1. Patch for AKIRA and LockBit Ransomware Cyberthreats

Ransomware groups AKIRA and LockBit targeted transportation and logistics companies in Illinois and Montana, respectively. These attacks highlight the vulnerability of this sector to ransomware attacks. It is important to ensure that your systems are patched and up-to-date, and that you have strong backups in place. You should also educate your employees about the dangers of phishing attacks and how to avoid them.

2. Malware Phishing Operation Hits Oil and Gas Sectors with Rhadamanthys Intrusion

A phishing campaign targeting oil and gas companies used a lure from the U.S. Department of Transportation (DOT) to deliver Rhadamanthys information-stealer malware. This campaign highlights the evolving tactics of cybercriminals and the importance of employee awareness training. Employees should be trained to be suspicious of unsolicited emails, even if they appear to come from a legitimate source. They should also be careful about clicking on links or opening attachments in emails.

3. Chinese Threat Actor Earth Freybug Uses New Technique to Evade Detection

A China-linked threat actor called Earth Freybug is using a new technique that combines DLL hijacking and API unhooking to evade detection. This technique highlights the increasing sophistication of cyberattacks and the need for robust security defenses. Organizations should keep their systems up-to-date and implement security measures that can detect and prevent these types of attacks.

Krypton Alert: LockBit Ransomware Targets Tri-State Truck & Equipment

On April 20, 2024, analysts identified a communication that the ransomware group LockBit posted on its dark web (DW) leak site in which it claimed to have targeted Tri-State Truck & Equipment, a Montana-based truck manufacturing and repair company. LockBit did not indicate how much or what data it acquired but did state all data was made publicly available on April 19, 2023 via a download link on its DW leak site.

LockBit appears to be a financially motivated group, which emerged in September 2019. The ransomware group targets victims operating in various sectors including transportation, logistics, healthcare, manufacturing and engineering, with most notable previous victims based in the United States, Latin America, Europe, China, India and Indonesia. 

In a reference to LockBit’s tactics, techniques, and procedures (TTPs), analysts note that the group usually implements a double-extortion tactic for an additional leverage to collect ransom payments. In order to target networks, the group uses various methods, including unpatched vulnerabilities, insider access, and zero-day exploits. Additionally, the group functions as ransomware-as-a-service (RaaS), which enables LockBit to sell or rent predeveloped ransomware tools to its affiliates to execute ransomware attacks. 

Chinese Threat Actor Uses DLL Hijacking and API Unhooking in New Malware Campaign

A China-linked threat cluster tracked as “Earth Freybug” has been deploying a unique dynamic-link library (DLL) hijacking and application programming interface (API) unhooking technique. This process is intended to prevent child processes from being monitored via the employment of a malware dubbed UNAPIMON. This malware also assists the threat actor in maintaining persistence and avoiding detection with a compromised network. The Earth Freybug threat cluster employs a combination of living-off-the-land binaries (LOLBins) and custom malware strains in its attacks. The group has also modified additional techniques such as dynamic-link library (DLL) hijacking and application programming interface (API) unhooking. UNAPIMON is a C++-based malware, and is designed to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thereby evading detection in sandbox environments that implement API monitoring through hooking. A child process is a process created by another process. The creator process is called the “parent process.” The benefit of a child process is that it can start or stop at will without affecting the parent process. The child process, however, is typically dependent on the parent process. If the parent process dies, the child process becomes an orphan process. 

Earth Freybug is an established threat actor that has been conducting operations since 2012. The threat actor is primarily known for espionage and financially motivated campaigns targeting entities in various industry verticals. The Earth Freybug group is assessed to be a subset of another threat actor known as APT41 (AKA Winnti), which is a prominent China state-sponsored cyber espionage advanced persistent threat (APT) group. APT41 has conducted multiple software supply chain compromises, and specializes in gaining access to software companies to inject malicious code into legitimate files before distributing updates. The APT41 group has targeted a broad spectrum of organizations, including governments, hardware vendors, software developers, think tanks, telecommunication service providers, and educational institutes. APT41 is unique among China-based actors in that it leverages non-public malware that is commonly used in cyber espionage operations in what may be activity that falls outside the scope of state-sponsored missions. Use of this malware is assessed as a tactic, technique, and procedure (TTP) to avoid any attribution to China. Because of their operational nexus, Earth Freybug and APT41 share overlapping TTPs. Earth Freybug’s use of UNAPIMON and its sophisticated anti-monitoring capabilities pose a significant threat to organizations. Use of this malware allows the threat actor to evade detection and maintain persistence. These capabilities significantly enhance the potential for data hijacking, exfiltration, lateral movement within a compromised environment, and activity logging.

Connect:fun Campaign Targets Fortinet Exploit to Deploy Multiple Malware Families 

A group of threat actors operating as part of a collective dubbed Connect:fun were found to be exploiting a critical-severity vulnerability in Fortinet’s FortiClient enterprise management service (EMS) devices in order to deploy three separate malware families on compromised networks. The relevant vulnerability, a SQL injection exploit tracked as CVE-2023-48788, allows a threat actor to execute commands and malicious scripts on compromised devices. Multiple attack chains have been identified as part of this campaign, and the earliest began with the threat actor scanning for vulnerable Fortinet devices on which to exploit the vulnerability, and then downloading the remote desktop software known as ScreenConnect and installing it on compromised devices using the msiexec.exe command. In later attacks, the Powerfun script, which allows threat actors to manipulate shells and execute commands via command-and-control (C2) infrastructure.  

The vulnerability was first identified on March 12, 2024 in an advisory from Fortinet, which subsequently published a proof-of-concept (PoC) exploit on GitHub on March 21, 2024. Shortly thereafter, the threat actors behind the Connect:fun campaign began exploited the vulnerability in cyber attacks in what is assessed to be a targeted campaign rather than a blanket, automatic adoption by a botnet or similar operation. The speed with which the threat actor swiftly began to exploit the vulnerability and integrate it into its malware arsenal demonstrates the imperative of installing patches as soon as software developers make them available. The use of ScreenConnect is also notable given the manner in which threat actors have used legitimate remote management and monitoring (RMM) software as a way to maintain control over compromised networks while avoiding detection by anti-malware programs. 

Implement strong security measures. This includes using firewalls, antivirus software, and data encryption to protect your systems from unauthorized access. You should also regularly update your software and patch vulnerabilities.