The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good | Multimillion Dollar Cryptojacking Scammer Arrested In Joint Europol Operation

After spinning up roughly a million virtual servers on hijacked cloud accounts to mine an estimated €1.8 million in cryptocurrency, the alleged kingpin behind the operation has been arrested in his native Ukraine. The 29-year-old stands accused of orchestrating a large-scale cryptojacking scheme before being caught by the National Police of Ukraine, assisted by Europol and an unnamed cloud service provider.

Source: Europol

The joint investigation began in January 2023, when a cloud provider informed Europol about compromised user accounts. The agency shared this intelligence with Ukrainian authorities. Reports note that the accused had been infecting the servers of a prominent e-commerce company with cryptomining malware since at least 2021, using custom brute-force tools to break into some 1,500 accounts.

With those accounts, the attacker gained access to the service's management console and created over one million virtual computers to sustain the mining operation. Ukrainian authorities confirmed that the suspect used TON cryptocurrency wallets to move the illicit proceeds.

Cryptojacking is the unauthorized use of a victim's computing resources to mine cryptocurrency. In cloud environments, attackers typically gain access through compromised credentials and then provision instances or install miners that consume the tenant's CPU and GPU capacity without consent. Because the compute bill lands on the victim, the attacker sidesteps the cost of mining infrastructure entirely, whether by abusing free trials or by taking over legitimate tenants.

Cryptojackers get in through weak or reused credentials, exposed management APIs, and unpatched platform flaws, so continuous monitoring and regular patch management remain the foundation. To catch crypto-centric abuse specifically, alert on irregular spikes in resource usage, unexpected bursts of instance creation, and billing anomalies; enforce multi-factor authentication on console and API accounts so brute-forced passwords alone are not enough; and apply role-based access control and zero-trust policies so that a single compromised account cannot provision unlimited compute.
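The two signals that this case turns on (one source brute-forcing its way into many accounts, then one account spawning far more instances than normal) can both be pulled out of a cloud audit log with simple aggregation. The script below is an added example written for this article, not code from Europol, the cloud provider or the investigation; the event schema (`ts`, `account`, `action`, `src_ip`), the action names and the thresholds are assumptions, and the log lines are constructed for the demonstration.

```python
"""Flag cloud accounts that suddenly spawn many instances, and source IPs that
log into many distinct accounts. Added example: the JSON event format, action
names and thresholds are assumed, not any real provider's schema."""
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit events (not real logs), one JSON object per line.
# Normal activity from three accounts, then one source IP logging into four
# different accounts within seconds and one of them creating 40 instances
# inside a single hour.
SAMPLE_EVENTS = "\n".join(
    [
        '{"ts": "2023-01-10T08:01:12Z", "account": "alice", "action": "Login", "src_ip": "198.51.100.7"}',
        '{"ts": "2023-01-10T08:05:40Z", "account": "alice", "action": "CreateInstance", "src_ip": "198.51.100.7"}',
        '{"ts": "2023-01-10T09:15:03Z", "account": "bob", "action": "CreateInstance", "src_ip": "203.0.113.9"}',
        '{"ts": "2023-01-10T10:30:55Z", "account": "bob", "action": "CreateInstance", "src_ip": "203.0.113.9"}',
        '{"ts": "2023-01-10T11:00:01Z", "account": "carol", "action": "Login", "src_ip": "192.0.2.44"}',
        '{"ts": "2023-01-10T11:00:02Z", "account": "dave", "action": "Login", "src_ip": "192.0.2.44"}',
        '{"ts": "2023-01-10T11:00:03Z", "account": "erin", "action": "Login", "src_ip": "192.0.2.44"}',
        '{"ts": "2023-01-10T11:00:04Z", "account": "frank", "action": "Login", "src_ip": "192.0.2.44"}',
    ]
    + [
        f'{{"ts": "2023-01-10T11:{3 + i:02d}:00Z", "account": "erin", '
        f'"action": "CreateInstance", "src_ip": "192.0.2.44"}}'
        for i in range(40)
    ]
)


def parse_events(text):
    """Parse newline-delimited JSON events, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Accept the trailing "Z" form on Python versions before 3.11.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def hourly_create_counts(events):
    """Count CreateInstance events per (account, hour) bucket."""
    counts = Counter()
    for ev in events:
        if ev["action"] == "CreateInstance":
            hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(ev["account"], hour)] += 1
    return counts


def flag_mass_creation(counts, multiplier=5.0, floor=10):
    """Return {account: peak_hourly_count} for accounts whose busiest hour is
    at least `floor` creations and at least `multiplier` times the median
    account-hour. The absolute floor stops tiny baselines (median of 1)
    from flagging an account that merely created a handful of instances."""
    if not counts:
        return {}
    baseline = median(counts.values())
    peaks = defaultdict(int)
    for (account, _hour), n in counts.items():
        peaks[account] = max(peaks[account], n)
    return {a: n for a, n in peaks.items() if n >= floor and n >= multiplier * baseline}


def flag_credential_stuffing(events, min_accounts=3):
    """Return {src_ip: [accounts]} for IPs that logged into >= min_accounts
    distinct accounts, a typical footprint of brute-force or stuffing tools."""
    per_ip = defaultdict(set)
    for ev in events:
        if ev["action"] == "Login":
            per_ip[ev["src_ip"]].add(ev["account"])
    return {ip: sorted(accts) for ip, accts in per_ip.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("mass instance creation:", flag_mass_creation(hourly_create_counts(evs)))
    print("multi-account logins:", flag_credential_stuffing(evs))
```

In production the baseline should come from each account's own history over days, not from the median of a single day's buckets as here, and the login check should also weigh failed attempts, which this constructed sample omits.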

The Bad | High Profile Victims Plunged Into New Custom COLDRIVER Phishing Malware

The Russia-linked threat actor dubbed COLDRIVER has evolved, delivering its first custom malware, written in Rust, to move beyond its usual credential-harvesting tradecraft.

According to the latest report on its tactics, COLDRIVER now uses PDFs as decoy documents to initiate the infection sequence. Sent from impersonation accounts, the PDFs are designed to engage high-profile targets in the U.K., the U.S., and other NATO countries, as well as countries neighboring Russia.

The documents are disguised as op-eds or articles seeking feedback and display what appears to be encrypted text. This is meant to prompt the victim to reply that the document cannot be read, after which the threat actor supplies a malicious link to a supposed decryptor tool named Proton-decrypter.exe.

Lure document displays encrypted text (Source: Google TAG)

The "decryptor" is in fact a backdoor named SPICA, COLDRIVER's first known custom malware. SPICA talks to its command-and-control (C2) server using JSON over WebSockets and supports command execution, theft of cookies from web browsers, file upload and download, and file enumeration and exfiltration.

Security researchers note that there is currently no visibility into how many victims have been successfully compromised with SPICA, as it has only been used in limited, targeted attacks. So far, though, all known victims come from critical sectors including NGOs, defense, academia, think tanks, and energy facilities.

This development follows the recent sanctioning of two Russian nationals associated with COLDRIVER. The group has been active since 2015 and continues to lean on open-source intelligence (OSINT) and social engineering to craft its spear-phishing attacks. As of December 2023, U.S. authorities are offering a reward of up to $10 million for information leading to the identification or location of COLDRIVER members.

The Ugly | Citrix Customers Urged to Patch Against Two Exploited Zero-Day Vulnerabilities

Citrix NetScaler ADC and NetScaler Gateway customers were warned this week of two zero-day vulnerabilities being actively exploited in the wild. The first, tracked as CVE-2023-6548 with a CVSS score of 5.5, is a code injection flaw that allows an authenticated, low-privileged attacker with access to the management interface to achieve remote code execution (RCE) on it. The second, tracked as CVE-2023-6549 with a CVSS score of 8.2, is a buffer overflow that can be exploited for denial of service (DoS) when the appliance is configured as a Gateway or as an authentication, authorization and accounting (AAA) virtual server.

Citrix's security notice urges customers to install the fixed builds as soon as possible; NetScaler ADC and NetScaler Gateway 12.1 are no longer supported, so users on that branch must upgrade to a supported version that contains the fixes. Users who cannot deploy the updates immediately are advised to ensure the management interface is not exposed to the internet, which removes the attack path for CVE-2023-6548, and to restrict network traffic to affected instances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.

CISA has added both Citrix vulnerabilities to its Known Exploited Vulnerabilities catalog and mandated that U.S. federal agencies secure their systems against them, citing the high risk they pose to the federal enterprise. The directive requires CVE-2023-6548 to be patched by January 24, while CVE-2023-6549 must be mitigated within three weeks, by February 7. Although the directive binds only federal agencies, CISA encourages all organizations, including private companies, to prioritize patching the listed vulnerabilities. Less than three months ago, another Citrix flaw dubbed "Citrix Bleed" (tracked as CVE-2023-4966) made headlines after being leveraged by ransomware affiliates of the LockBit group to attack government organizations and high-value tech companies worldwide.