
Ankura CTIX FLASH Update - March 4, 2022

Ransomware/Malware Activity

New DDoS Attack Technique Observed in the Wild Could Create Amplified Attacks

Researchers at Akamai have observed a new distributed denial-of-service (DDoS) attack amplification technique called "TCP Middlebox Reflection" being leveraged in the wild. According to Akamai's report, this attack vector "abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack" via middleboxes employed in deep packet inspection (DPI) systems. A middlebox is a device that "performs packet inspection or content filtering by monitoring, filtering, transforming packet streams exchanged between two internet devices". This attack vector is also considered powerful because of how little bandwidth it requires, "as the attacker needs as little as 1/75th (in some cases) that amount of bandwidth from a volumetric standpoint". Researchers have observed various middlebox attack campaigns targeting multiple sectors, including webhosting, banking, media, travel, and gaming, and such campaigns are likely to rise in popularity. CTIX analysts are continuing to monitor this up-and-coming DDoS attack technique and will note campaigns utilizing it in the future. For a deeper dive into the TCP Middlebox Reflection technique, please view Akamai's Report linked below.

Nation-State Activity

UNC1151 Phishing Campaign

UNC1151 threat actors have been tied to a new phishing campaign in the wake of the Ukraine and Russia conflict. High-level analysis of the campaign reveals that emails laced with a malicious macro attachment were distributed to Ukrainian military forces and European government personnel. The emails would often state that the user's contact information had originated from a spam bot, prompting the user to verify their information via a listed hyperlink. Additionally, the email contained a malicious attachment that would attempt to download a SunSeed malware variant to the user's device. Once downloaded, the malware installs itself onto the host system and then opens outbound secure connections to actor-controlled command-and-control (C2) endpoints, from which additional payloads are downloaded to the system. The payloads would exfiltrate messages and contact information from the compromised device and send them back to the threat actors, where the gathered information could be exploited. CTIX analysts predict continued attacks themed around the Ukraine-Russia conflict and expect a rise in themed phishing campaigns in the months to come.

MuddyWater Arsenal Upgrades

Threat actors associated with the MuddyWater threat organization have been observed enhancing their malware arsenal, improving and upgrading their tactics to become more destructive than in previous operations. MuddyWater is commonly known for its extensive cyber espionage campaigns throughout the Middle East, which has seen targeted activity since the group's emergence in 2017. Associated with Iran's Ministry of Intelligence & Security, MuddyWater's victims tend to fall within the telecommunications, government, and industrial sectors. Improvements made to the organization's tactics include a new mainstage downloader, PowGoop; command-and-control communications masked behind DLL files and Telegram API endpoints; variants of the Starwhale/Canopy malware to transmit data; and the addition of two backdoors, Mori and Powerstats, which enable system persistence. CTIX analysts will continue to monitor for any additional activity surrounding MuddyWater and numerous other actors and provide updates accordingly.

Critical Vulnerabilities Patched by Asterisk for the PJSIP Architecture

The security research firm JFrog recently produced a technical analysis that identified five (5) vulnerabilities in PJSIP, the Asterisk framework's library for videoconferencing, with three (3) of them being deemed critical. Asterisk is an enterprise-level open-source framework used for building communications applications. PJSIP is an open-source multimedia communication library used in communication protocols such as SIP and STUN. Within the PJSIP framework is an API for SIP applications known as PJSUA, and the PJSUA Media Manipulation API is where the five (5) vulnerabilities were identified. For context, Asterisk states on their website that their framework is downloaded two million times a year and currently runs on one million servers located in 170 countries. The vulnerabilities are described as memory-corruption flaws, with the three critical ones specifically being stack overflow vulnerabilities, which could allow attackers to perform remote code execution (RCE) if exploited. The other two vulnerabilities are harder to exploit, but if attackers were successful, they could perform a distributed denial-of-service (DDoS) attack, which could crash the application. These flaws may impact applications like Chrome, Safari, Firefox, Facebook Messenger, Signal, and others, as well as products like Skype and Google Hangouts. All five (5) flaws have been patched by Asterisk, and they urge any administrators, developers, and users to immediately upgrade to version 2.12.

Honorable Mention

Nvidia Allegedly "Hacks Back" After Lapsus$ Stole Proprietary Data

One of the largest United States chipmakers, Nvidia, was recently involved in an extortion scheme after their data was stolen. The group, named "Lapsus$", claims it stole one (1) terabyte (TB) of internal data from the company, including employee credentials, documentation, private tools, and SDKs, as well as information about their proprietary drivers, schematics, and firmware. Lapsus is not a well-known name in English security news, as they are most famous for targeting Spanish and Portuguese businesses. While most extortion schemes ask for money, Lapsus' goal is instead to get Nvidia to remove "LHR" limitations from their graphics cards. This feature in their proprietary drivers is a way to prevent cryptocurrency miners from using consumer-grade GPUs to mine, a limitation that Lapsus states "impact[s] mining and gaming." Following the announcement, Lapsus claimed Nvidia "hacked back" and encrypted the stolen data on the attacker's machine. The threat actors had used Mobile Device Management to connect a virtual machine to Nvidia's network. Using that connection, Lapsus claims, Nvidia connected back to their machine and deployed ransomware which destroyed the data, though it did not affect a backup the group had previously made. The threat actors have begun leaking data related to the GPU driver since their demands have not been met. CTIX analysts are monitoring the situation and will provide updates for any future developments.

The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
