Ransomware/Malware Activity
Cookware Giant Meyer Discloses Data Breach Following Late 2021 Cyberattack
Meyer Corporation, a global cookware distributor headquartered in the United States, recently disclosed a data breach affecting its employees. Meyer sent a notification letter to potentially impacted employees early last week, stating that the breach stems from a cyberattack that occurred in late October 2021. An investigation Meyer began in early December revealed "potential unauthorized access" to sensitive personal information of Meyer employees and of employees of its subsidiaries (including Hestan Commercial Corporation, Hestan Smart Cooking, Hestan Vineyards, and Blue Mountain Enterprises, LLC). The exposed data types include full name, physical address, date of birth, gender, ethnicity, driver's license, passport, government identification number, Social Security number, immigration status, dependent information, permanent resident card, health insurance data, medical conditions, drug screening results, and COVID-19 vaccination cards. Meyer's letter does not name the group responsible for the October 2021 attack, but the Conti ransomware group published a post about Meyer Corporation on its leak site in early November 2021. That post contains only 2% of the allegedly exfiltrated data, as a single ZIP file, and Conti has released nothing further since November. CTIX analysts continue to monitor Conti's leak site for further Meyer Corporation updates and data dumps.
Phishing Campaign Targets UK's Largest Digital Banking Platform
Monzo, one of the most popular digital banking applications in the United Kingdom, has been targeted by phishing attacks since the start of 2022. Each attack begins with an SMS message whose call-to-action varies by victim; every variant urges the recipient to visit a phishing page that collects the user's email address and email account credentials, Monzo PIN, name, and phone number. That haul is already enough to compromise the victim's email and Monzo accounts, but the attackers go further by abusing a login method specific to Monzo. Once they control the victim's mailbox, they have Monzo send a "golden ticket" login link by email. This emailed link is normally used to access the account for the first time, before the user's credentials are created, so with it the attacker can log in to the Monzo account without entering credentials or completing two-factor authentication. Analysis of the phishing websites indicates that the landing pages were built with the Cazanova Morphine kit, one of the more advanced and professionally maintained phishing platforms sold on the dark web. DNS records for the infrastructure also revealed a second target, Revolut, a popular online payments service. Both domains were registered through Chinese registrars and resolved to Russian IP addresses, which complicates attribution. Users who believe they clicked one of these links are urged to reset their Monzo and email login details.
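The login property at the heart of this attack, as an added illustration (this is not Monzo's code and does not describe how Monzo's link is actually implemented): a minimal passwordless "magic link" service in Python. With require_known_device=False, anyone who can read the mailbox turns the emailed link into a session, which is the path the attackers used. With require_known_device=True the link is treated as one factor only, and a redemption from a device the account has never used becomes a pending approval that must be confirmed from an already-enrolled device. The class and method names, the ten-minute link lifetime, the device identifiers and the sample account are assumptions made for the example.

```python
"""Passwordless "magic link" login: why possession of the mailbox alone is a
full login factor, and one way to harden it.  Added example, not Monzo's code."""
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 600  # assumed lifetime of a login link for this example


def _digest(token: str) -> str:
    # Store only a hash of the token so a leaked server table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkLogin:
    """Issues one-time login tokens delivered by email and redeems them.

    require_known_device=False reproduces the weak property described above:
    whoever can read the mailbox can turn the emailed link into a session.
    require_known_device=True treats the link as a single factor: a redemption
    from a device the account has never used becomes a pending approval that
    an already-enrolled device must confirm.
    """

    def __init__(self, require_known_device: bool, clock=time.time):
        self.require_known_device = require_known_device
        self.clock = clock
        self._pending = {}    # token digest -> (email, expires_at)
        self._enrolled = {}   # email -> set of device ids
        self._approvals = {}  # approval id -> (email, device id awaiting approval)

    def enroll_device(self, email: str, device_id: str) -> None:
        self._enrolled.setdefault(email, set()).add(device_id)

    def request_link(self, email: str) -> str:
        """Create a token and 'send' it by email; returned here so the caller can
        play the mailbox.  Anyone can trigger this, which is what the attackers did."""
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (email, self.clock() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str, device_id: str):
        """Returns ('session', email), ('needs_approval', approval_id) or ('rejected', reason)."""
        entry = self._pending.pop(_digest(token), None)  # single use: gone after first attempt
        if entry is None:
            return ("rejected", "unknown or already used token")
        email, expires_at = entry
        if self.clock() > expires_at:
            return ("rejected", "expired")
        if self.require_known_device and device_id not in self._enrolled.get(email, set()):
            approval_id = secrets.token_urlsafe(16)
            self._approvals[approval_id] = (email, device_id)
            return ("needs_approval", approval_id)
        return ("session", email)

    def approve_from_enrolled_device(self, approval_id: str, approving_device: str):
        """Second factor for an unknown device: confirmation from a device already on the account."""
        entry = self._approvals.get(approval_id)
        if entry is None:
            return ("rejected", "no such approval")
        email, new_device = entry
        if approving_device not in self._enrolled.get(email, set()):
            return ("rejected", "approver is not an enrolled device")
        del self._approvals[approval_id]
        self.enroll_device(email, new_device)
        return ("session", email)


def scenario(require_known_device: bool) -> str:
    """Attacker controlling the victim's mailbox requests a link and redeems it
    from their own device.  Returns the outcome kind ('session' or 'needs_approval')."""
    svc = MagicLinkLogin(require_known_device)
    svc.enroll_device("victim@example.com", "victim-phone")  # constructed account
    token = svc.request_link("victim@example.com")           # attacker triggers the email
    # attacker reads the token out of the compromised mailbox and uses it elsewhere
    return svc.redeem(token, "attacker-laptop")[0]


if __name__ == "__main__":
    print("mailbox alone:", scenario(False))          # session
    print("known device required:", scenario(True))   # needs_approval
```

scenario(False) returns "session" and scenario(True) returns "needs_approval" for the mailbox-compromise case. Binding the link to the browser that requested it would not help here, because the attacker is the one requesting the link; the additional confirmation has to come from something the attacker does not hold, such as a device already enrolled on the account.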
Nation-State Activity
APT10 Campaign Extended Due to Misclassification of Attack
APT10 threat actors have been running a significant campaign against Taiwanese financial firms. APT10 is an espionage group affiliated with the Chinese government and responsible for campaigns worldwide, including Operation Cloud Hopper, in which the actors targeted managed service providers on a global scale. In this most recent campaign, which began in November, the actors went undetected for months because the attacks on financial companies were misclassified: analysts initially believed the attack vector was credential stuffing aimed at trading accounts, but it was later verified that APT10 had exploited a security software product used by the targeted firms, infected hosts with ASPXCSharp web shells, and then performed network reconnaissance with Impacket. The actors also deployed a version of Quasar RAT on compromised hosts for further collection, including keylogging, screen and camera capture, registry editing, and credential harvesting. CTIX analysts assess that Chinese espionage actors will continue to target Taiwanese infrastructure to gain leverage over the region, further escalating geopolitical tensions.
Spear-Phishing Campaign from Unknown Threat Actors Targets Professors
An unknown threat group is running a significant spear-phishing campaign against higher education institutions and their staff. The observed emails are sent to university professors and carry malicious attachments purporting to be documents related to North Korean paper requirements. Captured samples share a file naming pattern similar to "{Month} Monthly KIMA Paper_Requirements.doc"; KIMA is a well-known magazine published by the Korean Institute for Military Affairs covering the security, military, and defense industries. The attachments are macro-enabled Word documents; when the macros execute, they contact the actors' command-and-control (C2) servers, download further malicious code, and run it directly from memory. These scripts collect a wide range of information from the infected host: hostname, model, OS type, and owner information, as well as anti-malware configuration, recently opened Office documents, file listings, and hardware details. The collected data is then exfiltrated to the C2 server. CTIX will continue to monitor for any additional fallout from this campaign and update accordingly.
Vulnerabilities
WordPress Plugin Vulnerability Leaves More Than Three Million Instances of the Tool Susceptible to Attack
A critical vulnerability in the popular WordPress plugin UpdraftPlus has been identified and patched. UpdraftPlus is used by more than three million websites and lets administrators create, restore, and migrate backups of site files and the associated databases. The flaw, tracked as CVE-2022-0633, affects every release from version 1.16.7 (March 2019) through 1.22.2 and allows any logged-in user on a site running a vulnerable version, including a subscriber-level account, to download existing site backups that should be available only to privileged users such as site administrators and owners. The root cause is an insufficient permission check on the backup-download path, which verified only that the requester was logged in rather than that they were allowed to manage backups, combined with an AJAX heartbeat action that disclosed the backup identifier a download request needs. A downloaded backup can expose password hashes, user PII, and other extremely sensitive data, and in some cases enable a full site takeover. Wordfence, the WordPress security company that reported the flaw, stated that it could, in some cases, lead to a "site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database." In practice, that means an attacker who pulls the configuration file out of a backup obtains the database credentials, and if the database is reachable from the outside they can connect to it and reset the administrator's password hash, locking the legitimate administrators and engineers out of their own site. Researchers note that takeover is far less likely than data exposure, since it also requires the database to be externally accessible with those credentials. All UpdraftPlus administrators should upgrade to the latest stable version (1.22.3 or later; advisory linked below) immediately, and Ankura CTIX analysts will continue to monitor this matter and report on new WordPress vulnerabilities and patches.
Exploiting a Flaw in Apache's Cassandra Database Can Lead to Remote Code Execution
JFrog's Security Research team has identified a critical vulnerability in Apache Cassandra, the popular open-source distributed NoSQL database, that can be exploited to read or manipulate sensitive data and ultimately to execute arbitrary code (RCE) on the node. Cassandra lets users create user-defined functions (UDFs) to customize how the database processes data. The flaw, tracked as CVE-2021-44521, stems from UDFs written in JavaScript, which run on the Nashorn engine shipped with the Java Runtime Environment (JRE) and which can reach arbitrary Java classes. Nashorn cannot safely execute untrusted code on its own, so Cassandra wraps UDF execution in a sandbox. JFrog found that with a particular non-default combination of Cassandra configuration options (scripted UDFs enabled and execution of UDFs in separate threads disabled), a UDF runs outside the intended restrictions, and they were able to abuse Nashorn to escape the sandbox and execute arbitrary code. Because the proof-of-concept does not work against a default Cassandra configuration, the real-world impact is narrower than it could be, but given Cassandra's popularity many deployments will still be running the vulnerable settings. Apache has patched the flaw; JFrog recommends upgrading to one of the three fixed releases (3.0.26, 3.11.12, or 4.0.2) or, where that is not immediately possible, applying the manual mitigations in the JFrog writeup (disabling scripted UDFs or re-enabling the separate UDF execution thread). An attacker still needs a database account permitted to create functions, so restricting that privilege also reduces exposure.
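An added example (not JFrog's proof of concept or Apache's code) to check a deployment for the condition JFrog describes: a Python audit of the three UDF-related settings in cassandra.yaml and a check of a Cassandra version string against the fixed releases. The sample YAML snippets are constructed for the example, the minimal line parser reads only top-level key: value pairs, and the finding texts are this example's wording.

```python
"""Audit cassandra.yaml for the non-default setting combination that makes
CVE-2021-44521 exploitable, and check a version against the fixed releases.
Added example, not JFrog's or Apache's code."""
import re

# Shipped defaults for these keys in cassandra.yaml; a missing key means the default applies.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# First fixed release on each line covered by the advisory.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

_KV = re.compile(r"^([A-Za-z0-9_]+):\s*(.*?)\s*$")


def parse_flags(yaml_text: str) -> dict:
    """Minimal parse of top-level 'key: value' lines (no PyYAML dependency).
    Only the three UDF keys are interpreted; comments and other keys are ignored."""
    flags = dict(DEFAULTS)
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = _KV.match(line)
        if not m or m.group(1) not in DEFAULTS:
            continue
        value = m.group(2).strip().strip("'\"").lower()
        if value not in ("true", "false"):
            raise ValueError(f"{m.group(1)}: expected true/false, got {value!r}")
        flags[m.group(1)] = value == "true"
    return flags


def is_exploitable(flags: dict) -> bool:
    """The condition from the JFrog writeup: scripted (JavaScript) UDFs enabled
    while UDFs run in the Cassandra daemon thread instead of the separate,
    restricted UDF thread (enable_user_defined_functions_threads: false)."""
    return (flags["enable_user_defined_functions"]
            and flags["enable_scripted_user_defined_functions"]
            and not flags["enable_user_defined_functions_threads"])


def audit(yaml_text: str) -> dict:
    flags = parse_flags(yaml_text)
    findings = []
    if is_exploitable(flags):
        findings.append("scripted UDFs run outside the separate UDF thread: "
                        "CVE-2021-44521 reachable by any user allowed to CREATE FUNCTION")
        findings.append("mitigation: set enable_user_defined_functions_threads: true, "
                        "or set enable_scripted_user_defined_functions: false")
    elif flags["enable_scripted_user_defined_functions"]:
        findings.append("scripted UDFs enabled; keep enable_user_defined_functions_threads: true "
                        "and restrict CREATE FUNCTION")
    return {"flags": flags, "exploitable": is_exploitable(flags), "findings": findings}


def version_is_fixed(version: str):
    """True/False for the 3.0, 3.11 and 4.0 lines; None for lines the advisory does not cover."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed


# Constructed sample configurations, not taken from any real deployment.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # non-default: removes the separate UDF thread
"""

HARDENED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true
"""

DEFAULT_YAML = "cluster_name: 'Test Cluster'\n"   # UDFs are off entirely by default

if __name__ == "__main__":
    for name, text in [("vulnerable", VULNERABLE_YAML), ("hardened", HARDENED_YAML), ("default", DEFAULT_YAML)]:
        result = audit(text)
        print(f"{name}: exploitable={result['exploitable']} findings={result['findings']}")
    print("3.11.11 fixed:", version_is_fixed("3.11.11"), "| 3.11.12 fixed:", version_is_fixed("3.11.12"))
```

The audit treats a missing key as the shipped default, so a stock cassandra.yaml is reported as not exploitable, and it flags the exact three-setting combination rather than scripted UDFs in general. Run it against the real cassandra.yaml of each node, and pair it with the version check: a patched release is safe regardless of these settings, while an unpatched one is only safe while the settings stay at their defaults.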
Honorable Mention
NFT Users Lose $2 Million in Phishing Attack
Non-Fungible Tokens (NFTs) are quickly becoming some of the most expensive collectibles on the market. They let investors buy and sell unique digital assets much as they would physical paintings. OpenSea, one of the most popular NFT marketplaces, is now dealing with the problems that come with trading high-value assets. Following OpenSea's migration to a new contract on February 17th, seventeen (17) users found their NFT wallets completely emptied. The attackers took advantage of OpenSea's migration announcement to phish users: they took the legitimate email OpenSea sent announcing the change and altered its hyperlinks to point to a phishing website. That site asked users to sign a transaction that closely resembled the legitimate example published on OpenSea's blog. By clicking "sign," the user unknowingly authorized the transfer of all of their NFTs to the attacker's wallet. Across the seventeen (17) affected users, more than 250 NFTs worth around $2 million were stolen. OpenSea itself was not breached; it is investigating the incident and exploring possible mitigations for this growing problem. Although this wave of attacks has stopped, users are encouraged to be cautious when clicking links in emails about their NFT accounts and to check what a wallet prompt asks them to sign before approving it.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence on recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.