The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good | Big Reward Offered for Angler Exploit Kit Hacker

The U.S. Department of State is offering a reward of up to $2.5 million for information relating to the whereabouts of Volodymyr Kadariya, a Belarusian man alleged to be heavily involved in cybercrime. The 35-year old is wanted for his role in a number of scams and malware operations, notorious among them development and management of the Angler Exploit Kit.

Kadariya, along with two others previously identified as Maksim Silnikau and Andrei Tarasov, is alleged to have been central to malvertising operations delivering Angler for almost a decade.

Source: US Gov

The Angler Exploit Kit was used extensively in the years between 2013 and 2022, to exploit vulnerabilities in Adobe Flash, Internet Explorer and Silverlight, infecting victims with ransomware, info stealers and banking trojans. It was also an early pioneer of the fileless infection technique, an attempt to avoid detection by legacy AntiVirus solutions by executing payloads in memory rather than writing to disk.

Kadariya is also alleged to have been heavily involved in "scareware" advertising campaigns that deliver fake messages to trick internet users into downloading malware or revealing sensitive information. The Belarussian is said to have profited from selling logs of such stolen data to other cybercriminals as well as selling access to devices infected by Angler.

Known by online aliases such as "Stalin," "Eseb," and "baxus," Kadariya currently remains at large, but with a heavy bounty on his head, it's likely only a matter of time before he receives a visit from the authorities.

The Bad | Critical Infrastructure Targeted by RansomHub RaaS

The RansomHub cybercrime group has encrypted and exfiltrated data from at least 210 organizations since February 2024, CISA, the FBI and other partners say. The attacks have taken a particularly heavy toll on critical infrastructure, impacting organizations involved in water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications.

RansomHub operates as a ransomware-as-a-service (RaaS) operation and has been hugely successful in attracting a wide-range of affiliates from other high-profile RaaS operations such as LockBit and BlackCat/ALPHV.

According to the advisory, RansomHub affiliates use the full spectrum of techniques to gain initial access, including phishing emails, exploiting known vulnerabilities and password spraying using credentials obtained from data breaches. Once inside a target device, the group has been observed hiding payloads as a file named windows.exe in the user's Desktop or Downloads folders.

The #FBI, @CISAgov and other partners have released a joint #CybersecurityAdvisory on Ransomhub, a ransomware-as-a-service (RaaS) variant that has claimed at least 210 victims in multiple critical infrastructure sectors. Click for details and mitigations: https://t.co/vnQ5H0uVo6pic.twitter.com/2GnEXXIdiz

- FBI (@FBI) August 29, 2024

Following initial access, RansomHub affiliates create new or re-enable defunct user accounts to set up persistence. Mimikatz has been observed being deployed on Windows systems for credentials harvesting and privilege escalation. Lateral movement across the network is then achieved via tools such as Remote Desktop Protocol (RDP), PsExec, Anydesk, Connectwise, N-Able, Cobalt Strike, Metasploit, and others depending on the affiliate involved.

The group employs a double extortion method to maximize its chances of a payout. The ransomware executable uses intermittent encryption - a technique to speed up the file locking process by only encrypting parts of larger files - and targets user data while ignoring executables and other system resources. A random extension is appended to encrypted files and a ransom note with the name "How To Restore Your Files.txt" is left on the system. To inhibit recovery, the ransomware additionally attempts to delete volume shadow copies via vssadmin.exe.

It is worth noting that none of these techniques are new and organizations with robust ransomware defenses in place should be protected. Security teams are advised to follow best practice including deployment of robust endpoint and identity protection controls. Further mitigation advice can be found in CISA's advisory.

The Ugly | State-backed Attackers Exploit Bugs in Safari and Chrome

A new report from Google TAG suggests that state-backed attackers are using similar exploits to those sold by private sector offensive actorslike NSO (vendors of notorious Pegasus surveillance software) and Intellexa.

The research found that watering hole attacks on Mongolian government websites were used to deliver Safari and Chrome exploits across November 2023 and July 2024. The vulnerabilities involved had previously been patched by Apple and Google, respectively, but are still exploitable on devices running older, unpatched software.

Suspicion for the attacks has fallen on Russia's APT29, but perhaps of most concern is that the researchers repeatedly saw the same exploits in use by the state-backed actor as those sold by private surveillance companies.

Re: APT29.. Additional details which may be helpful …

Initial watering hole on https://t.co/0JHWiq5YsN appears to have gone up between Nov 22nd or 24th, 2023. Bottom of homepage..
This watering hole on https://t.co/0JHWiq5YsN was removed around December 19th 2023. https://t.co/hTp41a4CV6pic.twitter.com/sVeMyQxxDi

- Tom Hegel (@TomHegel) August 29, 2024

Such vendors routinely claim that their clients are vetted, legitimate law enforcement agencies or 'friendly' governments involved in counter-terrorism operations, claims that have previously been met with skepticism across the security community.

This raises the question of whether commercial surveillance vendors (CSVs) are selling directly to oppressive regimes, or whether the exploits were independently developed. It is also possible that the vendors themselves were compromised by a nation-state actor such as APT29, either through a hack or a malicious insider.

The researchers noted that exploits against Apple's Safari web browser on iOS targeted the theft of cookies for the following websites:

["webmail.mfa.gov.mn/owa/auth", "accounts.google.com", "login.microsoftonline.com", "mail.google.com/mail/mu/0", 
"www.linkedin.com", "linkedin.com", "www.office.com", "login.live.com", "outlook.live.com", "login.yahoo.com", 
"mail.yahoo.com", "facebook.com", "github.com", "icloud.com"]

While the Chrome attacks targeted the following data:

• Saved cookies for all websites
• Passwords stored in Chrome
• Saved credit cards data
• User Chrome history
• Trust Tokens

Disclosure of this campaign should serve as a timely reminder that keeping software up-to-date is a basic security measure, particularly for devices where third-party endpoint controls are restricted by OS vendors and mobile malware is on the rise.

Public link

Please use the above public link if you want to share this noodl on another website.