CTI Roundup: The FBI takes down Qakbot and Bumblebee returns from hiatus

In this week’s roundup, CTI revisits some of the top developing cyberthreats from the last several months. First is an overview of the FBI’s recent Qakbot malware takedown, followed by a look at machine learning models as an emerging attack vector. Also included are updates on ESXiArgs, Bumblebee, the Andariel and APT29 groups and the current state of ransomware.

1. FBI disrupts the Qakbot botnet

In December 2022, CTI warned about an uptick in Qakbot infections in customer environments belonging mostly to U.S.-based companies.

At the time, researchers attributed the increase to a widespread ransomware campaign run by Black Basta — a relatively new ransomware group that emerged in April 2022. At the time, Black Basta leveraged Qakbot to enter and move laterally across target networks.

Qakbot — also known as Quackbot, Qbot, Pinkslipbot, and TA570 — is one of the most notorious botnets and is responsible for thousands of global malware infections. It was first discovered in 2008, making it one of the longest-running botnets.

Operation Duck Hunt is a success

In late August, a global law enforcement operation successfully dismantled the Qakbot botnet. The campaign, dubbed Operation Duck Hunt, is reportedly the largest U.S.-led financial and botnet disruption to date.

Operation Duck Hunt involved redirecting traffic to government-controlled servers, enabling agents to control the botnet. The FBI instructed Qakbot-infected machines to download a proprietary uninstaller, which separated victim machines and prevented further malware installations from occurring.

Security Boulevard explains that the FBI’s strategy during the Qakbot takedown closely resembles “hacking back” — a tactic that authorities typically discourage organizations from trying due to the potential risks associated with executing commands on remote systems.

During the operation, the FBI and its international partners seized Qakbot’s infrastructure in Europe and the U.S. The U.S. Department of Justice also took over $8.6 million in stolen cryptocurrency from the Qakbot group. The operation revealed about 700,000 devices with Qakbot infections, with more than 200,000 in the U.S. However, the FBI believes there could be millions of Qakbot victims.

While the FBI dealt Qakbot a heavy blow, there was a possibility that the botnet could potentially return. Since the takedown, Qakbot-affiliated threat actors have been observed distributing Ransom Knight ransomware and Remcos malware. While the threat actors are not distributing Qakbot itself, they are still operational, meaning there is a chance they will choose to rebuild the Qakbot infrastructure.

CTI will continue to monitor the situation for developments.

2. Machine learning: An emerging attack vector

Over the last year there has been an explosion in powerful AI and ML chat services — and this is only the beginning of what’s to come. A recent study from Gartner reveals that 70% of organizations are now in the “exploration” stages of generative AI research and investigation.

ChatGPT — which uses OpenAI’s GPT-3.5 and GPT-4 models — remains one of the most popular AI tools on the market, mainly for its versatility and ease of use. Business adoption could increase even more in the months ahead following the announcement of ChatGPT Enterprise, which OpenAI claims is the most powerful version of ChatGPT yet. ChatGPT Enterprise also features enterprise-grade security and privacy.

Some additional AI chatbots to know about include:

• Bing Chat, which uses OpenAI’s GPT-4 model. The new Bing has internet access and works like a search engine.
• Google Bard, powered by PaLM 2 and a lightweight version of LaMDA.
• Claude, an LLM developed by Anthropic and based on Constitutional AI.
• Perplexity AI, an internet-connected chatbot that runs on GPT-3 and GPT-4.
• Jasper, a popular writing chatbot based on GPT-3.5.

The ongoing cybersecurity debate about Machine Learning

As highlighted by CTI following the emergence of ChatGPT in late 2022, the security community remains divided on the role of ML in cybersecurity. Some call it the savior of cybersecurity, while others are deeply concerned about its position as a dangerous new attack vector.

On one hand, recent advancements in this space make it easier for companies to manage and respond to emerging threats. For example, Exabeam has added generative AI capabilities to its New-Scale security information and event management (SIEM) platform — enabling users to quickly classify threats, summarize risks, and discover remediation recommendations. There are many other generative AI security services available today including Google Cloud Security AI Workbench, Microsoft Security Copilot, and CrowdStrike Charlotte AI.

But while ML and AI offer promise, they are still emerging technologies. It’s common for ML-based alert systems to generate excessive false positives and notifications, posing challenges for incident responders. Additionally, the meaning and significance of these alerts can be difficult to interpret.

What’s more, cybercriminals are increasingly targeting AI models using tactics like data poisoning, model theft, supply chain compromise, and AI backdoors. Around 20% of companies have experienced AI model attacks or compromise incidents within the last year, while 49% of security leaders are worried about threat actors poisoning AI and ML models to bypass security protections.

Considering this, companies and security professionals should consider embracing AI and ML, while recognizing the need for a careful and strategic approach to their implementation.

NSA announces new AI security center

On September 28, the National Security Agency (NSA) announced a new AI security center to oversee the development and integration of AI capabilities within U.S. national security systems.

According to the U.S. Department of Defense, the AI Security Center will become the focal point for developing AI best practices, evaluation methodology, and risk frameworks.

The center will promote the secure adoption of emerging AI capabilities across the national security enterprise and the defense industrial base. It will also consolidate the agency’s AI and security-related activities.

3. ESXiArgs: Still in the wild

Back in February CTI sounded the alarm about the rapidly spreading ESXiArgs ransomware campaign. At the time, attackers were actively targeting VMware ESXi servers — specifically those that were unpatched and vulnerable to CVE-2021-21974.

By the middle of February, more than 500 hosts were compromised by the ESXiArgs strain, with most victims in France, the Netherlands, Germany, the U.K., and Ukraine.

What’s new with ESXiARGS?

ESXiArgs is still active and spreading, making it something to keep on your radar. Companies that have not patched their ESXi servers remain at risk of becoming victims.

VMware advises customers to upgrade to the latest supported release of vSphere components to address all disclosed vulnerabilities. VMware also recommends disabling the OpenSLP service in ESXi.

4. Bumblebee malware returns after a two-month break

In May, CTI warned how Google Ads is spreading new Bumblebee malware. Threat actors are using Google Ads to promote trojanized versions of installers for popular applications and deliver the Bumblebee malware loader to victims.

The Conti team most likely developed Bumblebee to replace the BazarLoader backdoor, making it easier for threat actors to access networks and distribute ransomware and other secondary payloads. Recent campaigns have seen the enterprise-targeting Bumblebee malware distributed through Google Ads, employing SEO poisoning to create promotions designed to appeal to users eager to facilitate the easy download of popular software, such as Zoom, Citrix Workspace, and Cisco AnyConnect.

Bumblebee’s latest campaign

After taking a summer hiatus, Bumblebee returned in September with a campaign that uses new distribution techniques.

According to Bleeping Computer, Bumblebee is now abusing 4shared WebDAV services. WebDAV is an extension of the HTTP protocol and enables clients to execute remote authoring operations like creating, accessing, updating, and deleting web server content.

Bleeping Computer reports that the latest Bumblebee campaign relies on spam emails that pretend to be scans, invoices, and notifications. The campaign attempts to lure recipients into downloading harmful attachments. Most attachments are Windows shortcut LNK files. However, there are also some ZIP archives with LNK files — meaning Bumblebee’s operators are most likely experimenting to find the best approach.

Analysts have also discovered an updated version of the Bumblebee malware loader in this campaign. The loader has switched from the WebSocket protocol to TCP for C2 communications. Furthermore, the new loader is no longer using hardcoded C2 addresses. Instead, it uses a domain generation algorithm to create 100 domains on the “.life” TLD space after execution.

From Bleeping Computer:

The domains are generated using a 64-bit static seed value, and Bumblebee connects to them by iterating through the created list until it finds one that resolves to an active C2 server IP address.

Bumblebee has been previously associated with ransomware payload distribution, including Conti and Akira, so adopting a more efficient and elusive distribution channel is a worrying development.

Also, adopting DGA makes it harder to map Bumblebee’s infrastructure, block its domains, and significantly disrupt its operations, adding additional complexity in implementing preventive action against the malware loader.

5. Andariel deploys numerous malware strains in attacks

A July CTI update explained how the North Korea-backed threat actor tracked as Andariel deployed EarlyRat malware during 2022 in a series of cyberattacks exploiting the Log4j vulnerability.

Andariel — also known as Silent Chollima and Stonefly — is a sub-group of North Korea’s Lazarus Group APT actor. The group routinely engages in cyberespionage operations aimed at foreign government and military entities of strategic interest to North Korea. Andariel mainly generates revenue and supports the North Korean government’s military operations.

Andariel’s primary targets include financial institutions, defense contractors, universities, government agencies, energy companies, and cybersecurity vendors.

Researchers issue a new Andariel warning

Andariel has recently been detected using various malicious tools and tactics in cyberattacks against target organizations.

For example, the group uses spear-phishing, supply chain attacks, and watering holes to launch payloads. Andariel also uses a mix of malware families such as Gh0st RAT, NukeSped, DTrack, YamaBot, Phandoor, Rifdoor, Andarat, TigerRAT (along with successor MagicRAT) and Andaratm. Plus, the group is using new strains such as Black RAT, Goat RAT, AndarLoader, and DurianBeacon. Black RAT and Goat RAT are written in Go, while AndarLoader is written in .NET. DurianBeacon uses Go and Rust.

From the AhnLab Security Emergency Response Center (ASEC):

The Andariel group is one of the highly active threat groups targeting Korea along with Kimsuky and Lazarus. The group launched attacks to gain information related to national security in the early days but now carries out attacks for financial gains.

For a deep dive into Andariel’s latest attack activities, check out ASEC’s full report.

6. Ransomware remains a top enterprise threat

In a July report, CTI revealed how ransomware attacks and payments are skyrocketing with researchers observing an overall rise in the number of successful payments both big and small. According to Chainalysis, ransomware is on track to break previous records.

From BleepingComputer:

Ransomware is the one form of cryptocurrency-based crime on the rise so far in 2023,” reads the Chainalysis report. “In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June.

Ransomware continues to accelerate

Cyber insurance provider Coalition research reveals ransomware payments increased by 12% YoY in 2023.

Ransomware demands now account for roughly one-fifth of all claims, making it the single most significant factor in claims filings. Ransomware claims also increased by 27% during the first half of 2023. The cost of claims increased by 42% during the first half of the year, with claimants reporting an average loss of more than $115,000.

Here are some recent noteworthy ransomware attacks:

• Johnson Controls was recently hit by a disruptive cyberattack, with the Dark Angels ransomware group making off with 27 TB of information.
• Thousands of patients had their information stolen following a ransomware attack that shut down computers at two Connecticut hospitals, including Waterbury Health and Prospect Medical Holdings.
• Rock County, Wisconsin was forced to take some of its systems offline after a ransomware attack on against its public health department.

Now trending: Dual ransomware attacks

The FBI is now warning about a rising trend known as dual ransomware attacks, where threat actors conduct separate attacks just hours or days apart.

From Dark Reading:

These ransomware attacks happen to the same victim within a short time span and, in the wild, have occurred with threat actors deploying different ransomware variants for each leg of the attacks, such as AvosLocker, Diamond, Hive Karakurt, LockBit, Quantum, and Royal. These variants are released in different dual combinations, ultimately resulting in a mix of data encryption, exfiltration, and extortion.

Organizations struggle with ransomware payment decisions

Most cybersecurity experts advise against making ransomware payments since companies who pay a ransom are more likely to suffer subsequent attacks. In addition, ransomware payments can also support and enable criminal organizations and extortion groups.

However, it’s not always possible for companies to avoid making payments. As First Sentier Investors CISO Lorraine Dryland recently explained at the Gartner Security & Risk Management Summit, CISOs often struggle to prevent executives from paying ransoms.

“To force an executive down that path can only end up in negative results and bad experiences because these are very willful individuals – they don’t get to where they are because they shy away from things, they will want to make a decision,” Dryland explained.

Dryland recommends using a scoring mechanism that allows executives to calculate the risks involved in their choice. However, making a payment should always be a last resort.

White House considers banning ransomware payments

Several states already prohibited jurisdictions from paying threat actors in ransomware attacks. Now, the White House is considering implementing a federal ban on ransomware payments to reduce financial incentives for cybercriminals. If enacted, this policy would prevent companies from making ransomware payments to recover encrypted data.

Proponents argue that this would put more pressure on senior leadership to prevent and respond to data breaches and make cybersecurity more of a shared relationship. However, a nationwide ransomware payments ban could also create confusion for small business owners, and give cybercriminals leverage to keep extorting companies that break the rules. At the same time, attackers may shift their focus to victims who feel compelled to pay.

At this point, it’s unclear whether the federal government will move forward a plan to curb ransomware payments. This is a story worth following in the months ahead.

7. APT29 remains a growing threat

In July, CTI reported that the Russia-backed advanced persistent threat group APT29 (also known as Nobelium and Cozy Bear) is now using trusted services like Google Drive and Dropbox to evade detection, deliver malware and hacking tools, and exfiltrate data.

APT29 most likely operates at the behest of Russia’s Foreign Intelligence Service (SVR). The group’s motivation is primarily espionage and is attributed with sophisticated and effective spear-phishing campaigns targeting government, military, and diplomatic entities that appear to align with the state and interests of the Russian government.

The group is known for spreading phishing emails and documents on foreign policy topics, and directing victims to phony websites to infect them with backdoors. Researchers also recently observed the group using a BMW car advertisement to target diplomats in Kyiv.

The latest on APT29

APT29 has ramped up the scope and frequency of its espionage attacks in 2023, with the Kremlin seeking more intel to assist its war on Ukraine.

The Cyber Risk Alliance reports that APT29 has made substantial changes to increase efficiency and evade detection. In addition, APT29 has increased routine espionage operations against global diplomatic entities. The group is now prioritizing European foreign affairs ministries and embassies, while also conducting operations that further Russia’s global interests.

According to Mandiant, APT29 is continuing its initial access campaign targeting Microsoft cloud-based services, and evolving its TTPs. For example, this year APT29 shifted to hosting first-stage payloads on compromised web services.

“Migrating the first-stage payload server side has likely provided APT29 a greater degree of control over its malware delivery chain and allowed the group to be more judicious about the exposure of its later-stage capabilities,” Mandiant’s researchers stated.

The group added a new layer of obfuscation to a campaign in March, leveraging TinyURL to create malicious phishing links. Researchers also observed APT29 embedding Rootsaw in a PDF for the first time.

APT29 is still in the wild and is becoming more dangerous. As the war in Ukraine continues to escalate, it’s possible that APT29 and similar groups could intensify their efforts even more.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.