From CACTUS to Colour-Blind, the Kroll Cyber Threat Intelligence team has observed and shared updates about a wide range of threats over the past year.
In this blog post, we share some of our most popular threat intelligence updates of 2023.
1. The MOVEit Transfer vulnerability: discovery, analysis and exfiltration methods
The impact of the MOVEit Transfer vulnerability meant it was no surprise that these Kroll updates were among our most-read threat intelligence articles of 2023. Our first MOVEit article reported that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. We had observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion life cycles. As of June 2, 2023, the vulnerability was assigned CVE-2023-34362.
The second MOVEit article discussed how, in June, the CLOP ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). While Kroll analysis of the exploitation confirmed that threat actors were using this vulnerability to upload a web shell and exfiltrate data, our Kroll forensic review also identified activity indicating that the CLOP threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021—highlighting the sophisticated knowledge and planning that go into mass exploitation events such as these.
We published a third MOVEit update in July, focusing on our identification of two different file exfiltration methodologies leveraged by threat actors, primarily CLOP, during engagements throughout May and June 2023.
For a full debrief on the MOVEit Transfer vulnerability, check out our webinar replay page.
2. CACTUS ransomware: prickly new variant evades detection
Another of our most-visited threat intelligence articles of the year was our update about our identification of a new ransomware strain which we named CACTUS, active since at least March 2023, and observed leveraging documented vulnerabilities in virtual private network (VPN) appliances in order to gain initial access. Once inside the network, CACTUS actors attempt to enumerate local and network user accounts as well as reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks.
3. Proof of concept developed for Ghostscript code execution vulnerability
In July, we shared that Ghostscript, an open-source interpreter for the PostScript language and PDF files, had recently disclosed a vulnerability affecting versions prior to 10.01.2. The vulnerability, CVE-2023-36664, was assigned a CVSS score of 9.8 and could allow code execution because Ghostscript mishandled permission validation for pipe devices (those using the %pipe% or the | pipe character prefix). Because Ghostscript can be executed in many different ways, exploitation of this vulnerability might not be limited to one application or be immediately obvious. We shared information about a viable exploit that we developed for this vulnerability and our work in using it to advance detection efforts.
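As an added illustration of the detection angle (this is example code written for this summary, not Kroll's exploit or detection tooling), the scanner below flags PostScript or PDF input whose string literals name a pipe device with the %pipe% or | prefix, and pairs that with a check of whether the installed Ghostscript version predates the 10.01.2 fix. The sample input, the version strings and the function names are constructed assumptions for the example.

```python
import re

# Constructed sample PostScript fragment: the string literal names a pipe
# device with the %pipe% prefix. The target is an inert placeholder; the
# scanner only cares about the prefix, not what follows it.
SAMPLE_PS = b"""%!PS
/f (%pipe%placeholder) (w) file
"""

# PostScript string literals that start with the %pipe% device name or the
# shorthand | prefix. Matches on the | form can false-positive on ordinary
# strings that happen to begin with |, so hits are flagged for review rather
# than treated as proof of exploitation.
PIPE_DEVICE_RE = re.compile(rb"\((?:%pipe%|\|)[^)]*\)")

# First Ghostscript release carrying the CVE-2023-36664 fix (from the text above).
FIXED_VERSION = (10, 1, 2)


def parse_gs_version(version_str):
    """Turn a Ghostscript version such as '10.01.2' into a comparable tuple (10, 1, 2)."""
    return tuple(int(part) for part in version_str.strip().split("."))


def is_vulnerable_version(version_str):
    """True when the given Ghostscript version predates the 10.01.2 fix."""
    return parse_gs_version(version_str) < FIXED_VERSION


def find_pipe_devices(data):
    """Return every string literal in the input that names a pipe device."""
    return [m.group(0).decode("latin-1") for m in PIPE_DEVICE_RE.finditer(data)]


def scan(data, gs_version):
    """Combine content and version checks into one verdict for a single input file."""
    hits = find_pipe_devices(data)
    vulnerable = is_vulnerable_version(gs_version)
    return {
        "pipe_references": hits,
        "version_vulnerable": vulnerable,
        # Flag for review only when pipe references meet an unpatched interpreter.
        "flag": bool(hits) and vulnerable,
    }


if __name__ == "__main__":
    print(scan(SAMPLE_PS, "9.56.1"))
```

Run the same scanner over files queued for any service that hands untrusted documents to Ghostscript; the version check is the cheaper control and should be applied regardless of what the content scan finds.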
4. Black Basta technical analysis
With a surge in double-extortion ransomware attacks by Black Basta, a notorious ransomware-as-a-service (RaaS) threat group, another of our most-visited articles of 2023 outlined the tactics, techniques and procedures (TTPs) we had identified Black Basta using to conduct double-extortion ransomware campaigns. While the actor is sophisticated, we have observed Black Basta sometimes utilising similar TTPs across multiple incidents, making it important for potential victims to educate themselves and adopt proactive countermeasures.
5. Royal ransomware deep dive
Royal ransomware proved to be another top concern for organizations this year. In an article in February, we explained how the group brought together threat actors previously associated with Roy/Zeon, Conti and TrickBot malware, escalating attacks to focus on top-tier corporations for larger ransoms from the start of 2023. Their ransoms reportedly ranged from $250,000 to over $2 million. While the Royal group had first been observed primarily targeting systems running the Windows operating system, reports surfaced in February 2023 of a variant capable of compromising Linux/virtual machines.
6. Deep dive into GOOTLOADER malware and its infection chain
Our June update on the GOOTLOADER malware proved to be another highly popular article. We observed an increase in the number of active GOOTLOADER malware campaigns targeting a variety of sectors, including the legal, financial and professional services sectors. The analysis of Kroll cases identified that GOOTLOADER was delivered into victim environments via search engine optimization (SEO), using compromised WordPress sites that host malicious documents masquerading as generic legal and contract templates.
Following the initial GOOTLOADER compromise, further tooling such as COBALTSTRIKE, SYSTEMBC and open-source scripts were observed being deployed into victim environments. Our view continues to be that the goal of these attacks is currently corporate espionage; however, this can move to extortion and ransoming the organisation very quickly. It all depends on the actors and their motives.
7. Microsoft Teams used as initial access for DARKGATE malware
In October, we shared news about our observation of DARKGATE malware being delivered to users through files shared in Microsoft Teams messages, targeting the transportation and hospitality sectors. Files hosted on public SharePoint sites were downloaded and executed by victims, which led to batch scripts copying the AutoIT interpreter and scripts from adversary-controlled infrastructure. The DARKGATE payload was injected into a running process, and further AutoIT scripts were created and used for persistence in the user’s Start Menu.
This activity appeared to be part of a wider DARKGATE campaign, also covered in open-source reporting. The surge in Microsoft Teams-related social engineering activity has been observed since Q2 2023, coinciding with the discovery of a vulnerability in Microsoft Teams. This vulnerability required organisational configuration changes and heightened user awareness for effective mitigation. Organisations that have not made the configuration changes can still be impacted, although the campaign is no longer as active as it was during Q2 2023.
8. PyPI packages used to deliver Python remote access tools
In March, we shared news about our identification of a fully featured information stealer and remote access tool (RAT) in the Python Package Index (PyPI) that we named “Colour-Blind.” The malicious package was found as part of a project to gain more awareness of initial attack vectors, using a tool developed by Kroll’s threat intelligence team. The “Colour-Blind” malware points to the democratisation of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others.
Get the latest intel updates in your inbox
Stay prepared for the emerging threats of 2024 and beyond with our regular threat intelligence reports, which draw on over 3,000 yearly incident response engagements. From our quarterly Cyber Threat Landscape Reports sharing the latest trends and real-life case studies, to ad hoc security updates in response to breaking security news, sign up here to receive breaking threat intelligence before anyone else, along with periodic news, alerts and exclusive invitations from Kroll.