Ransomware/Malware Activity
Muhstik Malware Gang Actively Exploiting Recent Redis Server Vulnerability
Juniper Threat Labs has recently discovered the Muhstik malware gang actively targeting Redis Servers using CVE-2022-0543, a Redis Lua sandbox escape vulnerability as well as a remote code execution (RCE) flaw. The Muhstik gang was responsible for the targeting of Confluence Servers in September 2021 via CVE-2021-26084, as well as Apache Log4j in December 2021 via CVE-2021-44228. The Redis Server vulnerability was identified in February 2022 and exists in a portion of Redis Debian packages, which affects Debian and Ubuntu Linux distributions. In March 2022, a proof-of-concept (POC) exploit was released on Github and the Muhstik gang started exploiting the vulnerability one (1) day after the publication. The researchers identified that "the payload used is a variant of Muhstik bot that can be used to launch DDOS [distributed denial-of-service] attacks." The vulnerability has been patched in Redis package version 5.6.0.16-1 and all administrators should update as soon as possible to protect against the ongoing Muhstik attacks. An in-depth analysis of an Muhstik attack as well as indicators of compromise (IOCs) can be reviewed in Juniper Threat Labs' report linked below.
"Verblecon" Malware Loader Discovered: Powerful Malware in Unsophisticated Hands
A new malware loader recently discovered in January 2022 has been detailed in a report by Symantec researchers. The trojan, named "Verblecon," has been described as "complex and powerful" yet the unknown threat actors utilizing the malware appear to be unsophisticated, conducting "low-reward" attacks. This led the researchers to believe the threat actors do not realize the potential of the malware they created. The stand-out feature of the malware is its use of polymorphic techniques to evade detection. By changing the encryption and obfuscation techniques while creating the malicious executable, it appears to be a different executable every time it is downloaded. The base of the malware appears to be a publicly available HTTP bot called "LiteHTTP" that was originally posted to GitHub in 2015. Before Verblecon's payload is executed, the loader checks for common virtualization software as well as anti-virus running on the machine by searching for files and processes associated with these applications. While the malware loader is in its infancy, researchers have found samples installing cryptocurrency mining software on victim machines as well as a Discord token stealing malware to further spread the malicious software. Other reports have connected similar domain names used by this botnet to the Orcus remote access trojan, though the credibility of the link is not certain. CTIX analysts will continue to monitor the progress of this malware and will update if the loader is used in more sophisticated attacks.
Nation-State Activity
APT36 New Hacking Campaign Targeting India/Afghanistan Region
A newly discovered hacking campaign targeting the Indian government has been attributed to APT36, commonly known as Earth Karkaddan, Mythic Leopard, and Transparent Tribe. This threat organization operates in favor of Pakistan and often targets high-ranking individuals associated with the military and governments of India and Afghanistan. APT36 actors have also been known to target activist groups throughout the region, such as human rights activists. Transparent Tribe actors utilize a number of lightweight malicious programs and scripts to exploit their targets without being detected. These malware variants include the CrimsonRAT, ObliqueRAT, and custom built APT36 malicious scripts. This campaign lured victims in a variety of ways such as malicious documents portrayed as male Indian Ministry of Defense (MoD) resumes, Indian Central Pay Commission themed maldocs, and Covid-19 related documents also laced with malicious code. Lastly, a significant tactic of APT36 threat actors is to establish and operate cloned victim websites hosted on a typosquatted domain, which is a vital key to their attack chain to further compromise many users. CTIX continues to monitor threat actor activity on a global scale and will continue to provide additional updates accordingly.
Vulnerabilities
Google Chrome Zero-day Vulnerability Exploited In-the-Wild Allows for Arbitrary Code Execution
A critical zero-day vulnerability in Google Chrome has just received an emergency patch to fix a type confusion bug in the V8 JavaScript engine, which processes JavaScript in Chrome and Microsoft Edge browser instances. This type confusion vulnerability manifests when an application processes JavaScript instructions and operations for a specific type of input, but is tricked by the attacker into processing an incorrect type, which leads to an application memory error, allowing the attacker to execute arbitrary malicious code. This vulnerability, tracked as CVE-2022-1096, has been exploited in-the-wild, and Cyber Threat Cognitive Intel (CTCI) researchers identified the flaw being exploited on March 20, 2022. The researchers stated that "additional intelligence was found during the attack analysis on 3/25/2022, where we identified a phishing scam against a honey client that is used to identify client-side attacks on users within the crypto space. The initial vector was a Discord channel.” This campaign has not been officially attributed to a specific threat actor; however, Google's Threat Analysis Group did identify and attribute two different state-sponsored North Korean campaigns (Operation Dream Job and Operation AppleJeus) exploiting similar Chrome vulnerabilities in early February 2022. This flaw has been patched in both Chrome and Edge, and users are urged to ensure they are running the most up to date instance of their browsers.
Critical Vulnerability in Sophos Firewall Exploited In-the-Wild to Perform Remote Code Execution
A critical vulnerability in the Sophos Firewall has been patched, correcting a flaw that if exploited would allow attackers to perform arbitrary remote code execution (RCE). Sophos is a next generation cloud-based cybersecurity infrastructure that provides a single cloud management system for managing cyber threats via AI and machine learning threat-intelligence tools. The vulnerability, tracked as CVE-2022-1040, was identified by an unnamed security researcher through Sophos' bug bounty program and is described as an authentication bypass bug impacting the User Portal and Webadmin consoles of Sophos Firewall. Sophos has observed this vulnerability being exploited in-the-wild to specifically target and victimize organizations in South Asia. Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier are affected by this vulnerability, but a hotfix has been released. If a Sophos Firewall instance has automatic updates enabled (which is a default feature), then administrators and cybersecurity professionals need not take any further action. If the instance is an end-of-life version, then it will need to be manually configured by disabling WAN exposure to the User Portal and Webadmin console. This is not the first time that vulnerabilities in the Sophos infrastructure have been exploited by threat actors, and the Ankura CTIX urges all administrators and operators to ensure that the "allow automatic installation of hotfixes" setting is enabled as well as verify that their Sophos instances are all the most recent stable versions.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
