RansomHub-linked EDR-killing malware spotted in the wild

Also: Your external-facing NetSuite sites need a review; five popular malware varieties for Q2, and more

Infosec in brief Malware that kills endpoint detection and response (EDR) software has been spotted on the scene and, given it's deploying RansomHub, it could soon be prolific.

Discovered by Sophos analysts after a failed attack and dubbed EDRKillShifter, the malware leverages legitimate but vulnerable drivers on Windows machines to deliver ransomware to targets. 

Both variants tested by Sophos analysts make use of known vulnerable drivers with publicly available proofs of concept, with the ultimate goal of shutting down endpoint detection and response software and ransoming the victim's machine. The tactic of using publicly-known driver vulnerabilities is common for EDR-killing malware, Sophos said.

RansomHub – which appeared earlier this year and has quickly become one of ransomware actors' most widely used tools – indicates that EDRKillShifter could already be on the verge of becoming a serious threat. But a look inside the malware indicates it's not as dangerous as it appears at first glance, provided proper precautions are taken. 

Sophos's research does not mention the ingress route for attackers using EDRKillShifter, but notes that "this attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights." 

Once an attacker has the necessary permissions, they have to execute the malware via the command line, and have to enter a password to get it started. At that point, things start to get a bit more complicated – EDRShiftKiller obfuscates its activity with self-modifying code and several different EDR killers, which are written in Go and also obfuscated.

If its initial attempts at embedding itself into memory are successful, EDRShiftKiller then deploys one of two payloads that creates a new service for the compromised driver, forcing it to enter an endless loop that kills any of its targets. 

Given a threat actor first has to gain access to their target machine with elevated privileges in order to execute EDRShiftKiller and deploy ransomware, Sophos recommends the best prevention against it is to practice good Windows security role hygiene. This means clearly separating users from administrators, checking to ensure EDR software has tamper protection enabled, and keeping systems and drivers updated. 

Nonetheless, it's a good idea to keep an eye out for this threat, given its close associations with so prolific a ransomware.

Critical vulnerabilities of the week: SolarWinds again?

Having just gone through a Patch Tuesday week, we don't have many vulnerabilities to report that haven't already been covered. 

That said, there was one big bug to report in the form of a SolarWinds vulnerability (CVE-2024-28986) that the business software provider disclosed last week, but which is now believed to be under active exploitation. 

The critical vulnerability, with a CSVV score of 9.8 in severity, can be found in the SolarWinds Web Help Desk. It's a Java deserialization remote code execution vulnerability that, if exploited, allows an attacker to run commands on the host machine. 

"While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing," the vendor stated. "However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available."

Public NetSuite sites can leak data

Organizations running NetSuite SuiteCommerce or SiteBuilder are being urged to check their setups, as thousands of externally-facing sites have been discovered to be exploitable to leak customer PII.

Aaron Costello, chief of SaaS security research at AppOmni, wrote in a blog post last week that poor access control configuration, combined with the improper use of record and search APIs, will allow an unauthenticated user to extract data. 

There are plenty of caveats here – like the need for the attacker to know which customer record types (CRTs) are in use – but the advice remains the same: Go check your NetSuite setups, tighten access control to CRTs, and lock down those public-facing sites.

"I would highly recommend that administrators begin assessing access controls at the field level and identify which, if any, fields are required to be exposed," Costello added.

Ransomware miners strike gold (mining company)

An Australian gold mining company has admitted to being hit by a ransomware attack, but has shared few other nuggets of information aside from acknowledging the incident occurred. 

Evolution Mining put out an advisory [PDF] of the incident last week, explaining that it believed the incident had been contained and that there wouldn't be any material impact on its operations. 

"The incident has been proactively managed with a focus on protecting the health, safety and privacy of people, together with the Company's systems and data," Evolution noted.

Aside from mentioning that its IT systems were affected, no details were shared. 

Evolution's report is far less detailed than an attack on another Australian mining operation that took place in March. Northern Minerals Limited experienced a "cyber incident" that led to the theft of personal details of its employees, including scans of their passports. 

Data pertaining to research, mining projects and other corporate details were also stolen during the Northern Minerals attack and published online by the BianLian ransomware gang in June.

Idaho-based healthcare firm has half a million patient records stolen

Kootenai Health, based in Idaho, has admitted to an unspecified incident that resulted in the theft of personal details belonging to nearly half a million patients after a breach in late February. 

Kootenai wrote in a letter sent to victims that name, birthdate, Social Security, ID documents and medical data may have been stolen – but there was no mention of ransomware.

That said, several sources have reported that the 3AM ransomware gang was behind the attack. The Russian-speaking 3AM crew, which first appeared last year, has reportedly published some 22GB of data stolen from Kootenai to its leak site.

Consider this another warning to keep your systems updated and your defenders on high alert if you work in the healthcare industry. 

Five malware variants that made a mark in Q2

ReliaQuest has published a list of five malware variants it asserted had a big impact in the second quarter of 2024. Surprisingly, Infostealers continue to be popular

Windows infostealer LummaC2 topped the list after what ReliaQuest indicated was a quarter of considerable growth – compared to the first quarter of 2024, Russian market listings for LummaC2 rose by 51.9 percent.

Next up on the list is any and all types of Rust-based infostealers, which ReliaQuest claimed are becoming increasingly popular due to Rust being fast, easy to code to evade antivirus software, and cross-platform capable. 

The SocGholish remote access trojan, long a popular tool, continues to be so thanks to a new Python-leveraging infection change used to establish persistence, and AsyncRAT has been surging in popularity, too.

The Oyster backdoor malware distributed by websites hosting supposed legitimate software infected with malware brings up the rear. ReliaQuest observed that Oyster – also known as Broomstick and CleanUpLoader – has been linked to some of the top Russian malware gangs, including Wizard Spider.

Make sure your security systems are hardened against the various tricks those malware families use, which are discussed in the ReliaQuest report. ®

More about

TIP US OFF

Send us news


Other stories you might like