Business Email Compromise Attacks on the Rise: Cyber Threat Intelligence Roundup

Up first this week is a look at the most notable cybercrime trends from the first half of 2022, which includes a rise in business email compromise (BEC) attacks which rely heavily on human targeting and manipulation. Next, we analyze the latest evolution of the Bumblebee malware loader and its associated botnet. Finally, we end with a report on the emergence of GitHub scam repositories in which cybercriminals are attempting to monetize the industry-wide buzz generated by the discovery and reported exploitation of the ProxyNotShell zero-days by suspected state-backed APTs.

1. Surge in BEC attacks indicative of a rising trend in extortion w/o encryption attacks

Arctic Wolf recently released its “1H 2022 Incident Response Insights” report. Here are some of the top takeaways:

• The median ransomware demand from threat actor groups was $450,000, with the technology and shipping/logistics industries experiencing demands more than double the global median.
• While the human element is a common attack vector that threat actors can exploit, over 80% of incidents are driven by the exploitation of unpatched vulnerabilities or remote access tools.
• Incidents tied to the well-publicized ProxyShell and Log4J vulnerabilities continue to be twice as costly for organizations to respond to than a median incident.

Uptick in BEC and relation to lack of MFA

Arctic Wolf’s data suggests a shift away from ransomware among cybercriminals as hackers turn to “extortion-without-encryption” schemes with increasing frequency. One of the most significant changes in the threat landscape is the successful number of BEC attacks observed during the second quarter of 2022.

According to Arctic Wolf, BEC cases, when viewed as contributor to all examined incident response cases, more than doubled in the second quarter of the year, comprising 34% of all cases as compared to just 17% in the first quarter of 2022. Business services, legal/ government, and finance/insurance saw a significant increase in the number of organizations suffering from this attack type. Worryingly, a glaring common thread emerged from the data: 80% of the impacted organizations lacked MFA.

Why BEC attacks are surging

Social engineering attacks that focus on tricking people are often able to circumvent email and other defensive security solutions. In some cases, they are more successful than attacks that attempt to take advantage of hardware or software weaknesses.

This is not to say that external vulnerabilities don’t play a significant role. In fact, Abnormal Security found in its threat report earlier this year that the vast majority of all cybercrime incidents (81%) involved external vulnerabilities in a few highly targeted products — namely, Microsoft’s Exchange server and VMware’s Horizon virtual-desktop software — as well as poorly configured remote services, such as Microsoft’s Remote Desktop Protocol (RDP).

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Aside from reporting a few notable ransomware-related details, Arctic Wolf’s “1H 2022 Incident Response Insights” report largely avoids lending its voice to the cacophony of conflicting ransomware trends coming from intelligence firms.”

“While some statistics support a trend involving more incidents than ever, others have been said to indicate a significant decline in reported ransomware attacks.”

“Considering Arctic Wolf’s latest findings, it’s impossible to overstate the importance of a comprehensive phishing and social engineering awareness and education training program. It’s also a good idea to emulate the latest cyberattacks in which humans represent the most likely ingress point during exercises, in the most realistic way possible.”

“Other than that, reports such as those referenced above should serve as another wake-up call that it’s not always the most sophisticated malware or TTPs which bring high-profile organizations to their knees, either financially or reputationally.”

2. Malware update: Popular Bumblebee malware loader implements new features, advances TTPs

The ever-popular Bumblebee malware loader has made headlines once again, this time in the form of Check Point’s new analysis of the constantly evolving malware.

About Bumblebee malware loader

Bumblebee replaced BazarLoader as one of the top ‘precursor’ malware strains used by threat actors to initiate ransomware infections — taking its rightful spot among household names like QBot, Emotet, and TrickBot.

The time it took for Bumblebee to climb that ladder is nothing short of remarkable. As we have previously reported, Bumblebee’s success is largely due to the sophistication of the spear-phishing emails via which it is typically delivered — a theory that may be related to the malware’s link with a well-known initial access broker.

An update on Bumblebee malware loader

According to Check Point’s latest research, the spring of 2022 saw a significant increase in activity featuring the Bumblebee malware loader.

The Bumblebee malware loader had already been the subject of intense scrutiny from the information security community, due to its apparent links to several well-known malware families.

Check Point calls out a few key takeaways:

• Bumblebee is in constant evolution, which is best demonstrated by the fact that the loader system has undergone a radical change twice in the range of a few days — first from the use of ISO format files to VHD format files containing a PowerShell script, then back again.
• Changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicate that the attackers may have shifted their focus from extensive testing of their malware to reach as many victims as possible.
• Although the threat contains a field called group_name, it may not be a good indicator for clustering-related activity: samples with different group_name values have been exhibiting similar behavior, which may indicate a single actor operating many group_names. The same is not true for encryption keys: different encryption keys generally imply different behavior, as expected.
• Bumblebee payloads vary greatly based on the type of victim. Infected standalone computers will likely be hit with banking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.

Check Point’s report goes on to state that certain unusual characteristics of recently observed Bumblebee activity (such as C2 servers ceasing communication with any infected hosts generating client_id submissions from an organization’s external IP after receiving the first client_id from that network) led its researchers to conclude that “if several computers in an organization, accessing the internet with the same public IP were infected, the C2 server will only accept the first one infected.”

Interestingly, this feature was suddenly turned off a few weeks ago, drastically increasing the number of established connections to infected hosts. What the feature was meant to accomplish remains anybody’s guess, though it seems likely it was enabled during a period of intensive testing.

This odd behavior prompted Check Point Research to monitor the behavior of Bumblebee across a variety of environments in which it had been executed. All seems to point towards these suddenly connected IP addresses actually acting as fronts for a main C2 server, through which all Bumblebee connections are relayed (i.e., typical botnet behavior).

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The in-depth analysis performed by Check Point’s researchers paints a clear picture of a threat that we already knew was focused on continuously updating its capabilities, while adding to our Bumblebee knowledge base by explaining the changes in its infection chain and the botnet activity designed to drastically expand the number of active victims and increase the overall volume of C2 traffic.”

“Bumblebee remains a unique and credible threat, setting itself apart from other third-party packers and evasion tools by using its own packer not just for itself, but also for the malware samples it deploys on vast numbers of victim devices. This is a trait Bumblebee may have picked up from other top-tier precursor malware families, but which yields to far greater effect and with a much greater degree of flexibility when it comes to changing its behavior and adapting to new environments.”

3. Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub

According to an October 3 article posted to cybersecurity blog BleepingComputer, threat actors are taking advantage of the buzz surrounding the much-publicized pair of Microsoft zero-day vulnerabilities dubbed ProxyNotShell by impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits.

Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub – @LawrenceAbramshttps://t.co/N5E15T43nO

— BleepingComputer (@BleepinComputer) October 3, 2022

What is ProxyNotShell?

ProxyNotShell refers to what Microsoft describes as “two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.”

The pair of security flaws were reportedly first discovered by security researchers at Vietnamese cybersecurity outfit GTSC, and summed up admirably in a September 29 article written by long-time, trusted CTI source Kevin Beaumont, a prominent security researcher.

State-affiliated APT group suspected in ProxyNotShell attacks

Microsoft’s Threat Intelligence Center (MSTIC), which claims to have observed attacks targeting the ProxyNotShell flaws in less than 10 organizations globally, has assessed with medium confidence that the activity is likely the work of a state-affiliated APT group.

While nobody has come out and specifically attributed the activity to an actor or nation-state, the attackers have been observed chaining the pair of zero-days in attack cycles that result in the deployment of the China Chopper web shell on compromised servers to further persistence, facilitate data theft, and enable lateral movement.

Researchers have identified GitHub repositories as sites of scam exploit activity

As we’ve often observed, whenever a story such as this grabs the attention of the entire infosec community, cybercriminals of all stripes are quick to attempt to monetize the buzz surrounding the incident and its subsequent developments. This often manifests as phishing campaigns featuring lures related to the issue at hand. With ProxyNotShell, we’re seeing something a bit different.

John Hammond, a researcher at Huntress Labs, has kept an eye on the activity on one particular scammer, who has been busy creating various GitHub repositories in which they are attempting to flog fake POC exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities – even offering multiple copies in what is likely a ham-fisted attempt at increasing the appearance of the POCs legitimacy.

There looks to be multiple of these, another one with a different SatoshiDisk link and “only selling FIVE copies”…. scam methinks. Multiple files to look more legitimate?

I’ve reported the account & repository to GitHub.

https[:]//github[.]com/TimWallbey/CVE-2022-41082-RCE https://t.co/BVvi0gtZqN pic.twitter.com/jrprZLYmct

— John Hammond (@_JohnHammond) September 30, 2022

In another example, a scam account found by Paulo Pacheco impersonated CTI’s Kevin Beaumont. This is undoubtedly an effort to monetize the reputation of this well-known security researcher, who has been tirelessly and selflessly documenting the new Exchange vulnerabilities and available mitigations.

What’s contained in these GitHub repositories?

From BleepingComputer:

“The repositories themselves don’t contain anything of importance, but the README.md describes what is currently known about the new vulnerabilities, followed by a pitch on how they are selling one copy of a PoC exploit for the zero days.”

“This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it: hxxps://satoshidisk[.]com/pay/xxx,” reads the text in the scam repository.”

The scam POC exploit is currently for sale at the low, low price of 0.01825265 Bitcoin, worth approximately $420.00 (far less than a true POC would be worth, and significantly less than other organizations are shelling out to those able to produce Microsoft Exchange RCE zero-days. Zerodium, for example, is reportedly offering at least $250k).

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“As hard-to-find as the technical details surrounding the ProxyNotShell flaws may be, it’s only a matter of time before a legitimate POC surfaces. In fact, various sources put the average time between a vulnerability’s disclosure and the emergence of working POC exploits at somewhere around 10-14 days. For this reason, CTI takes the proactive measure of creating and maintaining active searches for the emergence of POC exploits designed to target high-profile zero-days such as this the moment we learn of them.”

---

For further reading, catch up on our recent cyber threat intelligence roundups.