Activity Summary - Week Ending on 6 July 2023:

  • Red Sky Alliance identified 521 connections from new IPs checking in with our Sinkholes
  • com.tr hit 389x
  • 1,573 ‘new’ Botnets hits
  • ThirdEye
  • CMK Правила оформления больничных листов
  • Nikita Kislitsin
  • LAUSD
  • Schneider Electric & Siemens Energy
  • US Marines & Cyber
  • Noberus

Red Sky Alliance Compromised (C2) IPs

194.169.175.36 was reported 389 times. Confidence of Abuse is 100%. ISP: Suisse Limited; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): net-36-175-169-194.cust.211760.net; Domain Name: technox.com.tr; Country: Bulgaria; City: Sofia, Sofia (stolitsa)
https://www.abuseipdb.com/check/194.169.175.36

IP                Contacts
194.169.175.36    3
84.239.14.133     2
39.103.168.88     2
194.169.175.37    2
194.169.175.34    2

On 5 July 2023, Red Sky Alliance identified 2,516 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants, with Shiz following.

Red Sky Alliance Malware Activity

Malware Variant     Times Seen
sality              2340
corkow              122
shiz                16
trojan:algureom     8
poweliks            8

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 7 July 2023, analysts identified 168 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

First Seen            Botnet Attribution     Infected Host's IPv4 Address
2023-06-30T18:09:46   HTTP proxy|port: 80    8.219.57.165
2023-07-03T12:12:50   HTTP proxy|port: 80    8.219.77.103
2023-06-28T18:21:10   HTTP proxy|port: 80    8.219.99.87
2023-06-30T19:40:28   HTTP proxy|port: 80    8.219.118.33
2023-07-03T12:14:36   HTTP proxy|port: 80    8.219.120.230

MALICIOUS CYBER TRENDS:

ThirdEye - FortiGuard Labs recently discovered files that look suspicious, even on a cursory review.  Their subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer the researchers named “ThirdEye”.  While this malware is not considered sophisticated, it is designed to steal various information from compromised machines that can be used as a stepping-stone for future attacks.[1]  The report below analyzes the behavior and evolution of this new infostealer.

ThirdEye – The investigation began when researchers spotted an archive file with a Russian file name, “Табель учета рабочего времени.zip” (“time sheet” in English).  This zip file contains two files that experience immediately flagged as up to no good.  Both files have a .exe extension preceded by another document-related extension (a double extension).  One of the files is “CMK Правила оформления больничных листов.pdf.exe” (“QMS Rules for issuing sick leave” in English), which is an executable rather than the document its title suggests.

The file has a SHA2 hash value of: f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

Figure 1. CMK Правила оформления больничных листов.pdf.exe

The ThirdEye infostealer has relatively simple functionality.  It harvests various system information from compromised machines, such as BIOS and hardware data.  It also enumerates files and folders, running processes, and network information.  Once executed, the malware gathers all this data and sends it to its command-and-control (C2) server hosted at hxxp://shlalala[.]ru/general/ch3ckState.  Unlike most other malware, it does nothing else.  One interesting string unique to the ThirdEye infostealer family (from which the researchers derived its name) is "3rd_eye", which it decrypts and uses together with another hash value to identify itself to the C2.  The second item in the archive is “Табель учета рабочего времени.xls.exe”, which shares the same file name as the parent archive.  This file is a ThirdEye infostealer variant designed to perform the same activities as f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

Figure 2. Табель учета рабочего времени.xls.exe

Based on the traits seen in those ThirdEye infostealer samples, analysts managed to trace the very first sample to 610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2, which was first submitted to a public file scanning service on 4 April 2023.  This oldest sample did not harvest as much information as recent samples.  It has a compilation timestamp of Monday 3 April (Apr 03 12:36:37 2023 GMT) and collects the following data:

  • client_hash
  • OS_type
  • host_name
  • user_name

Figure 3. Data to be exfiltrated by 610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2

It calculates a “client_hash”, which is used as an identifier. During exfiltration, the collected data is sent to the C2 server with a custom web request header:

Cookie: 3rd_eye=[client_hash value]

Figure 4. Client hash as cookie value

This variant uses hxxp://glovatickets[.]ru/ch3ckState as a C2 server.
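The exfiltration pattern described above (a request to a path ending in /ch3ckState carrying a "Cookie: 3rd_eye=<client_hash>" header) can be turned into a simple log check. The following Python is an added example, not code from the report or from FortiGuard; the proxy log format and the sample lines are constructed for the example, and the C2 hostnames are taken from the report's IOC list with the defanging brackets removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traits taken from the report: URI path ending in /ch3ckState and a
# Cookie header of the form 3rd_eye=<client_hash>.  The report only says
# the value is a hash, so any alphanumeric run is accepted here.
C2_PATH_RE = re.compile(r"/ch3ckState(?:\?|$)")
COOKIE_RE = re.compile(r"(?:^|;\s*)3rd_eye=([A-Za-z0-9]+)")

# C2 hostnames from the report's IOC list (defanged brackets removed).
KNOWN_C2_HOSTS = {"shlalala.ru", "ohmycars.ru", "anime-clab.ru", "glovatickets.ru"}

# Assumed (constructed) proxy log format, one request per line:
# <src_ip> <method> <host> <path> "<Cookie header value or ->"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Hit:
    src_ip: str
    host: str
    path: str
    client_hash: Optional[str]
    reasons: Tuple[str, ...]


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit if the request shows any ThirdEye C2 trait, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skipped, not treated as a hit
    src_ip, _method, host, path, cookie = m.groups()
    reasons = []
    if host.lower() in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if C2_PATH_RE.search(path):
        reasons.append("c2-path")
    cm = COOKIE_RE.search(cookie)
    client_hash = cm.group(1) if cm else None
    if client_hash:
        reasons.append("3rd_eye-cookie")
    if not reasons:
        return None
    return Hit(src_ip, host, path, client_hash, tuple(reasons))


def severity(hit: Hit) -> str:
    """The cookie or a listed C2 host is specific to ThirdEye; the path alone is weak."""
    strong = {"3rd_eye-cookie", "known-c2-host"}
    return "high" if strong & set(hit.reasons) else "low"


def scan(lines: List[str]) -> List[Hit]:
    return [h for h in (check_line(l) for l in lines) if h]


# Constructed sample log; the third line mirrors the report's note that some
# test variants beaconed to an internal address instead of a real C2.
SAMPLE_LOG = [
    '10.0.0.5 POST shlalala.ru /general/ch3ckState "3rd_eye=9c1f2a0b"',
    '10.0.0.7 GET www.example.com /index.html "session=abc123"',
    '10.0.0.9 POST 192.168.21.182 /ch3ckState "3rd_eye=deadbeef"',
    '10.0.0.11 GET cdn.example.net /ch3ckState "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(severity(hit), hit)
```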

No significant changes were made to the malware family until a few weeks later.  A variant (SHA256: A9D98B15C94BB310CDB61440FA2B11D0C7B4AA113702035156CE23F6B6C5EECF) with a compile timestamp of Wed Apr 26 09:56:55 2023 GMT collected additional data, such as:

  • BIOS release date and vendor
  • Number of CPU cores and RAM size
  • File list of the user’s desktop
  • Network interface data
  • List of usernames registered to the infected computer

However, this version would crash in certain virtual machines due to missing hardware information.  An updated variant was released one day later (SHA256: C36C4A09BCCDEDA263A33BC87A166DFBAD78C86B0F953FCD57E8CA42752AF2FC).  The only change here was the use of a PDF icon; none of the earlier samples used a custom/fake icon.  This variant used “hxxp://ohmycars[.]ru/general/ch3ckState” as its C2.

The following week brought even more changes. This next variant (SHA256: 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337) gathered much more data:

  • Total/Free disk space on the C drive
  • Domain name
  • List of network ports the infected computer is currently using
  • List of currently running processes
  • List of installed programs in the Program_Files directory
  • systemUpTime
  • List of user’s programs, including the version number
  • Volume information such as CD-ROM and other drive letters

Figure 5. Additional data to be exfiltrated by 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337

Another variant (5D211C47612B98426DD3C8EAC092AC5CE0527BDA09AFA34B9D0F628109E0C796), compiled on Thursday 25 May (May 25 11:02:54 2023 GMT), gathered the same type of data, but differed in encoding: instead of plaintext, the collected data was hex-encoded.  Over the past couple of months, researchers also spotted variants that used internal IP addresses instead of an actual C2 server (10[.]10[.]30[.]36 in SHA256: 2008BDD98D3DCB6633357B8D641C97812DF916300222FC815066978090FA078F and 192[.]168[.]21[.]182 in SHA256: 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337).  This was perhaps due to testing new features and/or checking for AV detections.

Conclusion - Although there is no concrete evidence that ThirdEye infostealer was used in attacks, the malware is designed to collect information from compromised machines that is valuable for understanding and narrowing down potential targets. Researchers believe this infostealer was designed for that purpose, and ThirdEye victims may be the subjects of future cyberattacks.  Since most ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a file name in Russian, the attacker may be looking to deploy malware to Russian-speaking organizations.  While ThirdEye is not yet considered sophisticated, our investigation found the attacker has put effort into improving the infostealer, such as recent samples collecting more system information compared to older variants.  Analysts expect that effort to continue.

IOCs

IOC                                                                 Malware
9db721fa9ea9cdec98f113b81429db29ea47fb981795694d88959d8a9f1042e6    Archive file containing ThirdEye Infostealer
5d211c47612b98426dd3c8eac092ac5ce0527bda09afa34b9d0f628109e0c796    ThirdEye Infostealer
f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494    ThirdEye Infostealer
3d9aff07e4cb6c943aec7fcd2d845d21d0261f6f8ae1c94aee4abdf4eef5924d    ThirdEye Infostealer
2008bdd98d3dcb6633357b8d641c97812df916300222fc815066978090fa078f    ThirdEye Infostealer
847cbe9457b001faf3c09fde89ef95f9ca9e1f79c29091c4b5b08c5f5fe48337    ThirdEye Infostealer
c36c4a09bccdeda263a33bc87a166dfbad78c86b0f953fcd57e8ca42752af2fc    ThirdEye Infostealer
0a798b4e7bd4853ec9f0d3d84ad54a8d24170aa765db2591ed3a49e66323742c    ThirdEye Infostealer
a9d98b15c94bb310cdb61440fa2b11d0c7b4aa113702035156ce23f6b6c5eecf    ThirdEye Infostealer
263600712137c1465e0f28e1603b3e8feb9368a37503fa1c9edaaab245c63026    ThirdEye Infostealer
610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2    ThirdEye Infostealer
hxxp://shlalala[.]ru/general/ch3ckState                             ThirdEye Infostealer C2
hxxp://ohmycars[.]ru/general/ch3ckState                             ThirdEye Infostealer C2
hxxp://anime-clab[.]ru/ch3ckState                                   ThirdEye Infostealer C2
hxxp://glovatickets[.]ru/ch3ckState                                 ThirdEye Infostealer C2

YARA: FortiGuard Labs has created a YARA rule to identify the ThirdEye Infostealer; it is published in the FortiGuard report referenced in [1].

GLOBAL TRENDS:

Russia - A notable Russian cybersecurity expert was detained in Kazakhstan last week at the request of the US, prompting authorities in Moscow last week to also seek his extradition.  Although the details and reasoning for the arrest are unclear, Nikita Kislitsin was charged with selling usernames and passwords belonging to American customers of the social media company Formspring in 2012.  Kislitsin worked as the head of network security at Group-IB, as well as its Russia-based spinoff company known as F.A.C.C.T. after Group-IB exited the country earlier this year.  Kislitsin's arrest is not related to his work at Group-IB, the company said in a statement on Telegram. F.A.C.C.T. said that the charges against Kislitsin stemmed from his time “as a journalist and independent researcher,” but didn’t provide further details.  Kislitsin is a former editor-in-chief of the Russian magazine “Hacker,” which focuses on information security and cyberattacks.

On 28 June in a separate case, a Russian court issued an arrest warrant for Kislitsin on charges related to the unauthorized access of protected computer information.  Russia said it will also seek his extradition from Kazakhstan.  Once in Russia, Kislitsin could potentially evade extradition to the US, a tactic the country has employed in the past.[2]  In 2012, for example, Moscow launched a criminal probe against Russian national Dmitry Zubakha following his arrest in Cyprus.  The US requested Zubakha’s extradition for his role in cyberattacks against Amazon.  Zubakha, however, was ultimately extradited to Russia.  In 2021, he became a co-founder of a company owned by the son of a former Russian deputy prime minister.

Wanted hackers often choose to flee to former Soviet countries such as Armenia, Georgia, and Kazakhstan, believing they will be safe from foreign prosecution there, according to researchers.  "Kislitsin's arrest is a clear indication of the shift in Kazakhstan geopolitics,” said an expert in Russian affairs, who became involved in Russia’s cybercrime scene around the fall of the Soviet Union.  "Some hackers called it ‘betrayal’ and ‘backstabbing’ in the private chats on Telegram."  Kislitsin traveled abroad frequently in recent years, including to Kazakhstan, for both business and personal reasons, F.A.C.C.T. told Russian state news agency RIA Novosti.  He had no problems crossing the border, according to the company.  “We are convinced that there are no legal grounds for his detention in Kazakhstan,” F.A.C.C.T. said in a statement. “We support Nikita and his family.”  Law enforcement hasn’t alleged any wrongdoing by F.A.C.C.T., the company said.

US Los Angeles - About 2,000 assessment records were breached during last September’s cyber-attack on Los Angeles Unified, affecting at least 60 currently enrolled students, the district is now disclosing.  Compromised records have primarily affected former district students and include some driver’s license numbers and Social Security numbers.  The new information comes after education news site The 74 revealed that hundreds if not thousands of sensitive mental health records for former district students were posted to the dark web, containing details about education services, medical histories and disciplinary records.  It is not clear how many affected students have been notified of the breach.  LAUSD, which addressed the situation in a statement attributed to IT infrastructure senior administrator Jack Kelanic, wrote that the district has notified some individuals and vendors who have been impacted by this attack and will continue to do so as determined.  “This is an ongoing investigation in partnership with forensic and cybersecurity experts where arduous, painstaking efforts are taking place to comb through the data, review individual pieces, determine what information was accessed, locate the impacted individuals and notify them of resources to protect themselves,” the statement read. “The aftermath of a cyberattack is a multi-layered, dynamic process in which real-time updates often alter the direction of an investigation.”[3]

The cyber-attack on LAUSD initially surfaced over Labor Day weekend but is thought to have started 31 July 2022.  The district refused to pay ransom, which resulted in the release of 500 gigabytes of data on the dark web, including vendor information, though district officials indicated that the impact was not widespread. Superintendent Alberto Carvalho initially said no psychological evaluations were included in the data leak.

France & Germany - Energy giants Schneider Electric and Siemens Energy have confirmed being targeted by a ransomware group in the recent campaign exploiting a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) software.  The Cl0p ransomware group claims to have exploited a MOVEit zero-day vulnerability to access the files of hundreds of organizations that had been using the MFT product.  Several major companies have confirmed being hit and the cybercriminals have started naming victims that refuse to pay up.[4]

Last week, the hackers added over a dozen more alleged victims to their leak website.  Germany-based Siemens Energy, a spinoff of Siemens’ energy business, and France-based automation and energy management giant Schneider Electric are among the companies named this week on the Cl0p site.  Siemens Energy has confirmed that it’s among the targets of the MOVEit attack and said it took immediate action in response to the incident.  “Based on the current analysis no critical data has been compromised and our operations have not been affected,” the company said in an emailed statement.

Schneider Electric said the company became aware of the MOVEit software zero-day on 30 May and promptly deployed mitigations to secure data and infrastructure.  “Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities.  Our cybersecurity team is currently investigating this claim as well,” the company said.

Other major organizations listed recently by Cl0p on its leak website include Sony, EY, PwC, Cognizant, AbbVie and UCLA, but it’s unclear if all of them have been targeted in the MOVEit attack.  The attackers have started leaking data allegedly stolen from energy giant Shell, which has confirmed being targeted in the MOVEit attack.  SecurityWeek has reached out to Shell as well.  Some evidence suggests that the cybercriminals have known about the MOVEit zero-day vulnerability since 2021, but mass attacks only started in late May 2023.  While some government organizations have also confirmed being impacted, the hackers claim they have deleted all the data obtained from such entities, noting that they are financially motivated and “do not care about politics.”  They allegedly deleted data obtained from more than 30 government and government-related organizations.  The cybercriminals also claim on their website that they are the only group to have exploited the zero-day before it was patched and they are the only ones in possession of the data obtained as a result of the attack.

US - US Marines who enlist for jobs in cyber and crypto operations will get a $15,000 signing bonus, triple the bonus announced in fall 2022.  A slate of bonuses announced in October 2022 had promised $5,000 as the cyber and crypto enlistment bonus, less than the enlistment bonuses for electronics maintenance ($8,000), chemical, biological, radiological and nuclear defense ($7,000), or music ($6,000).  But the Marine administrative message from October 2022 noted that the amounts could be tweaked “as recruiting environment conditions require.”

Now, Marines enlisting into cyber and crypto operations jobs in fiscal year 2023 will receive the heftiest enlistment bonus for any job in the Corps, once they complete training and receive their primary military occupational specialties, according to a June 26 Marine news release.[5]  The military occupational specialties eligible for the bonus are cyberspace warfare operator (1721), communications intelligence/electronic warfare operator (2621), electronic intelligence/electronic warfare analyst (2631), cryptologic language analyst (2641) and intelligence surveillance reconnaissance systems engineer (2651), according to the October 2022 administrative message and the Corps’ index of specialties.

With cyberspace a more important domain of warfare than ever, the service has said it needs Marines who can defend against cyber-attacks and launch some of their own.  The Marine Corps has acknowledged that it’s having trouble finding enough people to fill its cyber slots. That is one of the reasons for the Corps’ talent management initiatives, which are aimed at building a more seasoned, technologically capable force.  The Marine Corps, along with the other military services, is competing for cyber talent with the civilian sector, which often offers higher salaries, a 2022 Government Accountability Office report noted.  In fiscal year 2022, approximately 1,200 Marine recruits enlisted for the cyber jobs in question, according to Marine spokesman Maj. Jordan Cochran. The enlistment bonus that year for those jobs was $2,000.

UK - The Russian-speaking ALPHV or BlackCat ransomware operation has named Barts NHS Trust on its dark web leak site, claiming to have exfiltrated 7TB of data from the group, but almost three days after news of the incident came to light, its precise nature and circumstances remain unclear.  The dark web posting was made on the afternoon of Friday 30 June, and a copy of the notice has since been reviewed by Computer Weekly.  It is written in typically broken English, and claims to be the “most bigger leak from health care system in UK.”  The gang said: “You have 3 days for contact with us to decide this pity mistake, which made your IT department, decide what to do in next step. If you prefer to keep silence, we will start publicate data, most of it – citizens confidential documents [sic]”.  The data dump allegedly includes personally identifiable information (PII) on clinicians and Trust employees, including CVs and social security numbers (presumably referring to National Insurance), as well as financial reports, accounting and loan data, and insurance agreements. It also supposedly includes client documentation and credit card data.

A successful ransomware attack on an NHS Trust such as Barts, which operates five major London sites (St. Bartholomew’s Hospital, The Royal London Hospital, Mile End Hospital, Whipps Cross Hospital and Newham Hospital) serving more than 2.5 million people, would have caused significant disruption and made national headlines.  The fact this has not happened could indicate that ALPHV/BlackCat has not deployed any ransomware on Barts’ systems at all.  Extortion without encryption is now a common tactic: like any legitimate organization, financially motivated cybercrime gangs will take the path of least resistance to maximize the potential return on their “investment.”  Lately, this has been evidenced by Clop’s ongoing attacks on users of the MOVEit file transfer product.  Alternatively, it could suggest that the gang was interrupted and evicted from Barts’ systems after it had exfiltrated data but before it had executed its locker.[6]

Speaking before the weekend, a Barts’ spokesperson merely confirmed that the organization was aware of the claims and was investigating “as a matter of urgency.”  Its press office had not responded to a request for further comment at the time of writing.  Almost 72 hours after the gang first posted Barts’ name online, there remains no public evidence, other than its word, to support its claims.

Long-running operation - The ALPHV/BlackCat operation, which also goes by Noberus and is thought to have links to earlier operations such as BlackMatter, the DarkSide gang that attacked Colonial Pipeline in 2021, and possibly REvil, is itself one of the longer-established players in the Russian cybercriminal underground.  It formerly operated a malware known as Carbanak, which targeted banks and was likely used to steal close to $1bn over the course of its shelf life.  Since pivoting to ransomware, ALPHV/BlackCat has emerged as a highly dangerous operator, coming to prominence in the first two months of 2022 with a series of attacks on fuel and transport infrastructure operators.

This year, it is known to have targeted the systems of storage firm Western Digital, taking its MyCloud and SanDisk services offline for nearly a fortnight in May, and multinational payment giant NCR, which was hit in April and caused service problems for hospitality organizations using its Aloha point-of-sale platform.

[1] https://www.fortinet.com/blog/threat-research/new-fast-developing-thirdeye-infostealer-pries-open-system-information?lctg=141970831

[2] https://therecord.media/russian-cyber-expert-arrested-in-kazakhstan-triggering-showdown

[3] https://edsource.org/updates/2000-assessment-records-breached-in-lausd-cyber-attack

[4] https://www.securityweek.com/siemens-energy-schneider-electric-targeted-by-ransomware-group-in-moveit-attack/

[5] https://news.yahoo.com/marine-corps-triples-enlistment-bonuses-124536962.html

[6] https://www.computerweekly.com/news/366543473/BlackCat-gang-claims-cyber-attack-on-Barts-NHS-Trust
