Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers

Hackers Use ModernLoader to Infect Systems with Stealers and Cryptominers

Stealers, Cryptominers and RATs

As many as three disparate but related campaigns between March and Jun 2022 have been found to deliver a variety of malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners onto compromised systems.

“The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRat, to enable various stages of their operations,” Cisco Talos researcher Vanja Svajcer said in a report shared with The Hacker News.

The malicious implant in question, ModernLoader, is designed to provide attackers with remote control over the victim’s machine, which enables the adversaries to deploy additional malware, steal sensitive information, or even ensnare the computer in a botnet.

Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.

Infection chains discovered by the cybersecurity firm involve attempts to compromise vulnerable web applications like WordPress and CPanel to distribute the malware by means of files that masquerade as fake Amazon gift cards.

Stealers, Cryptominers and RATs

The first stage payload is a HTML Application (HTA) file that runs a PowerShell script hosted on the command-and-control (C2) server to initiate the deployment of intertim payloads that ultimately inject the malware using a technique called process hollowing.

Described as a simple .NET remote access trojan, ModernLoader (aka Avatar bot) is equipped with features to gather system information, execute arbitrary commands, or download and run a file from the C2 server, allowing the adversary to alter the modules in real-time.

Cisco’s investigation also unearthed two earlier campaigns in March 2022 with similar modus operandi that leverage ModerLoader as the primary malware C2 communications and serve additional malware, including XMRig, RedLine Stealer, SystemBC, DCRat, and a Discord token stealer, among others.

“These campaigns portray an actor experimenting with different technology,” Svajcer said. “The usage of ready-made tools shows that the actor understands the TTPs required for a successful malware campaign but their technical skills are not developed enough to fully develop their own tools.”

Google Expands Bug Bounties to its Open Source Projects

Google plans to pay out cash rewards for information on vulnerabilities discovered in any of its open source projects as part of an ongoing effort to improve the security of open source code.

The new Open Source Software Vulnerability Rewards Program (OSS VRP), which extends Google’s existing Vulnerability Rewards Program, was announced in a blog post published today.

Google will pay researchers up to $31,337 for information on vulnerabilities in open source software projects — particularly those managed by Google — that impact the firm’s software and services. Google’s goal is to secure its own software supply chain, but because many non-Google developers use the company’s open source software — such as the Go programming language and Angular Web framework — the initiative promises to help secure the wider open source ecosystem as well.

At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.

“We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program,” he says. “Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers.”

Supply Chain Security Challenges

Securing the software supply chain has become a major effort of technology firms and the policymakers. In January, the Biden administration met with technology companies and open source organizations to find ways to promote secure coding, find more vulnerabilities, and speed patching of open source projects.

Last year, Google pledged to spend $10 billion over five years, supporting efforts by the OpenSSF, adding a cybersecurity advisory group, and bolstering its Invisible Security zero trust initiative.

“Governments and businesses are at a watershed moment in addressing cybersecurity,” Kent Walker, president of global affairs for Google and its parent company Alphabet, said in the 2021 announcement of the company’s $10 billion pledge. “Cyberattacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges.”

Over the past decade, Google has paid out more than $38 million in rewards to researchers who have submitted 13,000 vulnerabilities to the company, as part of its Vulnerability Rewards Program. 

Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021.

Paying for “Eleet” Bug Finds

With its Open Source Software Vulnerability Rewards Program (OSS VRP), Google is creating a standard framework to reward researchers who find issues in the open source software projects maintained by the company.

Google will allow submissions for “[a]ll up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations,” the company stated in its blog post. In addition, the company has focused on rewards for several critical projects, including the Go programming language, the Angular Web framework, and its nascent operating system for connected devices, Fuchsia.

The company currently asks for submissions of vulnerabilities that affect the supply chain, design issues that could result in vulnerabilities in Google’s products, and security weaknesses such as compromised credentials, weak passwords, or insecure installation configurations. As part of its focus on the supply chain, the company will reward researchers who submit vulnerabilities to third-party open source projects on which Google’s software depends.

“This program focuses on Google-produced open source projects, and the proposed short list of flagship projects listed includes projects also driven by Google,” says Google’s Perron. “The rules also include the ‘Standard’ tier, which does incorporate a vast amount of projects.”

The company plans to pay researchers anywhere from $100 to $31,337 — a special number because it spells out “eleet,” or elite, in hackerspeak — with the higher payouts going to more severe, or more creative, vulnerabilities.

With the additional bounty programs, some vulnerabilities rewards may overlap with other programs. Google pledged to work with researchers to submit their vulnerability reports to the right programs to maximize their payout, the company said.

How security professionals can stay ahead of ransomware – Microsoft Security Blog

The “as a service” business model has gained widespread popularity as growing cloud adoption has made it possible for people to access important services through third-party providers. Given the convenience and agility of service offerings, perhaps it shouldn’t be surprising that the “as a service” model is being used by cybercriminals for nefarious purposes.

Ransomware as a service (RaaS) involves cybercriminals purchasing and selling access to ransomware payloads, leaked data, RaaS “kits,” and many other tools on the dark web. We explore this topic in the second edition of Cyber Signals, Microsoft’s quarterly brief that shines a spotlight on threat topics informed by our 43 trillion signals of data and research by more than 8,500 security experts. It’s one of the many resources available on Microsoft Security Insider, a site where you’ll find the latest cybersecurity insights and threat intelligence updates.

At Microsoft, we have been tracking the trend of human-operated ransomware. These threats are driven by humans who make decisions at every stage of the attack, making them particularly impactful and destructive to organizations. RaaS operations, such as REvil and the now-shutdown Conti, have the malware attack infrastructure and even stolen organizational data necessary to power ransomware activities. They then make these tools available on the dark web for a fee. Affiliates purchase these RaaS kits and deploy them in company environments. Like legitimate “as a service” offerings, RaaS may even include customer service support, bundled offers, and user review forums.

Ransomware as a service: Appealing to cybercriminals, challenging for companies

In more than 80 percent of ransomware attacks, the cybercriminals exploited common configuration errors in software and devices, which can be remedied by following security best practices. This means that ransomware actors are not using any new and novel techniques. The same guidance around timely patching, credential hygiene, and a thorough review of changes to software and system settings and configurations can make a difference in an organization’s resilience to these attacks. The other challenge is that some actors have opted to forgo the ransomware payload. They exfiltrate the victim organization’s data and extort money by threatening to release their data or sell it on the dark web.

As a result, companies that limit their hunting efforts to looking for signs of just the ransomware payload are at a greater risk of a successful breach and extortion. Finally, the ease of RaaS for cybercriminals means it is highly likely to remain a challenge for organizations worldwide.

Cybercrime—including ransomware, business email compromise schemes, and the criminal use of cryptocurrency—comes at a significant cost. The Federal Bureau of Investigation’s 2021 Internet Crime Report found that potential losses exceeded USD6.9 billion in 2021.1

In the European Union, the European Union Agency for Cybersecurity (ENISA) reported that about 10 terabytes of data were stolen each month by ransomware threat actors between May 2021 and June 2022, and a whopping 58.2 percent of that stolen data involved employees’ personal information.2

Ransomware as a service offers a few advantages to cybercriminals:

  • Lowers the barrier to entry for cybercriminals interested in committing ransomware attacks because these ransomware kits enable people with minimal technical expertise to deploy ransomware.
  • Conceals the identity of the cybercriminals behind the attack because anyone with a laptop and a credit card can search the dark web, purchase RaaS kits, and join the RaaS gig economy. As a result, governments, law enforcement, media, security researchers, and defenders face a bigger challenge in determining the culprit behind the attacks.

What Microsoft is doing to share threat intelligence insights

Microsoft gains deep insights into the ever-evolving threat landscape and threat actors by analyzing more than 43 trillion threat signals daily and leveraging the unique skills of more than 8,500 experts—threat hunters, forensics investigators, malware engineers, and researchers supporting our threat intelligence community and customers. These experts specialize in dedicated areas, such as vulnerabilities, threat actors, ransomware, supply chain risk, social engineering, and geopolitical issues.

Microsoft focuses on gathering intelligence about these cybercriminals’ behaviors, tactics, tools, and techniques to truly understand the end-to-end scope of their attacks and operations. We believe cybersecurity intelligence should be shared broadly. You can see our insights in our security intelligence blogs, the Microsoft Digital Defense Report, and Cyber Signals, our quarterly briefing, which can be found on Security Insider, our source for threat insights and guidance.

We understand that managing the myriad tasks necessary to grow a business gives organizations precious little time to stay updated on the latest security threats, let alone to preempt and disrupt extortion threats. We are committed to sharing the threat insights we have gathered with the cybersecurity community to help organizations secure their employees, customers, and partners. We are all cybersecurity defenders. Together, we can stay ahead of these threats.

Strategies to protect your organization

Because cybercriminals rely on security vulnerabilities they can exploit, companies can help block attackers by investing in integrated threat protection across devices, identities, apps, email, data, and the cloud. Here are three major strategies to help protect your environment from RaaS attacks:

  1. Prepare to defend and recover: Adopt a Zero Trust approach, which means never trusting an identity but instead always fully authenticating, authorizing, and encrypting every access request before granting access. This strategy also involves taking measures to secure your backups and protect your data.
  2. Protect identities from compromise: Safeguard network credentials and prevent the lateral movement used by attackers to evade detection while moving through your organization in search of assets to exfiltrate or destroy.
  3. Prevent, detect, and respond to threats: Leverage comprehensive prevention, detection, and response capabilities with integrated security information and event management (SIEM) and extended detection and response (XDR). This means understanding typical attack vectors, like remote access, email and collaboration, endpoints, and accounts, and taking steps to prevent attackers from getting in. And, very importantly, ensure that along with outside-in protection you are also doing inside-out protection focused on data security, information protection, and insider risk management.

You can find more in-depth security guidance in Cyber Signals and Security Insider.

A great security posture starts with understanding the threat landscape. Microsoft remains deeply committed to partnering with our entire community on sharing intelligence and building a safer world for all together. 

Learn more

To stay up-to-date on ransomware as a service and other threat insights and guidance, bookmark Microsoft Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1Internet Crime Report, Federal Bureau of Investigation. 2021.

2Ransomware: Publicly Reported Incidents are only the tip of the iceberg, European Union Agency for Cybersecurity. July 29, 2022.

Hackers have laid siege to U.S. health care and a tiny HHS office is buckling under the pressure

Hackers have laid siege to U.S. health care and a tiny HHS office is buckling under the pressure

Cyber crooks steal medical information of tens of millions of people in the U.S. every year, a number that is rising fast as health care undergoes its digital transformation.

It leads to millions of dollars in losses for hospitals, insurers and other health care organizations, threatens care delivery and exposes patients to identity theft.

But the Department of Health and Human Services’ Office for Civil Rights, which is tasked with investigating breaches, helping health care organizations bolster their defenses, and fining them for lax security, is poorly positioned to help. That’s because it has a dual mission — both to enforce the federal health privacy law known as HIPAA and to help the organizations protect themselves — and Congress has given it few resources to do the job.

“They’re a fish out of water … They were given the role of enforcement under HIPAA but weren’t given the resources to support that role,” said Mac McMillan, CEO of CynergisTek, a Texas firm that helps health care organizations improve their cybersecurity.

Due to its shoestring budget, the Office for Civil Rights has fewer investigators than many local police departments, and its investigators have to deal with more than a hundred cases at a time. The office had a budget of $38 million in 2022 — the cost of about 20 MRI machines that can cost $1 million to $3 million a pop.

Another problem is that the office relies on the cooperation of the victims, the institutions that hackers have targeted, to provide evidence of the crimes. Those victims may sometimes be reluctant to report breaches, since HHS could then accuse them of violating HIPAA and levy fines that come on top of costs stemming from the breach and the ransoms often demanded by the hackers.

Depending on the circumstances, it can seem like blaming the victim, especially since the hackers are sometimes funded or directed by foreign governments. And it’s raised questions about whether the U.S. government should be doing more to protect health organizations.

In an Aug. 11 letter to HHS Secretary Xavier Becerra, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), past co-chairs of a cybersecurity commission that examined the danger, raised that point, questioning the government’s “lack of robust and timely sharing of actionable threat information with industry partners.”

‘A stronger hammer’

The scope of the threat is massive and the consequences of breaches severe. According to a 2021 survey by the Healthcare Information and Management Systems Society, more than two-thirds of health care organizations had a “significant” incident in the previous year — mostly phishing or ransomware attacks.

These episodes pose potentially significant financial consequences and can threaten patients’ lives. A recent report from cybersecurity company Cynerio and the Ponemon Institute, a cybersecurity research center, found that about 1 in 4 cyberattacks resulted in increased mortality by delaying care.

Experts said the health care sector is particularly vulnerable to attacks, partly due to its digital transformation and partly due to its vulnerability to ransomware. Disrupting care could endanger patients’ lives, which can leave health care organizations feeling forced to fork over ransoms. In 2021 alone, hackers accessed records of nearly 50 million people, raising privacy concerns and leaving many vulnerable to fraud.

The HHS office expects to see 53,000 cases in the 2022 fiscal year. As of 2020, it had 77 investigators, some of whom are assigned to other things, like civil rights violations.

The Biden administration official who runs the Office for Civil Rights, Melanie Fontes Rainer, said her investigators have to pick their battles because they are “under incredible resource constraints and incredibly overworked.”

She frames the problem as one of funding and the Biden administration has asked Congress to give the agency a roughly 58 percent budget increase in fiscal 2023, to $60 million, that would allow it to hire 37 new investigators.

But advocates for victims want to be sure those new hires would favor helping them prevent future attacks over penalizing them for failing to stop past ones.

“If OCR is looking for money that will protect hospitals … good. That’s HHS’ role — not just to penalize the victim,” said Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, which represents a number of sectors within health care targeted by the hackers.

For the most part, that’s what the office does, but fines are always a possibility and Fontes Rainer said more resources will yield more enforcement that will encourage health care organizations to meet their obligations under HIPAA. Tim Noonan, a high-ranking official under Fontes Rainer, also expects it will bolster the agency’s ability to offer guidance and technical assistance.

A budget increase “will give us a stronger hammer,” Fontes Rainer said. “Enforcement … stops the conduct, but is also a deterrent for others.”

In July, HHS levied its first major fine on breaches since President Joe Biden took office, $875,000 on Oklahoma State University’s Center for Health Services. Agency investigators found that the center may not have reported a breach in a timely manner and that it also had failed to take steps to protect data.

And Fontes Rainer is pressing to increase fines following a legal setback at the end of the Trump administration.

In January 2021, the 5th Circuit Appeals Court struck down a $4.3 million penalty that the Office for Civil Rights had assessed the University of Texas M.D. Anderson Cancer Center over data breaches. The court called it “arbitrary” and “capricious,” giving ammunition to critics of the office’s enforcement efforts.

The Trump administration levied more than $50 million in fines related to breaches over four years. But the director of the Office for Civil Rights at the time, Roger Severino, also moved to reduce fines for entities that weren’t found in “willful neglect” of the privacy law or had taken corrective action, saying the office had misinterpreted the law.

‘A cop on the side of the road’

If HHS were to further back off from enforcement, it could prompt more negligence, some experts said.

More than half of the health care industry is “woefully underprepared” to protect against cyber threats, said Carter Groome, CEO of First Health Advisory, a health care risk management consulting firm.

At organizations with few resources, that lack of preparedness is understandable. But it’s not at large health systems.

“We know of a CIO in a small rural facility … he’s also in charge of … everything from snow shoveling to making sure the air conditioning is working,” said Tom Leary, head of government relations at the Healthcare Information and Management Systems Society. “But if they’re well-resourced and they’re not meeting their responsibilities, [enforcement] absolutely needs to be a part of the process.”

Leary’s group has found that cybersecurity budgets are often meager.

Stepped-up enforcement could prompt health care organizations to increase them.

Others are more skeptical. “HHS enforcement is like ninth on the list of reasons to have a good security program,” Kirk Nahra, a privacy attorney at law firm WilmerHale said, adding that aggressive enforcement could hamper data sharing that the government is otherwise trying to encourage. “Why would I open up access to you … if there’s a risk it could go wrong and I could get hammered.”

There are other ways government could help health care organizations improve their cybersecurity. Advocates for industry point to two key areas: cash for better defense systems and funding for workforce development.

John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, has called for federal support in training workers and grants to help organizations boost their security efforts. And in testimony to Congress, Erik Decker, chief information security officer at hospital chain Intermountain Healthcare, called for the Centers for Medicare & Medicaid Services to look into developing payment models to “directly fund” cyber programs.

In contrast to King and Gallagher, many in the industry said they are encouraged by progress on information sharing. HHS’ Health Sector Cybersecurity Coordination Center has helped, they said, and the public-private 405(d) Program and Task Group has received high marks for its work to develop guidelines to help health care organizations defend themselves. Congress called for the collaboration in section 405(d) of a 2015 law.

Still, King and Gallagher in their letter to Becerra said they worried the information sharing was not robust enough, given the growth in cyberattacks. They called for an urgent briefing from HHS and suggested they’d be willing to propose funding and laws extending the agency new powers to take on the hackers.