India, Lithuania, the U.S., Slovakia, and the Vatican.

Winter Vivern may use simple tactics, but their powerful tools and ability to stay hidden make them a serious threat.

MIRAI BOTNET

Mirai, an IoT-targeting malware botnet, was known to exploit vulnerabilities in devices running a simplified Linux version on ARC processors. It reached its peak in 2016, infecting over 600,000 devices like home routers and surveillance cameras. Acting as a self-propagating worm, Mirai used default credentials and a brute-force approach, demonstrating its potency with powerful distributed denial-of-service (DDoS) attacks. Despite the FBI's arrest of its creators in 2019, Mirai's open-source code allowed the development of new threats.

Mirai Returns as HinataBot

In March 2023, HinataBot, a Golang-based malware, surfaced as a successor to Mirai. Believed to be created by former Mirai hackers, HinataBot exploits vulnerabilities, spreads through various techniques, and surpasses Mirai's potency. Written in Golang, it exhibits advanced features, making it challenging to analyze. This choice of language showcases how threat actors are adopting new approaches to writing malware, taking advantage of Golang's performance, multi-threading capabilities, cross-compilation support, and the ability to add complexity during compilation.

HinataBot's power is considered to eventually surpass Mirai's. In a brief trial attack, researchers found that with only 1,000 nodes, HinataBot could generate UDP flood traffic at approximately 336 Gbps per second, showcasing its potential for intense attacks. It is important to maintain password policies, timely patching, and vigilance in monitoring and securing IoT devices, given that such devices remain attractive targets for botnets and DDoS attacks.

What Do These Botnets Have in Common?

• Targeted Devices: Both botnets target IoT devices. Mirai specifically scans for IoT devices running a simplified version of Linux on ARC processors, such as home routers, surveillance cameras, and air-quality control monitors. HinataBot, created by former Mirai hackers, also targets routers and servers.
• Propagation Technique: Both Mirai and HinataBot spread by exploiting vulnerabilities in IoT devices, including the use of default usernames and passwords. They use techniques like brute-force attacks to gain unauthorized access.

ENCRYPTION VS. EXFILTRATION - 8BASE, BIANLIAN, & KARAKURT

In 2023, ransomware groups strategically shifted away from traditional encryption-focused attacks, opting for data extortion tactics instead. This evolution is a significant threat as threat actors now exfiltrate sensitive information before encrypting it, leveraging the fear of data exposure to pressure victims. While the demand for ransom still exists, the primary focus has moved from locking access to data to threatening its exposure, representing a departure from previous approaches.

Data Extortion

Several ransomware groups, such as 8Base, BianLian, Karakurt, and Cl0p, have embraced data extortion strategies. These groups target various sectors, compromising organizations' networks, stealing valuable data, and threatening to expose or sell it unless a ransom is paid.

In December 2023, 8Base targeted four new victims, expanding its data-extortion cybercrime operations to include three American companies – Davis, Cedillo & Mendoza, Inc. (specializing in business litigation), Employ Milwaukee (involved in workforce development), and Horizon Spa & Pool Parts (pool and spa components distribution) – along with Canadian firm Socadis (book industry). 8Base strategically attacked the backend, containing critical information such as databases and server details.

The shift from encryption to data extortion is attributed to increased profitability, enhanced leverage over victims, reduced technical barriers, a broader range of potential targets, easier monetization, and heightened fear among victims - making it a psychologically effective tactic for ensuring compliance.

What Do These Groups Have in Common?

• Shift Toward Data Extortion: All three groups, 8Base, BianLian, and Karakurt, have shifted their focus from traditional encryption-based ransomware attacks to data extortion. They are involved in stealing sensitive information from victims instead of merely encrypting data and then demanding a ransom for decryption keys.
• Double-Extortion Strategy: Some of these groups, like 8Base, employ a double-extortion strategy. This means that, in addition to demanding payment for the decryption key, they also demand assurance that the stolen data won't be exposed. This strategy aims to maximize their chances of receiving a ransom payment.
• Targeting a Range of Sectors: The groups target a diverse range of sectors and entities. For example, 8Base targeted the Canadian provincial government entity (Alberta Dental Service Corp.), BianLian targeted one of the world's oldest and largest charities (Save the Children), and Karakurt targeted the healthcare sector (McAlester Regional Health Center).
• Evading Detection: Some of these groups, like 8Base, have managed to evade detection for extended periods before resurfacing with an alarming surge in operations.

the vulnerabilities

PAPERCUT & MOVEIT

In April 2023, threat actors exploited two vulnerabilities, CVE-2023-27350 and CVE-2023-27351, in the widely used PaperCut print management software. Despite PaperCut issuing patches, some organizations failed to upgrade, which made them vulnerable to attacks. Cl0p and LockBit, known for swift exploitation, targeted these vulnerabilities. Meanwhile, the Iranian APT MuddyWater and later the Bl00dy ransomware group also exploited the same weaknesses. The attackers gained unauthorized access, exfiltrated sensitive data, and, in some cases, deployed ransomware.

PaperCut's first vulnerability, CVE-2023-27350, with a critical CVSS score, allowed unauthenticated attackers to execute Remote Code Execution (RCE) on PaperCut Application Servers. The second, CVE-2023-27351, allowed for unauthenticated information disclosure. Exploiting these, Cl0p and LockBit used Atera and Syncro as backdoors, deploying TrueBot downloader linked to Silence cybercrime group. The Bl00dy ransomware group exploited the vulnerabilities in the Education Facilities Subsector, bypassing user authentication and executing remote commands, leading to data exfiltration and encryption.

In June 2023, the MOVEit file transfer software faced more zero-days (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708), targeted by Cl0p ransomware. Progress Software's patches couldn't prevent immediate exploitation. The class-action lawsuit against Progress Software highlighted the company’s alleged negligence. The fallout impacted organizations globally, including the New York City Department of Education, Schneider Electric, Siemens Energy, and UCLA. The MOVEit attacks continued to unfold for months after initial exploitation.

What Do These Vulnerabilities Have in Common?

• File Manipulation and Transfer Services: Both MOVEit and PaperCut are software solutions that provide file manipulation and transfer services. MOVEit is a managed file transfer (MFT) solution, while PaperCut is a print management and document processing software. These functionalities involve handling sensitive data and require robust security measures.
• Remote Code Execution (RCE): Both vulnerabilities allowed for remote code execution (RCE), allowing attackers to execute arbitrary code on the affected systems. RCE vulnerabilities are particularly dangerous as they can lead to complete compromise of targeted systems.
• Wide Impact: The vulnerabilities had the potential for a wide impact. MOVEit, being an MFT solution, handles the secure transfer of files for various organizations. PaperCut, as a print management system, is widely used in educational and business environments. Exploitation of vulnerabilities in such widely deployed systems could affect a large number of users and organizations.

MICROSOFT'S VULNERABILITIES / ZERO-DAYS

In 2023, Microsoft faced an onslaught of vulnerabilities, with attackers consistently targeting its products. During Microsoft's August 2023 Patch Tuesday, the company addressed two zero-day vulnerabilities, CVE-2023-36884 and CVE-2023-38180. Both were exploited in cyberattacks, and one, CVE-2023-36884, allowed attackers to craft Microsoft Office documents to bypass security features, allowing remote code execution. The Russian threat actor Storm-0978, now rebranded as 'Underground,' actively exploited this vulnerability, continuing its ransomware operations.

Another actively exploited vulnerability, CVE-2023-38180, potentially leading to Distributed Denial of Service (DDoS) attacks on .NET applications and Visual Studio, was also patched. This vulnerability does not require the attacker to have acquired user privileges on the target system, posing a significant threat within the same network.

In a separate security update, Microsoft addressed high severity and critical vulnerabilities, including CVE-2023-29357, CVE-2023-32014, and CVE-2023-32015, affecting Windows Pragmatic General Multicast (PGM) and Microsoft SharePoint Server. While unexploited, these vulnerabilities, with a CVSS score of 9.8, were still a significant risk.

Additionally, a severe remote code execution vulnerability (CVE-2023-21716) in Microsoft Word, allowed attackers to execute code via specially crafted RTF documents. A public proof-of-concept (PoC) exploit heightened the urgency for organizations to patch immediately.

The challenges continued in December 2023, as Microsoft patched three zero-day vulnerabilities (CVE-2023-21715, CVE-2023-21823, and CVE-2023-23376) being actively exploited. CVE-2023-21715 involved a Microsoft Publisher Security Feature bypass, allowing attackers to override macro policies. CVE-2023-21823, targeting Windows Graphics Component, and was an elevation of privilege threat.

The final noteworthy vulnerability, CVE-2023-23376, found in Windows Common Log File System (CLFS) driver, had severe consequences for the system's security and reliability. Attackers exploited these vulnerabilities, emphasizing the need for users to apply patches promptly.

What Do These Vulnerabilities Have in Common?

• Diverse Attack Vectors: The vulnerabilities span diverse attack vectors, including remote code execution (RCE), elevation of privilege, security feature bypass, denial of service (DoS), and information disclosure. This variety underscores the multi-faceted nature of cyber threats facing Microsoft products.
• Actively Exploited: A notable commonality is that many of these vulnerabilities were actively exploited by threat actors. Exploitation in the wild indicates that attackers identified and leveraged these weaknesses for malicious purposes, highlighting the urgency of prompt patching.
• Zero-Day Exploitation: Several vulnerabilities were zero-days, meaning that they were exploited before Microsoft could release official patches.
• Targeted Threat Actors: Specific threat actors, such as the Russian group Storm-0978/RomCom, were identified in exploiting some of the vulnerabilities. Attribution of attacks to known threat actors adds a layer of complexity and geopolitical implications to the security landscape.

HONORABLE MENTIONS

OKTA INC'S BREACH AND THE SEC'S NEW RULES

In 2022, Okta Inc., a global authentication company, suffered a breach by the data extortion group Lapsus$ - the group stayed in Okta’s systems for two months before they were noticed. In November 2023, Okta faced another breach involving a threat actor leveraging stolen credentials to infiltrate its support case management system.

The threat actor accessed files from specific Okta customers involved in recent support cases. BeyondTrust Corp. reported an identity-centric attack on October 2, receiving no acknowledgment from Okta until October 19. Cloudflare Inc. detected attacks on October 18 traced back to Okta, expressing concerns about Okta's response time. 1Password also detected suspicious activity on September 29 but promptly terminated it. This marks Okta's second breach within a two-year span, with the 2022 Lapsus$ breach involving stolen internal documents. That breach was allegedly not disclosed by Okta Inc. in a timely manner.

The recent security breaches at Okta, coupled with concerns about the delayed disclosure, provide a timely introduction to the potential impact of the Security and Exchange Commission's (SEC) new rules for businesses.

In 2023, the SEC proposed cybersecurity disclosure regulations aimed at enhancing transparency for public companies. The regulations require consistent reporting of material cybersecurity incidents, disclosure of policies, and procedures for managing cybersecurity risks, as well as annual reporting on the board's cybersecurity expertise.

Two notable regulations focus on prompt reporting of breaches, requiring disclosure within 48 hours of discovery, and increased scrutiny of board members' cybersecurity expertise and oversight. These changes aim to keep investors informed and hold companies accountable. Despite potential costs and reputational risks, the SEC emphasizes transparency. The final rule, passed on July 26, 2023, mandates disclosure of significant cybersecurity incidents and annual reporting on cybersecurity risk management and governance by public companies.

GENERATIVE AI

In 2023, the integration of artificial intelligence (AI), especially generative AI like ChatGPT, became a big part of our daily lives. AI offers convenience but also raises concerns about privacy and data security. This year, a notable data breach related to ChatGPT exposed user information. This event sparked a much-needed debate on striking the balance between using generative AI for efficiency while still maintaining user privacy.

Initially, there were worries about AI being used for cyberattacks, but the focus shifted to the technology itself. Regulatory responses, such as JPMorgan Chase restricting employee use of AI, highlighted privacy issues. Some countries even temporarily banned certain AI tools due to concerns about age verification and data security. Using AI tools in everyday tasks, like work emails, can unintentionally expose sensitive data. To balance AI's benefits with security, organizations need clear policies, employee training, and regular checks to protect data and privacy.

While there are risks, developers are working on safety measures, and regulations aim to address privacy concerns, emphasizing a balanced approach that maximizes AI benefits while minimizing security risks.

were we right? - avertium's 2022 predictions for 2023

• BEC will increase, with threat actors spending more time making emails convincing and harder to detect.
  • The healthcare sector has experienced a substantial surge in BEC attacks, with a 279% increase.
• Anticipated increased Russian cyber threat activity post the Russia-Ukraine conflict, with China, Japan, and Australia posing continued threats.
  • Russian threat actor Storm-0978 exploiting a Microsoft zero-day in phishing campaigns targeting defense and government organizations, aligning with the prediction of increased Russian cyber activity.
• Predicted ongoing issues with partners and service providers, with less skilled operators targeting healthcare and education.
  • Threat actors targeting healthcare organizations, aligns with the prediction of ongoing issues regarding ransomware activity.

How Avertium is Protecting Our Customers

• Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
  • Risk Assessments
  • Pen Testing and Social Engineering
  • Infrastructure Architecture and Integration
  • Zero Trust Network Architecture
  • Vulnerability Management
• Avertium simplifies Governance, Risk, and Compliance (GRC) by providing contextual understanding instead of unnecessary complexity. With our cross-data, cross-industry, and cross-functional expertise, we enable you to meet regulatory requirements and demonstrate a robust security posture without any vulnerabilities. Our GRC services include:
  • Cyber Maturity
  • Compliance Assessments and Consulting
  • Managed GRC
• Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers.

Supporting Documentation

AI and Cybersecurity: Is There a Balance Between AI and Privacy? (avertium.com)

End of the Year Recap and What to Expect for 2023 (avertium.com)

An In-Depth Look at Mirai & HinataBot (avertium.com)

2022 in review: DDoS attack trends and insights | Microsoft Security Blog

Mirai Botnet Shows Just How Vulnerable the IoT Really Is – IoT Security Foundation

APT Winter Vivern Resurfaces (avertium.com)

Winter Vivern Uses Zimbra Vulnerability to Target NATO Email | Proofpoint US

Analyzing Embedded Files in Malicious OneNote Documents (avertium.com)

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry (thehackernews.com)

An In-Depth Look at Play Ransomware (avertium.com)

RansomHouse attack compromises AvidXchange | SC Media (scmagazine.com)

Microsoft: Clop and LockBit ransomware behind PaperCut server hacks (bleepingcomputer.com)

Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa (trendmicro.com)

Everything You Need to Know About the Data Extortion Group, RansomHouse (avertium.com)

Keralty ransomware attack impacts Colombia's health care system (bleepingcomputer.com)

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers (welivesecurity.com)

Mirai-based botnet updates ‘arsenal of exploits’ on routers, IoT devices (therecord.media)

Okta admits hackers accessed data on all customers during recent breach | TechCrunch

Top 3 reasons ransomware groups are focusing more on data exfiltration than encryption - GRCI Law Blog

Ransomware Groups Pivoting Away from Encryption (avertium.com)

8BASE Ransomware Attack Hits American, Canadian Companies (thecyberexpress.com)

A Deeper Look into the PaperCut Vulnerabilities (avertium.com)

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG | CISA

MOVEit Postmortem (avertium.com)

MOVEit, Capita, CitrixBleed and more: The biggest data breaches of 2023 | TechCrunch

MOVEit Vulnerability Hits Delta Dental: 7 Million Records Exposed - Infosecurity Magazine (infosecurity-magazine.com)

Flash Notice: Microsoft Patches Several Zero-Day Vulnerabilities (avertium.com)

Understanding Business Email Compromise (BEC) - A Guide (avertium.com)

Flash Notice: Microsoft Zero-Day Exploited by Russian Threat Actor (avertium.com)

Microsoft Patches Zero-Days Impacting Microsoft Office and Windows (avertium.com)

Flash Notice: UPDATE - Okta Breached via Stolen Credentials - CloudFlare, 1Password, & BeyondTrust Also Impacted (avertium.com)

Okta says hackers stole data for all customer support users in cyber breach | Reuters

How the SEC's Proposed Security Rules Could Impact Businesses (avertium.com)

End of the Year Recap and What to Expect for 2023 (avertium.com)

A Closer Look at QakBot (avertium.com)

An In-Depth Look at Play Ransomware (avertium.com)

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.