Threat Intelligence Report May 2 - May 8 2023

The Oracle Opera property management system was reported vulnerable to multiple exploits, including the ability for attackers to obtain the JNDI connection name through servlets that leak information. The system's weak hardcoded cryptography also makes it possible for attackers to create encrypted payloads and execute remote commands without authentication. Attackers can upload a web shell, leading to arbitrary command execution and potential lateral privilege escalation. Versions of Oracle Hospitality Opera 5 Property Services 5.6 and below are affected. A solution to this vulnerability is upgrading to the latest version of Opera, version 5.6 or higher.

DarkCloud Stealer, a highly sophisticated infostealer, is being distributed through various spam campaigns. It starts with a phishing email containing a malicious link/attachment and copies itself into the system directory, creating a task scheduler entry for persistence. It loads the final payload written in Visual Basic (VB) into the memory of a running process and gathers sensitive data from multiple applications on the targeted system. The malware is capable of collecting system information, capturing screenshots, monitoring clipboard activities, and retrieving data from cryptocurrency applications. It also offers a crypto-swapping feature for popular cryptocurrencies like Bitcoin and Ethereum. The malware exfiltrates stolen data to the command and control (C2) server via different methods such as SMTP, Telegram, Web Panel, and FTP. The attackers behind DarkCloud Stealer target applications like web browsers, FileZilla, CoreFTP, and Pidgin.

Shellbot malware enables the attackers to communicate with the C&C server to run commands within the victim machine. The C&C server, also called the IRC server in this scenario, can directly send some messages to its victims’ machines to keep the communication channel alive and to specify what commands they must run. Its peculiarity is that the victim machine downloads and launches multiple binaries after the first execution. Many of them have the same purpose but are conceived for different OS (32/64 bits) and CPUs (arm, mips).

The Tsunami malware can still give remote control access to malicious users. Thus, potential attackers can take full control of the infected systems and leverage them to exploit their computational resources or to propagate attacks elsewhere. Two files are downloaded on the infected machine sshexec and sshpass. The former is a bash script that sets some variables and arguments that later will be used as sshpass parameters.

The latter is an executable binary that seems like a mass executor for non-interactively performing password authentication with SSH. It can be used against a list of hosts previously received or set by the sshexec bash script.

RokRAT is a remote access trojan used to steal sensitive information from victim machines. It was first discovered in 2017 targeting government sectors in South Korea as well as journalists, activists, and North Korean defectors. The infection scheme starts with lures using phishing emails or social engineering attacks. It sends seemingly interesting documents to its targets which contain LNK files that run malicious PowerShell scripts. One of many samples of RokRAT was observed to have utilised Twitter as its Command-and-Control server and others have used Yandex or Mediafire. The latest RokRAT samples analysed today rely on cloud storage for their Command-and-Control communications.

Red Piranha proactively gathers information about organizations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 109 new ransomware victims from 22 distinct industries across 22 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organizations of all sizes and sectors.

Blackbasta, a specific ransomware, has affected the largest number of new victims (23) spread across various countries. Akira and Alphv groups follow closely with each hitting 15 and 11 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 22 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 71 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Retail sectors were hit particularly hard, with the loss of 21 and 13 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.