As part of its ongoing offensive against threat actors backed by the North Korean government, the Department of Justice on Thursday announced an indictment of an alleged member of the APT45 group that is known for deploying the Maui ransomware and running long-term campaigns against government agencies, health care facilities, and other organiztions in the United States and elsewhere.

The indictment accuses Rim Jong Hyok of being a key part of the APT45 team–also known as Andariel–that conducted intrusions against a number of U.S. facilities, including a health care facility in Kansas, where the grand jury indictment was handed down. The group is one of the more active and prolific attack teams associated with the North Korean government, and U.S. officials say that APT45 is aligned with the country’s Reconnaissance General Bureau, its military intelligence arm. APT45 and other North Korea state-sponsored teams are well-known for using ransomware, cryptocurrency theft, and other financially focused tactics to support the government’s military operations. As part of the indictment and other actions, the FBI seized about $114,000 inn cryptocurrency.

“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”

The indictment of Rim coincides with actions taken by Mandiant and Microsoft to expose the tools and tactics used by APT45 in its intrusions. On Thursday, Mandiant graduated the group to APT status and published details of the malware and tactics the group uses, and Microsoft published its own detailed assessment of the group’s activities, as well. In addition, the FBI, NSA, and other agencies issued an in-depth technical advisory about the group.

The Justice Department alleges that Rim and some of his colleagues used the proceeds from some of their intrusions to fund other attacks.

“Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them. Victims of this further hacking included U.S. defense contractors, two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company. The Andariel actors obtained initial access to victims’ networks by exploiting known vulnerabilities that had not been patched by the victims, including the widespread Log4Shell vulnerability,” the Justice Department advisory says.

The FBI seized almost $500,000 in cryptocurrency related to Maui ransomware intrusions in 2022, as well.

A North Korean threat group that has been active for more than 15 years and is known for targeting critical infrastructure, government agencies, and technology providers, is being elevated to APT45 by researchers at Mandiant.

The activity associated with APT45 is quite varied and the operators have demonstrated an ability to target a broad range of systems, including critical infrastructure, nuclear facilities, and enterprise networks, and deploy custom tools as well as publicly available malware. Mandiant researchers have been working with the FBI to track APT45’s activities and the bureau released a technical advisory today, as well. Among the topics and areas that APT45 has targeted are missile systems, tanks, nuclear facilities, military operations, satellite communications, hospitals, and many others.

APT45, which Mandiant has referred to as Andariel in the past, is just one of the myriad offensive cyber teams operating under the auspices of the North Korean government and military, but it is one of the more active and capable of those groups.

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defense organizations around the world. When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him,” said Michael Barnhart, the leader of Mandiant’s North Korea threat hunting team.

The decision to graduate this group to APT status is a reflection of its capabilities and persistence in going after high-level targets around the world for many years. The move comes three months after Mandiant graduated the notorious Sandworm group to APT44.

“APT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science,” the Mandiant analysis says.

“Financially motivated activity occurring alongside intelligence collection has become a defining characteristic of North Korean cyber operations, and we expect APT45 to continue both missions. As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country’s leadership.”

"Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities."

The Mandiant team said in its analysis that APT45 may also be using ransomware in some of its intrusions. Other North Korean actors have used ransomware, as well as cryptocurrency heists, as part of their operations.

“Mandiant tracks several clusters of activity where we suspect, but cannot confirm APT45 attribution. Public reporting has claimed that these clusters have used ransomware, possibly to fund their operations or generate revenue for the regime. While Mandiant cannot confirm this ransomware use by APT45, it is plausible as they have employed diverse schemes to raise money,” the report says.

In its advisory, authored jointly with the NSA, CISA, and several other agencies, the FBI supported Mandiant's assessment of ransomware use by APT45.

"Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity," the advisory says.

The United States government has focused quite a bit of attention and resources on North Korea state-sponsored threat groups in recent years, including the Lazarus Group and Kimsuky. Last year, the U.S. government, along with the governments of Australia, Japan, and South Korea sanctioned alleged members of Kimsuky for their participation in various attacks.

UPDATE--As organizations around the world continue work to recover from the outage caused by the faulty CrowdStrike update last week, cybercrime groups are using the incident as an opportunity to lure victims with fake recovery tools, instruction manuals, and updates. Meanwhile, CrowdStrike's initial analysis of the incident shows that the root cause was an out-of-bounds read error in a Falcon content update.

The outage, which was the result of a bad content update for CrowdStrike’s Falcon sensors on Windows machines, affected more than 8.5 million machines, according to Microsoft, and caused widespread issues for banks, retailers, airlines, government agencies and many other organizations globally. The update caused Windows hosts to crash and in some cases go into a boot loop. Although CrowdStrike discovered the error relatively quickly and deployed a fix, because many of the affected machines could not be brought back to a good state to get them online, they could not receive the fix, exacerbating the problem. The company has published detailed recovery instructions and Microsoft has released a tool to help affected users, but the scope of the outage is so large that remediating all of the affected machines will likely take many weeks.

On Wednesday, CrowdStrike released a preliminary post-incident review of what caused the crash and concluded that an out-of-bounds read flaw in an InterProcessCommunication (IPC) template was the culprit.

"On July 19, 2024, two additional IPC Template Instances were deployed. Due to a bug in the Content Validator, one of the two Template Instances passed validation despite containing problematic content data. Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production," the analysis says.

"When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD)."

In the interim, cybercrime groups have begun to take advantage of the incident as a lure in phishing campaigns and targeted attacks. On Friday, the Cybersecurity and Infrastructure Security Agency warned that attackers already were using the CrowdStrike issue as a hook in phishing attacks, and now CrowdStrike is also warning customers about attackers distributing an infostealer by using a fake Microsoft recovery manual as the lure document. The document is titled “New_Recovery_Tool_to_help_with_Crowdstrike_issue_impacting_Windows” and it contains malicious macros, which upon execution, download a DLL that eventually leads to the infostealer, which CrowdStrike has named Daolpu.

“Upon execution, Daolpu invokes taskkill /F /IM chrome.exe to kill the Chrome process. The malware then collects credentials such as login data and cookies stored in Chrome and Mozilla browsers,” the CrowdStrike analysis says.

“The collected data is saved to %TMP%\result.txt and removed after exfiltration. The malware sends the result.txt file to the command-and-control (C2) server http[:]//172.104.160[.]126:5000/Uploadss in an HTTP POST request, which includes the system MAC address and hardcoded key Privatekey@2211#$.”

Over the weekend, CrowdStrike detected a separate campaign targeting CrowdStrike customers in Latin America that used a fake Falcon update as a lure.

“CrowdStrike Intelligence has since observed threat actors leveraging the event to distribute a malicious ZIP archive named crowdstrike-hotfix.zip. The ZIP archive contains a HijackLoader payload that, when executed, loads RemCos. Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers,” the company said.

The scope of this outage and the awareness of it among the general public makes it a prime candidate for continued attention from cybercrime groups and other attackers. As a result of the incident, CrowdStrike says it will conduct more comprehensive testing of rapid response content updates in the future, as well as staged deployment of those updates. Also, the company will "provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed", something that could have limited the scope of last week's outage.

This story was updated on July 24 to add information from CrowdStrike's PIR.

A known APT espionage group has updated its toolset in a number of recent attacks against organizations in Taiwan, as well as a U.S. non-governmental organization in China.

The group, known as Daggerfly, has been around for at least a decade and was previously discovered targeting a telecommunications organization in Africa in a 2023 campaign that leveraged the MgBot malware. MgBot is a modular framework with various plugins enabling network scanning, information stealing abilities for browsers like Chrome and Firefox and for the QQ chat tool, keylogging, password dumping and other espionage capabilities.

This latest series of campaigns by Daggerfly, which exploited an unknown vulnerability in an Apache HTTP server as initial access, also include MgBot, but this time the group has been using a new version of the previously discovered Macma MacOS backdoor. Macma was discovered in 2021 as part of APT activity targeting Mac users visiting Hong Kong websites that supported pro-democracy activism. The backdoor has various features like screen capture, audio recording, device fingerprinting and keylogging.

“While Macma is a previously documented threat, it had hitherto been of unknown authorship,” according to a new analysis by Symantec released Tuesday. “However, Symantec’s Threat Hunter Team has now found evidence suggesting that it is developed by Daggerfly.”

Researchers said the recent Macma variants illustrated ongoing development, including a different main module and updates to various existing functionalities. For instance, the main module has been updated to include modified code in the AudioRecorderHelper feature and new logic for collecting a file’s system listing.

“By and large we are seeing evidence of small, iterative updates to the malware that appear to be intended to improve its functionality and iron out bugs,” said Dick O’Brien, principal intelligence analyst with the Symantec Threat Hunter Team. “The updated main module appears to be the most significant update and will likely improve the quality of data they harvest from infected computers.”

They also found several clues allowing them to “confidently” link Macma to Daggerfly. For example, two variants of the Macma backdoor were connected to a command-and-control server also used by an MgBot dropper. Also, Macma and known Daggerly malware, like MgBot, all contain code from a single shared library or framework, which has been used to build various Windows, macOS, Linux and Android threats.

“Symantec has yet to find any matching code in public repositories,” said researchers. “Shared code and shared infrastructure between Macma and other Daggerfly tools suggests that Macma is also part of the Daggerfly toolkit.”

Researchers also found the group using a recently discovered Windows backdoor, which first emerged in March 2024 by ESET researchers.This backdoor has used OneDrive for its command-and-control communications. Overall these campaigns highlight a more detailed picture of Daggerfly’s capabilities and resources, particularly as it continues to evolve its tooling, said researchers. The threat group seems to have the ability to quickly update its toolset in espionage attacks with minimal disruption, they said.

“This group has demonstrated an ability to create malware capable of targeting multiple platforms,” said O’Brien. “We think it's very likely that they'll continue to broaden their toolset in this vein but continue with its narrow range of targeting.”

U.S. government agencies and cybersecurity experts are warning of opportunistic phishing attacks, SMS scams and other malicious activity, which are attempting to take advantage of the chaos of Friday’s global outages.

The outages themselves are not a cyberattack, but instead have been linked to an update for versions of CrowdStrike’s Falcon EDR product running on Windows machines. Many large organizations worldwide have been forced to take their services offline overnight, including banks, airlines, media companies, leading to everything from flights being grounded to non-urgent surgeries being canceled.

In a Friday statement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that it has observed threat actors taking advantage of this incident for phishing “and other malicious activity.” CISA said it is working closely with CrowdStrike as well as federal, state and local partners, and critical infrastructure partners, to assess the impact of the outage and support remediation efforts.

“CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources,” according to CISA’s Friday advisory. “CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”

The UK National Cyber Security Centre (NCSC) said that the increase in phishing activity may be aimed at both organizations and individuals. There are various potential scenarios for attacks, including cybercriminals pretending to be IT support and saying they could assist impacted people, and then asking for their credentials or other sensitive information.

NCSC said organizations can take multiple steps to prevent phishing, including implementing anti-spoofing controls, filtering or blocking incoming phishing emails, providing training for employees so that they can better spot phishing attacks, protecting accounts to make them more resistant to phishing by setting up multi-factor authentication and using proxy services and up-to-date browser to protect from malicious websites.

John Hammond of Huntress said that “a run of the mill outage from just technical maintenance is common, but something with this size and scale and sheer impact is extremely rare.” Hammond said the issue here is “not a matter of business owners or system administrators having automatic updates enabled, but genuinely the vendor and provider who had pushed out this problematic update.”

“The gist is the CrowdStrike kernel driver had an automatic update and [an] unfortunate mistake that would cause all of the computers to crash,” said Hammond. “That is what has made for such a widespread outage across practically every Windows server or workstation running the CrowdStrike Falcon Sensor.”

CrowdStrike on Friday said that the issue has been identified, isolated and a fix has been deployed. The company is recommending on its website that organizations take several specific workaround steps to remediate any Windows machines affected by the update. The company said that the crashes on Windows hosts are related to the Falcon sensor, but the issue does not affect the Falcon platform system.

“We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption,” said CrowdStrike CEO George Kurtz in a Friday tweet. “We are working with all impacted customers to ensure that systems are back up and they can deliver the services their customers are counting on.”

UPDATE--An issue with an update for versions of CrowdStrike’s Falcon EDR product running on Windows machines late Thursday night caused those machines to fail and go into a boot loop state, causing widespread issues and a cascading series of outages for companies and services across the Internet.

Many banks, airlines, media companies, and other large entities were forced to take services offline overnight, with airlines including United, Delta, and others grounding all of their flights for hours. The outages are not connected to an attack, but rather the result of a faulty update that CrowdStrike pushed Thursday night. That update appears to have affected machines running in Microsoft’s Azure cloud platform, as well, which serves as the hosting platform for a huge number of organizations around the world.

“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website,” CrowdStrike CEO George Kurtz said.

Microsoft estimates that about 8.5 million Windows machines were affected by the CrowdStrike update, and the company has released a recovery tool to help IT administrators recover from the outage.

"While software updates may occasionally cause disturbances, significant incidents like the CrowdStrike event are infrequent. We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services," David Weston, vice president of enterprise and OS security at Microsoft, said in a post Saturday.

CrowdStrike is one of the larger providers of endpoint and server security products in the world and has customers in virtually every major industry, including finance, travel, technology, government, and many more. Many airlines and other companies have posted notices on their apps and websites about the issue.

“A third-party software outage impacted computer systems worldwide, including at United. We are resuming some flights but expect schedule disruptions to continue throughout Friday,” United Airlines said on its app.

CrowdStrike is recommending that organizations take the following steps to remediate any Windows machines affected by the update:

Boot Windows into Safe Mode or the Windows Recovery Environment Navigate to the C:\Windows\System32\drivers\CrowdStrike directory Locate the file matching “C-00000291*.sys”, and delete it. Boot the host normally.

Microsoft said on its Azure status page that the problem began around 19:00 UTC on July 18.

“We have been made aware of an issue impacting Virtual Machines running Windows Client and Windows Server, running the CrowdStrike Falcon agent, which may encounter a bug check (BSOD) and get stuck in a restarting state,” the status page says.

This story was updated on July 20 to add information from Microsoft.

The FIN7 cybercrime group has been active since at least 2013 and has used a wide range of tactics and tools in that time, including the Carbanak backdoor, the Black Basta ransomware, and perhaps most notably, the AvNeutralizer tool. AvNeutralizer, as its name might suggest, is designed specifically to tamper with EDR and other security tools, disabling them so that the threat actors can perform other maicious actions without throwing alerts.

In a new research report this week, SentinelOne's Antonio Cocomazzi dug into FIN7's current tactics and discovered a new version of AvNeutralizer that the group has been deploying in some recent intrusions. He also found that the group is selling the tool to other threat actors and sharing an obfuscator with those buyers, as well.

Since last year, the APT41 Chinese state-sponsored espionage group has launched sustained data exfiltration attacks against multiple organizations across the shipping and logistics, media, technology and automotive sectors.

Different security research teams in past weeks have taken note of this APT41 activity and updates to its toolset. The attacks used variants of previously known malware and publicly available tools, all aimed at defense evasion and achieving long-term persistence on compromised systems. The targeted, unnamed organizations are primarily in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom. Overall, APT41 targeted 10 organizations, although researchers with Mandiant couldn't confirm how many of those were compromised.

“In collaboration with Google's TAG, Mandiant notified multiple additional organizations across various sectors that have been compromised by this campaign,” according to a threat intelligence report released by Mandiant researchers on Thursday. “APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period.”

In the attacks observed by Mandiant researchers, APT41 utilized two web shells that then executed a dropper (called Dustpan) that had previously been used by the group in attacks in 2021 and 2022. The dropper, which was disguised as a Windows binary, would load Beacon payloads into memory, encrypted with chacha20, and these payloads then communicated with the attacker’s command-and-control (C2) channels. One major part of the attacks was a multi-stage framework tracked as Dusttrap, which operated using DLL sideloading and DLL search order hijacking tactics for persistence, and included plugins that allowed for file manipulation, keylogging, active directory-related operations and various shell, file system and process-related operations.

“Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces,” said Mandiant researchers. “The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access.”

APT41 also relied on several publicly available command-line utility tools like PineGrove, which it used to exfiltrate data to Microsoft OneDrive; and SQLULDR2, which it utilized to copy and export data from Oracle databases.

The APT group is notable for its previous attacks, including ones in 2022 that targeted various vulnerable Internet-facing web applications like the infamous Log4j flaw in order to compromise at least six U.S. state government networks. In 2020, the group conducted a massive attack targeting companies in the banking, defense, technology, and other sectors in at least 20 countries. The group is also known for launching software supply-chain attacks and using compromised digital certificates.

APT41 is a unique group within the broader China-based threat landscape for several reasons. While the threat actor conducts espionage attacks that fall into the line of state-sponsored activity, it also carries out financially motivated attacks, like targeting the video game industry to steal source code or digital certificates, and trying to deploy ransomware, Mandiant researchers said.

“APT41 has always had a worldwide mandate driven by a combination of PRC government intelligence priorities and sometimes financial incentives," said Stephen Eckels, Mandiant staff reverse engineer with Google Cloud. "We expect that the targeting in this campaign is driven by them as well. We also note that there are likely other organizations targeted beyond Mandiant’s visibility, so the targeting of these orgs should not be interpreted to exclude other operations."

Senators are putting pressure on AT&T to disclose more details around a massive data breach involving “nearly all” - or 110 million - of its customers, including how threat actors initially gained access to customer information.

The company first disclosed the incident on Friday, saying that between April 14 and April 25, the attackers were able to exfiltrate files containing AT&T records call and text interactions that were made between May 1 and Oct. 31, 2022, and on Jan. 2, 2023, as well as a subset of stolen records with location-related cell site identification numbers. In a letter to AT&T CEO John Stankey on Tuesday, senators Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.), both on the U.S. Senate Subcommittee on Privacy, Technology and the Law, sought answers “about how AT&T failed to protect such profoundly sensitive information from cybercriminals.”

“While the records do not directly include names and addresses, as AT&T’s Securities and Exchange Commission filing notes, the stolen data includes location information and it is easy to find the name associated with a phone number,” according to the letter. “Taken together, the stolen information can easily provide cybercriminals, spies, and stalkers a logbook of the communications and activities of AT&T customers over several months, including where those customers live and traveled — a stunning and dangerous breach of its customers’ privacy and intrusion into their personal lives.”

An AT&T spokesperson said that the activity involves data storage and analytics company Snowflake; however, AT&T has not commented on the initial cause of the security incident outside of linking it to Snowflake, with a spokesperson telling Decipher "it is AT&T’s policy not to discuss specific details about the security of our systems."

According to Mandiant researchers, around 165 Snowflake customers have been targeted by threat actors that leveraged compromised credentials for accounts that did not have multi-factor authentication (MFA) enabled, including Ticketmaster, Santander Bank and Advance Auto Parts. When asked specifically about the AT&T incident, a Snowflake spokesperson pointed to a previously published statement by Snowflake CISO Brad Jones on the spate of attacks: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform."

Blumenthal and Hawley told AT&T that it has until July 29, 2024, to provide more details about how hackers behind the breach initially were able to gain access to its Snowflake services and download customer data, whether the breach included information that was stolen from a contractor, and who that contractor was. They also sent a separate letter to Snowflake CEO Sridhar Ramaswamy asking for more details about the timeline, investigation, and notification around the attacks targeting the company's customers, and asking why Snowflake had not enforced MFA for its clients.

“Disturbingly, the AT&T breach appears to have been easily preventable."

“Disturbingly, the AT&T breach appears to have been easily preventable,” said Blumenthal and Hawley. “While Snowflake, AT&T, and other clients have avoided taking direct responsibility, according to Mandiant, it appears that the cybercrime group behind the breaches obtained companies’ passwords from malware infections, including malware bundled with pirated software.”

Another one of the senators' inquiries for AT&T touched on a critical part of the breach: Why AT&T had retained months of detailed records of customer communications for an extended amount of time, why the company had uploaded that highly sensitive data into a third-party platform, and whether all of these measures are in line with AT&T’s existing policies.

The letter also asked AT&T to provide a detailed timeline of all events related to the breach (such as the date of discovery, response and remediation), which mobile virtual network operators were impacted by the breach and whether they’ve been notified, and how AT&T plans to notify and protect impacted customers.

Finally, the letter asked for more information about an ongoing investigation into a separate AT&T breach that occurred just four months ago. In March, the company had responded to a separate data set being released on the dark web, which appeared to contain data from 2019 or earlier and impacted 7.6 million current AT&T account holders and 65.4 million former account holders. The data compromised in that incident included personal information like full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes.

In addition to answers from AT&T, senators are calling on the government to do a better job holding telecommunication carriers like AT&T and T-Mobile that have been hit by security breaches in recent years accountable for a lack of cybersecurity measures.

“This is not the first data breach revealed by a major phone company and it won’t be the last,” said Sen. Ron Wyden (D-Ore.) in a statement. “These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines."

Drugstore chain Rite Aid disclosed that an unnamed threat actor was able to gain access to “certain business systems” and compromise the names, addresses, dates of birth and driver’s license numbers for 2.2 million customers.

The attack started on June 6, according to the U.S.-based company on Monday, when a threat actor impersonated a company employee in order to compromise the employee's business credentials.

When asked via email, Rite Aid did not specify exactly how the employee’s credentials were compromised or whether multi-factor authentication was enabled. A spokesperson instead provided the following statement: “Rite Aid experienced a limited cybersecurity incident in June, and we are finalizing our investigation. We take our obligation to safeguard personal information very seriously, and this incident has been a top priority. Together with our third-party cybersecurity partner experts, we have restored our systems and are fully operational.”

According to a data breach notification submitted Monday to the Office of the Attorney General in Maine, 2.2 million individuals were impacted by the breach (including 30,137 Maine residents). Law enforcement agencies, as well as federal and state regulators, have been looped in, said the company.

The threat actor was able to acquire certain data linked to the purchase or attempted purchase of retail products at the time of purchase between June 6, 2017 and July 30, 2018. The customer data involved driver’s license numbers and other potential forms of government issued IDs presented during this purchase timeframe, opening up the potential for fraud-based attacks. However, social security numbers, financial information and patient information were not impacted in the incident, said Rite Aid.

The company said on its website that it detected the incident within 12 hours, and has since terminated the unauthorized access, remediated impacted systems and determined the level of impacted customer data.

Further details of the attack come after Rite Aid first confirmed the incident last week, on the heels of unsubstantiated claims by the RansomHub ransomware group that they had targeted the drugstore chain.

Rite Aid has dealt with a number of previous breaches, including one in May 2023 that impacted the personal identifiable information and sensitive health data - including insurance information and medication names - of 24,000 former and current customers. That breach stemmed from a vulnerability being exploited by an unknown third party, which was able to access specific files.

Threat actors have been targeting a previously disclosed, critical-severity remote code execution flaw in Apache HugeGraph Server, an open-source tool used in Java 8 and Java 11 environments that helps users build applications and products based on graph databases.

The flaw (CVE-2024-27348), which was first disclosed three months ago, impacts Apache HugeGraph Server from version 1.0.0 to the version before 1.3.0 in Java 8 and Java 11. Apache released a fix April 22, 2024, and urged users to upgrade to version 1.3.0 with Java 11 and enable the Auth system to fix the issue. In June, several proof-of-concept exploits were released for the flaw. Since then, threat actors have started targeting the flaw, according to nonprofit security organization the Shadowserver Foundation on Tuesday.

“We are observing Apache HugeGraph-Server CVE-2024-27348 RCE "POST /gremlin" exploitation attempts from multiple sources,” according to the Shadowserver Foundation on Tuesday. “PoC code is public since early June. If you run HugeGraph, make sure to update.”

The Shadowserver Foundation on Tuesday told Decipher they noticed an increase in exploitation attempts last week, but the original attempts started June 6. Meanwhile, Dick O’Brien, principal intelligence analyst for the Symantec threat hunter team, said attempts seemed to have started in earnest around June 20 when the team started seeing a “few hundred a day,” and they peaked between June 29 and July 6, when the team saw “several thousand on some days.” Since then, the exploitation attempts have started to trend downwards, said O’Brien.

In a detailed analysis of the flaw in June, researchers with SecureLayer7 found that the remote code execution bug enables threat actors to bypass sandbox restrictions and execute code remotely via the Gremlin query language.

"This allowed us to access and manipulate various methods, ultimately enabling us to change the task/thread name to bypass all security checks," said SecureLayer7 researchers. "It was patched by filtering critical system classes and adding new security checks in HugeSecurityManager."

Researchers with Symantec said that the flaw is severe. At a broader level, the flaw could enable threat actors to execute arbitrary commands on the server, ultimately allowing for data manipulation and full control over the server.

“The impact for organizations could be critical,” said Symantec's O’Brien. “A remote code execution vulnerability in a public facing system provides the keys to the kingdom for an attacker, providing them with a foothold on an organization's network. From there they can move [laterally] onto other systems. Organizations are left exposed to anything from ransomware to espionage.”

Researchers have identified a new tool that ttackers affiliated with the North Korean government have developed that is designed to look like a legitimate browser-based video call application and can be used to exfiltrate information from infected machines.

The tool, which was uploaded to the VirusTotal service recently, is embedded in a macOS disk image that mimics the legitimate MiroTalk service. The file was hosted on a site posing as the legitimate MiroTalk site, but the malicious one is offline at the moment. Mac security researcher Patrick Wardle analyzed the file and its behavior and found that it is likely a variant of an older piece of malware known as BeaverTail that Palo Alto Networks researchers identified in November. Although the older BeaverTail is Java-Script-based and the newer version is a native Mach-O executable, Wardle said they share similarities and both communicate with the same API endpoints.

MiroTalk is a free video call service that is browser-based and does not require an app download.

BeaverTail is essentially an infostealer and the DPRK threat actors have used it in several campaigns designed to ensnare job-seekers in various ways. The campaigns typically lure victims with potential interviews or other recruiting-related topics. Once it’s on a new machine, BeaverTail performs a few basic checks and then eventually downloads a secondary tool called InvisibleFerret.

“As an information stealer, BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. As a loader, BeaverTail retrieves and runs the next stage of malware, InvisibleFerret,” the Palo Alto analysis says.

“The BeaverTail JavaScript file inside an NPM package is heavily obfuscated to evade detection. The threat actor might upload an entire malicious NPM package to GitHub or they might also inject BeaverTail code into other developer’s legitimate NPM projects.”

The newer, native version of BeaverTail that Wardle analyzed exhibits similar behavior. InvisibleFerret is a backdoor written in Python that includes the main malicious capabilities, including keylogging and data exfiltration.

“Specifically from the symbol’s output we see methods names (fileUpload, pDownFinished, run) that reveal likely exfiltration and download & execute capabilities,” Wardle said.

“And from embedded strings we see both the address of the likely command & control server, 95.164.17.24:1224 and also hints as to the type of information the malware collect for exfiltration. Specifically browser extension IDs of popular crypto-currency wallets, paths to user browsers’ data, and the macOS keychain. Other strings are related to the download and execution of additional payloads which appear to be malicious python scripts.”

Among the files that the malware will exfiltrate if they’re present on the machine are keychains and local state files for various browsers, including Chrome, Opera, and Brave.

“The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often rely on social engineering (and thus from a technical point of view are rather unimpressive),” Wardle said.

Earlier this year, an APT group was found exploiting a now-patched Microsoft MSHTML platform spoofing flaw in information stealer malware attacks that aimed to steal sensitive data and credential information from various applications, including web browsers.

The flaw (CVE-2024-38112) exists in the Windows MSHTML browser rendering engine, and was disclosed and fixed by Microsoft in its regularly scheduled security updates last week. However, over the past week researchers with both Check Point and Trend Micro have offered additional details about the attacks leveraging the flaw. According to Trend Micro researchers on Monday, the flaw was used by the Void Banshee APT in attacks that targeted organizations in North America, Europe and Southeast Asia and leveraged the bug to access and execute files through processes linked to the disabled Internet Explorer browser, using MSHTML. Trend Micro researchers said they tracked the campaign in mid-May and are still seeing attacks even to this day; meanwhile, Check Point researchers said they found malicious .url samples linked to the campaign existed as early as January 2023.

“The Void Banshee group used similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Microsoft protocol handlers and URI schemes, including the MHTML (MIME encapsulation of aggregate HTML documents) protocol which was able to access Windows system-disabled Internet Explorer,” said Peter Girnus and Aliakbar Zahravi with Trend Micro in a Monday analysis.

The attack started with zip archives that contained malicious files disguised as book PDFs. The threat actors are using online libraries, like cloud-based file sharing and Discord CDN, according to researchers. One of the book PDF lures was Clinical Anatomy, suggesting the campaign targets skilled professionals or students.

After victims clicked on the URL shortcut file, CVE-2024-38112 was used “to redirect a victim by opening and using the system-disabled IE to a compromised website which hosted a malicious HTML Application (HTA),” said Trend Micro researchers. This technique is notable as it runs files directly through disabled Internet Explorer instances on victim machines, they said.

“The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide.”

Though support for Internet Explorer ended on June 15, 2022, and Internet Explorer has been officially disabled in Windows 11 versions and later Windows 10 versions, the attacks leveraged IE remnants that have remained on the systems even after it was disabled. Threat actors crafted a URL string using the MHTML protocol handler to target victims through the iexplore.exe Internet Explorer executable process. If users try to execute iexplore.exe, Microsoft has provided a feature that opens the currently supported Microsoft Edge browser but in a special mode inside the Microsoft Edge sandbox that helps access sites and workloads with some IE-specific functionality.

“Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” said Haifei Li in a Check Point Research analysis. “An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

The malicious application led to the download of a PowerShell trojan downloader, .NET trojan loader and Donut, which is an open-source tool enabling in-memory execution of VBScript, JScript, and other various assemblies. In this attack, Donut was used to execute the Atlantida stealer, an information stealer with several capabilities. Atlantida stealer has the ability to snatch data - like passwords and cookies - from applications like FileZilla, Telegram and Steam, as well as various web browsers like Google Chrome, Microsoft Edge and Mozilla Firefox, and cryptocurrency wallets. System information, including RAM, GPU, CPU and screen resolution, is also targeted.

A fix for CVE-2024-38112 exists as of last week, and users are urged to apply Microsoft’s patches to protect against the attack. However, the bigger picture that this attack highlights is that threat actors are able to access disabled system services as part of their attacks, which highlights “a significant industry concern,” said researchers.

“In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware,” said Trend Micro researchers. “The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide.”

Telecommunications giant AT&T has disclosed a security incident that compromised the records of calls and texts of “nearly all” of its wireless customers over certain periods of time.

The company first learned of the incident on April 19, when an unnamed threat actor claimed to have accessed and copied call logs. Upon further investigation, AT&T found threat actors had accessed an AT&T workspace on a third-party cloud platform. Between April 14 and April 25, the attackers were able to exfiltrate files containing AT&T records call and text interactions that were made between May 1 and Oct. 31, 2022, and on Jan. 2, 2023. A subset of stolen records included one or more cell site identification numbers, the unique location-related identifiers that are assigned to individual cell towers on wireless communication networks.

The data did not contain the content of calls or texts, according to AT&T. It also did not include personal information like social security numbers or dates of birth. However, AT&T said that while the data does not include customer names, there are publicly available online tools that can help associate names with specific telephone numbers.

“Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network,” according to AT&T both in an SEC Form 8-K filing and on its website. “These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.”

AT&T said that it has taken steps in response to the incident to secure the impacted workspace, and it plans to provide data breaches notices for current and former impacted customers. At the same time, as of the date of the filing the company said it does not believe the data is publicly available, and it believes that at least one person has been apprehended in the attack.

An AT&T spokesperson said that the activity involves Snowflake, whose customers have recently been hit by attackers that leveraged compromised credentials for accounts that did not have MFA enabled. When asked about the AT&T incident, a Snowflake spokesperson pointed to a previously published statement by Snowflake CISO Brad Jones: "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform."

The AT&T spokesperson did not comment on the initial cause of the security incident outside of linking it to Snowflake, saying "It is AT&T’s policy not to discuss specific details about the security of our systems."

Earlier this year in March, the company had responded to a separate data set being released on the dark web, which appeared to contain data from 2019 or earlier and impacted 7.6 million current AT&T account holders and 65.4 million former account holders. That data compromised in that incident included personal information like full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes.

The Form 8-K filing was under the SEC’s mandate from last year that publicly traded companies must report cyber incidents within four business days of determining that the incident is “material.” However, AT&T said that its filing fell under an exception to the SEC rule that allowed a 30-day wiggle room extension for companies if the disclosure of the cyber incident would impact national security or public safety.

“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted,” according to AT&T’s filing. “AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident.”

AT&T said that as of the date of the filing, the incident has not had a material impact on its operations, and it "does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations." The Cybersecurity and Infrastructure Security Agency (CISA) on Friday released an advisory about the incident, and the Federal Communications Commission (FCC) said that it has launched an ongoing investigation into the breach.

This article was updated on July 12 at 10 am with a statement from Snowflake and CISA, and then on July 15 with a statement from AT&T.

A new threat actor is finding success in relying on open-source software (OSS) security tools and a networking mapping tool called SSH-Snake in its campaigns.

The group, which researchers with Sysdig call CrystalRay, launches attacks with the purpose of moving laterally across victims' networks, exfiltrating and selling credentials and deploying cryptomining malware. A key tool here for the threat actor is SSH-Snake, which was released on January 4. The threat actor uses SSH-Snake to spread through the network and automatically search for credentials in various locations. The tool then leverages any SSH keys and credentials it discovers to propagate to new systems, while sending captured keys and bash histories back to the command-and-control server.

Sysdig’s threat research team first discovered SSH-Snake being used by threat actors in February, in a campaign exploiting Confluence flaws. Since this activity was first uncovered, CrystalRay has utilized SSH-Snake to vastly scale its operations, and many of the 1,500 victims targeted by the threat actor (up to 36 percent) are U.S.-based, said researchers. One unique component of SSH-Snake is its ability to modify itself - deleting comments and unnecessary functions - after it is first executed to make itself smaller, said researchers.

“This is done out of necessity due to the way the shell script passes arguments and allows it to remain fileless,” said Miguel Hernandez with Sysdig in a Thursday analysis. “Compared to previous SSH worms, its initial form is much larger due to the expanded functionality and reliability… Unlike traditional scripts, SSH-Snake is designed to work on any device. It’s completely self-replicating and self-propagating — and completely fileless.”

At the same time, CrystalRay has used a variety of OSS tools to expand its abilities to scan for and exploit vulnerabilities. For instance, it leverages the ZMap scanner and the asn compiler for vulnerability discovery. Other OSS tools that the threat actor has relied on include Platypus, nuclei and httpx.

“Once they gain access, they install one of several backdoors to keep control of the target,” said Hernandez. “SSH-snake is then used to spread throughout a victim’s network and collect credentials to sell. Cryptominers are also deployed to gain further monetary value from the compromised assets.”

The threat group uses existing vulnerability proof-of-concept exploits in order to target known flaws as a method of initial access. Researchers have seen the group targeting flaws like an unauthenticated remote code execution vulnerability in Control Web Panel (CVE-2022-44877), a remote code execution bug in the Laravel framework (CVE-2021-3129) and a server side request forgery vulnerability in Ignite Realtime (CVE-2019-18394).

“Based on their exploitation patterns, CRYSTALRAY likely also took advantage of newer vulnerability tests for Confluence available in nuclei,” said Hernandez. “In some cases, they used nuclei tags argument to detect possible honeypots on ports where they scanned, to avoid launching their tools on those targets in order to remain undetected.”

Vulnerability exploitation is the biggest initial access vector here, so organizations are urged to prioritize vulnerability remediation as a top way to avoid this threat. Researchers also recommended that organizations implement identity and vulnerability management policies to block CrystalRay’s automated attacks.

“CRYSTALRAY’s operations prove how easily an attacker can maintain and control access to victim networks using only open source and penetration testing tools,” said researchers. “Therefore, implementing detection and prevention measures to withstand attacker persistence is necessary.”

Citrix has fixed a critical-severity vulnerability in NetScaler Console, its cloud-based monitoring and management product, which if exploited could give attackers unauthorized access to sensitive data.

The flaw (CVE-2024-6235), which scores 9.4 out of 10 on the CVSS scale, stems from improper authentication and could be exploited with an attacker that has access to a NetScaler Console IP. Versions of NetScaler Console 14.1 before 14.1-25.53 are impacted. In separate advisories, both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre urged users and administrators to apply updates for the flaw, as well as several other vulnerabilities patched by Citrix on Tuesday.

“Citrix released security updates to address vulnerabilities in multiple Citrix products,” according to CISA’s alert on Tuesday. “A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

Citrix also fixed a high-severity denial-of-service flaw in its NetScaler Console, which also exist in the NetScaler Agent and NetScaler Service Virtual Machine (SVM). The bug (CVE-2024-6236) stems from the improper restriction of operations within the bounds of a memory buffer, and an attacker with access to a NetScaler Console, NetScaler Agent or SVM IP could launch denial-of-service attacks. Citrix also warned of another high-severity denial-of-service bug (CVE-2024-5491) in its NetScaler ADC and Gateway appliances.

“Cloud Software Group strongly urges customers of NetScaler Console to install the relevant updated versions of NetScaler Console as soon as possible,” according to Citrix’s NetScaler security advisory.

In the Citrix Workspace app for Windows, a high-severity vulnerability (CVE-2024-6286) was patched that could give low-privileged attackers SYSTEM privileges if they have local access to the targeted system. The flaw impacts the Citrix Workspace app for Windows versions before 2403.1 in the current release (fixes are available in 2403.1 and later versions) and versions before 2402 in the long-term service release (fixes are available in 2402 and later versions).

NetScaler has previously been a target for threat actors. Last year, threat actors exploited a critical-severity flaw in Citrix NetScaler ADC and Gateway appliances in order to target professional services, technology and government organizations. The flaw (CVE-2023-4966) stemmed from an unauthenticated buffer-related issue and could enable sensitive information disclosure.

Some versions of OpenSSH contain a serious vulnerability–distinct from CVE-2024-6387 disclosed last week–that can potentially remote code execution. The bug was discovered during the analysis of the other OpenSSH flaw last month, but was not disclosed at the same time because some of the affected vendors did not have a fix ready in time.

The newly disclosed vulnerability (CVE-2024-6409) is a race condition that in some cases will expose the same weakness as the CVE-2024-6387 bug.

“A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server,” the vulnerability description says.

Security researcher Alexander Peslyak, known as Solar Designer, discovered the new bug while reviewing Qualys researchers’ analysis of the initial OpenSSH flaw late last month. The issues are related, but not identical, and the newer bug only affects OpenSSH 8.7 and 8.8.

“The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant. In particular, the "LoginGraceTime 0" mitigation works against both issues, whereas the "-e" mitigation only works against CVE-2024-6387 and not (fully) against CVE-2024-6409,” Solar Designer’s advisory says.

On July 1, Qualys researchers disclosed the details of CVE-2024-6387, which is also a race condition, and can lead to remote unauthenticated code execution. The bug is a regression that was introduced in 2020 after initially being fixed in 2006. CVE-2024-6387, nicknamed regreSSHion, affected more version of OpenSSH than the newer vulnerability.

“This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. It could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization,” the Qualys advisory says.

Affected vendors released fixes for CVE-2024-6387 as part of the disclosure last week.

Agencies in the U.S., Australia and a number of other countries are warning of the ongoing threat posed by the PRC state-sponsored group known as APT40, which they said has repeatedly targeted Australian networks and government agencies, as well as private sector organizations globally.

Tuesday’s joint advisory by the U.S., Australia, UK, Canada and New Zealand outlined how starting in 2017 the APT group has steadily been finding more success in quickly exploiting newly public flaws in popular software, including ones in Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207 and CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473). Many times, the threat actors jump on these flaws days or even hours within public release, the advisory warned.

“Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability,” according to the advisory. “APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits.”

APT40, which has been around since 2009, is known for previously hacking organizations and government entities in the U.S. and beyond in order to steal IP, trade secrets and other sensitive data, and in 2021 the U.S. indicted four members of the hacking group.

In their advisory, the various agencies broke down campaigns by the group in April and August 2022 against two unnamed organizations, which the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) investigated. After initial access via exploitation of flaws in internet-facing applications, the group would deploy webshells, use remote services (like the RDP and SMB protocols) for lateral movement, and leverage various system commands to discover system information, accounts, and credentials.

APT40 previously used compromised Australian websites for command-and-control hosts in its operations, but it has recently relied on compromised small-office/home-office (SOHO) devices for its operational infrastructure in Australia. The advisory said that many of the compromised devices are end-of-life or unpatched, and create a valuable way for attackers to blend in with legitimate traffic to skirt by network defenders.

Chinese threat activity has been under scrutiny over the past year, especially after the U.S. government earlier this year highlighted the compromise of hundreds of SOHO routers by the Chinese attack group known as Volt Typhoon, which then used its access to those devices to facilitate access to critical infrastructure networks in various sectors, such as water and power.

The advisory recommended a number of measures that organizations can take to defend against APT40’s activities, including staying up to date on patching internet exposed devices and services, as most exploits used by the actors were publicly known and had patches available. Organizations should also ensure they have a network segmentation strategy in their environments in order to block lateral movement, and utilize logging and monitoring processes.

“During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs,” according to the advisory.