Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster, one of several Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs), including the use of Winnti malware. Earth Lusca was active throughout 2021, conducting both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting the gambling and cryptocurrency sectors. For initial access the group uses several methods, including spearphishing, watering hole attacks, and exploitation of public-facing servers. Cobalt Strike is the group’s preferred post-exploitation tool, followed by the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group runs two separate infrastructure clusters: rented Vultr VPS servers used for command-and-control (C2), and compromised web servers used to scan for vulnerabilities, tunnel traffic, and host additional Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that security best practices can stop, such as not clicking on suspicious email or website links and not reacting to random banners urging you to update an application. Do not be tricked into downloading an Adobe Flash Player update: Flash was discontinued at the end of December 2020, so any such prompt is a lure. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) patched, since the group gets in by exploiting unpatched public-facing servers.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Services – T1569 | [MITRE ATT&CK] Windows Management Instrumentation – T1047 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Create Account – T1136 | [MITRE ATT&CK] Create or Modify System Process – T1543 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Abuse Elevation Control Mechanism – T1548 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Hide Artifacts – T1564 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218
Tags: Earth Lusca, China, APT, Winnti, Government, Microsoft Exchange, Oracle GlassFish Server, Spearphishing, Watering hole, Cobalt Strike, BioPass RAT, Doraemon, FunnySwitch, ShadowPad
At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates
(published: January 14, 2022)
In an extremely rare instance of cooperation with US authorities, the Russian Federal Security Service (FSB) announced the arrest of 14 members of the Russian ransomware group REvil. In 2019 and earlier, these threat actors operated as GandCrab, a Russian-language ransomware-as-a-service. In 2021, REvil associates working with another ransomware group, DarkSide, attacked Colonial Pipeline, causing fuel supply disruptions in the US. REvil’s ransom proceeds are estimated at hundreds of millions of US dollars; millions were seized during the arrests. Among those arrested are Roman Gennadyevich Muromsky and Andrey Sergeevich Bessonov.
Analyst Comment: This rare cooperation from Russian law enforcement was likely an attempt to ease political tensions at a time when Russian troops threatened Ukraine and cyber activity in the region increased. As disconnecting Russia from SWIFT is reportedly no longer under consideration, the gesture may have achieved its aim and we might see more of this in the future, but that is far from certain.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Arrest, Ransomware, RaaS, REvil, GandCrab, Russia, USA, Roman Muromsky, Andrey Bessonov
Massive Cyber Attack Knocks Down Ukrainian Government Websites
(published: January 14, 2022)
In the worst cyberattack to hit the Ukrainian government in the last five years, about 70 government websites, including that of the Ministry of Foreign Affairs, were defaced and forced offline. Ukrainian incident responders pointed to a supply-chain compromise and specifically to CVE-2021-32648, a vulnerability in the OctoberCMS content management system. Ukraine attributed the attack to the Russian government; Russia denies involvement.
Analyst Comment: Update OctoberCMS to the latest version (the vulnerability is fixed in versions 1.0.472 and 1.1.5). CVE-2021-32648 lets an attacker who requests a password reset for a backend account take over that account with a specially crafted request, so an Internet-reachable admin panel is the precondition: block access to the CMS admin panel from the Internet and allow it only from your internal administrative network or the administrator’s internal IP address. Politically-exposed entities and government agencies should implement a defense-in-depth approach to protect against advanced cyberattacks.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Supply Chain Compromise – T1195
Tags: Ukraine, Government, Russia, Defacement, Supply-chain, OctoberCMS, CVE-2021-32648, Laravel
The BlueNoroff Cryptocurrency Hunt is Still On
(published: January 13, 2022)
Kaspersky researchers describe BlueNoroff as a financially-motivated unit inside Lazarus, the North Korean government-sponsored group. BlueNoroff is known for the 2016 attack on the Bangladesh Central Bank. Since 2017 the attackers have switched to targeting cryptocurrency-related businesses, and the attacks are still active, with the newest campaign detected in November 2021. BlueNoroff uses extensive research to produce convincing spearphishing; at times they use compromised websites and social media accounts. Their macro-enabled malicious document fetches a remote template containing a VBA macro that spawns a new process to inject and execute binary code embedded in the original document; the macro also de-weaponizes the original document as an operational-security measure. Another common infection vector in this campaign was a malicious Windows shortcut file disguised as a text file, presented in the phishing email as containing the password to an attached document. After infection, the attackers were seen collecting credentials and monitoring selected victims, going to great lengths to steal their cryptocurrency, including replacing a popular browser extension for managing crypto wallets (such as MetaMask for Ethereum) with a malicious version.
Analyst Comment: Be aware that spearphishing exploits your usual contacts, topics, and enticing subjects such as a proposal from an investor. If you use your browser’s Developer mode, make sure your important extensions (such as MetaMask) are loaded from the Web Store and not from a local folder on your machine, which is how the trojanized copy is installed. Double-check irreversible transactions before sending them, even when the intended amount is small, since the purpose of the trojanized extension is to tamper with the transactions you initiate.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Office Application Startup – T1137 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Indicator Removal on Host – T1070
Tags: BlueNoroff, Lazarus, North Korea, SnatchCrypto, Cryptocurrency, Blockchain, Smart contracts, DeFi, FinTech, APT, CVE-2017-0199, Spearphishing, Dccw, MetaMask, Powershell, Maldoc, Malicious shortcut, Remote template, VBS
GootLoader Hackers Are Compromising Employees of Law and Accounting Firms
(published: January 13, 2022)
eSentire researchers detected a fresh GootLoader campaign targeting law and accounting firms. GootLoader is a stealthy initial-access malware that previously distributed Sodinokibi (REvil) ransomware but has pivoted to other payloads such as Cobalt Strike. The GootLoader operators identify WordPress websites, exploit known WordPress vulnerabilities, and upload numerous malicious pages featuring alleged business agreements for a specific municipality. The volume and tailored approach lets the attackers’ fake agreement documents rank at the top of Google searches. When a user opens an alleged agreement document, the computer is infected with GootLoader.
Analyst Comment: Employees should be wary of files downloaded from the internet, especially executable ones. GootLoader-infected files are often disguised as documents; right-clicking the downloaded file and opening Properties shows that it is actually a JavaScript (.js) file. Administrators can enable the Windows Attack Surface Reduction rule “Block JavaScript or VBScript from launching downloaded executable content” to stop such scripts, and can additionally change the default handler for .js and .jse files from Windows Script Host to a text editor so that a double-click opens the script instead of running it.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: GootLoader, Law, Accounting, Cobalt Strike, WordPress, Website compromise
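The BlueNoroff lures above (a Windows shortcut posing as a password .txt, and a document that pulls a remote template) and the GootLoader lure (a JavaScript file posing as an agreement) share one weakness: the file’s real type is visible to anyone who looks past the name. The following Python triage script is an added example for this digest, not Kaspersky’s, eSentire’s or Anomali’s code. It identifies attachments by magic bytes rather than extension, flags shortcut and script files hiding behind document names, and reads the document’s relationship part to find an external attachedTemplate. The samples it runs on, including the placeholder host template.example.invalid, are constructed here and are not indicators from either report.

```python
"""Phishing-attachment triage: disguised shortcuts, scripts and remote templates.

Example code added for this digest; not tooling from the reports it summarizes.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Shell Link (.lnk) header: HeaderSize 0x4C, then CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
MAGICS = [
    (LNK_MAGIC, "lnk"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE2 compound file)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                         # .docx/.xlsx are ZIP containers
]
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1"}
DOC_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "rtf"}
EXT_TO_TYPE = {"txt": "text", "pdf": "pdf", "doc": "ole", "xls": "ole",
               "docx": "zip", "xlsx": "zip", "zip": "zip", "lnk": "lnk"}

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    head = data[:512]
    return "text" if head.isascii() and b"\x00" not in head else "unknown"


def find_remote_templates(data: bytes) -> list:
    """Return external attachedTemplate targets from a Word (OOXML) file.

    Word resolves the template relationship when the document opens, so an
    http(s) target means the file fetches code from elsewhere (remote template).
    """
    urls = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "word/_rels/settings.xml.rels" not in z.namelist():
                return urls
            root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    except (zipfile.BadZipFile, ET.ParseError):
        return urls
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            urls.append(rel.get("Target", ""))
    return urls


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list = nothing odd)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    if ext in SCRIPT_EXTS:
        findings.append(f"script file (.{ext}) delivered as an attachment")
    if len(parts) > 2 and parts[-2] in DOC_EXTS and ext in SCRIPT_EXTS | {"lnk"}:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{ext}")
    if actual == "lnk" and ext != "lnk":
        findings.append("Windows shortcut (LNK) disguised under a non-.lnk name")
    expected = EXT_TO_TYPE.get(ext)
    if expected and actual != expected and actual != "unknown":
        findings.append(f"content is {actual}, name claims {expected}")
    if actual == "zip":
        for url in find_remote_templates(data):
            findings.append(f"remote template: {url}")
    return findings


def build_docx(template_target=None) -> bytes:
    """Build a minimal .docx in memory (constructed sample, not a real lure)."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples; the host name is a placeholder, not an indicator.
SAMPLES = {
    "Investor_Proposal.docx": build_docx("http://template.example.invalid/t.dotm"),
    "Clean_Proposal.docx": build_docx(),
    "password.txt": LNK_MAGIC + b"\x00" * 56,  # LNK header under a .txt name
    "Agreement_2022.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "notes.txt": b"just text\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for finding in triage(name, blob):
            print(f"{name}: {finding}")
```

Run it against a mail quarantine folder by replacing the SAMPLES dictionary with real file contents. Checking magic bytes matters because Windows never displays the .lnk extension, so a shortcut saved as password.txt.lnk is shown to the user as password.txt; the remote-template check looks only at the settings relationship part, which is where Word records the attached template.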
Wormable Windows HTTP Hole – What You Need to Know
(published: January 12, 2022)
The first Microsoft Patch Tuesday of 2022 included a fix for CVE-2022-21907, which carries a base score of 9.8 (Critical). The vulnerability allows unauthenticated remote code execution in the Windows HTTP Protocol Stack (HTTP.sys), the kernel-mode driver behind IIS and other Windows HTTP listeners. Microsoft confirmed that the vulnerability is wormable. It affects Windows Server 2019, 20H2, and 2022, as well as Windows 10 and Windows 11 desktops.
Analyst Comment: It is essential to apply the January 2022 security updates to the affected systems. On Windows Server 2019 and Windows 10 version 1809 the vulnerable HTTP Trailer Support feature is off by default, and those systems are exposed only if the registry value EnableTrailerSupport under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters has been set to 1; the newer affected versions are exposed by default. A possible mitigation for machines that cannot be updated is to temporarily disable the HTTP.sys driver by setting the registry value HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Start to 4 (“service disabled”) and rebooting. Note that this also stops IIS, the WinRM HTTP listener and every other service built on HTTP.sys, so it is only viable on hosts where nothing depends on them.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Exploitation of Remote Services – T1210 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068
Tags: CVE-2022-21907, HTTP protocol stack, RCE, Vulnerability, Windows, Windows Server, Patch Tuesday, Wormable
New SysJoker Backdoor Targets Windows, Linux, and macOS
(published: January 11, 2022)
Intezer researchers discovered SysJoker, a new multi-platform backdoor that targets Windows, macOS, and Linux. At the time of publication, its macOS and Linux versions had zero detections by antivirus engines. SysJoker shows no significant similarities to previously known malware and is likely operated by an advanced persistent threat (APT) actor. The campaign started in the second half of 2021. SysJoker is written in C++ and has three versions, one tailored to each operating system. It masquerades as a system update and discovers its C2 address by fetching an encoded text file hosted on Google Drive, which lets the operators rotate the C2 without touching the implant. SysJoker sleeps for random intervals before starting system information collection and between collection steps.
Analyst Comment: Linux and macOS users are being targeted alongside Windows users, especially by sophisticated attackers. Use the indicators in Anomali ThreatStream and the detection content from Intezer to detect SysJoker in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Data Encoding – T1132
Tags: SysJoker, Multi-platform backdoor, Windows, Mac, Linux, Google Drive, Education, npm package
Joint Cybersecurity Advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
(published: January 11, 2022)
US-Russian diplomatic tensions are high after another fruitless round of talks regarding Ukraine, and three US agencies, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), have issued a joint Cybersecurity Advisory on Russian government threat actors. The advisory covers the activity of Russian state-sponsored groups since 2011 and their use of 18 vulnerabilities documented in 2018-2021, the newest of which target Microsoft Exchange. The actors have used sophisticated capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in Defense, Healthcare, Energy, Telecommunications, and Government.
Analyst Comment: Follow the guidance in the joint Advisory. Minimize gaps in security personnel availability. Ensure security monitoring and the ability to identify anomalous behavior. Create, maintain, and exercise a continuity of operations plan. Apply the Advisory’s best practices for identity and access management. Update software and firmware in a timely manner, prioritizing patching of known exploited vulnerabilities.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Brute Force – T1110 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets – T1558 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Exploitation for Credential Access – T1212 | [MITRE ATT&CK] Unsecured Credentials – T1552 | [MITRE ATT&CK] Proxy – T1090
Tags: APT, Russia, USA, Ukraine, Critical infrastructure, Defense, Energy, Telecommunications, Government, Fancy Bear, Cozy Bear, GRU, Sandworm Team, CVE-2021-26855, Microsoft Exchange, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
(published: January 11, 2022)
TellYouThePass ransomware was first discovered in 2019, with samples written in traditional languages such as Java or .NET. Since December 2021 it has made a comeback, rewritten in Golang and targeting both Linux and Windows. New TellYouThePass variants were detected as post-exploitation payloads delivered through Log4Shell.
Analyst Comment: Keep your Internet-exposed servers updated, including the Log4j libraries bundled inside applications. Monitor for post-exploitation activity such as TellYouThePass ransomware.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: TellYouThePass, Ransomware, Golang, Windows, Linux, Log4Shell
FBI Warns of Hackers Mailing Malicious USB Sticks to Businesses
(published: January 10, 2022)
In 2020, the threat group FIN7 started its malicious USB attacks by impersonating Best Buy and mailing packages to hospitality and retail businesses, building trust with extra items such as teddy bears. Since August 2021, FIN7 has targeted the US transportation and insurance sectors, and since November 2021, the US defense industry. Packages imitating the US Department of Health and Human Services (HHS) are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB drive; those imitating Amazon arrived in a decorative gift box containing a fraudulent thank-you letter, a counterfeit gift card, and a USB drive. Once plugged in, a BadUSB attack starts: the device registers itself as a keyboard and types a series of pre-configured keystrokes that execute PowerShell commands, which in turn download and install a variety of malware: Metasploit, Cobalt Strike, Carbanak, and Griffon. The attackers aim to obtain administrative privileges, move laterally, and install BlackMatter or REvil ransomware on as many computers as possible.
Analyst Comment: Users should be educated on the danger of plugging in devices of questionable origin. Because the device presents itself as a keyboard, USB storage restrictions alone do not stop it; organizations should have a defense-in-depth approach to detect the second-stage malware and unauthorized lateral movement. Defense contractors can consider physically locking USB ports.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059
Tags: FIN7, USB, BadUSB, Ransomware, Cobalt Strike, Metasploit, Carbanak, Griffon, BlackMatter, REvil, PowerShell, USA, Russia, Defence, Transportation, Insurance
Observed Threats
Additional information regarding the threats discussed in this week’s Weekly Threat Briefing can be found below:
APT29
The Advanced Persistent Threat (APT) group “APT29” is a Russia-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group has an arsenal of custom and complex malware at its disposal and is believed to be sponsored by the government of the Russian Federation. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world; however, a plethora of other targets have also been identified.
APT28
The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays a high level of sophistication in the multiple campaigns attributed to it, and the malware and tools used in those operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the military intelligence agency of the Russian armed forces.
Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, an open source Java logging package. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently disclosed to the public on December 9, 2021.