Ransomware/Malware Activity
New Ransomware-as-a-Service Family LokiLocker Identified Targeting Windows Machines
LokiLocker, a new Ransomware-as-a-Service (RaaS) family, has recently been identified by BlackBerry Threat Intelligence researchers targeting English-speaking victims and Windows machines, and was first observed in the wild in August of 2021. The ransomware encrypts files on local drives as well as network shares and contains an optional wiper functionality. LokiLocker's victims are scattered globally, with the main concentration in Asia and Eastern Europe. Researchers noted that the earliest samples of this ransomware were "initially distributed inside Trojan brute-checker hacking tools", including PayPal BruteChecker, Spotify BruteChecker, PiaVPN Brute Checker By ACTEAM, and FFSN Checker by Angeal. There are approximately thirty (30) unique "VIP" affiliates currently across LokiLocker samples. BlackBerry researchers have not determined an origin for LokiLocker but do emphasize that "all the embedded debugging strings are in English, and - unlike the majority of malware originating from Russia or China - the language is largely free of mistakes and misspellings". There is speculation that Iran is involved - either because the RaaS group originates from Iran or because the true threat group is attempting to "cast the blame on Iranian attackers". This speculation stems from the first samples of LokiLocker ransomware involving cracking tools that were potentially developed by AccountCrack, an Iranian cracking team, and from approximately three (3) known LokiLocker affiliates utilizing "unique usernames that can be found on Iranian hacking channels". CTIX analysts will continue to monitor the LokiLocker RaaS group as it evolves, and in-depth technical analysis containing indicators of compromise (IOCs) can be found in BlackBerry's report linked below.
Newly Discovered Botnet Exploits Log4J, Utilizes DNS Tunneling
While most of the Log4J vulnerability hype has died down, a new botnet utilizing the exploit to spread was discovered by Qihoo 360 Netlab researchers. The botnet, named B1txor20 after its file extension, encryption algorithm, and key length, has been under active development since at least February 9th, 2022. The researchers did not state how it utilizes the Log4J exploit or the number of devices affected. While it is still relatively young, the botnet already has sophisticated features such as a backdoor, rootkit functionality, and a SOCKS5 proxy. The standout feature of B1txor20 is its use of DNS tunneling to obscure its communications with the command-and-control (C2) server. The bot does this by sending a DNS request to the C2 server with "stolen sensitive information, command execution results, and any other information that needs to be delivered" as an encoded string prepended to the attacker's domain name. The C2 server then answers the DNS request with a payload that indicates what function the bot should perform next. This botnet is a prime example that the full fallout of the Log4J vulnerability has yet to be discovered.
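The tunneling pattern described above (encoded data prepended as subdomain labels to the attacker's domain) leaves a recognisable footprint in resolver logs. The following detector is an added example written for this update, not code from Netlab's report; it runs over a constructed sample log, scores each query's subdomain portion by length and Shannon entropy, and flags apex domains that receive repeated long, high-entropy queries with many unique subdomains. The log format, the two-label apex assumption and the placeholder domain c2-placeholder.example are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the Netlab report): timestamp, client, qtype, qname.
# The long, random-looking labels stand in for encoded data prepended to a C2 domain.
SAMPLE_LOG = """\
2022-03-17T10:00:01Z 10.0.0.5 A www.example.com
2022-03-17T10:00:02Z 10.0.0.5 AAAA mail.example.com
2022-03-17T10:00:03Z 10.0.0.9 TXT q3w8e1r9t5y0u7i2o6p4asdfghjklzxcvbnm.n4m2b6v0c9x5z1lk.c2-placeholder.example
2022-03-17T10:00:04Z 10.0.0.9 TXT asdfghjklzxcvbnmq3w8e1r9t5y0u7i2o6p4.h7g3f5d1s9a0p2o4.c2-placeholder.example
2022-03-17T10:00:05Z 10.0.0.9 TXT zxcvbnmq3w8e1r9t5y0u7i2o6p4asdfghjkl.t2y6u8i1o3p5a7s9.c2-placeholder.example
2022-03-17T10:00:06Z 10.0.0.7 A cdn.static.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; labels carrying encoded data score far above ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname: str) -> tuple:
    """(subdomain, apex). Assumes a two-label apex; production code should use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_features(qname: str) -> dict:
    sub, apex = split_name(qname)
    data = sub.replace(".", "")          # dots are framing, not payload
    return {"apex": apex, "sub": sub, "sub_len": len(data), "entropy": shannon_entropy(data)}

def detect_tunneling(log_text: str, min_len: int = 40,
                     min_entropy: float = 3.5, min_unique: int = 3) -> dict:
    """Map apex domain -> reason for every domain whose query pattern looks like tunnelled data."""
    unique_subs = defaultdict(set)       # apex -> distinct subdomains seen
    hits = defaultdict(int)              # apex -> count of long, high-entropy queries
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                     # skip malformed lines rather than crash on them
        f = query_features(parts[3])
        unique_subs[f["apex"]].add(f["sub"])
        if f["sub_len"] >= min_len and f["entropy"] >= min_entropy:
            hits[f["apex"]] += 1
    return {apex: f"{n} long high-entropy queries across {len(unique_subs[apex])} unique subdomains"
            for apex, n in hits.items() if len(unique_subs[apex]) >= min_unique}

if __name__ == "__main__":
    for apex, reason in detect_tunneling(SAMPLE_LOG).items():
        print(f"{apex}: {reason}")
```

Thresholds are starting points: tune them against a baseline of your own resolver traffic, and expect CDNs and some telemetry services to produce long but low-uniqueness names that the unique-subdomain check is there to excuse.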
Nation-State Activity
Exotic Lily, 'Locksmith' For Russian Threat Organizations
An initial access threat actor working in unison with the Conti ransomware gang has been outed by security researchers this week, linking the actor to multiple ransomware strains and affiliates. Code named Exotic Lily, this threat actor acts as one of the digital world's locksmiths, compromising targets so that a threat organization can exploit that compromise or sell the access to the highest bidder. Exotic Lily in particular seems to favor Russian threat groups and ransomware strains, with significant attribution and involvement with the Diavol and Conti ransomware strains, linking it to threat organizations such as Conti and Wizard Spider. Tactics utilized by Exotic Lily include rogue email accounts from which they push out sophisticated social engineering lures to capture their target(s). Exotic Lily primarily targeted IT, cybersecurity, and healthcare organizations and service providers, but has changed course since November 2021. Lastly, this threat actor relied significantly on file-sharing services such as WeTransfer, OneDrive, TransferNow, and similar applications to deploy malicious payloads, including BazarBackdoor. CTIX continues to monitor threat actors throughout the landscape and will provide updates accordingly.
Threat Insight: Blackcat RaaS Threat Group & BlackMatter Connections
The Blackcat ransomware organization, otherwise known as ALPHV, is a newly emerging threat group first seen in the wild in November 2021. These threat actors, discovered only months ago, have made a significant name for themselves and have a reputation for double-extortion attacks, holding both the target's infrastructure and its exfiltrated files for a significant ransom. While Blackcat targets entities worldwide, roughly 30% of their attacks occur against United States-based corporations. There has been speculation surrounding the group in recent months, alluding to Blackcat being a rebrand of the BlackMatter/DarkSide threat organization. However, security researchers believe that Blackcat is more of a home for threat actors from numerous ransomware-as-a-service affiliates. Connections have been made between the Blackcat and BlackMatter ransomware groups, including a domain and IP address used by BlackMatter actors during a cyberattack in September 2021. Deeper analysis of this connection revealed commonalities between the ransomware variants' tactics, such as tools, file naming structure, and deployment techniques. While Blackcat is still new to the threat landscape, its backbone actors have been working for significantly longer with other affiliates. CTIX analysts believe that regardless of seniority, Blackcat is a threat group not to be taken lightly and will most likely continue its campaigns in the months to come.
Vulnerabilities
VirusTotal Queries Identify Improperly Configured Firebase Databases that Make Thousands of Mobile Applications Vulnerable to Attack
Security professionals from the firm Check Point Research (CPR) have leveraged VirusTotal queries to identify improperly configured Firebase cloud-based mobile application databases that leave thousands of applications vulnerable and susceptible to threat actor exploitation. Some of these applications are so popular that they have been downloaded tens of millions of times, and include "dating, fitness, bookkeeping, logo design, e-commerce and more." These vulnerabilities are being exploited by attackers, allowing them to alter configurations and read from and write to the databases. This opens up an incredibly broad range of potential attacks, from injecting malicious values to corrupt or wipe the databases, to deploying malware, to exposing sensitive information like "chat messages in popular gaming apps, personal family photos, token IDs on … healthcare applications, data from cryptocurrency exchange platforms, and more." There are many reasons why databases may be configured and hardened improperly. Often, just as average users unknowingly compromise themselves, there is a component of complacency, such as not altering default configurations or forgetting to re-harden infrastructure after purposely exposing it for testing purposes. VirusTotal is a valuable tool in this scenario because many applications are uploaded to the platform, whether automatically due to a policy or manually by developers using VirusTotal for its sandbox features and checking whether their products have been flagged by the platform as malicious. Over the course of three months, CPR found 2,113 mobile applications utilizing Firebase that were uploaded to VirusTotal. In their blog post linked below, CPR has made some cloud-based hardening recommendations for database administrators and application developers, and Ankura CTIX analysts urge our readers to make security a constant priority to stop easily preventable breaches like this from happening.
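To make the "default configuration" problem concrete, the following is an added illustration written for this update, not code or rules from the CPR post or from any affected application. It places a constructed world-readable/writable rule set, in the Firebase Realtime Database JSON rules format, beside an owner-scoped alternative, and includes a small checker that walks a rules tree and reports every path granting unauthenticated read or write access. The rule sets and the `audit_rules` helper are assumptions made for this example.

```python
import json

# Constructed example rule sets (not taken from the CPR report), in the Firebase Realtime
# Database JSON rules format. WEAK_RULES is the world-readable/writable shape the research
# warns about; HARDENED_RULES scopes each user's record to its authenticated owner.
WEAK_RULES = json.loads("""
{ "rules": { ".read": true, ".write": true } }
""")

HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": { ".read": true, ".write": false }
  }
}
""")

# A literal true (or the expression "true") grants access to unauthenticated callers.
OPEN_VALUES = (True, "true")

def audit_rules(rules_doc: dict, path: str = "/") -> list:
    """Return (path, permission) pairs that allow anonymous access.
    Realtime Database permissions cascade downward, so an open .read or .write at "/"
    exposes every child path no matter how restrictive the children look."""
    node = rules_doc.get("rules", rules_doc) if path == "/" else rules_doc
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if value in OPEN_VALUES:
                findings.append((path, key))
        elif isinstance(value, dict):          # child path or $wildcard segment
            findings.extend(audit_rules(value, path.rstrip("/") + "/" + key))
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(doc) or "no anonymous access")
```

A public read on a deliberately public path (such as the constructed `public_config` above) is still reported so that a reviewer confirms it is intentional; an anonymous write anywhere should be treated as a defect.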
Honorable Mention
Russian State Censorship Thwarted by Activists and Hacktivists Alike
In the news this week are two stories of like-minded citizens attempting to circumvent Russian censorship. The first group is a team of Polish programmers who go by the name of Squad303, a reference to the Royal Air Force unit of Polish pilots during World War II. The team created a website to send texts, WhatsApp messages, emails, and phone calls to random Russian citizens with pre-generated messages translated into Russian to initiate the conversation. These messages often state that while the sender does not know the recipient, they have heard news of the conflict in Ukraine. The message then asks what it is like in Russia, whether the conflict is being shown on TV, and similar questions to start a conversation. The group believes that opening these lines of communication between the West and Russian citizens is the best way to combat censorship. They also understand that the average person wants to support Ukraine and, as they state, "we knew that they can't buy guns and shoot Russians, so we came up with this idea for them to engage, to be a part of Operation Russia." While some groups are enabling the average person to spread Ukrainian propaganda, other more technical groups, such as Anonymous, have taken a different approach. These hacktivists have breached over 80 CCTV camera feeds located in Russia to send a message to the Russian people. Superimposed over the cameras' feeds are various messages stating "Putin is killing children", "352 Ukrainian civilians dead", and "Slava Ukraini! Hacked by Anonymous". They then posted the feeds directly to their website "behindenemylines[.]live". These stories show the persistence and determination of activists working towards a cause they believe in. With many wars being fought not on the battlefield but online through propaganda and hacking, civilians with programming and cybersecurity skills could tip the scales in their favor.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days, which typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
