Maine Hit by MOVEit Supply Chain Attack – Week 12

On November 9th, AP News reported that Maine had informed residents that a MOVEit attack caused a breach of their data. Back in October, 9to5mac.com wrote about a MOVEit 0day that was making inroads.

Ransomware crews now use a double-extortion method to pressure victims into paying. Normally, a company or organization might be able to restore from a backup and thereby avoid paying the ransom demanded for restoring its services; however, ransomware operators now add the threat of releasing the stolen information if that ransom hasn’t been paid.

In 9to5Mac’s coverage of the 2023 State of Ransomware, the USA is the most targeted country for ransomware: it is 7x more likely to be targeted than the next highest countries. Here’s Malwarebytes’ assessment on why CL0P is outpacing LockBit:

The drive behind the sudden change? CL0P used separate zero-days in GoAnywhere MFT and MOVEit Transfer to gain an edge. This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale.

The use of zero-day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies, mirroring the adoption of the “double extortion” tactic in 2019.

Malwarebytes, https://9to5mac.com/2023/08/04/us-number-one-for-ransomware-attacks/

Unfortunately, I don’t foresee any of this easing up. With ransomware crews achieving successes, they’ll probably continue with this activity. In some areas online, I’m starting to hear that the best recommendation (due to these breaches of information) is to freeze your credit and thaw it temporarily when shopping. Why is this becoming a common recommendation? With so many breaches, it’s more probable that your information is already available. It might also be helpful if the government would implement some protections with teeth to increase the deterrence.

Thousands of Android TV Boxes Ship with Malware – Week 7

It would appear that the supply chain has come under attack again for Android users: https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/ And it’s confirmed by Malwarebytes: https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon

Indicators of Compromise

Root Access

It would appear that on compromised devices a “root switch” has been added to the Android About system settings. If this is found, it is safe to initiate a return or replacement.

Shell Games

If you connect to the device with adb and run the shell utility (for example, adb shell pm list packages -f), compromised systems identify themselves as “walleye” within the shell. “walleye” is the code name of the old Google Pixel 2, which a TV box has no business reporting.

CoreJava Directories Ought Not Be There

On the Android filesystem, compromised hosts have a directory called /data/system/Corejava. It contains malicious file objects. Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:

hxxps://dy.kr.wildpettykiwi.info/dykr/update
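To make the three indicators above checkable rather than eyeballed, here is an added example (not code from the original post or from Malwarebytes) that parses a saved transcript of an adb shell session and reports the “walleye” identity and the /data/system/Corejava directory. The sample transcript is constructed, not captured from a real box, and the use of getprop ro.product.device as a second place the device name shows up is an assumption; the shell prompt format and the Corejava path are taken from the post.

```python
"""Scan a captured `adb shell` transcript for the T95 indicators of compromise.

Added example, not from the original post or Malwarebytes.  The transcript
below is constructed; `getprop ro.product.device` as a place to find the
device name is an assumption (the post only mentions the shell identity).
"""
import re

# The post says compromised boxes identify as "walleye" (Pixel 2 code name).
SUSPECT_DEVICE_NAMES = {"walleye"}
# Directory named in the post; a legitimate TV box should not have it.
SUSPECT_PATHS = {"/data/system/Corejava"}

# Constructed sample of what `adb shell` on an affected box might look like.
SAMPLE_SESSION = """\
walleye:/ $ getprop ro.product.device
walleye
walleye:/ $ getprop ro.product.model
T95
walleye:/ $ ls /data/system
Corejava
appops.xml
packages.xml
walleye:/ $ pm list packages -f | head -n 1
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
"""

# Android's default prompt looks like "<device>:<cwd> $ <command>".
PROMPT_RE = re.compile(r"^(?P<dev>[A-Za-z0-9_.-]+):(?P<cwd>\S*) [$#] (?P<cmd>.*)$")


def parse_session(text):
    """Split a shell transcript into (device_name, command, output_lines) tuples."""
    entries = []
    current = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = (m.group("dev"), m.group("cmd").strip(), [])
            entries.append(current)
        elif current is not None:
            current[2].append(line.rstrip())
    return entries


def find_indicators(text):
    """Return a de-duplicated list of human-readable findings for a transcript."""
    findings = []
    for dev, cmd, out in parse_session(text):
        # Indicator 1: the shell prompt itself carries the Pixel 2 code name.
        if dev.lower() in SUSPECT_DEVICE_NAMES:
            findings.append(f"shell prompt identifies as '{dev}' (Pixel 2 code name)")
        # Assumed second source of the same indicator via the device property.
        if cmd.startswith("getprop ro.product.device") and out:
            if out[0].strip().lower() in SUSPECT_DEVICE_NAMES:
                findings.append(f"ro.product.device is '{out[0].strip()}'")
        # Indicator 2: the Corejava directory listed under /data/system.
        if cmd.startswith("ls "):
            base = cmd.split(None, 1)[1].rstrip("/")
            for entry in out:
                path = f"{base}/{entry.strip()}"
                if path in SUSPECT_PATHS:
                    findings.append(f"suspect directory present: {path}")
    seen = set()
    return [f for f in findings if not (f in seen or seen.add(f))]


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_SESSION):
        print("IOC:", finding)
```

Feed it the output of `adb shell` saved to a file (or pipe the session through `tee`) rather than a live connection; keeping the transcript also gives you something to attach to the return request.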

Conclusion

The Malwarebytes article, https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon, offers steps to remediate this on the compromised device. Even though this is a dirty deal, it seems common for unsuspecting users on a budget to fall victim to these attacks.

Supply Chain Attacks – Week 6

Canonical, the company behind Ubuntu Linux, has announced that it is temporarily suspending automatic registrations in its Snap Store. I often come across Linux-oriented blog posts on the Internet about deploying Pi-hole, hardening Pi-hole with Cloudflare’s DNS-over-HTTPS resolver or an Unbound instance, and so on, and I keep running into the phrase “snaps.” I’ve seen Docker container images built with snaps installed, and I don’t understand why. It appears the Snap Store is akin to an app store: you install a sandboxed package, and snapd (the snap daemon/service) monitors upstream for updates.

Now, many of us have heard of supply chain attacks in which Google (in its Play Store), Apple (in its App Store), or Canonical (in the Snap Store) removed a malicious package or app. Even Python’s PyPI has been hit by intrusions from malicious actors.

Supply Chain Attacks

CrowdStrike does a good job explaining:

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain.

Software supply chain attacks inject malicious code into an application in order to infect all users of an app, while hardware supply chain attacks compromise physical components for the same purpose.

CrowdStrike: What Is a Supply Chain Attack?

The examples in my links above are software supply chain attacks, targeting PyPI, the Play Store, the App Store, etc. Although CrowdStrike cites the SolarWinds supply chain attack, this attack type is not exclusively software. There are instances of hardware supply chain attacks, namely the Supermicro case involving Chinese spies.

Conclusion

Aside from staying aware and listening to disclosures from app stores and other dependencies, users are generally the least able to mitigate these exploits; often it is users who inform the app stores of malicious activity by a product. If you’re a developer (a maker of software products), you will have dependencies, and it’s good to stay vigilant about what you’re including in your software.
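One concrete form that vigilance takes is refusing to install a dependency whose artifact no longer matches the digest recorded when it was first reviewed. The following is an added example (not code from the post or from any project it mentions) that checks downloaded artifacts against pinned SHA-256 digests, the same idea as pip’s `--require-hashes` mode with `--hash=sha256:` entries in requirements.txt. The lockfile and the artifact bytes are constructed stand-ins for real wheels and sdists.

```python
"""Verify downloaded dependency artifacts against pinned SHA-256 digests.

Added example, not from the original post.  Mirrors what pip's
--require-hashes mode does, written out so the check is visible.  The
artifacts and lockfile below are constructed; the lockfile syntax is
modelled on pip's "--hash=sha256:<digest>" requirements entries.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "downloaded" artifacts: filename -> bytes.
ARTIFACTS = {
    "leftpad-1.0.0.tar.gz": b"legitimate source tarball contents",
    # Same filename and version as reviewed, but the bytes changed upstream.
    "colors-2.0.0-py3-none-any.whl": b"trojanised wheel contents",
}

# Constructed lockfile: digests recorded when each dependency was vetted.
# The last entry has no digest at all, which is itself a finding.
LOCKFILE = f"""\
# pinned at review time
leftpad-1.0.0.tar.gz --hash=sha256:{sha256_hex(b"legitimate source tarball contents")}
colors-2.0.0-py3-none-any.whl --hash=sha256:{sha256_hex(b"wheel contents as originally reviewed")}
requests-2.31.0-py3-none-any.whl
"""


def parse_lockfile(text: str) -> dict:
    """Map artifact filename -> set of acceptable sha256 digests (may be empty)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        digests = set()
        for part in parts[1:]:
            if part.startswith("--hash=sha256:"):
                digests.add(part[len("--hash=sha256:"):].lower())
        pins[parts[0]] = digests
    return pins


def verify(artifacts: dict, lockfile_text: str) -> dict:
    """Return filename -> 'ok' | 'mismatch' | 'unpinned' | 'missing'.

    'unpinned' covers both a lockfile entry without a digest and a downloaded
    artifact the lockfile never mentions; either means nobody reviewed it."""
    pins = parse_lockfile(lockfile_text)
    results = {}
    for name, digests in pins.items():
        if name not in artifacts:
            results[name] = "missing"
        elif not digests:
            results[name] = "unpinned"
        elif sha256_hex(artifacts[name]) in digests:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in artifacts:
        if name not in pins:
            results[name] = "unpinned"
    return results


def safe_to_install(results: dict) -> bool:
    """Only proceed when every artifact matched a reviewed digest."""
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    outcome = verify(ARTIFACTS, LOCKFILE)
    for name, status in outcome.items():
        print(f"{status:9s} {name}")
    print("install allowed:", safe_to_install(outcome))
```

The useful property is that a silently replaced artifact of the same name and version (the `colors` wheel here) is reported as a mismatch instead of being installed, and anything never pinned is flagged rather than waved through.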

I hope this blog post helped raise awareness of this attack vector. The real tragedy is that malicious actors seem to be getting better, and definitely more prolific, in their attempts. So, uh, yeah – keep an ear out for security news, try to sanitize your environments (when you can), and relay the news of this attack type when you can.