Q1 Threat Report
During the first quarter of 2023, Fortress tracked a number of events that impacted the critical infrastructure community.
In Washington, two substation attackers were tracked down and arrested. The two suspects were reportedly planning a jewelry store heist and believed that tampering with the substations would cause a power outage, allowing them to break into the store and steal goods without getting caught. It is believed their attacks caused damage lasting months. Another substation attacker, who is believed to have damaged two PG&E transformers in San Jose, California, was arrested in March and was found with improvised explosive devices in his home. Other incidents, such as the one in northern North Carolina affecting the Pleasant Hill substation, have gone without any arrests.
Fortra was breached around the end of January through a previously unknown vulnerability, CVE-2023-0669, affecting its GoAnywhere Managed File Transfer system. When exploited, this vulnerability allowed attackers to execute code remotely through the GoAnywhere administrator panel. An advisory was released on February 1, but it was posted behind a login wall, hindering public visibility; Fortra released a public advisory on February 3 to report the issue to its clients. The breach affected over 100 companies and exposed the data of hundreds of thousands of customers.
Three instances of poisoned packages on the Python Package Index (PyPI) were reported in Q1. PyPI has been a frequent target for package-poisoning campaigns; although such packages are usually detected relatively quickly, they can rack up hundreds of downloads before they are removed from the index. On January 5, Phylum reported on “pyrologin”, a package that allowed the threat actor to run a series of scripts with the end goal of extracting sensitive information and cryptocurrency wallet information. On January 14, Fortinet released a report about a threat actor called “Lolip0p”; that campaign also resulted in sensitive data exfiltration. In March, a third poisoned package was reported by Kroll. This malware, titled “Colour-Blind”, allowed an attacker to install a remote access trojan (RAT) and also included an information stealer. Colour-Blind is believed to be a spinoff of a malware strain released in November called “W4SP”, which shares enough similarities with Colour-Blind to indicate an ongoing campaign.
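The standard mitigation against a poisoned package being pulled from PyPI is to pin every dependency to a known hash and refuse anything that does not match, which pip enforces with `pip install --require-hashes -r requirements.txt`. The following script is an added example, not code from the Fortress report or from Phylum, Fortinet or Kroll; it reimplements that check so it can be run over artifacts staged in an internal mirror before they reach a build. The package names, versions, file contents and hashes in the demo are constructed for illustration.

```python
"""Verify locally staged Python artifacts against hash-pinned requirements.

Added example (not from the report): shows the hash-pinning check that pip
performs with --require-hashes, applied to files in a staging directory.
All package names, versions and file contents below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# A requirement line looks like: "name==version --hash=sha256:<hex> [--hash=...]"
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text):
    """Return {name: (version, {(algo, digest), ...})} for every pinned line.

    Raises ValueError if any line names a package without a --hash: a single
    unpinned line is enough for an index to substitute whatever it serves.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        hashes = {(h.group("algo"), h.group("digest").lower())
                  for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"{m.group('name')} is pinned by version only, no --hash")
        pinned[m.group("name").lower()] = (m.group("version"), hashes)
    return pinned


def is_fully_pinned(text):
    """True when every requirement line carries at least one --hash."""
    try:
        parse_requirements(text)
        return True
    except ValueError:
        return False


def file_digest(path, algo):
    """Stream the file through the named hash algorithm and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(requirements_text, artifact_dir):
    """Check each staged artifact named <name>-<version>* against its pins.

    Returns {name: "ok" | "MISMATCH" | "MISSING"}. Every file found for a
    package must match one of that package's pinned hashes to count as ok.
    """
    pinned = parse_requirements(requirements_text)
    results = {}
    for name, (version, hashes) in pinned.items():
        matches = list(Path(artifact_dir).glob(f"{name}-{version}*"))
        if not matches:
            results[name] = "MISSING"
            continue
        ok = all(any(file_digest(p, algo) == digest for algo, digest in hashes)
                 for p in matches)
        results[name] = "ok" if ok else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one clean artifact, one tampered, one absent."""
    clean = b"PK\x03\x04 constructed clean wheel contents"
    tampered = b"PK\x03\x04 constructed wheel with an injected install hook"
    clean_sha = hashlib.sha256(clean).hexdigest()
    reqs = "\n".join([
        f"requests==2.28.2 --hash=sha256:{clean_sha}",
        f"colorama==0.4.6 --hash=sha256:{clean_sha}",   # staged file will differ
        "urllib3==1.26.14 --hash=sha256:" + "0" * 64,   # nothing staged for it
    ])
    with tempfile.TemporaryDirectory() as d:
        Path(d, "requests-2.28.2-py3-none-any.whl").write_bytes(clean)
        Path(d, "colorama-0.4.6-py2.py3-none-any.whl").write_bytes(tampered)
        return verify_artifacts(reqs, d)


if __name__ == "__main__":
    for pkg, status in demo().items():
        print(f"{pkg}: {status}")
```

A MISMATCH should fail the build rather than fall back to fetching the package again from the index: the point of the check is that a poisoned upload with the same name and version cannot replace the artifact that was reviewed when the hash was pinned.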
On February 3, 2023, the French CERT agency posted a notice about an ongoing campaign by ransomware-as-a-service (RaaS) groups targeting VMware ESXi virtual machines. The exploitation depends on a 2021 vulnerability, CVE-2021-21974, that can allow a threat actor with network access on port 443 to execute code remotely with unrestricted privileges. OVHcloud noted that some exploitation was also occurring over OpenSLP on port 427. On February 5, 2023, researchers with the Equinix Threat Analysis Center announced that the RaaS gang Royal, in particular, had been observed exploiting the ESXi vulnerability. Python virtual environments were commonly seen in use during these attacks.
On March 1, 2023, the Slovak cybersecurity company ESET published a report documenting a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. This bootkit is the first publicly known malware capable of bypassing Secure Boot defenses, making it a serious threat to organizations globally. It was first advertised in October 2022, selling for approximately $5000 on a dark web malware forum. ESET added that it can also run on fully up-to-date Windows 11 systems that have UEFI Secure Boot enabled. UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, making it possible to disable OS-level security solutions and deploy payloads during startup with elevated privileges. BlackLotus also brings its own genuine but vulnerable binaries to the targeted system in order to exploit the vulnerability, setting the stage for Bring Your Own Vulnerable Driver (BYOVD) attacks.
Fortress Information Security (FIS) will continue to monitor these threats and will issue a new Quarterly Threat Report at the close of the current quarter.