Thursday 29th August 2024

Good morning everyone! Thank you for joining me for today's edition of Cyber Daily. Today's instalment covers three stories: China's Volt Typhoon hackers targeting Versa Director servers with a zero-day exploit, the U.S. State Department putting a $2.5 million bounty on a Belarusian malware mastermind, and the notorious BlackByte ransomware group upping its game with lightning-fast exploitation of a new flaw and fresh tricks to evade detection.

China's Volt Typhoon Exploits Zero-Day Bug

China-backed hacking group Volt Typhoon is actively exploiting a zero-day vulnerability in Versa Networks' Director servers, aiming to harvest credentials for follow-on attacks. The flaw, tracked as CVE-2024-39717, is an unrestricted file upload in Versa Director's GUI customisation feature (the "Change Favicon" option) and affects releases before 22.1.4, where it is fixed. Versa Director is the central management component of Versa's SD-WAN platform, used by large organisations and service providers to manage network traffic and security policies, which makes the credentials it holds a valuable target.

Volt Typhoon's attacks rely on the high-availability management ports (4566 and 4570) having been left exposed to the internet; through them the attackers escalate privileges to admin-level access, which is what the upload flaw requires. The group has been exploiting the bug since June, routing its traffic through compromised small-office/home-office (SOHO) devices to reach vulnerable systems.

While Versa rated the bug only moderately severe (CVSS 6.6/10), it warns that the potential impact is significant. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-39717 to its Known Exploited Vulnerabilities (KEV) catalogue, requiring federal agencies to apply mitigations by mid-September.

Versa advises customers to upgrade to 22.1.4 or later and to follow its system-hardening and firewall guidelines, in particular making sure ports 4566 and 4570 are reachable only between Director nodes and never from the internet.

U.S. Offers $2.5M for Belarusian Cybercriminal

The U.S. Department of State has announced a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya, a Belarusian national accused of orchestrating a mass malware distribution campaign. Kadariya, along with associates Maksim Silnikau and Andrei Tarasov, faces charges of wire fraud conspiracy and computer fraud conspiracy related to his alleged role in distributing the Angler Exploit Kit (AEK) from 2013 to 2022.

The indictment claims Kadariya leveraged malvertising tactics—embedding malicious ads in legitimate websites—to spread ransomware and other malware to millions of victims worldwide. The campaign included “scareware” ads, tricking users into downloading harmful software or disclosing personal information. Kadariya and his co-conspirators also sold access to compromised systems and stolen data, such as banking details and login credentials, on Russian cybercrime forums.

The U.S. Secret Service has warned that the malvertising campaigns appeared legitimate but redirected users to sites hosting malware. Federal authorities are urging anyone with information on Kadariya's whereabouts to come forward to help bring him to justice.

BlackByte Ransomware Exploits New Flaw in VMware

The BlackByte ransomware group is at it again, exploiting a recently patched authentication bypass in VMware ESXi hypervisors (CVE-2024-37085) while continuing to abuse vulnerable drivers to switch off security protections. The group has a reputation for quickly adopting new tactics, and its latest campaign shows a shift towards more aggressive and sophisticated techniques.

According to a report by Cisco Talos, BlackByte is leveraging the VMware flaw, which grants full administrative access to a domain-joined ESXi host to any member of an Active Directory group named "ESX Admins", whether or not that group existed before the attacker created it. Talos assesses that the group used the victim's vCenter server to create that group and add accounts to it, giving them elevated privileges over the hypervisors. This is a pivot from their usual methods, which typically involve exploiting public-facing vulnerabilities for initial access, towards exploiting internal systems for privilege escalation.

BlackByte's continued use of the "Bring Your Own Vulnerable Driver" (BYOVD) technique lets it disable security tooling from kernel mode. Talos observed the group dropping four vulnerable drivers to disarm defences, including RtCore64.sys and DBUtil_2_3.sys. The group has also expanded its malware's code base to include C/C++, which complicates analysis and detection.

Talos researchers noted the rapid exploitation of CVE-2024-37085, just days after it was publicly disclosed, underscoring BlackByte's swift adaptation to newly identified vulnerabilities. With ongoing campaigns targeting sectors like professional services, manufacturing, and education, the group continues to pose a significant threat to critical infrastructure and businesses worldwide.

Organisations are urged to patch ESXi hosts and vCenter, monitor Active Directory for the creation or renaming of an "ESX Admins" group and for members being added to it, and block the loading of known vulnerable drivers.
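Because the CVE-2024-37085 abuse described above leaves an ordinary footprint on the domain controller (a group is created, renamed or populated), it is straightforward to hunt for. The detection logic below is an added example, not Talos's or VMware's code; it runs over a constructed set of Windows Security events reduced to the fields the rule needs (event IDs 4727/4731 for group creation, 4728/4732 for member additions, 4781 for renames) and flags anything involving a group called "ESX Admins". The comparison is made case-insensitively so that spelling variants are not missed.

```python
"""Added example: hunt for creation/rename/population of an AD group named 'ESX Admins'."""
import json

GROUP_CREATED = {4727, 4731}    # security-enabled global / local group created
MEMBER_ADDED = {4728, 4732}     # member added to security-enabled global / local group
ACCOUNT_RENAMED = {4781}        # account (groups included) renamed
TARGET_GROUP = "esx admins"     # compared case-insensitively

# Constructed sample log (JSON lines), not real telemetry. Only the relevant fields are kept.
SAMPLE_LOG = """
{"EventID": 4727, "SubjectUserName": "svc_backup", "TargetUserName": "Finance Admins"}
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=attacker,CN=Users,DC=corp,DC=local"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"}
{"EventID": 4732, "SubjectUserName": "admin", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=bob,CN=Users,DC=corp,DC=local"}
"""


def parse_events(text: str) -> list:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_target(name) -> bool:
    """Case-insensitive, whitespace-tolerant match on the group name."""
    return isinstance(name, str) and name.strip().lower() == TARGET_GROUP


def detect_esx_admins_abuse(events: list) -> list:
    """Return (event_id, actor, description) for every event touching 'ESX Admins'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        who = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _is_target(ev.get("TargetUserName")):
            alerts.append((eid, who, "group created"))
        elif eid in MEMBER_ADDED and _is_target(ev.get("TargetUserName")):
            alerts.append((eid, who, f"member added: {ev.get('MemberName', '?')}"))
        elif eid in ACCOUNT_RENAMED and _is_target(ev.get("NewTargetUserName")):
            alerts.append((eid, who, f"renamed from {ev.get('OldTargetUserName', '?')}"))
    return alerts


def run_sample() -> list:
    """Run the rule over the constructed log."""
    return detect_esx_admins_abuse(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for eid, who, what in run_sample():
        print(f"ALERT event {eid} by {who}: {what}")
```

On the constructed log the rule raises three alerts, all attributable to the same account: the group creation, the member addition, and the rename of "Helpdesk" to "esx admins". Feeding it real exports is a matter of replacing SAMPLE_LOG with the JSON your SIEM or Windows Event Forwarding produces; the field names used here are the standard ones from those event IDs.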

Jan Kübler

CEO of WORLDFIELD REAL ESTATE and WORLDFIELD INVESTMENT HOLDING Dubai, UAE 🇦🇪 multiple IRONMAN Finisher

4mo

That's alarming! It's important to stay informed about the latest cyber threats.

Marcel Velica

Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions| Cybersecurity Excellence | Cloud Security

4mo

Great roundup of critical cybersecurity news in the latest Cyber Daily! Aidan Dickenson
