July 6, 2021
Anomali Threat Research

Anomali Cyber Watch: Thousands Attacked as REvil Ransomware Hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/koKtyWqOQgmxcJ2k79CP"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/" target="_blank">Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack against MSPs, Clients</a></h3> <p>(published: July 4, 2021)</p> <p>A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.<br/> <b>Analyst Comment:</b> Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947137" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947232" target="_blank">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a><br/> <b>Tags:</b> REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank">IndigoZebra APT Continues to Attack Central Asia with Evolving Tools</a></h3> <p>(published: July 1, 2021)</p> <p>Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&amp;C server. The attacker would then be able to fingerprint the machine and begin accessing files. IndigoZebra have run an ongoing spy campaign since 2014 and are known for previously targeting Central Asian countries including Kyrgyzstan and Uzbekistan with malware including Meterpreter, Poison Ivy RAT and xCaon backdoors.<br/> <b>Analyst Comment:</b> Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target. Education is the best defense. Employees should be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3297596" target="_blank">[MITRE ATT&amp;CK] Software Discovery - T1518</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a><br/> <b>Tags:</b> IndigoZebra, Vicious Panda, APT10, Poison Ivy, PoisonIvy, xCaon, BoxCaon, Dropbox, China, APT, Central Asia, Afghanistan, Kyrgyzstan, Uzbekistan</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version" target="_blank">REvil’s New Linux Version</a></h3> <p>(published: July 1, 2021)</p> <p>REvil (aka Sodinokibi) operates as a ransomware-as-a-service (RaaS). First observed in April 2019, REvil has become one of the most prolific RaaS groups targeting Windows. Following the lead of other ransomware groups, REvil developed new Linux encryptor that targets ESXi virtual machines. This Linux version was announced by REvil in April 2021 and first observed in late May 2021. The samples are ELF64 executables, with similarities to the Windows REvil executable (the most noticeable among the configuration options). The malware runs the esxcli command line tool to list all running ESXi VMs and terminate them to avoid corruption issues of the encrypted files. However, the executable has a specific parameter to run in silent mode, which avoids debugging without stopping any VMs.<br/> <b>Analyst Comment:</b> Storage devices and virtual machines are increasingly targeted by ransomware. If your systems are connected online, consider alternative archives and disaster recovery plans.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> REvil, Sodinokibi, Linux, ESXi, NAS, ransomware</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://threatpost.com/zero-day-wipe-my-book-live/167422/" target="_blank">Zero-Day Used to Wipe My Book Live Devices</a></h3> <p>(published: June 30, 2021)</p> <p>Many users of old ‘My Book Live Duo’ network-attached storage devices had their data wiped at the end of June 2021. Attackers were already exploiting the old, unpatched RCE vulnerability from 2018 (CVE-2018-18472), submitting vulnerable devices to a botnet called Linux.Ngioweb. In addition, a newly identified vulnerability, registered as CVE-2021-35941, affects Western Digital’s WD My Book Live (2.x and later) and WD My Book Live Duo (all versions). Successful exploitation can allow attackers to perform a system factory restore without authentication. The reason for mass-scale factory resets could be an attempt by a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the Ngioweb botnet.<br/> <b>Analyst Comment:</b> Users should avoid connecting online end-of-life data storage devices with known unpatched vulnerabilities. Affected My Book Live users may try the Western Digital data-recovery and trade-in migration services. Vendors should try their best in implementing secure coding practices.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> Ngioweb, CVE-2018-18472, CVE-2021-35941, data storage, data recovery, Western Digital, My Book Live, My Book Live Duo, Linux.Ngioweb</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/" target="_blank">Leaked Babuk Locker Ransomware Builder Used in New Attacks</a></h3> <p>(published: June 30, 2021)</p> <p>Babuk Locker was a ransomware operation that launched at the beginning of 2021 against corporate victims. After a high-profile attack on Washington DC's Metropolitan Police Department, Babuk came under pressure from law enforcement, and in April 2021, shut down the ransomware part of its operations. In June 2021, Babuk Locker builder was leaked to VirusTotal and a new actor appeared under the name Babuck Locker (this time, Babuck with a C). This new campaign is targeting individuals and the ransom amount is much smaller (0.006 BTC ~ 210 USD). The leaked builder allows unsophisticated actors to create a custom ransom note and customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.<br/> <b>Analyst Comment:</b> Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. Additionally, educate your employees about the typical ransomware tactics for initial access.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Babuk Locker, Babuck Locker, ransomware, Windows, ESXi, NAS</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://blog.malwarebytes.com/awareness/2021/06/second-colossal-linkedin-breach-in-3-months-almost-all-users-affected/" target="_blank">Second Colossal LinkedIn “Breach” In Three Months; Almost All Users Affected</a></h3> <p>(published: June 30, 2021)</p> <p>In May 2021, threat actors were selling information scraped from 500M LinkedIn user profiles. In a new incident on June 22, 2021, actor “TomLiner” was observed selling a database of 700M (92% of the total amount) LinkedIn users. To prove the quality of the breach data, TomLiner published a sample of 1M users on RaidForums. The authenticity of the data was confirmed and it is believed to be derived through LinkedIn API abuse. LinkedIn stated that they are aware of the database and that no actual breach occurred. Despite this statement, the fact that email addresses and phone numbers of all users have become available should be of concern for LinkedIn users.<br/> <b>Analyst Comment:</b> LinkedIn users should make sure they have two-factor authentication (2FA) enabled. They should be aware that this exposure of their email and cell phone number increases their chances to be a target for phishing and/or spam campaigns: email, SMS, and robocalls.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947117" target="_blank">[MITRE ATT&amp;CK] Automated Collection - T1119</a><br/> <b>Tags:</b> LinkedIn, phishing, spam, API abuse, exposure, breach data, TomLiner, RaidForums</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/" target="_blank">Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks</a></h3> <p>(published: June 29, 2021)</p> <p>A newly discovered Microsoft Edge vulnerability “CVE-2021-34506” is a universal cross-site scripting (UXSS) issue rated important (CVSS 5.4). An exploit would require user interaction such as opening a certain page while using auto-translate from a foreign language in a vulnerable Edge browser version. An attacker could potentially exploit it without needing any privileges. In a proof of concept (POC) demonstration researchers were able to embed an executable script in a Facebook profile. The script was executed when a targeted user followed on the friend request and opened the profile in Edge browser while using auto-translate into Spanish.<br/> <b>Analyst Comment:</b> In order to mitigate such bugs, secure coding techniques such as input sanitation are critical. Thankfully this specific bag was found by security researchers, responsibly disclosed, and a fix was issued by Microsoft on June 24th, 2021.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947267" target="_blank">[MITRE ATT&amp;CK] Drive-by Compromise - T1189</a><br/> <b>Tags:</b> Microsoft, Microsoft Edge, UXSS, CVE-2021-34506</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/" target="_blank">Lil’ Skimmer, The Magecart Impersonator</a></h3> <p>(published: June 28, 2021)</p> <p>Malwarebytes Labs have identified infrastructure used by an online skimmer called Lil’ Skim. Unlike the similar Magecart JavaScript code, this skimmer has very straightforward, clear code. Lil’ Skim was discovered last month by security researchers, but it has been around for over a year while keeping a low profile. The threat actor impersonates Google, jQuery, Facebook, Cloudflare, other popular brands, but often names their domains after the websites they have compromised.<br/> <b>Analyst Comment:</b> Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. Users who use their credit cards online should regularly monitor their financial accounts.<br/> <b>Tags:</b> Lil’ Skim, Magecart, skimmer, Javascript, impersonation, typosquatting</p> </div> <div class="trending-threat-article"> <h3 id="article-9"><a href="https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/" target="_blank">New Ransomware Variant Uses Golang Packer</a></h3> <p>(published: June 28, 2021)</p> <p>A new ransomware has been identified by Crowdstrike written in C++ and compiled in Go. The sample shares similarities with FiveHands and HelloKitty ransomware families: both are written in C++, accept CLI arguments, use four magic bytes appended to the encrypted files, and use an embedded public key. For ransom negotiations it gives a TOR link where victims will be directed to a temporary chat session.<br/> <b>Analyst Comment:</b> Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> Ransomware, FiveHands, HelloKitty, Golang, Go, C++</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.