Storm-0501 Threat Identified, HTML Smuggling DCRat, CISA Releases Toolkit – Cybersecurity News [September 30, 2024]
We’re back to provide you with the latest cybersecurity news of the week, designed to keep you informed and secure against evolving threats. This week, we delve into Microsoft’s identification of Storm-0501 as a critical player in hybrid cloud ransomware attacks, a new HTML smuggling campaign distributing DCRat malware to Russian-speaking users, CISA’s release of a new toolkit for K-12 schools to address anonymous threats, a recently patched but less severe vulnerability in CUPS, and NIST’s revisions to identity and password guidelines. Furthermore, let us now go through the details of each story.
Microsoft Identifies Storm-0501 as a Major Threat in Hybrid Cloud Ransomware Attacks
Microsoft has recently flagged Storm-0501, a financially motivated cybercriminal group, as a major player in hybrid cloud ransomware attacks. The malicious group primarily targets sectors like transportation, manufacturing, law enforcement, and government, mainly focusing on compromising hybrid cloud environments. Active since 2021, Storm-0501 has evolved into a caffiliate, delivering various ransomware payloads, including Hive, BlackCat, and LockBit.
Microsoft revealed that Storm-0501 exploits weak credentials and over-privileged accounts to gain unauthorized access to on-premises networks, which they then leverage to move into cloud infrastructure. Their campaigns typically result in data exfiltration, credential theft, and the deployment of ransomware, most recently using Embargo, a Rust-based ransomware.
Storm-0501’s attack methodology includes using initial access brokers like Storm-0249 and Storm-0900 or exploiting vulnerabilities in unpatched servers such as Zoho ManageEngine and Citrix NetScaler. After gaining access, they employ tools like Impacket’s SecretsDump to steal credentials and Cobalt Strike to move laterally across the network. Data exfiltration is often conducted using Rclone to transfer files to public cloud storage services like MegaSync.
Microsoft has noted that while ransomware deployment is an expected outcome, Storm-0501 has also been observed to maintain persistent backdoor access without executing ransomware in some cases. This significant discovery sheds light on the wide usage of ransomware attack tactics, specifically targeting hybrid cloud environments for monetary benefits.
New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users
A recent cyber campaign targeting Russian-speaking users has been detected, which seems to be utilizing a technique called HTML smuggling to deliver the commodity trojan DCRat (also known as DarkCrystal RAT). Previously, DCRat was distributed through compromised websites and phishing emails, but this marks the first time it has been delivered using HTML smuggling. This method involves embedding the malicious payload directly within an HTML file.
In the leading steps, these payloads can be decoded and downloaded when intentionally or unintentionally opened in a web browser. Netskope researchers identified that the attack relied on social engineering, tricking users into opening the malicious file that ultimately delivers the DCRat malware.
The campaign was found to mimic well-known Russian services like TrueConf and VK, distributing HTML files that automatically download password-protected ZIP archives containing the DCRat malware. Once executed, DCRat acts as a full-featured backdoor, allowing attackers to log keystrokes, execute commands, and steal sensitive information. The campaign demonstrates the increasing sophistication of malware delivery methods, particularly through HTML smuggling, which is harder to detect and block. Netskope has advised organizations to monitor HTTP and HTTPS traffic closely to avoid potential infections. For further insights, check out Netskope’s research.
CISA Releases Anonymous Threat Response Guidance and Toolkit for K-12 Schools
The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new Anonymized Threat Response Toolkit aimed at helping K-12 schools handle anonymous threats of violence, particularly those spread through social media. Developed in partnership with the FBI, the toolkit offers a structured approach for school administrators, law enforcement, and community partners to respond to and mitigate the risks posed by anonymous threats.
The resource provides actionable strategies for assessing the credibility of threats, preparing for potential incidents, and coordinating responses with local partners. The toolkit aims to reduce the psychological impact of these threats on school communities while improving safety.
According to CISA Director Jen Easterly, schools across the country are dealing with a growing number of anonymous threats that can disrupt learning environments and overwhelm resources. The toolkit outlines six key strategies, including building awareness, forming partnerships with law enforcement, and developing multidisciplinary threat assessment teams. It also emphasizes the importance of practicing emergency management exercises to ensure schools are prepared for threats at any time. The initiative was announced at CISA’s 2024 National Summit on K-12 School Safety and Security. For more information, visit the CISA website.
Patch for CUPS Vulnerability Less Critical Than Anticipated
Earlier this month, a potentially critical vulnerability was discovered in CUPS (Common UNIX Printing System), which serves as the printing framework for many Linux distributions. This flaw in the earlier stages was identified as a high severity rating. The vulnerability was later downgraded since further analysis revealed the vulnerabilities were less critical than first anticipated.
The vulnerabilities affected multiple Linux systems and, if exploited, could allow unauthenticated remote code execution. The vulnerabilities or risks involved crafting malicious modified and altered packets and sending them to UDP port 631, which paved the pathway for the cyber attack. However, they still posed a significant risk to unpatched software and critical systems, impacting their efficient operations and throughput.
The CUPS vulnerabilities were addressed in a patch released by the Linux Openprinting project on September 26. Experts have recommended that administrators block inbound traffic to UDP port 631 and disable unnecessary services like cups-browsed until updates are applied. The patched vulnerabilities now have CVSS scores ranging from 8.4 to 9.1. This news case highlights the importance of continuous monitoring and timely patching in Linux environments to prevent exploitation.
NIST Revises Identity Guidelines, Including Password Requirements
NIST (The National Institute of Standards and Technology) has released an updated draft of its identity and password guidelines in Special Publication 800-63-4. Several key amendments have been made to the draft, mainly addressing authentication practices for government information systems. Also, keen attention was paid, cloud storage services, Multifactor Authentication (MFA), and user privacy (need of the hour). It had significantly simplified the password rules, the new guidelines recommending:
- The password length should be eight characters (minimum).
- Passwords must be between 15 and 64 characters.
- The use of special characters is not mandatory.
The updated NIST draft highly promotes the use of phishing-resistant MFA (Multifactor Authentication), which proves to be a more secure option rather than using reusable passwords. As per the recommendations of NIST, one must not practice using knowledge-based credentials like security questions and publicly visible password hints as these security options are now considered old and vague and remain more prone to sophisticated modern attacks, eventually making your digital landscape insecure.
These updates and changes represent the urge or need to shift toward more practical and user-friendly security practices. Additionally, they encourage organizations to adopt more robust authentication measures to keep their information systems secure.