Welcome to Safety Sunday – 9. Week. our weekly round-up of events in the world of cyber security (26.02 – 03.03 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

Windows Kernel bug fixed last month exploited as zero-day since August

Microsoft addressed a critical Windows Kernel privilege escalation vulnerability in February, following a six-month window since being alerted to its exploitation as a zero-day threat.
Identified as CVE-2024-21338, the security loophole was discovered by Avast Senior Malware Researcher Jan Vojtěšek within the appid.sys Windows AppLocker driver. It was promptly reported to Microsoft in August as an actively exploited zero-day vulnerability.
The vulnerability impacts a range of operating systems including multiple versions of Windows 10 and Windows 11, including the latest releases, as well as Windows Server 2019 and 2022. According to Microsoft, the successful exploitation of this vulnerability allows local attackers to elevate privileges to SYSTEM level in low-complexity attacks that do not necessitate user interaction. “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” states Redmond. Microsoft released the patch for the vulnerability on February 13 and updated the advisory on Wednesday, February 28, confirming the exploitation of CVE-2024-21338 in the wild. However, it refrained from disclosing specific details regarding the attacks. Avast informed BleepingComputer that North Korean Lazarus state hackers have been exploiting the flaw as a zero-day since at least August 2023. Their objective was to gain kernel-level access and deactivate security tools, thus evading detection using less conspicuous BYOVD techniques.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more,” Avast explained. Furthermore, Lazarus leveraged the flaw to establish a kernel read/write primitive, facilitating an updated FudModule rootkit version to execute direct kernel object manipulation.|
This new FudModule version boasts significant enhancements in stealth and functionality, incorporating new and updated rootkit techniques to evade detection and deactivate security protections such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.

Germany has dismantled the Crimemarket, a major cybercrime marketplace

The operation resulted in the arrest of six individuals, including one of the platform’s operators. Crimemarket, recognized as the largest German-speaking illegal trading platform, served as a central hub for the exchange of illicit drugs, narcotics, and cybercrime services. Additionally, it provided tutorials and guides for various criminal activities. The crackdown follows extensive investigations spanning several years, culminating in the identification of the platform’s operators and numerous users.
“In a collaborative effort, law enforcement agencies both in Germany and abroad initiated action against the largest German-speaking criminal trading platform on the Internet,” stated a machine-translated announcement.

As part of the operation, 102 search warrants were simultaneously executed across the country on the evening of February 29th, 2024. The primary focus was in North Rhine-Westphalia, where three arrests were made, including that of a 23-year-old man believed to be the primary suspect. Three additional arrests occurred in other federal states. Numerous pieces of evidence, including cell phones, IT devices, and data carriers, were seized by the police. In North Rhine-Westphalia alone, authorities seized narcotics in 21 cases, including 1 kilogram of marijuana and various ecstasy tablets. Nearly €600,000 in cash and movable assets were also confiscated. The operation targeted not only the operators of Crimemarket but also its users, with investigations ongoing.

The demise of Crimemarket began with reports of accessibility issues earlier in the week, as users encountered difficulties logging in despite the site remaining online.
Rumors circulated regarding the outage, with speculation linking it to the ChipMixer bust, a payment laundering service utilized by the platform. Some suggested that investigations into ChipMixer’s infrastructure might have compromised Crimemarket’s administrator, ‘Evolution.’
Today’s police announcement confirms that the site’s accessibility problems were indeed the result of law enforcement action and not technical issues.

Ransomware assaults targeting healthcare institutions surging in recent months

These attacks have impeded patient care and hindered access to vital prescription drugs. Among the most consequential incidents of 2024 is the assault on UnitedHealth Group’s subsidiary, Change Healthcare, which has had far-reaching repercussions for the US healthcare infrastructure. The attack has been attributed to the BlackCat ransomware operation, a group officially acknowledged by UnitedHealth as the perpetrator. Change Healthcare serves as an electronic payment exchange platform utilized by doctors, pharmacists, and hospitals for submitting billing claims within the US healthcare framework. The assault has resulted in severe disruptions to Change Healthcare’s operations, particularly affecting pharmacies’ ability to process billing for prescription medications. Consequently, patients have found themselves bearing the brunt of the disruption, often compelled to pay the full price for their medications until normal services are restored. Given that certain medications carry exorbitant costs, many patients face significant financial strain. Compounding the crisis, the BlackCat ransomware group, also known as ALPHV, asserts to have absconded with 6TB of data from Change Healthcare during the attack, comprising sensitive personal information belonging to millions.

In response to the escalating threat, the FBI, CISA, and the HHS have issued a joint advisory, cautioning hospitals about the looming threat of BlackCat attacks. Rick Pollack, President and CEO of the American Hospital Association (AHA), underscored the severity of the situation: “The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization.” He further emphasized ongoing dialogues with UnitedHealth Group and the federal government, stressing the critical implications of prolonged disruptions to Change Healthcare’s systems. Such disruptions could impair hospitals and health systems’ ability to meet financial obligations, including salaries for clinicians, procurement of essential medicines and supplies, and funding for vital contract work in areas such as physical security, dietary, and environmental services.

Golden Corral, a prominent US restaurant chain, disclosed a data breach impacting approximately 180,000 individuals

The breach, identified on August 15, 2023, disrupted certain corporate operations. Investigations revealed that a threat actor accessed specific systems and obtained various personal data between August 11, 2023, and August 15, 2023. Subsequent analysis revealed that compromised data includes names, Social Security numbers, driver’s license numbers, financial account details, medical information, health insurance particulars, and credentials. Following a thorough review, Golden Corral concluded the scope of the breach and located address information for affected individuals by January 26, 2024. The company promptly initiated efforts to notify potentially impacted parties and regulatory bodies, commencing on February 16. In total, over 183,000 individuals were affected, prompting Golden Corral to inform the Maine Attorney General’s Office.

While there is no evidence of misuse of the compromised data, Golden Corral advises affected individuals to remain vigilant against identity theft by scrutinizing account statements and benefits explanations for any suspicious activity. To mitigate potential risks, the restaurant chain offers affected individuals complimentary access to credit monitoring services and guidance on safeguarding against identity theft and fraud. Despite these measures, Golden Corral faces class action lawsuits over the breach. Several consumer rights law firms have expressed interest, resulting in at least three lawsuits filed in the North Carolina Eastern District Court this week. One lawsuit, filed by a former employee, alleges that Golden Corral neglected to implement adequate security measures despite being aware of potential risks associated with the collected personal information.

Critical infrastructure organizations in the United States  put on alert regarding Phobos ransomware attacks

Phobos, operational since May 2019, operates under the ransomware-as-a-service (RaaS) model and has extracted millions of dollars from victim organizations.A joint advisory issued by CISA, the FBI, and MS-ISAC highlights Phobos’s association with ransomware variants like Backmydata, Devos, Eight, Elking, and Faust. The attackers employ tactics such as phishing emails to deliver malicious payloads, including SmokeLoader backdoors, which facilitate Phobos deployment and data exfiltration. Phobos attacks commonly begin with phishing emails delivering IP scanning tools to identify vulnerable Remote Desktop Protocol (RDP) ports, subsequently targeted for brute-force attacks. Remote access tools are then utilized to establish connections within compromised networks. Spoofed email attachments have been observed delivering malicious payloads, while cybercriminals exploit legitimate executables to deploy additional payloads and bypass network defenses. Reconnaissance, credential harvesting, and discovery are performed using open-source tools like Bloodhound, Mimikatz, and NirSoft.

Phobos has been observed deleting data backups to thwart recovery efforts and encrypting all connected logical drives on target machines. Extortion tactics involve email, voice calls, and instant messaging applications. Compromised organizations are listed on Tor-based sites hosting allegedly stolen data. The advisory includes indicators of compromise (IoCs) to aid organizations in identifying potential Phobos ransomware compromises, along with recommended mitigations. The FBI, CISA, and MS-ISAC urge organizations to implement these measures to minimize the likelihood and impact of Phobos ransomware and other ransomware incidents.

A new variant of the Bifrost remote access trojan (RAT) for Linux has surfaced, utilizing a deceptive domain resembling VMware

Bifrost, a RAT identified two decades ago, remains one of the most enduring threats, infiltrating systems through malicious email attachments or payload-dropping sites and harvesting sensitive data. Recent observations by Palo Alto Networks’ Unit 42 researchers have revealed heightened Bifrost activity, prompting an in-depth investigation that uncovered this stealthier variant. The latest Bifrost samples analyzed by Unit 42 researchers introduce enhancements to the malware’s operational and evasion capabilities. Firstly, the command and control (C2) server employs the domain “download.vmfare[.]com,” resembling a legitimate VMware domain, thereby evading detection during scrutiny. This deceptive domain resolution, facilitated by a Taiwan-based public DNS resolver, complicates tracing and blocking efforts. Technically, the malware binary is compiled in stripped form without debugging information or symbol tables, increasing the complexity of analysis.

Bifrost gathers the victim’s hostname, IP address, and process IDs, encrypts them using RC4 encryption, and transmits them to the C2 via a newly created TCP socket. Additionally, Unit 42’s report highlights the emergence of an ARM version of Bifrost, exhibiting similar functionality to the x86 samples analyzed. This development signifies the attackers’ intent to expand their targeting to ARM-based architectures, increasingly prevalent in diverse environments. Although Bifrost may not rank among the most sophisticated threats, the Unit 42 team’s findings underscore the need for heightened vigilance. The RAT’s developers are evidently refining it into a more covert threat capable of targeting a broader range of system architectures.

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.