The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
Featured Developments
LAPSUS$ Members Arrested Following Breaches of Microsoft, Okta
The City of London Police has claimed to have arrested seven (7) members of the infamous LAPSUS$ cyber-extortion group. The group is most well known for their attacks targeting Nvidia and Samsung, as well as a recent attack against Microsoft. In the Microsoft breach, LAPSUS$ leaked screenshots of their internal devops instance and claimed to have access to the source code for Bing and Cortana. They have also been in the news recently for their attacks against multi-factor authentication company Okta. Investigators discovered LAPSUS$ gained access to a third-party provider Sitel which gave them access to 366 companies through their Okta accounts. Following this attack, the LAPSUS$ Telegram posted a message stating, "A few of our members has a vacation until 30/3/2022. We might be quiet for some times." The next day, the City of London Police reached out to the BBC stating they arrested seven (7) individuals including a sixteen (16) year-old which they then accused to being the leader of LAPSUS$. The teenager, whose name cannot be disclosed, resided in Oxford, England and goes by the nickname "White" or "Breachbase" online. His past connections to the doxing forum "doxbin" have caused him trouble in the recent months. In January of this year, the new owners of the site put up a bounty of $100,000 for a "full dox" on White, leading to his personal information being posted to the site. While this may have sparked the arrests, the police as well as multiple cybersecurity companies claim to have had his information for close to a year. The other six (6) members, whose ages range from sixteen (16) to twenty-one (21), are currently under investigation for their role in the group. Following the arrests, the LAPSUS$ group claims that none of their "core members" have been arrested. Many security researchers are not surprised from this relatively quick arrest as LAPSUS$ has been known to make simple Operational Security (OPSEC) mistakes since their first breaches.
- LAPSUS$ Microsoft Breach Article
- LAPSUS$ Okta Breach Article
- LAPSUS$ Arrests Article 1
- LAPSUS$ Arrests Article 2
Ransomware/Malware Activity
Vishing Attacks Target and Compromise Stanley Morgan Customer Accounts
Morgan Stanley Wealth Management, the wealth and asset management division of Morgan Stanley, recently disclosed that a portion of its customers' accounts were compromised via social engineering attacks. Morgan Stanley is a multinational investment bank and financial services company headquartered in the United States and serves governments, corporations, institutions, and individuals. The social engineering attacks consisted of vishing (otherwise known as voice phishing) that targeted Morgan Stanley customers for banking and login credentials. In Morgan Stanley's breach notification letter to affected individuals, the company stated that the attack occurred "on or around February 11, 2022" and that the actor "was able to obtain information relating to [the victim's] Morgan Stanley Online account, subsequently access this account and initiating unauthorized Zelle payments". Zelle is an online payments platform that allows easy digital transfers between bank accounts. The letter also detailed that the following information was potentially exposed during the attacks: name, address, and account number(s) as well as the victim's trusted contact(s) name, address, and phone number. CTIX analysts will continue to monitor social engineering attacks targeting the financial sector.
New Instances of Hackers Targeting Hackers with Disguised Clipboard Stealers Observed by Researchers
Various security researchers have identified new instances of hackers targeting other hackers via clipboard stealers on underground forums. The observed clipboard stealers, which are used to monitor a target's clipboard content in order to identify and replace cryptocurrency wallet addresses, were disguised as legitimate cracked remote access trojans (RATs) as well as malware building tools. Cyble researchers, in their report linked below, specifically noted the sighting of a new malware dubbed "AvD cryto stealer" that is actually a disguised variant of a well-known Clipper malware. The researchers detailed that the threat actor behind AvD crypto stealer is providing "one month of free access to entice more individuals to use it" and that "the primary target appears to be other TAs". ASEC researchers, in their report linked below, detailed the distribution of "ClipBanker", a malware that monitors infected systems' clipboards, being disguised as a malware building tools such as "Quasar RAT". It is not unusual for hackers to scam other hackers, but these described instances specifically prey on inexperienced actors who welcome free malware without a second thought. Cyble and ASEC provided in-depth reports regarding their observations as well as indicators of compromise (IOCs) to review.
Nation-State Activity
Scarab Threat Actors Targeting Ukraine
Chinese hackers from the Scarab threat organization have targeted Ukraine in a recent social engineering campaign. The Scarab threat group was first seen in the wild in 2015, however tactics and indicators of compromise tied to the group date back to 2012. These threat actors have targeted entities on a global scale, but commonly target United States and Russian individuals. In their recent attack against Ukraine, Scarab lured individuals with documents laced with macro-malware, which would deploy a payload once the document was opened or they were enabled by the user. Similar attacks related to this operation against Ukraine have been seen in the wild back in mid-2020. The payload in this campaign deploys the executable loader onto the system which in itself contains the first stage HeaderTip malware variant. HeaderTip's sole directive is to establish a connection back to threat actor-controlled command-and-control (C2) servers to pull down additional second-stage malware. CTIX analysts continue to recommend that all users verify the contents of an email prior to opening any email attachments or clicking any external links to lower the potential for compromise.
Mustang Panda Upgraded Espionage Campaigns
Another Chinese-backed threat organization is ramping up their cyber espionage efforts by incorporating new malware variants into their social engineering campaigns. Mustang Panda, additionally tracked as TA416, RedDelta, and HoneyMyte, is an espionage-driven threat organization that first appeared in 2017, with historical indicators of compromise dating to 2014. These actors primarily target government, religious, and nonprofit entities throughout the United States, Germany, Myanmar, Pakistan, and Vietnam. In their latest phishing campaign, these threat actors are targeting European diplomats, research institutions, and Internet Service Providers throughout Russia, Greece, South Africa, Mongolia, and Myanmar with their upgraded malware capabilities. Mustang Panda actors lure in these individuals into downloading decoy documents which unveil four (4) documents after download: the fake document, an executable, malicious modules, and an encrypted Korplug file. When executed, these files create a hidden system directory in order to evade detection, followed by the execution of additional modules to relay back to actor-controlled command-and-control (C2) servers. The malware has capabilities to gather system information of the compromised user, delete registry keys, download file listings and directories, and opening remote sessions to the infected device. CTIX analysts continue to track threat actors worldwide and will continue to provide updates accordingly.
Vulnerabilities
Lazarus Google Chrome Exploit Campaign Stayed Hidden for a Month
Researchers from Google’s Threat Analysis Group (TAG) have published a report attributing a notorious North Korean state-sponsored threat actor known as "Lazarus", to campaigns facilitated by exploiting a specific zero-day Google Chrome vulnerability. The flaw, tracked as CVE-2022-0609, is a use after free vulnerability that if exploited, could allow attackers to perform remote code execution (RCE). The campaign targeted individuals from the media, IT, cryptocurrency, and fintech sectors. The victims were targeted with fraudulent job-hunting scams utilizing fake emails, fake websites, and real websites that had already been compromised by Lazarus to execute the exploit kit. After interacting with one of the attack vectors, the victims would unknowingly execute the malware. Google TAG first identified the critical vulnerability in early February and proceeded to release an emergency security patch that fixed the flaw, but upon further research, they found signs that the campaign had actually been in full effect since the beginning of January. As already stated, this vulnerability has been successfully patched, so users running updated versions of Chrome are not susceptible to this attack. The Ankura CTIX recommends all users run the most stable versions of their browsers, and more significant exploit campaigns like this will continue to be reported on in the future.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
