Cymulate’s March 2021 Cyberattacks Wrap-up
Threat actors were busy during March 2021, breaching major companies such as SITA, a global IT company supporting 90% of the world’s airlines. In this case, the PII belonging to airline passengers was stolen, including their names, card numbers, and status level. In the Netherlands, the stolen personal data of an estimated 7.3 million residents were offered online for sale. The data was stolen from RDC, a company that provides car garages with IT services, and included home addresses, telephone numbers, email addresses, license plates, and dates of birth.
The Microsoft Exchange Server data breach, which began in January 2021, reached a new level with threat actors installing new ransomware (dubbed DearCry or DoejoCrypt) on compromised Microsoft Exchange servers in the US, Luxembourg, Indonesia, Ireland, India, and Germany using ProxyLogon vulnerabilities. The ransomware seemed to use MingW-compiled executables. The attack followed a familiar path:
- The DearCry ransomware created a Windows service named “msupdate” on the compromised machine.
- The malware started to encrypt the following extensions: .tif, .tiff, .pdf, .xls, .xlsx, .xltm, .ps, .pps, .pptx, .doc, .docx, .log, .msg, .rtf, .tex, .txt, .cad, .wps, .eml, .ini, .css, .htm, .html, .xhtml, .js, .jsp, .php, .keychain, .pem, .sql, .apk, .app, .bat, .cgi, .aspx, .cer, .cfm, .c, .cpp, .go, .confirg, .pl, .py, .dwg, .xml, .jpg, .bmp, .png, .exe, .dll, .avi, .h.csv, .dat, .iso, pst, .pgd, .7z, .rar, .zip, .zipx, .tar, .pdb, .bin, .db, .mdb, .mdf, .bak, .edb, .stm, .dbf, .ora, .gpg, .edb, and .mfs.
- The encrypted files were appended with the.CRYPT extension to the file name, e.g., 1.doc.CRYPT or 1.jpg.CRYPT.
- The ransomware used AES-256 to encrypt the files and the RSA-2048 public key to encrypt the AES key.
- It also started each string with ‘DEARCRY!’ at the beginning of each encrypted file.
- Once the encryption process is completed, a simple ransom note with the name readme.txt is created on the desktop of the compromised computers.
- This ransom note contains two contact email addresses and a unique MD4 hash.
- The threat actors demanded in one case $16,000 in ransom.
During March 2021, we saw threat actors using a new pay2decyrpt variant in their ransomware attacks. Pay2Decrypt appends .aes and .lck extensions to files written in Autolt that are encrypted using AES and RSA keys. It also encrypted target files (such as MS Office and pdf documents as well as Open Office, text (.txt), volume backup image, music, video, archive, and executable files) multiple times, adding an encryption extension each time.
The threat actors also added a Pay2Dectypt text file (e.g., Pay2Decrypt1.txt, Pay2Decrypt2.txt, Pay2Decrypt100.txt), that contained the ransom demand and contact information.
What makes this ransomware so dangerous is its ability to pass Microsoft’s UAC, to stop cybersecurity tools, such as AV and firewalls, to modify registry keys, to delete shadow copies of the compromised files, and to use ps2exe utility and PS for downloading and running the malicious files with admin rights.
On the malware front, Spectre (CVE-2017-5753) made a reappearance. Spectre, similar to its predecessor Meltdown, exploits vulnerabilities in unpatched Linux and Windows systems. Spectre is known for stealing sensitive data, including passwords, documents, and any other data available in privileged memory. The malware also affects major operating systems, including Windows, Linux, macOS, Android, and ChromeOS.
The notorious Lazarus Group, also known as APT38 and Hidden Cobra, was active again during March 2021. The APT group used the ThreatNeedle malware (as well as other malware clusters such as Manuscrypt, NukeSped, AppleJeus, DeathNote, and Bookcode) for its attacks. Backed by the North Korean government, Lazarus has been using the ThreatNeedle cluster of malware for specific primary objectives such as research labs and defense contractors.
Once the group gained access, the malware started to gather crucial data while moving laterally. In another campaign, the APT group used ThreatNeedle to target security researchers. In March 2021, the group launched attacks on the defense industry also used ThreatNeedle.
The attacks take place as follows:
- The threat actors launched a spear-phishing email campaign containing personal information gathered from publicly available sources to dupe recipients in clicking on malicious links or attachments.
- Once opened, a macro containing malicious code opened.
- The malware then started to download and execute additional payloads on the infected system.
- The process of gathering credentials started while also moving laterally.
- Access to an internal router machine and configuring it as a proxy server, allowed the threat actors to bypass network segmentation.
- After harvesting valuable assets, this stolen data was exfiltrated from the compromised network to the remote C&C server of the threat actors.
- The installed ThreatNeedle malware was able to obtain full control of the compromised machines.
- This allowed the Lazarus Group to do everything it wanted, from manipulating files to executing received commands.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable.
Also, IOCs are available at the Cymulate UI!
Don’t speculate, validate your security with Cymulate.