In recent news, the Bumblebee malware loader, which is designed to be a stepping stone for ransomware, is now targeting remote workers by impersonating popular applications, including Zoom, Citrix Workspace, and ChatGPT. The Secureworks Counter Threat Unit (CTU) has identified malicious advertisements that link to fake download pages for these applications, where the trojanized installers deliver Bumblebee. The loader is favored by ransomware gangs as a replacement for BazarLoader.
Mike McLellan, director of intelligence at the Secureworks CTU, pointed out that up to one in every hundred online advertisements contains malicious content, a worrying statistic for remote employees who are downloading software in the comfort of their own homes, believing it to be legitimate.
The CTU team reported a case in which a user downloaded a Cisco AnyConnect VPN installer that had been modified to include the Bumblebee malware. Within hours, an attacker had deployed the Cobalt Strike post-exploitation framework on the system and used Kerberoasting to harvest hashed Active Directory service account credentials. Network defenders reacted in time and eradicated the attacker before any further damage was done; had they not intervened, ransomware could have been deployed.
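The Kerberoasting stage described above leaves a recognizable trace in Windows Security logs: a burst of Event ID 4769 (service ticket requested) records for many distinct service principal names (SPNs) from one account, typically with ticket encryption type 0x17 (RC4-HMAC), which is what attackers request because the resulting hashes are cheapest to crack. The following is an added detection example, not code from the article or from Secureworks; the event records, account names and SPNs are constructed, and the window and threshold are assumed values to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4769 records, reduced to the
# fields the heuristic needs. Encryption type 0x17 is RC4-HMAC, 0x12 is AES256.
# Every account, host and timestamp here is made up for the example.
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:01", "account": "alice@CORP", "service": "http/web01", "etype": "0x12"},
    {"time": "2023-06-01T09:15:00", "account": "bob@CORP", "service": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"time": "2023-06-01T09:15:02", "account": "bob@CORP", "service": "http/web01", "etype": "0x17"},
    {"time": "2023-06-01T09:15:03", "account": "bob@CORP", "service": "cifs/fs01", "etype": "0x17"},
    {"time": "2023-06-01T09:15:05", "account": "bob@CORP", "service": "ldap/dc01", "etype": "0x17"},
    {"time": "2023-06-01T09:15:06", "account": "bob@CORP", "service": "host/app02", "etype": "0x17"},
    {"time": "2023-06-01T09:15:08", "account": "bob@CORP", "service": "MSSQLSvc/db02:1433", "etype": "0x17"},
    {"time": "2023-06-01T11:00:00", "account": "carol@CORP", "service": "cifs/fs01", "etype": "0x17"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event ID 4769


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """Return {account: sorted distinct SPNs} for every account that requested
    RC4 service tickets for at least `min_spns` distinct services inside any
    sliding `window`. Thresholds are assumed defaults, not a standard."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["etype"].lower() == RC4_HMAC:
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological order so each request can open a window
        for i, (start, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 service tickets: {spns}")
```

Accounts that legitimately lack AES keys also generate RC4 tickets, so the distinct-SPN burst, not the encryption type alone, is what separates this from normal traffic.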
In light of the rise in malicious content distributed through Google ads, as well as SEO poisoning, the Secureworks CTU advises companies to implement strict rules limiting employees' exposure to such ads, and to download software only from official, trusted sources.
Secureworks is a cybersecurity company that helps organizations defend themselves against emerging forms of cyber threats. Founded in 1998, the company offers services such as cyber threat intelligence, proactive defence and detection, and vulnerability management. The company also provides incident response services, security consulting, and cyber intelligence training through the Secureworks Counter Threat Unit and Counter Threat Academy.
Mike McLellan is the director of intelligence at the Secureworks Counter Threat Unit. He is a highly experienced information and cybersecurity professional with 25 years of experience in cyber operations and threat intelligence. Before joining Secureworks, he held roles at the US Department of Defense, Symantec Corporation and Dell EMC. He has a BS from the University of Texas and an MBA from the University of South Florida.