Anomali Cyber Watch: North Korean APTs Used Chrome Zero-Day, Russian Energy Sector SCADA Targeting Unsealed, Lapsus$ Breached Microsoft – Finally Arrested, and More


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Drive-by, ICS, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Hive Ransomware Ports Its Linux VMware ESXi Encryptor to Rust

(published: March 27, 2022)

The Hive ransomware operators actively copy features first introduced in the BlackCat/ALPHV ransomware to make their ransomware samples more efficient and harder to reverse engineer. They have converted all their builds (targeting Windows, Linux, VMware ESXi) from Golang to the Rust programming language. They also moved from storing the victim’s Tor negotiation page credentials in the encryptor executable to requiring the attacker to supply the user name and login password as a command-line argument when launching the malware.
Analyst Comment: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140
Tags: Hive, Ransomware, BlackCat, VMware ESXi, Rust, Tor

US Says Kaspersky Poses Unacceptable Risk to National Security

(updated: March 25, 2022)

On March 25, 2022, the US Federal Communications Commission (FCC) added three new entities to its Covered List: China Mobile International USA Inc., China Telecom (Americas) Corp, and AO Kaspersky Labs. The action is aimed at securing US networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests. Previously, the FCC Covered List had five Chinese entities added in March 2021, including Huawei and ZTE. Kaspersky denied the allegations and stressed that the company “will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate.” Earlier the same day, HackerOne blocked Kaspersky from its bug bounty program.
Analyst Comment: It seems that the FCC decision does not directly affect private parties using Kaspersky antivirus and other security products. There is no public data showing directly that Kaspersky is currently involved in cyberespionage or malware distribution activity, but such suspicions were raised in previous years. Kaspersky’s direct connections to Russia and its Federal Security Service (FSB) make it both a potential security risk and a reputation risk as the military conflict in Ukraine leads to new sanctions and increased cyber activity.
Tags: Russia, USA, China, Ukraine, Kaspersky, FCC, FSB, Huawei, ZTE, China Mobile, China Telecom

Countering Threats from North Korea

(published: March 24, 2022)

Two distinct North Korea-sponsored campaigns exploited CVE-2022-0609, a remote code execution (RCE) zero-day vulnerability in Google’s Chrome web browser. The exploitation started on January 4, 2022, and continued after the fix was released on February 14, 2022. Operation Dream Job involved sending job-search-related emails with phishing links to 250 individuals working for domain registrars, news media, software vendors, and web hosting providers. Users opening the link were served a hidden iframe that would trigger the exploit kit. Another campaign, Operation AppleJeus, targeted the fintech and cryptocurrency industries, serving iframes via drive-by compromise or trojanized cryptocurrency applications. The exploit kit contained multiple stages employing fingerprinting, obfuscation, and session-specific AES encryption of each stage and its responses: the first stage served fingerprinting JavaScript, the second delivered the Chrome RCE and additional JavaScript, and the third delivered a SBX (sandbox escape) script.
Analyst Comment: Your organization should conduct anti-phishing training. System administrators should block identified malicious and compromised websites and ensure all the connected devices receive timely updates. Users are advised to enable Enhanced Safe Browsing for Chrome.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: Operation AppleJeus, Dream Job, CVE-2022-0609, Chrome, Government, USA, North Korea, APT, News media, IT, Cryptocurrency, Fintech, Javascript, Phishing, Drive-by, target-country:US, source-country:KP

Muhstik Gang Targets Redis Servers

(published: March 24, 2022)

Vulnerability CVE-2022-0543 affects some Redis Debian packages, allowing Lua sandbox escape. It was first discovered in January 2022, a proof of concept (PoC) was published on March 10, 2022, and the next day its exploitation began to install the Muhstik botnet operated by a China-based threat actor. In the past, Muhstik operators exploited vulnerabilities in Oracle WebLogic Server, Drupal, Confluence Servers, and Apache Log4j. The Muhstik bot can be used to launch a DDoS attack or to download additional malware such as the Monero mining software XMRig.
Analyst Comment: If vulnerable, patch your Redis Debian/Ubuntu service. Security advisories listing affected versions are available here: Debian and Ubuntu.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Network Denial of Service – T1498 | [MITRE ATT&CK] Brute Force – T1110
Tags: CVE-2022-0543, Redis, Muhstik, IRC, China, Debian, Ubuntu, DDoS, source-country:CN

Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide

(published: March 24, 2022)

The US Department of Justice unsealed two indictments from the previous year regarding Russian government actors attacking the energy sector. One indictment involves Evgeny Viktorovich Gladkikh, who was employed researching IT-related threats to critical infrastructure in one of the Russian Ministry of Defense’s leading research institutes (TsNIIKhM). In 2017, Gladkikh used Triton malware to attack industrial control systems (ICS) and operational technology (OT) of a Middle East oil refinery, which forced two emergency shutdowns. In 2018, he participated in an unsuccessful attack on a US company owning similar refineries in the US. The other unsealed indictment covered a group of Russia’s Federal Security Service (FSB) employees whose activity was tracked by researchers as Energetic Bear (Berserk Bear, Crouching Yeti, Dragonfly, Dragonfly 2.0, and Havex). They are responsible for thousands of compromises around the energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies, among them the US Nuclear Regulatory Commission and the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas. This group employed various intrusion techniques: spearphishing, watering-hole compromise, and supply-chain attacks on software updates. They specifically targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.
Analyst Comment: Network isolation is critical in protecting valuable ICS and SCADA systems. Having a TIP such as Anomali ThreatStream is increasingly recognized as a vital component of a defense in depth program. The capability to easily ingest and correlate threat intelligence as it is disseminated and correlate it against an organization’s infrastructure as provided by Anomali XDR (Match) can greatly ease the burden of finding and remediating both vulnerabilities and attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Data Manipulation – T1565 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Valid Accounts – T1078
Tags: ICS, SCADA, Dragonfly, Energetic Bear, Havex, Backdoor.Goodor, Crouching Yeti, FSB, Russia, Energy, Oil and gas, Nuclear, APT, Triton, Trisis, TsNIIKhM, USA, target-country:US, source-country:RU

Mustang Panda’s Hodur: Old Tricks, New Korplug Variant

(published: March 24, 2022)

ESET researchers discovered an ongoing campaign by the China-sponsored group Mustang Panda (TA416, RedDelta, or PKPLUG). The campaign features a previously undocumented PlugX (Korplug) variant, named Hodur. Mustang Panda spends just a few days incorporating the newest news trends into its phishing lures, be it COVID-19 or the 2022 military conflict in Ukraine. The targets included diplomatic missions, internet service providers (ISPs), and research entities; Mongolia was the most heavily targeted country, followed by Vietnam, Myanmar, Greece, Russia, Cyprus, South Sudan, and South Africa, the least targeted.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threat groups (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Native API – T1106 | [MITRE ATT&CK] Shared Modules – T1129 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Hide Artifacts – T1564 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] System Time Discovery – T1124 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Data from Removable Media – T1025 | [MITRE ATT&CK] Data from Network Shared Drive – T1039 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Fallback Channels – T1008 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Non-Standard Port – T1571 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041
Tags: Hodur, Mustang Panda, PlugX, Korplug, TA416, RedDelta, PKPLUG, China, Mongolia, Vietnam, Diplomatic missions, ISP, Phishing, target-country:MN, target-country:MM, target-country:VN, source-country:CN

Lapsus$ Suspects Arrested for Microsoft, Nvidia, Okta Hacks

(published: March 24, 2022)

On March 24, 2022, Lapsus$, a prolific data extortion threat group, announced on its Telegram channel that several of its members are taking a vacation. The same day, the City of London Police announced the arrest of seven individuals aged 16-21 connected to the group. The group leader, previously known under the online aliases WhiteDoxbin and Breachbase, is likely an arrested minor from Oxford, England. Earlier, Lapsus$ leaked closed source code and proprietary data from high-profile companies like Nvidia, Samsung, Microsoft, and Okta, and claimed attacks on game developer Ubisoft, telecom company Vodafone, and e-commerce giant Mercado.
Analyst Comment: Review access policies in your organization and make sure that the company’s source code and other proprietary information is not accessible to employees who don’t currently need it. Implement data loss prevention (DLP) monitoring. Implement multi-factor authentication (MFA) and network segmentation.
MITRE ATT&CK: [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Create Account – T1136 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Subvert Trust Controls – T1553 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Steal Web Session Cookie – T1539 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Cloud Service Dashboard – T1538 | [MITRE ATT&CK] Cloud Service Discovery – T1526 | [MITRE ATT&CK] Domain Trust Discovery – T1482 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Internal Spearphishing – T1534 | [MITRE ATT&CK] Lateral Tool Transfer – T1570 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Data Destruction – T1485 | [MITRE ATT&CK] Automated Exfiltration – T1020
Tags: Lapsus$, Breachbase, WhiteDoxbin, UK, Nvidia, Okta, Microsoft, SIM swapping, Data extortion

Operation Dragon Castling: APT Group Targeting Betting Companies

(published: March 22, 2022)

Avast researchers discovered a complex, multistage campaign targeting betting companies in Hong Kong, the Philippines, and Taiwan. Infections started either with a phishing email carrying an infected installer or through a zero-day in the WPS Office updater; the vulnerability was subsequently identified, reported to the vendor, and has since been fixed (CVE-2022-24934). The infection chain involves downloaders, dropping multiple files, and sideloading additional modules and malware. Three persistence mechanisms are used: editing registry keys, registering itself in the list of security support providers (SSPs) to be loaded into the Local Security Authority (LSA) process, and registering a Remote Procedure Call (RPC) interface. One of the final payloads, the MulCom backdoor, shares code with the previously described FormerFirstRat (FFRat), which was attributed to the China-sponsored DragonOK group.
Analyst Comment: Keep your systems updated. Check the sender authenticity and use extra suspicion when receiving an email asking you to run a certain attached software. Implement behavior-based detection for advanced threats.
MITRE ATT&CK: [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140
Tags: Operation Dragon Castling, MulCom backdoor, CVE-2022-24934, FormerFirstRat, FFRat, DragonOK, South East Asia, Taiwan, Philippines, Hong Kong, China, APT, Registry key, RPC interface, WPS Office, LSA process
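The SSP persistence mechanism described in Operation Dragon Castling above can be audited by comparing the LSA “Security Packages” registry value against a known-good baseline. The following is an added defender-side example, not code from Avast or from the original post; the baseline set and the sample list (including the rogue entry name) are constructed for illustration and should be tuned to your own golden image.

```python
"""Audit the LSA 'Security Packages' list for unexpected SSP DLLs (ATT&CK T1547.005)."""

# Registry location LSA reads at boot to decide which Security Support Providers to load.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Security Packages"

# Assumed baseline of built-in SSP names; anything outside it warrants review.
# Tune this to what your golden image actually ships with.
KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def find_unexpected_ssps(packages, known=KNOWN_SSPS):
    """Return entries of the REG_MULTI_SZ value that are not in the baseline.

    Matching is case-insensitive and a trailing '.dll' is ignored, so an entry
    written as 'Kerberos.dll' is still recognised as the built-in provider.
    Empty strings (present on many default installs) are skipped.
    """
    unexpected = []
    for entry in packages:
        name = entry.strip().lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name and name not in known:
            unexpected.append(entry)
    return unexpected


def read_security_packages():
    """Read the live value on Windows; return None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, LSA_VALUE)
    # REG_MULTI_SZ is returned as a list; tolerate a REG_SZ by splitting on whitespace.
    return value if isinstance(value, list) else value.split()


# Constructed sample mimicking a host where an extra SSP was appended; not a real indicator.
SAMPLE_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "example_rogue.dll"]

if __name__ == "__main__":
    packages = read_security_packages() or SAMPLE_PACKAGES
    rogue = find_unexpected_ssps(packages)
    print("Unexpected SSP entries:", rogue)  # ['example_rogue.dll'] on the sample
```

Run it from a scheduled job or an EDR script across your fleet and alert on any non-empty result; a newly appended SSP is rarely legitimate outside a planned change.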

Observed Threats

Additional information regarding the threats discussed in this week’s Anomali Cyber Watch can be found below:

Lapsus$
The extortionist cybercriminal group Lapsus$ (DEV-0537) has been active since at least mid-2020. Lapsus$ is believed to be based in South America, likely Brazil; however, it is also possible that the group consists of members located in different geographic locations. The threat group primarily focused on stealing cryptocurrency wallets and funds prior to moving on to larger, Portuguese-speaking targets in Latin America and Portugal. The frequency and scale of their attacks have increased since December 10, 2021, when the group conducted a data theft followed by extortion demands against the Ministry of Health of Brazil. Lapsus$ is a highly active group that utilizes insider recruitment and phishing combined with exploitation of publicly known vulnerabilities, followed by malware and tools to escalate privileges and steal data. Once the data has been exfiltrated, it is subsequently deleted.

Mustang Panda
Malicious activity conducted by the China-based cyberespionage group Mustang Panda was first identified by CrowdStrike in April 2017 and later publicly reported under the name Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.

CVE-2022-24934
wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.
