Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now

(published: October 1, 2021)

Google has urged Chrome users to update to version 94.0.4606.71 to fix two new zero-day vulnerabilities that are being exploited in the wild, the second such emergency update in a month. The first, CVE-2021-37975, is a high-severity use-after-free flaw in the V8 JavaScript engine, a component that has been notoriously difficult to secure against memory-corruption attacks; the second, CVE-2021-37976, is a medium-severity information leak in Chrome's core.
Analyst Comment: Users and organizations should regularly check for and apply updates to the software they use, especially web browsers, which are increasingly used for a wide variety of tasks. Organizations can leverage the capabilities of Anomali ThreatStream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day

Hydra Malware Targets Customers of Germany’s Second Largest Bank

(published: October 1, 2021)

Researchers have discovered a new campaign leveraging the Hydra banking trojan. The malware is delivered as an Android application that impersonates the legitimate app of Commerzbank, Germany's second-largest bank. While Hydra has been active for a number of years, this campaign adds several new features, including abuse of Android Accessibility Services and of device permissions that let the application stay running and hidden with what amounts to full administrative control over the victim's phone. Initial distribution appears to be through a website that imitates the official Commerzbank site; once installed, the trojan can propagate further by sending bulk SMS messages to the victim's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources, and the permissions they request should be reviewed for anything a banking app has no reason to need, such as an Accessibility Service or the right to send SMS. Similarly, emails and websites should be verified before they are used.
Tags: Banking and Finance, EU, Hydra, trojan

New APT ChamelGang Targets Russian Energy, Aviation Orgs

(published: October 1, 2021)

A new Advanced Persistent Threat (APT) group dubbed "ChamelGang" has been observed targeting the fuel and energy complex and the aviation industry in Russia, exploiting known vulnerabilities such as the ProxyShell chain in Microsoft Exchange Server and using both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2021 and report attacks on targets in 10 countries so far. The group disguises its malware and network infrastructure as legitimate services of established companies such as Microsoft, TrendMicro, McAfee, IBM and Google, for example by registering look-alike domains. In one of the cases analyzed by Positive Technologies, "the group compromised a subsidiary and penetrated the target company's network through it".
Analyst Comment: Many threat actors succeed in breaching organizations through exploits for which patches are already available. It is vital to have good asset and vulnerability management programs, especially in an organization that is a supplier to other companies, since a compromised supplier's access can be turned against its customers (Trusted Relationship, T1199).
MITRE ATT&CK: [MITRE ATT&CK] Trusted Relationship – T1199 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Windows Management Instrumentation – T1047 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] Remote System Discovery – T1018 | [MITRE ATT&CK] System Network Connections Discovery – T1049 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Exploitation of Remote Services – T1210 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Protocol Tunneling – T1572 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041
Tags: CVE-2021-31207, CVE-2021-34473, CVE-2017-12149, CVE-2021-34523, FRP, Cobalt Strike Beacon, Tiny Shell, ProxyT, BeaconLoader, DoorMe, Government, Russia, ChamelGang, APT, Supply Chain, ProxyLogon
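The ProxyShell CVEs tagged above leave a recognisable trail in the IIS logs of an Exchange server. As an added example (not code from the Anomali write-up or from Positive Technologies), the following Python script parses IIS W3C log lines and flags the two publicly documented request shapes of the chain: a request to /autodiscover/autodiscover.json whose query carries an "@host/" marker pointing at a backend such as /mapi/nspi or /powershell (the CVE-2021-34473 path confusion), and an X-Rps-CAT query parameter carrying a forged Exchange PowerShell token (CVE-2021-34523). The log excerpt, IP addresses, domain and token value are constructed for illustration.

```python
"""Hunt for ProxyShell-style requests in IIS W3C logs from an Exchange server.

Added example for this write-up; not code from Anomali or Positive Technologies.
The log excerpt, IP addresses, domain and token value are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed IIS W3C extended log excerpt. A real log carries more columns;
# the #Fields header tells the parser which ones are present.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-20 09:12:01 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa 203.0.113.10 200
2021-08-20 09:13:44 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 198.51.100.7 200
2021-08-20 09:13:45 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 198.51.100.7 200
2021-08-20 09:14:02 GET /autodiscover/autodiscover.json - 203.0.113.11 401
2021-08-20 09:15:10 GET /mapi/nspi/ - 203.0.113.12 200
"""

# CVE-2021-34473 is a path-confusion bug: the front end builds the backend URL
# from a request whose query embeds "@host/<backend path>", so that marker in an
# autodiscover.json request is the tell-tale of the chain.
AUTODISCOVER = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
BACKEND_VIA_AT = re.compile(r"@[^/\s]+/(mapi/nspi|powershell|ews/exchange\.asmx)", re.IGNORECASE)
# CVE-2021-34523: a forged Exchange PowerShell token is passed in X-Rps-CAT.
RPS_CAT = re.compile(r"(^|[?&])X-Rps-CAT=", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    rules: Tuple[str, ...]
    uri: str


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field -> value) per record, driven by the #Fields header."""
    fields: List[str] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield line_no, dict(zip(fields, parts))


def hunt_proxyshell(log_text: str) -> List[Hit]:
    """Return one Hit per log line that matches at least one ProxyShell rule."""
    hits: List[Hit] = []
    for line_no, rec in parse_w3c(log_text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        rules = []
        if AUTODISCOVER.search(stem) and BACKEND_VIA_AT.search(query):
            rules.append("autodiscover-path-confusion")
        if RPS_CAT.search(query):
            rules.append("forged-rps-cat-token")
        if rules:
            uri = stem if query == "-" else f"{stem}?{query}"
            hits.append(Hit(line_no, rec["c-ip"], tuple(rules), uri))
    return hits


if __name__ == "__main__":
    for hit in hunt_proxyshell(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client_ip} {', '.join(hit.rules)} {hit.uri}")
```

On the constructed excerpt the two POST requests from 198.51.100.7 are flagged, while the unauthenticated 401 to Autodiscover and the direct /mapi/nspi request from internal clients are not: a bare Autodiscover request is normal Outlook traffic, and only the "@host/" marker and the X-Rps-CAT parameter distinguish the exploit chain. Run it over `u_ex*.log` files under the IIS `LogFiles\W3SVC1` directory and remember that a hit shows access was attempted; a 200 response on the /powershell request is the stronger sign that the chain completed.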

GhostEmperor: From ProxyLogon to Kernel Mode

(published: September 30, 2021)

The Advanced Persistent Threat (APT) group "GhostEmperor" has been identified using a previously unknown Windows kernel-mode rootkit, dubbed "Demodex", together with a sophisticated multi-stage malware framework that provides remote control over the servers it targets, with initial access observed through the ProxyLogon vulnerabilities in Microsoft Exchange, according to Kaspersky researchers. GhostEmperor is believed to have been active since at least July 2020 and primarily targets governmental entities and telecommunication companies in South East Asia, with additional victims in Egypt, Afghanistan and Ethiopia. Researchers note that the actor is highly skilled and accomplished in their craft, as evidenced by a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques.
Analyst Comment: Vulnerability management is critical in order to remediate flaws within organizations' infrastructure in a timely manner, especially once these vulnerabilities have been publicly described. Anomali ThreatStream can be an invaluable aid in acquiring current threat intelligence that helps organizations discover indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) known to be used by threat actors.
MITRE ATT&CK: [MITRE ATT&CK] Hooking – T1179 | [MITRE ATT&CK] Rootkit – T1014 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Valid Accounts – T1078
Tags: APT, Lucky Mouse, Cobalt Strike, Derusbi, PsExec, Government, China, Middle East, GhostEmperor, ProxyLogon

A Wolf in Sheep’s Clothing: Actors Spread Malware by Leveraging Trust in Amnesty International and Fear of Pegasus

(published: September 30, 2021)

Threat actors are impersonating Amnesty International, a human rights-focused non-governmental organization, to deliver malware, according to Cisco Talos researchers. The actors pose as Amnesty International and offer a fake anti-virus tool that claims to protect against NSO Group's "Pegasus" spyware. A fake website that purports to be Amnesty International's instead installs the "Sarwent" Remote Access Trojan (RAT). Sarwent has the usual capabilities of a remote access tool, mainly serving as a backdoor on the victim machine, and can also enable Remote Desktop Protocol (RDP) on the host, potentially giving the adversary direct desktop access. Given the recent spotlight on Pegasus, this campaign has the potential to infect many users.
Analyst Comment: Users need to apply a high level of vigilance, and verify both the publisher and the download location, before downloading and installing software from any source, especially a third party.
MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools – T1219 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Remote Desktop Protocol – T1076
Tags: NSO Group, Pegasus, beacon, Banking And Finance, EU & UK, North America, Russia, Sarwent, RAT

PixStealer: A New Wave of Android Banking Trojans Abusing Accessibility Services

(published: September 29, 2021)

Check Point researchers have discovered a new wave of Android banking trojans abusing Accessibility Services. The trojan, dubbed "PixStealer," is an evolution of a known family of Brazilian banking malware and was at one point distributed on the Google Play Store. PixStealer is very minimalistic: it performs none of the "classic" banker functions such as stealing credentials from targeted bank applications or communicating with a C2 server, relying instead on Accessibility events to act inside the victim's banking app. Its "big brother," "MalRhino," contains a variety of more advanced features and introduces the use of the open-source Rhino JavaScript engine to process Accessibility events.
Analyst Comment: Banking applications should be carefully vetted as authentic before being installed, even if the application is hosted on a trusted platform.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Exploitation of Remote Services – T1210
Tags: MalRhino, Banking And Finance, South America, PixStealer
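Both the Hydra and the PixStealer stories turn on the same profile: an app that declares an Accessibility Service and pairs it with SMS, overlay and "never sleep" permissions that a banking app has no reason to request. As an added example (not code from Anomali, Check Point or the Hydra researchers), the following Python script performs that static triage on an AndroidManifest.xml, such as the one `apktool d` extracts from an APK. The two manifests, the weights and the thresholds are this example's own constructions; the package names are placeholders.

```python
"""Static triage of an Android manifest for the accessibility-abusing banker profile.

Added example; not code from Anomali, Check Point or the Hydra researchers.
The manifests are constructed and the weights are this example's own heuristic.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# None of these rights is malicious on its own (SMS apps, launchers and screen
# readers need them). The banker profile is the combination of an Accessibility
# Service with SMS, overlay and battery-optimisation exemptions in a "bank" app.
RISKY_USES_PERMISSIONS: Dict[str, int] = {
    "android.permission.SEND_SMS": 3,
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
}
ACCESSIBILITY_WEIGHT = 3


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Score a manifest and return the flagged permissions, services and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # An accessibility service is not a <uses-permission>; it is a <service>
    # the system binds to, guarded by android:permission=BIND_ACCESSIBILITY_SERVICE.
    a11y_services: List[str] = [
        s.get(A_NAME) for s in root.iter("service") if s.get(A_PERMISSION) == ACCESSIBILITY
    ]
    flags = sorted(p for p in requested if p in RISKY_USES_PERMISSIONS)
    score = sum(RISKY_USES_PERMISSIONS[p] for p in flags)
    if a11y_services:
        score += ACCESSIBILITY_WEIGHT
    if a11y_services and score >= 6:
        verdict = "high"
    elif score >= 4:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package", "?"),
        "accessibility_services": a11y_services,
        "flags": flags,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest of a look-alike "bank update" app with the Hydra/PixStealer profile.
MALICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Example Bank">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a plausible legitimate banking app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <application android:label="Example Bank"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (MALICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The point of the scoring is the combination rather than any single permission: the look-alike manifest scores 14 and is rated high because the Accessibility Service is paired with SMS and overlay rights, while the legitimate app scores 0. Treat the verdict as a triage signal to decide which samples deserve dynamic analysis, not as a classifier; a password manager will legitimately declare an Accessibility Service and should come out low.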

Exploit Released for VMware Vulnerability After CISA Warning

(published: September 28, 2021)

A working exploit for CVE-2021-22005, a critical vulnerability in VMware vCenter Server, has been released and is reportedly being used by threat actors, according to experts tracking the issue. On September 21, VMware warned of the flaw, an arbitrary file upload vulnerability in the vCenter Server Analytics service that can lead to remote code execution, and urged customers to update their systems as soon as possible. On September 24, VMware confirmed reports that the vulnerability was being exploited in the wild, while security researchers reported mass scanning for vulnerable vCenter Servers and publicly available exploit code. CISA has also issued an alert warning of widespread exploitation of this vulnerability.
Analyst Comment: Many threat actors succeed in breaching organizations through exploits for which patches are already available. It is vital to have an asset and vulnerability management program, and to keep management interfaces such as vCenter Server off the internet and reachable only from trusted administrative networks.
Tags: CVE-2021-22005, EU & UK, VMware

FoggyWeb: Targeted NOBELIUM Malware Leads to Persistent Backdoor

(published: September 27, 2021)

The Advanced Persistent Threat (APT) group "NOBELIUM" has been identified using a post-exploitation backdoor called "FoggyWeb" against Active Directory Federation Services (AD FS) servers, according to the Microsoft Threat Intelligence Center (MSTIC). FoggyWeb is deployed only after the actor has already obtained administrator-level access to the AD FS server; the same actor is behind the SUNBURST backdoor, the TEARDROP malware and related components. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers together with the decrypted token-signing and token-decryption certificates, and to download and execute additional components. FoggyWeb has been observed in the wild since as early as April 2021. The actors behind this campaign are believed to be using custom-built malware and tools.
Analyst Comment: Having a threat intelligence platform (TIP) such as Anomali ThreatStream is an important part of a defense in depth program, allowing for the rapid ingestion and dissemination of current threat indicators. An organization that finds FoggyWeb on an AD FS server should treat the token-signing and token-decryption certificates as compromised and rotate them, since a stolen token-signing certificate lets the actor mint valid tokens for any application federated with that AD FS instance.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Install Root Certificate – T1130 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Access Token Manipulation – T1134
Tags: NOBELIUM, TEARDROP, SUNBURST, FoggyWeb

Threat Analysis Report: Inside the Destructive PYSA Ransomware

(published: September 27, 2021)

The Cybereason Global Security Operations Center (GSOC) has released a report on the PYSA ransomware. PYSA is a human-operated ransomware with no self-propagation capability: threat actors deploy it manually as part of attack operations against high-stakes targets such as government authorities, educational institutions and the healthcare sector. The ransomware is implemented in C++ and uses the open-source Crypto++ (CryptoPP) library for data encryption. PYSA uses a hybrid encryption scheme, combining the Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) for bulk file encryption with the Rivest-Shamir-Adleman (RSA) algorithm to protect the symmetric keys, which gives both encryption performance and security. The threat actors typically gain initial access through compromised credentials or phishing emails.
Analyst Comment: Having a good, well-tested backup and recovery process is a critical part of a defense in depth program and may allow organizations to recover without paying a ransom. In addition, patch management can often prevent the initial exploit.
MITRE ATT&CK: [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Native API – T1106 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Data Encrypted – T1022
Tags: Mespinoza, Pysa, Mimikatz, PsExec, Koadic, PowerShell Empire, PYSA, Government, Healthcare, Military, EU & UK, North America
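To make the hybrid scheme concrete, the following is an added example (not PYSA's code and not from the Cybereason report) of the structure the report describes: each file is encrypted with a fresh AES-256-CBC key, and the only copy of that key is wrapped with the operator's RSA public key, so the file can be recovered by whoever holds the RSA private key and by nobody else. The report only states that AES-CBC and RSA are combined; the RSA-OAEP padding and the blob layout (wrapped key, then IV, then ciphertext) are this example's own choices, and the plaintext is a constructed sample. It requires the `cryptography` package (`pip install cryptography`).

```python
"""Hybrid AES-CBC + RSA file encryption of the kind the PYSA report describes.

Added example; not PYSA's code and not Cybereason's. OAEP padding and the blob
layout (wrapped key | IV | ciphertext) are this example's own assumptions.
"""
import os

from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = asym_padding.OAEP(
    mgf=asym_padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None
)


def encrypt_file_bytes(plaintext: bytes, operator_public_key) -> bytes:
    """Encrypt one file: fresh AES-256 key and IV, key wrapped under the operator's RSA key."""
    key = os.urandom(32)
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    # The symmetric key never touches disk in the clear; only its RSA-wrapped form
    # is stored, so bulk encryption is fast while recovery needs the private key.
    wrapped_key = operator_public_key.encrypt(key, OAEP)
    return wrapped_key + iv + ciphertext


def decrypt_file_bytes(blob: bytes, operator_private_key) -> bytes:
    """Recover a file: unwrap the AES key with the RSA private key, then AES-CBC decrypt."""
    wrapped_len = operator_private_key.key_size // 8
    wrapped_key = blob[:wrapped_len]
    iv = blob[wrapped_len:wrapped_len + 16]
    ciphertext = blob[wrapped_len + 16:]
    key = operator_private_key.decrypt(wrapped_key, OAEP)  # ValueError on wrong key
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def demo():
    """Return (round-trip ok, recoverable without the operator key, blob length)."""
    operator_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    plaintext = b"constructed sample document contents"  # 36 bytes, padded to 48
    blob = encrypt_file_bytes(plaintext, operator_key.public_key())
    roundtrip_ok = decrypt_file_bytes(blob, operator_key) == plaintext
    # Defender's position: ciphertext in hand, but a different RSA key pair.
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        decrypt_file_bytes(blob, other_key)
        recoverable_without_key = True
    except ValueError:
        recoverable_without_key = False
    return roundtrip_ok, recoverable_without_key, len(blob)


if __name__ == "__main__":
    ok, leaked, size = demo()
    print(f"round trip: {ok}, recoverable without operator key: {leaked}, blob bytes: {size}")
```

The 256-byte wrapped key at the front of every file is the cost of the design and also its point: breaking AES-CBC per file is infeasible, and unwrapping the key is exactly the RSA problem, so the practical recovery paths are the operator's private key or the backups the analyst comment recommends. Real samples differ in details such as key sizes, padding and where the wrapped key is stored, which is why decryptor tooling is always family-specific.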
