Ransomware/Malware Activity
Largest Russian Meat Producer, Miratorg, Hit with Destructive Cyber Attack
Russian meat producer giant Miratorg Agribusiness Holding has been targeted by a major cyber-attack. The systems used by the company were encrypted using the built-in Windows feature BitLocker. Miratorg personnel stated they believe the attackers did not intend to financially extort the company, as with most ransomware attacks, but rather sabotage Russia's largest food supplier. While attribution has not been made yet, Russia's various agencies believe this attack came from "the West". Russia's food safety authority Rosselkhoznadzor released an announcement stating this cyber-attack "is a manifestation of the informational and economic 'total war' that the collective West unleashed against Russia." The attack originated from a state information system used by Miratorg as well as veterinary services across Russia called "VetIS", making this breach a supply chain attack. It has also affected many of Miratorg Holding's subsidiaries across the country. The company has assured Russian citizens that this attack will not affect the food supply to the country during critical times as they "have a track record of good reputation" and are putting systems in place to rebuild.
New Phishing Campaign Targets French Entities with Rare Chocolatey Use and Steganography Technique
A newly discovered phishing campaign, identified by Proofpoint researchers, has been observed targeting French organizations with cyberattacks leveraging Chocolatey, an open-source package installer. The targeted French organizations are within the construction, real estate, and government sectors, and the phishing emails contain macro-enabled Microsoft Word documents disguised as General Data Protection Regulations (GDPR) documentation. Researchers detailed that once macros are enabled, an encoded PowerShell script is grabbed via an image URL and steganography. The script "downloads, installs, and updates the Chocolatey installer package and repository script", which the researchers noted has not been previously observed in campaigns. Through the attack chain, a backdoor called "Serpent" is attempted to be installed that has the potential to "enable remote administration, command and control (C2), data theft, or deliver other additional payloads", but the objective of the threat actor responsible for this campaign is still currently unknown. It is emphasized, however, that the threat actor is likely an "advanced, targeted threat" due to the rarity of steganography being utilized in campaigns as well as additional tactics, techniques, and procedures (TTPs) being observed. An in-depth analysis and indicators of compromise (IOCs) can be reviewed in Proofpoint's report linked below.
Nation-State Activity
DarkHotel & InvisiMole APT's Phishing Operations
Phishing campaigns from threat groups continue to be on the rise, with two new campaigns from the DarkHotel and InvisiMole APT's. First, DarkHotel threat actors have spun up a new phishing campaign targeted against luxury hotels throughout Macao, China, and the surrounding areas. These spear-phishing emails possess the end goal of exfiltrating sensitive data from high-profile individuals staying at the resorts, such as Wynn Palace and Grand Coloane Resort. Historically, DarkHotel is a South Korean espionage-driven threat organization that has been around for roughly fifteen (15) years, who commonly target entities throughout Russia, China, Taiwan, Japan, and their neighbor North Korea. However, this is not the first time the group has utilized hotels to gather information on individuals; the first occurrence happened in May 2012. Shifting to InvisiMole, these Russian-linked threat actors have deployed a phishing campaign against Ukrainian state organizations. The goal for these actors is to have a user download a customized LoadEdge backdoor onto the host machine, which would give threat actors access to deploy further payloads on the system for data collection and reconnaissance. InvisiMole activity was first spotted in 2018 and sets its sights on high profile organizations and individuals within Eastern Europe military and diplomacy industries. Researchers have found connections between InvisiMole and the Russian Primitive Bear organization, but they remain their own entity due to their differing tactics and techniques. CTIX analysts continue to track threat actors worldwide and will provide additional insight accordingly.
RaaS Affiliate AvosLocker Targets Organizations with ProxyLogon/Shell Vulnerabilities
AvosLocker, a ransomware-as-a-service threat affiliate, has been observed shifting to Microsoft Exchange server vulnerabilities as their point-of-compromise tactic in their recent cyberattacks against organizations domestically. Historically, AvosLocker targets organizations within the financial services industry, critical manufacturing operations, and state/national government facilities. Microsoft Exchange servers have a high number of critical vulnerabilities that have been discovered over the last year, including commonly exploited flaws in CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855; otherwise commonly referred to as the ProxyShell attack chain. In addition to these vulnerabilities is CVE-2021-26855, which relates to the ProxyLogon vulnerability, which allows threat actors to drop malicious web shells onto Exchange servers to do any number of malicious activities. AvosLocker continues to be one of the key ransomware affiliates targeting critical infrastructure and are expected to continue their operations throughout the coming months. Additionally, CTIX urges organizations throughout the globe to verify that their technological infrastructure is up-to-date and security defenses are in place to protect company employees and assets.
Vulnerabilities
Critical Windows Vulnerability Receives Unofficial Patch
The 0patch vulnerability micropatching firm has released an unofficial security fix for a Windows zero-day flaw that has been active since the summer of 2021. The vulnerability, tracked as CVE-2021-34484, exists in the Windows User Profile Service, and if exploited, allows local attackers to escalate their privileges to SYSTEM under certain conditions. The vulnerability has been patched by Microsoft since last August, however security researchers eventually submitted a Proof-of-Concept (PoC) exploit that bypassed the fixes. In November when 0patch released the original unofficial patch to the exploitable "profext.dll" DLL file, it fixed the bug, however shortly thereafter when Microsoft officially patched the PoC bypass exploit (CVE-2022-21919), they replaced "profext.dll" which rendered the 0patch micropatch ineffective. 0patch has since ported their fix for "profext.dll" to work with the latest Microsoft update (March 2022), and due to the zero-day status of the vulnerability, the patch can be downloaded for free by creating a free account on 0patch central. The Ankura CTIX recommends all users and administrators running vulnerable instances of Windows 10 (v21H1, v20H2, v1909, and Windows Server 2019 64 bit) to download the micropatch immediately. Once 0patch is installed, the patch will be applied to the operating system automatically.
Dell BIOS Vulnerabilities Allow Arbitrary Code Execution
A series of five (5) critical vulnerabilities have been identified and disclosed affecting the Dell BIOS, and their exploitation could allow local authenticated attackers to execute arbitrary code on vulnerable systems. The flaws are improper input validation vulnerabilities that affect the System Management Mode (SMM) of the BIOS firmware, which is responsible for implementing power management and other hardware control features. These operations are entered via the System Management Interrupt (SMI), which executes the SMM BIOS code at the SYSTEM/root privilege. Multiple Dell products like Alienware, Inspiron, Vostro line-ups, and Edge Gateway 3000 Series are affected, and Dell urges their customers to upgrade to the latest BIOS firmware version immediately. These types of vulnerabilities are virtually unavoidable, due to complex technological changes that develop over time. What may have been the most secure today, could be the most vulnerable tomorrow. The specific vulnerabilities are listed in the article below. The Ankura CTIX urges all readers to regularly ensure the devices and software they utilize are as secure as possible, and we will continue to report on interesting critical vulnerabilities and zero-day bugs in coming issues.
Emerging Technology
New Phishing Toolkit Steals Single Sign-On Credentials Using Browser in the Browser
A new phishing toolkit created by a security researcher known as "mr.dox" has sparked conversations on a new type of phishing attack. The toolkit, called Browser in the Browser (BITB), attempts to create a popup phishing window that appears to look legitimate. Many websites use third-party accounts for single sign-on (SSO), such as Google or Facebook, to authenticate without having to create a new account. When this type of authentication is used on a legitimate website, a small popup window is opened that prompts the user for their credentials to the third party. The new attack uses this authentication flow to gather user credentials for the third-party websites. By using HTML, CSS, and Javascript, the tool creates a fake popup window inside the browser window that asks the user for their credentials. In the false window, everything from dragging the window, highlighting the URL, and the username and password fields work as expected. To test if a popup window is legitimate, users are expected to drag the window outside of the original webpage as this is currently the only way to detect the attack. While this attack has been seen in the wild as early as 2020, the new toolkit has brought the attack mainstream and allows penetration testers to easily test organizations using this technique.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.