Welcome to Safety Sunday, week 11: our weekly overview of events in the world of cyber security (11.03 – 17.03.2024).

We’re collecting notable incidents and vulnerability reports from the past week.

StopCrypt Ransomware: Detection Evasion Evolution

StopCrypt, widely recognized as STOP Djvu, has emerged as one of the most pervasive ransomware strains, yet it often flies under the radar in discussions about cyber threats. Unlike notorious ransomware like LockBit, BlackCat, and Clop, StopCrypt primarily targets individual users rather than businesses. It aims to garner numerous small ransom payments ranging from $400 to $1,000, instead of seeking a single large payout. The distribution channels for StopCrypt are varied, with malvertising and dubious websites distributing adware bundles disguised as free software, game cheats, or software cracks being the most common vectors.

However, unsuspecting users who fall prey to these schemes often find themselves infected with StopCrypt, alongside other malware such as password-stealing trojans. The modus operandi of StopCrypt has remained relatively consistent since its inception in 2018, with new iterations typically focused on addressing critical issues. Consequently, whenever a new version surfaces, it demands attention due to its potential impact on a large number of users.

Recently, SonicWall’s threat research team uncovered a fresh variant of StopCrypt in the wild. This iteration employs a multi-stage execution process to enhance its stealth and resilience against detection mechanisms. In its initial stages, the malware loads a seemingly unrelated DLL file (msim32.dll) as a diversionary tactic. It incorporates time-delaying loops to circumvent time-based security measures, complicating detection efforts. StopCrypt leverages dynamically constructed API calls to allocate memory space with read/write and execution permissions, making its detection more challenging. It further employs API calls to capture snapshots of running processes, providing insight into its operational environment. Subsequently, StopCrypt employs process hollowing, a technique where it appropriates legitimate processes to execute its payload discreetly in memory. This process involves meticulous manipulation of process memory and control flow through API calls.

Upon successful execution, StopCrypt initiates actions to ensure persistence, modify access control lists (ACLs) to prevent users from deleting critical malware files, and create scheduled tasks to execute the payload at regular intervals. Files encrypted by StopCrypt receive a “.msjd” extension, although it’s important to note that the ransomware frequently changes extensions to evade detection.

The evolution of StopCrypt into a more sophisticated and elusive threat highlights a concerning trend in cybercrime. While its ransom demands may not be exorbitant and it doesn’t engage in data theft, the widespread damage it inflicts on individuals could be substantial.
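The post-execution behaviours listed above (bulk renames to a new extension, scheduled tasks pointing at a payload in a user-writable folder, ACL changes that deny deletion of the malware's own files) are the parts of this chain a defender can see in host telemetry. The script below is an added example written for this digest; it is not SonicWall's detection logic and not code from the StopCrypt analysis. It assumes a hypothetical, simplified EDR-style event schema (`file_rename`, `task_create`, `acl_change` records) and runs over constructed sample events embedded in the block. Because the page notes that StopCrypt rotates its extension between builds, the rename check keys on the volume of renames to any one new extension rather than on the literal ".msjd".

```python
"""Triage of StopCrypt-style host telemetry.

Added example for this digest, not vendor code. The event records below are a
hypothetical simplified EDR feed; all paths and names are constructed.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Locations a normal user can write to. A scheduled task whose action lives
# here is the persistence pattern described for StopCrypt.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

# Extensions that legitimately appear in bulk renames (backups, downloads).
BENIGN_EXTENSIONS = {".bak", ".tmp", ".part", ".crdownload"}


def rename_extension_bursts(events, threshold=20):
    """Return {extension: count} for every extension that is the *new*
    extension of at least `threshold` renames, ignoring benign ones.

    Appending ".msjd" to "report.docx" yields "report.docx.msjd", so the
    new suffix differs from the old one and is counted.
    """
    counts = Counter()
    for ev in events:
        if ev["type"] != "file_rename":
            continue
        new_ext = PureWindowsPath(ev["new_path"]).suffix.lower()
        old_ext = PureWindowsPath(ev["old_path"]).suffix.lower()
        if new_ext and new_ext != old_ext and new_ext not in BENIGN_EXTENSIONS:
            counts[new_ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def tasks_from_user_writable_paths(events):
    """Names of scheduled tasks whose action executable sits in a user-writable dir."""
    hits = []
    for ev in events:
        if ev["type"] != "task_create":
            continue
        action = ev["action"].lower()
        if any(marker in action for marker in USER_WRITABLE_MARKERS):
            hits.append(ev["task_name"])
    return hits


def delete_denying_acl_changes(events):
    """Paths where a deny ACE removing DELETE was added: the 'stop the user
    from removing my files' pattern described for StopCrypt."""
    return [ev["path"] for ev in events
            if ev["type"] == "acl_change"
            and ev["ace_type"] == "deny"
            and "DELETE" in ev["rights"]]


def triage(events, rename_threshold=20):
    """Combine the three checks into one finding set for a host."""
    return {
        "extension_bursts": rename_extension_bursts(events, rename_threshold),
        "user_dir_tasks": tasks_from_user_writable_paths(events),
        "delete_denied": delete_denying_acl_changes(events),
    }


def sample_events():
    """Constructed telemetry for one infected host plus some benign noise."""
    events = []
    for i in range(25):  # encryption burst: 25 documents renamed to *.msjd
        events.append({"type": "file_rename",
                       "old_path": f"C:\\Users\\alice\\Documents\\doc{i}.docx",
                       "new_path": f"C:\\Users\\alice\\Documents\\doc{i}.docx.msjd"})
    for i in range(3):  # benign: a backup tool renaming to .bak
        events.append({"type": "file_rename",
                       "old_path": f"C:\\Users\\alice\\Documents\\notes{i}.txt",
                       "new_path": f"C:\\Users\\alice\\Documents\\notes{i}.txt.bak"})
    # Persistence task pointing into the user profile (constructed folder name).
    events.append({"type": "task_create", "task_name": "ExampleUpdaterTask",
                   "action": "C:\\Users\\alice\\AppData\\Local\\abcd-1234\\update.exe"})
    # Benign task from a program directory (constructed vendor name).
    events.append({"type": "task_create", "task_name": "ExampleVendorUpdate",
                   "action": "C:\\Program Files\\ExampleVendor\\updater.exe"})
    # ACL change denying deletion of the payload folder.
    events.append({"type": "acl_change",
                   "path": "C:\\Users\\alice\\AppData\\Local\\abcd-1234",
                   "ace_type": "deny", "rights": ["DELETE", "DELETE_CHILD"]})
    return events


if __name__ == "__main__":
    for key, value in triage(sample_events()).items():
        print(f"{key}: {value}")
```

Each check alone is noisy (backup tools rename in bulk, installers create tasks under AppData), which is why `triage` reports them together: a host that trips all three within a short window is a much stronger signal than any one of them.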

GhostRace: A New CPU Vulnerability Leading to Data Leakage

A recent discovery by a team of researchers has unveiled a new data leakage vulnerability affecting modern CPU architectures that support speculative execution. Dubbed GhostRace (CVE-2024-2193), this vulnerability is a variant of Spectre v1 (CVE-2017-5753) and exploits a combination of speculative execution and race conditions. GhostRace allows attackers to bypass common synchronization primitives implemented using conditional branches, exploiting branch misprediction attacks to turn architecturally race-free critical regions into Speculative Race Conditions (SRCs). This enables attackers to extract information from the target, as highlighted by researchers from the Systems Security Research Group at IBM Research Europe and VUSec, the latter known for disclosing the SLAM side-channel attack targeting modern processors in December 2023. 

Spectre attacks, including GhostRace, capitalize on speculative execution to read privileged data in memory, leveraging erroneous predictions that leave traces in processor caches. These attacks induce victims to speculatively perform operations that would not occur during strictly serialized processing, thereby leaking confidential information to adversaries through covert channels. The discovery of vulnerabilities like GhostRace, along with Meltdown, has prompted a comprehensive review of microprocessor architecture. The MITRE Common Weakness Enumeration (CWE) program recently added four new weaknesses related to hardware microarchitectures stemming from transient execution, further emphasizing the significance of these findings. What sets GhostRace apart is its ability to allow unauthenticated attackers to extract arbitrary data from processors using race conditions to access speculative executable code paths. This is achieved through a Speculative Concurrent Use-After-Free (SCUAF) attack, exploiting transiently executed paths originating from mis-speculated branches.

Healthcare provider in Scotland has experienced a cyberattack

Scottish healthcare provider NHS Dumfries and Galloway is currently managing a “focused and ongoing cyber attack,” as reported by The Record. The organization has swiftly responded to the incident following established protocols, collaborating with partner agencies such as Police Scotland, the National Cyber Security Centre, and the Scottish Government. As a result of this situation, there may be some disruptions to services. NHS Dumfries and Galloway also acknowledged the risk of hackers potentially accessing a significant amount of data during their incursions into the systems.

LockBit ransomware group member sentenced to 4 years in prison

Mikhail Vasiliev, aged 33 and residing in Ontario, Canada, has been sentenced to four years in prison for his role in the LockBit ransomware scheme, which targeted over 1,000 victims and extorted millions of dollars from them. He was apprehended in November 2022 and charged with conspiring to infect computers with ransomware and issuing ransom demands. Last month, he admitted guilt to eight counts related to cyber extortion, mischief, and weapons offenses. During a raid on Vasiliev’s Bradford home in October 2022, Canadian authorities found incriminating evidence, including a laptop displaying the LockBit control panel login screen and a bitcoin wallet linked to ransom payments. Additionally, investigators discovered a file named “TARGETLIST,” which contained potential or past LockBit targets, along with screenshots and instructions related to the ransomware.

LockBit, previously known as “ABCD,” has been active since at least 2019 and has become one of the most prevalent ransomware strains globally. Operating on a ransomware-as-a-service model, LockBit provides software and infrastructure to affiliates who conduct attacks, with profits shared between the group and its affiliates. The FBI estimates that LockBit has extorted over $120 million from victims worldwide. Law enforcement agencies recently dealt a significant blow to LockBit by seizing much of its server infrastructure. However, subsequent attacks indicate that the group remains operational, sparking concerns among observers. During Vasiliev’s sentencing, Judge Michelle Fuerst characterized him as a “cyber-terrorist,” highlighting the deliberate and calculated nature of his actions. The judge emphasized that Vasiliev’s crimes were far from victimless and were motivated by greed.

French Government Agency Data Breach may impact 43 million people

A recent breach at France’s government unemployment agency, France Travail (formerly Pole Emploi), has potentially affected up to 43 million individuals, authorities revealed this week. The cyberattack occurred between February 6 and March 5, 2024, resulting in the unauthorized access and theft of personal data. The compromised information includes names, dates of birth, social security numbers, agency-specific identifiers, email and postal addresses, and phone numbers of job seekers. Fortunately, passwords and financial data were not compromised. France Travail disclosed that the breached database contained records of current job seekers, individuals registered with the agency over the past two decades, and those who created accounts on its website. The total number of affected individuals could reach 43 million.

Efforts are underway to notify impacted individuals and caution them against potential cybercriminal activities leveraging the stolen data. However, the perpetrators behind the attack remain unidentified, and it’s unclear if the breach was orchestrated by a ransomware group. This incident isn’t the first data breach involving France Travail. In August 2023, the agency reported a separate breach that affected approximately 10 million individuals.

Notepad++ and VNote Installers targeted with fake malicious ads

Malicious ads targeting Chinese users seeking genuine software like Notepad++ and VNote on search engines such as Baidu have surfaced, leading to the distribution of trojanized versions of the software and the deployment of Geacon, a Golang-based implementation of Cobalt Strike. According to Kaspersky researcher Sergey Puzan, the malicious site found in the Notepad++ search is disseminated through an advertisement block. Upon accessing it, observant users will notice a striking inconsistency: while the website address includes “vnote,” the title suggests a download of “Notepad–” (an alternative to Notepad++, also available as open-source software), even though the displayed image proudly showcases Notepad++. In reality, the packages downloaded from this source contain “Notepad–.”

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.