Friday, October 14th, 2022
Cybersecurity Week in Review (14/10/22)
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers
A dozen or more attacks focusing on Israeli entities, going back to September of last year, have been linked to a threat actor known as Polonium. The highly targeted attacks have aimed at organisations in industries such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. The Polonium operation is thought to be based in Lebanon and is known to attack Israeli targets exclusively. The group first came to light earlier this June when more than 20 malicious OneDrive accounts were created by the adversary for command-and-control (C2) purposes.
Implants such as CreepyDrive and CreepyBox have been utilised in the attacks due to their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. They also deployed the PowerShell backdoor dubbed CreepySnail.
The full list of tools used includes:
- CreepyDrive/CreepyBox – A PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox
- CreepySnail – A PowerShell backdoor that receives commands from the attacker’s own C2 server
- DeepCreep – A C# backdoor that reads commands from a text file stored in Dropbox accounts and exfiltrates data
- MegaCreep – A C# backdoor that reads commands from a text file stored in Mega cloud storage service
- FlipCreep – A C# backdoor that reads commands from a text file stored in an FTP server and exfiltrates data
- TechnoCreep – A C# backdoor that communicates with the C2 server via TCP sockets to execute commands and exfiltrate data
- PapaCreep – A C++ backdoor that can receive and execute commands from a remote server via TCP sockets
PapaCreep, spotted as recently as September 2022, is a modular malware that contains four different components that are designed to run commands, receive and send commands and their outputs, and upload and download files. Despite the abundance of malware utilized in the attacks, the initial access vector used to breach the networks is currently unknown, although it’s suspected that it may have involved the exploitation of VPN flaws.
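Most of the implants listed above share one trait a defender can key on: a scripting host or unsigned binary polling a consumer cloud-storage API for its tasking and pushing data back the same way. The following is an added example (not code from the original article or from any vendor) that runs that detection logic over a few constructed proxy-log lines. The log layout, endpoint names and the set of cloud-storage hostnames are assumptions to be adapted to your own proxy or EDR export.

```python
"""Flag script hosts talking to consumer cloud-storage APIs in proxy logs.

Added example, not from the original article. The CSV layout, hostnames and
process names are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Cloud-storage API hosts of the services named in the article (OneDrive via
# Microsoft Graph, Dropbox, Mega). Assumption: real services use many more
# hostnames; extend this set from your own telemetry.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "g.api.mega.co.nz",
}

# Processes that should not normally be the client of a personal cloud-storage API.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample export: ts,host,process,dest_host,bytes_out
SAMPLE_LOG = """\
ts,host,process,dest_host,bytes_out
2022-10-14T09:00:01Z,WS01,OneDrive.exe,graph.microsoft.com,1200
2022-10-14T09:00:05Z,WS01,chrome.exe,www.example.org,800
2022-10-14T09:01:10Z,WS07,powershell.exe,graph.microsoft.com,45213
2022-10-14T09:01:12Z,WS07,powershell.exe,graph.microsoft.com,60331
2022-10-14T09:02:00Z,WS09,cscript.exe,api.dropboxapi.com,2048
2022-10-14T09:03:00Z,WS03,Dropbox.exe,content.dropboxapi.com,900
"""


def find_suspicious(log_text, hosts=CLOUD_STORAGE_HOSTS, script_hosts=SCRIPT_HOSTS):
    """Return {(endpoint, process, dest_host): total_bytes_out} for script hosts
    contacting cloud-storage APIs.

    Totals are aggregated per (endpoint, process, destination) because a
    file-based C2 channel shows up as steady polling plus bursts of upload,
    which is easier to triage as one line than as many single hits.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = row["process"].lower()
        dest = row["dest_host"].lower()
        if proc in script_hosts and dest in hosts:
            totals[(row["host"], proc, dest)] += int(row["bytes_out"])
    return dict(totals)


if __name__ == "__main__":
    for (endpoint, proc, dest), total in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{endpoint}: {proc} -> {dest} ({total} bytes out)")
```

The legitimate sync clients (OneDrive.exe, Dropbox.exe) in the sample are deliberately not flagged; the signal is the combination of an unusual client process and a cloud-storage destination, not the destination on its own.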
New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems
A previously undocumented command-and-control (C2) framework is likely being used in the wild to target Windows, macOS, and Linux systems. Dubbed Alchimist, it has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands. Written in Go, Alchimist is complemented by a beacon implant called Insekt, which comes with remote access features that can be instrumented by the C2 server.
This discovery is similar to a self-contained framework identified three months ago. Known as Manjusaka, it has been dubbed the Chinese sibling of Sliver and Cobalt Strike. Both Manjusaka and Alchimist pack in similar functionalities, despite differences in the implementation of their web interfaces. The Alchimist C2 panel further features the ability to generate PowerShell and wget code snippets for Windows and Linux, potentially allowing an attacker to flesh out their infection chains to distribute the Insekt RAT payload. The instructions could then be embedded in a maldoc attached to a phishing email that, when opened, downloads and launches the backdoor on the compromised machine. The trojan, for its part, is equipped with features typically present in backdoors of this kind, enabling the malware to get system information, capture screenshots, run arbitrary commands, and download remote files, among others.
What’s more, the Linux version of Insekt is capable of listing the contents of the “.ssh” directory and even adding new SSH keys to the “~/.ssh/authorized_keys” file to facilitate remote access over SSH. A Mach-O dropper was also uncovered that exploits the PwnKit vulnerability (CVE-2021-4034) to achieve privilege escalation. The overlapping functions of Manjusaka and Alchimist point to an uptick in the use of all-inclusive C2 frameworks that can be used for remote administration and command-and-control.
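An implant that appends to authorized_keys leaves a durable, easily audited artefact. The following added example (not from the original article or from any vendor) parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports any key not in an approved baseline. The file contents and the baseline are constructed; the key blobs are arbitrary bytes rather than real keys, which is sufficient because the fingerprint is simply SHA256 over the decoded blob.

```python
"""Audit an authorized_keys file against a baseline of approved fingerprints.

Added example, not from the original article. Sample file and baseline are
constructed; blobs are not real keys.
"""
import base64
import hashlib
import shlex

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (options, keytype, blob, comment) per key line.

    Lines may start with an options field such as command="...",no-pty;
    shlex keeps quoted option values together so the key type is found by
    prefix rather than by position.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            yield ("", "", "", raw)  # malformed: no key type / blob
            continue
        yield (" ".join(parts[:idx]), parts[idx], parts[idx + 1], " ".join(parts[idx + 2:]))


def audit(text, approved):
    """Return findings as (kind, fingerprint_or_line, comment); empty list means clean."""
    findings = []
    for options, keytype, blob, comment in parse_authorized_keys(text):
        if not keytype:
            findings.append(("malformed", comment, ""))
            continue
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(("malformed", blob, comment))
            continue
        if fp not in approved:
            findings.append(("unapproved", fp, comment))
    return findings


# Constructed sample blobs (labelled as such): arbitrary bytes, not real keys.
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
KEY_C = base64.b64encode(b"constructed key blob C").decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# managed by config management (constructed sample)
ssh-ed25519 {KEY_A} alice@laptop
ssh-ed25519 {KEY_B} backup
command="/usr/bin/rsync --server",no-pty ssh-rsa {KEY_C} deploy
"""

# Baseline: only Alice's key is approved.
APPROVED = {fingerprint(KEY_A)}

if __name__ == "__main__":
    for kind, value, comment in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print(f"{kind}: {value} ({comment})")
```

Comparing fingerprints rather than raw lines means a re-encoded or re-commented copy of an approved key is still recognised, while any key the baseline does not know about is surfaced regardless of what comment it carries.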
Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization
For the first time in six years the advanced persistent threat (APT) actor known as Budworm has resurfaced to target an unnamed U.S. state legislature. Budworm, also called APT27, Bronze Union, Emissary Panda, Lucky Mouse, and Red Phoenix, is believed to be a China state-sponsored threat actor. Their attacks leverage a mix of custom and openly available tools to exfiltrate information of interest. HyperBro, a prominent backdoor attributed to the operation, has been in use since at least 2013 and is in continuous development. Its other tools include PlugX, SysUpdate, and the China Chopper web shell. The latest set of attacks is no different, with the threat actor leveraging Log4Shell flaws to compromise servers and install web shells, ultimately paving the way for the deployment of HyperBro, PlugX, Cobalt Strike, and credential dumping software.
This is the second time in recent weeks that Budworm has been linked to an attack on the US. Earlier this month, the U.S. government revealed that multiple nation-state hacking groups breached a defense sector organization using ProxyLogon flaws in Microsoft Exchange Server to drop China Chopper and HyperBro.
Hackers Using Vishing to Trick Victims into Installing Android Banking Malware
Voice phishing (vishing) tactics are being utilized by threat actors to dupe victims into installing Android malware on their devices. A network of phishing websites targeting Italian online-banking users has been identified and is designed to get hold of their contact details. Telephone-oriented attack delivery (TOAD) involves calling the victims using previously collected information from the fraudulent websites. The caller purports to be a support agent for the bank and instructs the individual to install a security app and grant it extensive permissions. In reality, the malicious software is intended to gain remote access or conduct financial fraud.
The Android malware being used in this case is known as Copybara, a mobile trojan first detected in November 2021. It is primarily used to perform on-device fraud via overlay attacks targeting Italian users. Copybara has also been confused with another malware family known as BRATA. The RAT capabilities of Copybara are powered by abusing the operating system’s accessibility services API to gather sensitive information and even uninstall the downloader app to reduce its forensic footprint. The infrastructure utilized by the attacker then delivers a second malware named SMS Spy. This enables the adversary to gain access to all incoming SMS messages and intercept one-time passwords (OTPs) sent by banks.
This is not the first time TOAD tactics are being employed to orchestrate banking malware campaigns. Last month, a similar attack was aimed at customers of Axis Bank, an India-based bank, in a bid to install an info-stealer that impersonates a credit card rewards app.
Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys
A vulnerability in Siemens Simatic programmable logic controller (PLC) can be exploited to retrieve the hard-coded, global private cryptographic keys and seize control of the devices. These keys can then be abused by an attacker to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal while bypassing all four of its access level protections.
The critical vulnerability, assigned the identifier CVE-2022-38465, is rated 9.3 on the CVSS scoring scale and has been addressed by Siemens as part of security updates issued on October 11, 2022.
CVE-2022-38465 mirrors another severe shortcoming identified in Rockwell Automation PLCs (CVE-2021-22681) last year, which could have enabled an adversary to remotely connect to the controller, upload malicious code, download information from the PLC, or install new firmware. As a means of mitigation, Siemens is recommending customers use legacy PG/PC and HMI communications only in trusted network environments and secure access to TIA Portal and CPU to prevent unauthorized connections. They have also encrypted the communications between engineering stations, PLCs and HMI panels with Transport Layer Security (TLS) in TIA Portal version 17, while warning that the “likelihood of malicious actors misusing the global private key is increasing.”
This most recent issue is the latest in a series of PLC flaws discovered. In April 2022, the company disclosed two vulnerabilities in Rockwell Automation PLCs (CVE-2022-1159 and CVE-2022-1161) that could be exploited to modify user programs and download malicious code to the controller.
BazarCall Call Back Phishing Attacks Constantly Evolving Their Social Engineering Tactics
The BazarCall call back phishing attackers are constantly evolving their tactics to deploy malware on targeted networks. Once a successful entry has been made, the operation conducts financial fraud or facilitates the delivery of next-stage payloads such as ransomware. Primary targets of the latest attack waves include the U.S., Canada, China, India, Japan, Taiwan, the Philippines, and the U.K.
The group first came to prominence in 2020 due to its novel approach of distributing the BazarBackdoor (aka BazarLoader) malware by manipulating potential victims into calling a phone number specified in decoy email messages. The emails create a false sense of urgency by informing recipients about the renewal of a trial subscription for, say, an antivirus service, and urging them to contact a support desk to cancel the plan or risk being automatically charged for the premium version of the software. The ultimate goal of the attacks is to enable remote access to the endpoint, paving the way for follow-on activities.
Similar attacks have involved PayPal-themed campaigns that deceive the caller into thinking their accounts were accessed from other devices spread across the world. Regardless of the scenario employed, the victim is prompted to launch a specific URL designed to download and execute a malicious executable that, among other files, also drops the legitimate ScreenConnect remote desktop software. If successful, this is followed by the attacker opening fake cancellation forms that ask the victims to fill out personal details and sign in to their bank accounts to complete the refund. The development comes as at least three different spinoff groups from the Conti ransomware cartel have embraced the call back phishing technique as an initial intrusion vector to breach enterprise networks.
Meet Caffeine: A New PhaaS Campaign
A new, readily available Phishing-as-a-Service (PhaaS) campaign has recently been identified. Dubbed “Caffeine”, the platform has an intuitive interface and comes at a relatively low cost. It features an open registration process, allowing anyone to jump in and start their own phishing campaigns. PhaaS platforms usually communicate with potential hackers through underground forums and encrypted messaging services, or even look for an endorsement or referral before accepting a new user. The features Caffeine provides include self-service mechanisms to create customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity.
Right now, the templates only target Microsoft Office 365 login pages, via the theft of login credentials. Through a Microsoft 365 hack, a malicious actor can access all kinds of data, from private communications to images and videos, to sensitive documents.
Caffeine is fully subscription-based and does not support perpetual use licenses. The base subscription costs $250 a month (compared to the average PhaaS platform costing from $50-$80), depending on the features. Anti-detection, anti-analysis systems, and customer support services are included. Mitigation against “Caffeine” and other PhaaS platforms is best achieved through Multi-Factor Authentication (MFA), by actively engaging your employees through educational campaigns and implementing phishing defense capabilities such as our NoPhish service.
Phishing remains a very common attack method for threat actors. The emergence of the Caffeine platform further highlights that the tools required for even a low-level attacker are cheap to acquire, simple to use, and readily available.
Mystery iPhone update patches against iOS 16 mail crash-attack
A one-bug security patch for iOS 16 has been released by Apple, taking the version number to iOS 16.0.3, and fixing a vulnerability specific to Mail. One-bug security bulletins from Apple often seem to arrive when there’s a clear and present danger such as a jailbreakable zero-day exploit or exploit sequence. We saw this in the recent emergency double zero-day fix in August 2022 that patched against a two-barrelled attack consisting of a remote code execution hole in WebKit (a way in) followed by a local code execution hole in the kernel itself (a way to take over completely).
Those bugs were officially listed as being under active abuse, presumably for implanting malware that could keep tabs on everything you did, such as snooping your data, taking secret screenshots, listening in to phone calls, and snapping images with your camera. This bug report explicitly refers to a crash due to “processing a maliciously crafted email message”. This suggests the app may keep crashing every time it restarts, as it tries to handle the messages it didn’t manage to deal with last time. This time there’s no mention that the bug patched in the update to iOS 16.0.3 was reported by anyone outside Apple or that the bug might already be known to attackers, but Apple has released a security bulletin about it nonetheless.
US airports’ sites taken down in DDoS attacks by pro-Russian hackers
The websites of several major airports in the U.S. have been victims of large-scale distributed denial-of-service (DDoS) attacks linked to the pro-Russian hacktivist group ‘KillNet’. The attacks have overwhelmed the servers of these sites with garbage requests. This has made it impossible for travellers to connect and get updates about their scheduled flights or book services.
The Hartsfield-Jackson Atlanta International Airport (ATL), one of the country’s larger air traffic hubs, and the Los Angeles International Airport (LAX), are two of the high-profile websites affected. Other airports returning database connection errors include Chicago O’Hare International Airport (ORD), Orlando International Airport (MCO), Denver International Airport (DIA), Phoenix Sky Harbor International Airport (PHX), along with some in Kentucky, Mississippi, and Hawaii. KillNet listed the domains yesterday on its Telegram channel, where members and volunteers of the hacktivist group gather to acquire new targets. They are relying on custom software to generate fake requests and garbage traffic directed at the targets with the goal of depleting their resources and making them unavailable to legitimate users. These specific DDoS attacks have not directly impacted flights but do seriously threaten to disrupt or delay associated services.
KillNet has previously targeted countries that sided with Ukraine, like Romania and Italy, while its “sub-group” Legion struck key Norwegian and Lithuanian entities for similar reasons. Whilst the operation has predominantly focused on Europe, it appears to have expanded to the U.S. only last week, when the DDoS group attacked government websites in Colorado, Kentucky, and Mississippi with moderate success.
Toyota discloses data leak after access key exposed on GitHub
The personal information of customers of Toyota may have been exposed after an access key was publicly available on GitHub for almost five years. The automaker’s connectivity app, T-Connect, allows owners of Toyota cars to link their smartphone with the vehicle’s infotainment system for features such as phone calls, music, navigation, driving data, and more. A portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
This left the details of 296,019 customers potentially accessible between December 2017 and September 15, 2022, when access to the GitHub repository was restricted. On September 17, 2022, the database’s keys were changed, eliminating all potential access from unauthorized third parties, and Toyota announced that customer names, credit card data, and phone numbers had not been compromised as they weren’t stored in the exposed database.
Although no signs of data misappropriation have been identified, it cannot be ruled out that someone may have accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.
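The practical lesson of this incident is that a credential committed to a public repository has to be assumed compromised for as long as it was visible, and the cheapest control is catching it before the push. The following added example (not from the original article and not Toyota’s code) is a small pre-commit style scanner: a pattern match for credential-like assignments and the public AWS access-key-ID shape, with a Shannon-entropy filter so that obvious placeholders are not reported. The sample source text and all values in it are constructed.

```python
"""Scan source text for credential-like strings before it is pushed.

Added example, not from the original article or from Toyota. Patterns and the
sample source are constructed; the AKIA + 16 uppercase alphanumerics shape is
the publicly documented AWS access-key-ID format, the other pattern is generic.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # key/secret/token/password assigned a quoted literal of 16+ characters
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}


def shannon_entropy(s):
    """Bits per character; ~4.7 for random alphanumerics, <3 for repetitive text."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def scan(text, min_entropy=3.5):
    """Return [(line_no, pattern_name, matched_value)] for likely secrets.

    Generic matches below min_entropy are dropped: placeholders such as
    'changeme-changeme-changeme' have low entropy, real secrets do not.
    The AWS pattern is structural, so it is reported regardless of entropy.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1)
                if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((lineno, name, value))
    return findings


# Constructed sample source file (not from any real repository).
SAMPLE_SOURCE = '''\
# config.py (constructed sample)
DB_HOST = "db.internal.example"
API_KEY = "changeme-changeme-changeme"
STORAGE_TOKEN = "q7Vx9pL2mN4kR8sT1wZ5yB3cD6fG0hJ"
AWS_KEY = "AKIAEXAMPLEKEY000001"
'''

if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {value[:6]}...")  # never echo the full secret
```

The scanner only narrows the search; a rotated key is still the correct response to any hit, exactly as Toyota did here, because a secret that reached a commit may already be in a clone even if it never reached a public remote.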
Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library
Tracked as CVE-2022-36067, the vulnerability is a critical-severity defect in vm2 with a CVSS score of 10. This should put vm2 users on alert, due to its potential widespread impact.
The root cause of the vulnerability, named SandBreak, resides in the way vm2 maintainers implemented a Node.js feature that allows them to customize the call stack of errors in the software testing framework. When an error occurs, Node.js calls a specific method and provides it with an array of ‘CallSite’ objects as arguments. Some of the CallSite objects may then return objects created outside the sandbox. An attacker controlling one of the returned objects could access Node’s global objects and execute arbitrary system commands from there.
To mitigate the risk, the vm2 implementation wrapped objects and the called method (the prepareStackTrace function of the Error object) in a manner that prevented users from overriding it. However, because they did not wrap all specific methods, an attacker could provide their own implementation of the prepareStackTrace method and escape the sandbox. The SandBreak vulnerability was addressed with the release of vm2 version 3.9.11 on August 28, but technical details on the bug have not been provided until now.
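Because vm2 is typically pulled in transitively, the first defensive step is to find every installed copy, not just the one declared in package.json, and compare it with the fixed release 3.9.11 named above. The following added example (not from the original article or from the vm2 project) walks an npm lockfile in both its modern “packages” layout and the older nested “dependencies” layout and reports any vm2 below the fix. The lockfile JSON is a constructed sample.

```python
"""Find vm2 installs below the SandBreak fix (3.9.11) in an npm lockfile.

Added example, not from the original article or from vm2. The lockfile below
is constructed; the fixed version number comes from the article.
"""
import json
import re

FIXED_VERSION = "3.9.11"


def parse_version(v):
    """'MAJOR.MINOR.PATCH[-prerelease]' -> (int, int, int); prerelease tags ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def vm2_installs(lock):
    """Yield (path, version) for every installed vm2 copy.

    lockfileVersion 2/3 list every install under 'packages' with keys such as
    node_modules/some-plugin/node_modules/vm2; lockfileVersion 1 nests them
    under 'dependencies'. Only one layout is walked to avoid double-reporting.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "node_modules/vm2" or path.endswith("/node_modules/vm2"):
                yield path, meta["version"]
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "vm2":
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def vulnerable_vm2(lock, fixed=FIXED_VERSION):
    """Return [(path, version)] for installs older than the fixed release."""
    floor = parse_version(fixed)
    return [(p, v) for p, v in vm2_installs(lock) if parse_version(v) < floor]


# Constructed sample: the top-level vm2 is patched, but a plugin pins an older copy.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"vm2": "^3.9.11", "some-plugin": "1.0.0"}},
    "node_modules/vm2": {"version": "3.9.11"},
    "node_modules/some-plugin": {"version": "1.0.0"},
    "node_modules/some-plugin/node_modules/vm2": {"version": "3.9.10"}
  }
}""")

if __name__ == "__main__":
    for path, version in vulnerable_vm2(SAMPLE_LOCK):
        print(f"{path}: vm2 {version} < {FIXED_VERSION}")
```

The nested copy in the sample is the case that a glance at package.json misses: the application’s own dependency is already at 3.9.11, while a plugin still ships 3.9.10 and would be the one actually loaded by that plugin’s code.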