The Good, the Bad and the Ugly in Cybersecurity – Week 15

The Good | Police Unmask 200 LockBit Affiliates

Following the takedown of their operations earlier in the year, the inner workings of LockBit’s affiliate infrastructure have become clearer this week as investigations continue. The UK’s National Crime Agency, with assistance from the FBI, have reportedly matched a list of pseudonyms used by the ransomware gang to suspected cybercriminals.

So far, investigators have been able to link some 200 affiliates of LockBit who were using nondescript usernames to real world identities. The NCA’s senior officer on the case further confirmed that authorities have been able to connect specific affiliates back to particular cyberattacks. As the investigations carry on, all details collected are helping law enforcement to pursue more of the gang’s influential members, as well as any associated money launderers and malware developers.

Over the past three years, LockBit’s Ransomware-as-a-Service (RaaS) operations have left a long line of victims in its wake, with their ransom demands totalling at least $120 million.

Despite a dramatic takedown in February and having a senior administrator sentenced in March, LockBit lingers on through a new blog and data leak site, though lacking its prior momentum. Still, the gang’s ringleaders remain at large and cyber defenders continue to monitor for signs of rebranding – a strategy used by Hive and predecessors of BlackCat/ALPHV. Law enforcement’s efforts in matching up outstanding LockBit usernames to known criminals is a major step in disrupting LockBit’s new and future operations.

The Bad | New Phishing Campaign Drops Multi-Stage Malware via SVG Files

Security researchers this week reported on a complex cyberattack leveraging phishing emails to spread a wide range of malware, including Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a crypto wallet stealer.

In this wave of phishing attacks, the threat actor emails fake invoices in the form of Scalable Vector Graphics (SVG) files, which trigger the infection process after the victim engages. Researchers pegged this technique to the use of BatCloak malware obfuscation engines and a crypter called ScrubCrypt to deliver obfuscated batch scripts carrying the malware.

According to the report, the SVG file drops a ZIP archive containing a batch script, likely crafted using BatCloak, which unpacks the ScrubCrypt batch file to deploy Venom RAT. The remote access trojan then establishes control over compromised systems, executing commands from a command-and-control (C2) server.

The threat actors has been observed using various methods to distribute additional plugins, including NanoCore RAT, XWorm, and Remcos RAT, with Remcos RAT distributed through obfuscated VBS scripts, ScrubCrypt, and GuLoader PowerShell. Finally, a stealer component targets crypto wallets and applications like Atomic Wallet and Telegram to send stolen data to a remote server.

Accounting for the multiple layers of obfuscation and plugin deployment via different payloads, the campaign demonstrates threat actors’ efforts to stay versatile in their approach in order to persist and evade detection. Pairing consistent monitoring capabilities with cyber hygiene surrounding email security continues to be an effective approach to minimizing threats from increasingly intricate phishing campaigns.

The Ugly | Bug in Rust Could Allow Command Injection Attacks

Codenamed BatBadBut, a new and critical vulnerability (CVE-2024-24576) could allow threat actors to target Windows systems and execute command injection attacks. The flaw, rated 10/10 CVSS, arises from weaknesses in OS command and argument handling in a number of programming languages, including Rust.

BatBadBut permits remote exploitation by unauthenticated attackers without user interaction. The bug only impacts Windows and only when programs or their dependencies execute batch files with untrusted arguments. In their security advisory, the Rust Security Response Working Group attributed the flaw to improper argument escaping when invoking batch files on Windows using the Command API.

The flaw affects all Rust versions prior to 1.77.2. Addressing the complexity of parsing rules in cmd.exe, Rust’s security team have since enhanced the escaping code and Command API to mitigate the risk. They have also introduced an InvalidInput error if the Command API fails to safely escape arguments during process spawning.

Maintainers of other languages have either updated their documentation or provided a patch, with the exception of Java, which currently has a status of ‘Won’t fix’.

Project Status
Erlang Documentation update
Go Documentation update
Haskell Patch available
Java Won’t fix
Node.js Patch available
PHP Patch available
Python Documentation update
Ruby Documentation update
Rust Patch available

The emergence of CVE-2024-24576 draws attention back to a February statement made by the National Cyber Director who called for widespread adoption of memory-safe programming languages (like Rust) to bolster their software security. A report released by the White House also promoted tech manufacturers to be proactive about reducing risk by adopting memory-safe programming languages in their operations.