Issue 22: Hacker Simulation Tool Gets Abused By Cybercriminals, $11 Billion Cybercrime Hub Exposed And More!
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top Stories 12 July 2024:
International Law Enforcement Target Cobalt Strike
An international law enforcement coalition, led by the UK’s National Crime Agency (NCA), has targeted illegal uses of the Cobalt Strike penetration testing tool.
This operation addressed 690 IP addresses hosting unauthorised instances of the software across 27 countries. Cobalt Strike, developed in 2012 and now owned by Fortra, was meant to simulate hacker attacks for security testing. However, its effectiveness has led to widespread use by cybercriminals and state-sponsored hackers from Russia, China, and North Korea.
The tool’s versatility, including its ability to manage command and control infrastructure, has made it a favourite among ransomware operators and cyber espionage actors. Unlicensed versions are often used in spear phishing attacks to install beacons on victims’ devices, enabling remote access and network profiling.
The National Crime Agency (NCA) recently took down some servers and informed internet service providers (ISPs) about possible malware being hosted. However, ransomware threats still remain as criminals have backup plans. Fortra has promised to help law enforcement by removing old, vulnerable versions of Cobalt Strike from use.
TLDR;
HuiOne Guarantee: Southeast Asia’s $11 Billion Cybercrime Hub
HuiOne Guarantee, an online marketplace linked to the Cambodian conglomerate HuiOne Group, has been identified as a major hub for cybercriminal activities in Southeast Asia, particularly pig butchering scams.
These scams involve luring victims with fake job offers, trapping them in scam compounds, and coercing them into fraudulent activities.
But that's not all! Merchants on HuiOne Guarantee offer technology, data, and money laundering services, with transactions totalling at least $11 billion. The platform, established in 2021, operates through thousands of Telegram channels and claims to deal in real estate and cars, though most services cater to cyber scam operators.
The marketplace is connected to HuiOne International Payments, which launders scam proceeds globally. It boasts 500,000 registered users and lists major companies like Alipay and Huawei as customers.
Pig butchering scams have proliferated in Southeast Asia, targeting victims from Asia and Africa. Scammers create fake social media and dating profiles to build trust and persuade victims to invest in non-existent crypto businesses.
How does it work? Merchants on HuiOne Guarantee also offer money laundering services, converting scam proceeds into various assets, including cash and stablecoins. Additionally, they provide software for creating scam websites and equipment like tear gas and electric batons for controlling scam compound workers.
HuiOne Guarantee plays a key role in cyber scams in the region. This marketplace has helped many cryptocurrency transactions, making it easier for cybercriminals to operate.
TLDR;
New Ransomware Group Exploits Veeam Backup Software Vulnerability
A newly identified ransomware group, EstateRansomware, is exploiting a patched vulnerability in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5).
Discovered by Group-IB in April 2024, the group gains initial access via a Fortinet FortiGate firewall SSL VPN using a dormant account. They then establish RDP connections and deploy a persistent backdoor named “svchost.exe” to evade detection.
What happens next? The attackers exploit the Veeam flaw to enable xp_cmdshell on the backup server, create a rogue user account “VeeamBkp,” and conduct network discovery and credential harvesting. The attack culminates in ransomware deployment after disabling Windows Defender.
To mitigate the risks posed by this vulnerability, it is imperative to upgrade to Veeam Backup & Replication 11a or Veeam Backup & Replication 12.
Cisco Talos has noted that ransomware gangs often exploit security flaws in public-facing applications and use custom tools for data exfiltration before encryption. The rise of new ransomware groups like EstateRansomware is another example of increasingly targeted cybercriminal activity.
TLDR;
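As an added defensive example (not code from the article or from Group-IB), the Python below triages constructed log records for the stages of the chain described above: a dormant account logging on over RDP, xp_cmdshell being switched on, a Veeam-lookalike account being created, and Defender real-time protection being disabled. The event IDs are standard Windows Security, SQL Server and Defender ones; the message formats, rule patterns and host names are assumptions fitted to the constructed records.

```python
import re
from collections import defaultdict
# Constructed sample records (not real telemetry): simplified Windows Security,
# SQL Server and Defender events shaped like the chain described above.
SAMPLE_EVENTS = [
    {"host": "bkp01", "source": "Security", "event_id": 4624,
     "msg": "Logon Type: 10 Account Name: svc_legacy"},
    {"host": "bkp01", "source": "MSSQL", "event_id": 15457,
     "msg": "Configuration option 'xp_cmdshell' changed from 0 to 1."},
    {"host": "bkp01", "source": "Security", "event_id": 4720,
     "msg": "A user account was created. Account Name: VeeamBkp"},
    {"host": "bkp01", "source": "Defender", "event_id": 5001,
     "msg": "Real-time protection is disabled."},
    {"host": "ws07", "source": "Security", "event_id": 4624,
     "msg": "Logon Type: 2 Account Name: alice"},
]

# Stage rules (label, source, event_id, message regex or None); patterns are assumptions.
STAGE_RULES = [
    ("xp_cmdshell_enabled", "MSSQL", 15457, r"'xp_cmdshell' changed from 0 to 1"),
    ("backup_lookalike_account", "Security", 4720, r"Account Name:\s*\S*veeam\S*"),
    ("defender_rtp_disabled", "Defender", 5001, None),
]
LOGON_RE = re.compile(r"Logon Type:\s*(\d+).*Account Name:\s*(\S+)")

def match_stage(event, dormant_accounts):
    """Return the chain stage an event evidences, or None."""
    for label, source, event_id, pattern in STAGE_RULES:
        if event["source"] == source and event["event_id"] == event_id and (
                pattern is None or re.search(pattern, event["msg"], re.I)):
            return label
    # Remote interactive logon (type 10) by an account that should be dormant.
    if event["source"] == "Security" and event["event_id"] == 4624:
        m = LOGON_RE.search(event["msg"])
        if m and m.group(1) == "10" and m.group(2).lower() in dormant_accounts:
            return "dormant_account_rdp"
    return None

def triage(events, dormant_accounts=frozenset()):
    """One finding per matching event, in log order."""
    dormant = {a.lower() for a in dormant_accounts}
    return [{"host": e["host"], "stage": s, "event_id": e["event_id"]}
            for e in events if (s := match_stage(e, dormant))]

def hosts_by_severity(findings, high_threshold=3):
    """Hosts where several distinct chain stages co-occur need immediate IR attention."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {h: ("high" if len(s) >= high_threshold else "low") for h, s in stages.items()}
```

A single hit (for example one xp_cmdshell change by a DBA) stays low; several stages on the same backup host is the pattern worth paging on.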
PHP Vulnerability Exploited for Malware and DDoS Attacks
A critical PHP vulnerability, CVE-2024-4577 (CVSS score: 9.8), is being exploited by multiple threat actors to spread remote access trojans, cryptocurrency miners, and DDoS botnets.
Here's what you need to know: Disclosed in June 2024, this flaw allows attackers to execute malicious commands on Windows systems using Chinese and Japanese language settings.
Why does this matter? Akamai researchers noted that the vulnerability stems from how Unicode characters are converted to ASCII, enabling attackers to pass arguments directly to PHP. Within 24 hours of the disclosure, attempts to exploit this vulnerability were detected on Akamai's honeypot servers.
These attacks included deploying Gh0st RAT, RedTail and XMRig cryptocurrency miners, and the Muhstik DDoS botnet. The same vulnerability is being exploited by TellYouThePass ransomware actors to distribute a .NET variant of their malware.
Users of PHP are advised to update to the latest version to protect against these threats.
Cloudflare have highlighted a 20% year-over-year increase in DDoS attacks in Q2 2024, with known botnets accounting for half of all HTTP DDoS attacks. China, Turkey, and Singapore were the most targeted countries, while Argentina emerged as the largest source of these attacks. The most targeted sectors included IT services, telecom, consumer goods, education, construction, and food and beverage.
TLDR;
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Atif Chaudry (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!