Thursday, May 25th, 2023
Cybersecurity Week in Review (26/05/2023)
Cyber Attacks Strike Ukraine’s State Bodies in Espionage Operation
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign.
The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown.
In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It’s suspected that the messages were sent from a previously compromised mailbox.
The emails come attached with a Microsoft Word document that, upon enabling macros, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware. This includes a keylogger (LOGPIE), a Python-based backdoor capable of running commands sent from a remote server (CHERRYSPY), and a tool focused on exfiltrating files with specific extensions (STILLARCH or DownEx). It’s worth noting that DownEx was recently documented as being used by an unknown actor in highly targeted attacks aimed at government entities in Kazakhstan and Afghanistan.
“Additional study of the infrastructure and related files made it possible to conclude that among the objects of interest of the group are organisations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, [and] India,” CERT-UA said.
The findings show that some threat actors are still employing macro-based malware despite Microsoft disabling the feature by default in Office files downloaded from the web.
That said, Microsoft’s restrictions have led several attack groups to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling.
Legion Malware Expands Scope to Target AWS CloudWatch Monitoring Tool
Legion, a malware first reported on in April targeting 19 separate cloud services, has widened its scope to include the ability to compromise SSH servers and retrieve additional Amazon Web Services-specific credentials from Laravel web applications.
Legion is said to target misconfigured PHP web applications and attempt to exfiltrate credentials for cloud services. Legion has especially targeted AWS credentials in AWS CloudWatch, a monitoring and management service for AWS.
If the attackers are successful, then depending on the permissions granted to the entity to which the exfiltrated credentials are attached, they could gain unauthorised access to AWS services and the AWS console. This could result in data theft, the account being used to deploy additional resources, or the account’s resources being used in mass spamming campaigns.
Based on the Telegram distribution, it is believed this malware was developed by an individual in Indonesia. The malware has been developed with the intention to sell it to other attackers with a desire to exploit cloud services for spamming purposes.
Legion’s latest updates, especially its targeting of AWS CloudWatch, represent a concerning evolution in the capabilities of this hacking tool. The development signifies a broadening of the cybercriminal’s scope: leveraging misconfigured web servers to steal credentials and expanding their reach to manipulate cloud services.
AWS CloudWatch operates as a monitoring service for cloud resources and applications. If hackers gain unauthorised access to it, they can interfere with operational insights, potentially leading to significant disruptions or even breaches.
The shift towards exploiting cloud services is particularly alarming, considering the rapid growth of businesses relying on cloud technologies for their operations. Unauthorised access to an organisation’s AWS CloudWatch could lead to disruption of services, theft of sensitive data, and a compromise of the overall security posture resulting in financial loss, damaged reputation, and regulatory penalties.
N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware
The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings detail the advanced persistent threat’s (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads.
The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL.
DLL side-loading, similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory.
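The side-loading pattern described above (a system-named DLL such as msvcr100.dll placed beside a benign executable and loaded by it, with the IIS worker process w3wp.exe as the parent) leaves a recognisable trace in image-load telemetry. The following detection script is an added example written for this review; it is not code from ASEC or from any tool named on the page. It assumes Sysmon-style image-load events flattened into dictionaries with the fields shown, and the two sample events are constructed for illustration. The allow-list of DLL names and the suspicious-parent list are assumptions to be tuned for a given estate.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example).

Assumes Sysmon Event ID 7 style records with Image, ParentImage,
ImageLoaded and Signed fields. Sample events below are constructed.
"""

# DLL base names that Windows normally serves from System32/SysWOW64/WinSxS.
# A copy loaded from an application directory is the classic side-loading
# signature. Assumed allow-list; extend it for your environment.
EXPECTED_SYSTEM_DLLS = {"msvcr100.dll", "msvcp100.dll", "version.dll"}
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
# Parents that should not be launching user applications on a web server.
SUSPICIOUS_PARENTS = {"w3wp.exe"}


def normalise(path: str) -> str:
    """Lower-case and use backslashes so comparisons are path-style agnostic."""
    return path.replace("/", "\\").lower()


def is_sideload_candidate(event: dict) -> list:
    """Return the reasons an image-load event looks like DLL side-loading."""
    reasons = []
    image = normalise(event["ImageLoaded"])
    dll_name = image.rsplit("\\", 1)[-1]
    dll_dir = image[: -len(dll_name)]
    proc = normalise(event["Image"])
    proc_dir = proc.rsplit("\\", 1)[0] + "\\"
    parent_name = normalise(event.get("ParentImage", "")).rsplit("\\", 1)[-1]

    if dll_name in EXPECTED_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL {dll_name} loaded from non-system directory {dll_dir}")
    if dll_name in EXPECTED_SYSTEM_DLLS and dll_dir == proc_dir:
        reasons.append("DLL sits beside the loading executable (search-order hit)")
    if parent_name in SUSPICIOUS_PARENTS:
        reasons.append(f"loader was spawned by {parent_name}")
    if str(event.get("Signed", "true")).lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return reasons


def scan(events) -> list:
    """Return (process image, reasons) for every event that raised a reason."""
    findings = []
    for ev in events:
        reasons = is_sideload_candidate(ev)
        if reasons:
            findings.append((ev["Image"], reasons))
    return findings


# Constructed sample telemetry: a benign CRT load and the pattern from the report.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Program Files\Example\app.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\msvcr100.dll",
        "Signed": "true",
    },
    {
        "Image": r"C:\inetpub\temp\Wordconv.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ImageLoaded": r"C:\inetpub\temp\msvcr100.dll",
        "Signed": "false",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Each reason on its own is noisy (software legitimately ships its own CRT copies), which is why the function returns the full list: a rule that alerts when a non-system location, a co-located executable and an IIS parent all coincide is far more specific than any single condition.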
Lazarus, a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same technique in connection with the cascading supply chain attack on enterprise communications service provider 3CX.
The malicious msvcr100.dll library, for its part, is designed to decrypt an encoded payload that’s then executed in memory. The malware is said to be a variant of a similar artifact that was discovered by ASEC last year and which acted as a backdoor to communicate with an actor-controlled server.
The attack chain further entailed the exploitation of a discontinued open source Notepad++ plugin called Quick Color Picker to deliver additional malware in order to facilitate credential theft and lateral movement.
The latest development demonstrates the diversity of Lazarus attacks and its ability to employ an extensive set of tools against victims to carry out long-term espionage operations.
The findings also come as the U.S. Treasury Department sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes that aim to support North Korea’s strategic priorities. This includes the Pyongyang University of Automation, the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, Chinyong Information Technology Cooperation Company, and a North Korean national named Kim Sang Man.
Chinese Hackers Breach US Critical Infrastructure in Stealthy Attacks
Microsoft says a Chinese cyberespionage group it tracks as Volt Typhoon has been targeting critical infrastructure organisations across the United States, including Guam, an island hosting multiple military bases, since at least mid-2021.
Their targets and breached entities span a wide range of critical sectors, including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. After breaching the targets’ networks, they launch what Microsoft describes as “living-off-the-land” attacks with hands-on-keyboard activity and living-off-the-land binaries (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC).
However, they were also seen using open-source tools like Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework, according to a joint advisory published today by the FBI, NSA, CISA, and Five Eyes partner cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada.
To ensure that their malicious activity blends with legitimate network traffic to evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances.
Leveraging the privileged access obtained after compromising the Fortinet devices allows the state hackers to dump credentials through the Local Security Authority Subsystem Service (LSASS). The stolen credentials allow them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.
In line with its standard procedures for addressing nation-state actor activity, Microsoft says it proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.
Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry
At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack.
The attacks are being attributed with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456.
Tortoiseshell is known to be active since at least July 2018, with early attacks targeting IT providers in Saudi Arabia. It has also been observed setting up fake hiring websites for U.S. military veterans in a bid to trick them into downloading remote access trojans. That said, this is not the first time Iranian activity clusters have set their sights on the Israeli shipping sector with watering holes.
The attack method, also called strategic website compromises, works by infecting a website that’s known to be commonly visited by a group of users or those within a specific industry to enable the distribution of malware.
In August 2022, an emerging Iranian actor named UNC3890 was attributed to a watering hole hosted on a login page of a legitimate Israeli shipping company that’s designed to transmit preliminary data about the logged-in user to an attacker-controlled domain.
The development comes as Israel continues to be the most prominent target for Iranian state-sponsored crews. Microsoft, earlier this month, highlighted their new approach of combining “offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime’s objectives.”
Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
A credential phishing campaign using the legitimate SuperMailer newsletter distribution app has doubled in size each month since January 2023.
The campaign was discovered courtesy of a unique string included by SuperMailer in an embedded URL within the phishing email. This string is only visible to the email recipient by hovering the cursor over the link – but it shouldn’t have been there. It is the result of a coding error made by the threat actor, but its presence links multiple different phishes to the same campaign.
The volume of phishing emails containing this error continuously increased until, by May 2023, they accounted for 5% of all phishing emails discovered. By May 15, 2023, a colossal 14% of all phishing emails found since January were part of the same SuperMailer campaign.
The techniques used in this campaign are not new, but the combination is proving successful in getting through technological phishing defences. These include open redirects, varied senders, URL randomisation, and reply chains appended to some of the emails, which may make them more likely to pass SEG evaluation or appear legitimate to recipients. Although open redirects are discouraged, they can still be found on even high-profile sites – this campaign, for example, used one found on YouTube.
The combination of these techniques with the customisation and mass-mailing capabilities of SuperMailer has enabled the phishing emails to reach inboxes protected by a variety of secure email gateways including Proofpoint, Microsoft ATP, Cisco Ironport, Mimecast, Fortinet, and TrendMicro.
The social engineering element of the emails is the tried and tested – and still evidently successful – request for password details.
For now, even large phishing campaigns are still achieved without using the evolving capabilities of artificial intelligence (AI) such as that demonstrated first by ChatGPT. This is probably just a cost/return judgment by the attackers.
The ’wide net’ cast in this campaign is reaching users in sectors including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, technology, transportation, and utilities.
The question posed by this campaign, which uses known technology and old social engineering, is how we can detect and prevent phishing.
The bottom line is that it is a cost/return issue for the attackers. For phishing campaigns such as this, a combination of technology and awareness training may eventually tilt the cost/return in favour of the defenders.
GoldenJackal state hackers silently attacking govts since 2019
A relatively unknown advanced persistent threat (APT) group named ‘GoldenJackal’ has been targeting government and diplomatic entities in Asia since 2019 for espionage.
The threat actors have maintained a low profile for stealthiness, carefully selecting their victims and keeping the number of attacks at a minimum to reduce the likelihood of exposure. Tracked since 2020, ‘GoldenJackal’ has had notable activity in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.
The infection vectors of the APT are unknown. However, researchers have observed signs of phishing operations with malicious documents that employ the remote template injection technique to exploit the Microsoft Office Follina vulnerability. Additionally, a case of trojanised ‘Skype for Business’ installers has been seen that drop a trojan alongside a legitimate copy of the software.
Although code and TTPs (tactics, techniques, and procedures) with similarities to Turla have been identified, researchers track GoldenJackal as a separate activity cluster. GoldenJackal employs a set of custom .NET malware tools that provide various functions, including credential dumping, data stealing, malware loading, lateral movement, file exfiltration, and more.
The primary payload used first to infect a system is ‘JackalControl,’ which gives the attackers remote control over the infected computer. The malware can be run as a program or a Windows service and can establish persistence by adding Registry keys, Windows scheduled tasks, or Windows services. It receives encoded commands from the C2 server via HTTP POST requests, which concern the execution of arbitrary programs, exfiltration of files, or fetching additional payloads from the C2.
The second tool used by the hackers is ‘JackalSteal,’ an implant devoted to data exfiltration from all logical drives on the compromised computer, including remote shares and even newly connected USB drives. The attackers can execute the stealer with arguments determining the targeted file types, paths, sizes, when files were last used, and exclude specific paths that security tools might monitor. All files matching the set parameters are encrypted using AES, RSA, or DES, then compressed with GZIP, and eventually transmitted to the C2 server.
The third tool in GoldenJackal’s arsenal is ‘JackalWorm,’ which infects USB drives to spread to other, potentially valuable computers. It will create a copy of itself on the drive root using the same name as an existing directory and change that directory’s attribute to “hidden.” This results in the actual directory being hidden and apparently replaced by a copy of the malware bearing the directory’s name.
To obfuscate its nature and trick the victim into executing it, ‘JackalWorm’ uses a Windows directory icon on the removable drive. If the victim opens it, the worm will infect the host system, establish persistence by creating a scheduled task, and then wipe its copy from the USB drive.
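The folder-masquerading trick described above (a real directory marked hidden, with an executable of the same name carrying a folder icon beside it) can be checked for without any knowledge of the worm’s code, because the pairing itself is the tell. The script below is an added example for this review, not code from the researchers who documented GoldenJackal. It reads the hidden attribute from st_file_attributes, which Python exposes only on Windows; on other platforms it treats a leading dot as hidden so the helper still runs. The executable-suffix list and the sample drive listing are constructed assumptions.

```python
"""Detect hidden-directory / same-named-executable pairs on removable media.

Added example. find_masquerading_pairs() works on a list of Entry objects;
list_drive_root() builds that list from a real path. SAMPLE_LISTING is a
constructed USB root used for the demonstration.
"""
import os
import stat
from dataclasses import dataclass

# Suffixes Windows will execute on double-click. Assumed list; extend as needed.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def list_drive_root(path: str) -> list:
    """Build Entry objects for the top level of a drive.

    The hidden flag comes from st_file_attributes (Windows only); elsewhere
    a leading dot stands in for it so the function remains usable.
    """
    entries = []
    with os.scandir(path) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or e.name.startswith(".")
            entries.append(Entry(e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries


def find_masquerading_pairs(entries) -> list:
    """Return sorted (directory, executable) pairs where a hidden directory
    has an executable of the same base name next to it."""
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    pairs = []
    for e in entries:
        if e.is_dir:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_SUFFIXES and base.lower() in hidden_dirs:
            pairs.append((hidden_dirs[base.lower()], e.name))
    return sorted(pairs)


# Constructed listing of a USB root: a legitimately hidden system folder,
# one masqueraded folder, an ordinary folder and an ordinary file.
SAMPLE_LISTING = [
    Entry("System Volume Information", True, True),
    Entry("Photos", True, True),
    Entry("Photos.exe", False, False),
    Entry("Reports", True, False),
    Entry("notes.txt", False, False),
]

if __name__ == "__main__":
    for directory, exe in find_masquerading_pairs(SAMPLE_LISTING):
        print(f"hidden directory {directory!r} is shadowed by executable {exe!r}")
```

The check deliberately ignores hidden directories that have no executable twin (System Volume Information is hidden on every Windows-formatted drive), so a hit means the two halves of the lure are both present rather than merely an unusual attribute.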
The fourth tool used by the GoldenJackal APT is ‘JackalPerInfo,’ a basic system information collector with the additional capabilities of identifying and exfiltrating browsing history and credentials stored in web browsers. Acting like a typical info-stealer, JackalPerInfo can also exfiltrate files from the Desktop, Documents, Downloads, and AppData\Roaming\Microsoft\Windows\Recent directories.
The fifth and final malware tool present is the ‘JackalScreenWatcher,’ which is used for snapping screenshots on the infected device. The operators can specify the resolution and image-capturing time intervals, and the tool will send the media to the C2 via HTTP POST requests in the form of encrypted payloads.
Although few things are known about the APT’s operational tactics, the diversity in the observed infection chains combined with highly capable malware tools leaves no doubt that this is a sophisticated threat actor.
Meta hit with record $1.3 billion EU fine over data privacy
Meta, the parent company of Facebook, has been fined a record-breaking €1.2 billion ($1.3 billion) by European Union (EU) regulators for violating EU privacy laws. The fine was imposed because Meta transferred the personal data of Facebook users to servers located in the United States, which is deemed to contravene Europe’s data privacy law, known as the General Data Protection Regulation (GDPR). This decision follows an investigation by the Irish Data Protection Commission, which is responsible for overseeing Meta’s operations in Europe.
The European Data Protection Board, in its statement, emphasised that Meta’s infringement was significant due to the systematic, repetitive, and continuous nature of the data transfers. Given Facebook’s extensive user base in Europe, the volume of personal data transferred was massive, thus warranting the unprecedented fine. The previous highest fine under GDPR was €746 million ($805.7 million) imposed on Amazon in 2021. Additionally, Meta has been instructed to cease processing the personal data of European users in the United States within six months.
Meta, which also owns WhatsApp and Instagram, plans to appeal the ruling and the accompanying fine. The company attributes the issue to a “conflict of law” between US regulations on data access and the privacy rights of Europeans. They argue that policymakers in the EU and the US are working towards resolving this conflict through a new transatlantic Data Privacy Framework. This framework aims to address concerns raised by the European Court of Justice’s decision to invalidate the previous transatlantic legal framework, Privacy Shield, due to worries about potential US government surveillance of European citizens.
Negotiations for a successor agreement to Privacy Shield have been ongoing since last year, and the absence of a replacement poses a threat to numerous businesses reliant on the ability to transfer EU user data to other jurisdictions. Meta’s president of global affairs and chief legal officer criticised the European Data Protection Board’s decision, claiming it disregarded the progress made by policymakers in resolving the underlying conflict and set a dangerous precedent affecting other companies transferring data between the EU and the US.
Prior to this ruling, the Irish Data Protection Commission had already issued nearly $1 billion in fines to Meta for alleged GDPR violations. However, in this particular case, the Commission did not support imposing fines on Meta, considering it disproportionate. Nevertheless, the Commission had to base its final decision on the European Data Protection Board’s ruling.
Ireland faces a delicate balancing act between maintaining strong ties with major US tech companies and aligning with the EU’s rigorous approach to tech regulation. The country hosts the European headquarters of Apple, Meta, Twitter, and Google, which have contributed significantly to Ireland’s economy. The country’s low corporate tax rate has been a key factor in attracting these companies. However, Ireland has also faced scrutiny, including a previous European Commission ruling demanding that Apple pay €13 billion ($14.9 billion) in taxes, a decision that was later overturned on appeal.
Overall, Meta’s record-breaking fine highlights the ongoing challenges and uncertainties surrounding the lawful transfer of EU user data to international servers and the broader complexities of data privacy regulations in the digital age.
Business Email Compromise – CEO Impersonation
A newly identified criminal group has been engaging in a significant number of scams targeting businesses through business email compromise (BEC). Since February 2021, the gang has conducted approximately 350 BEC campaigns against various companies. All the attacks conducted by this group follow a similar and successful pattern. The primary strategy employed in these attacks is based on the pretext that the targeted employee’s company is involved in a confidential merger or acquisition of another company. The employee is then requested to assist with an initial payment required for the merger. The attacks consist of two stages, with each stage involving a different persona. One persona is an internal figure, typically the CEO, while the other persona is an external party, usually an attorney specialising in mergers and acquisitions. While most BEC scams typically target members of a company’s finance or accounting team, this group specifically goes after high-ranking corporate officials.
KeePass bug lets attackers extract the master password from memory
A vulnerability discovered last week in the open-source password manager KeePass Password Safe lets attackers extract the master password directly from the software’s memory.
In a blog posted on May 18, researchers said the vulnerability — CVE-2023-32784 — presents an exploitable loophole that compromises the primary key needed to unlock the user’s password database. KeePass posted that it plans to issue a patch by early June.
The new vulnerability was the second time this year researchers had posted information on significant vulnerabilities involving KeePass. The first was in January when an independent security researcher reported a flaw in the KeePass password manager.
The most recent vulnerability exists in versions prior to 2.54 of KeePass 2.x and exposes the risk of malicious actors recovering the clear text master password from various memory sources. The Vulcan Cyber researchers said these sources include KeePass process dumps, swap files, hibernation files, or even full-system RAM dumps.
The researcher who uncovered the flaw, known as “vdohney,” posted a proof-of-concept tool on GitHub. The tool effectively demonstrates the retrieval of the master password from KeePass’s memory, except for the first character. What’s important is that this exploit does not require code execution on the targeted system, and attackers can accomplish this even if the workspace becomes locked or KeePass is no longer active.
Password managers are a popular way to create and use unique complex passwords for every site or application without having to remember each and every one. With a password manager, the user only needs to remember the password for one application, rather than potentially dozens. Unfortunately, these password managers become very valuable to a threat actor if they can somehow find a flaw and exploit it.
While this new vulnerability in KeePass is a concern, it’s also heartening to see that a fix has already been made and planned for release soon. KeePass users would probably have been better served had the researcher privately disclosed this vulnerability to KeePass and waited for the fix before releasing the exploit code.