Ransomware/Malware Activity
"AcidRain" Identified as Seventh Wiper Malware Associated with the Russian/Ukraine Conflict
On March 31, 2022, SentinelOne researchers published a report that detailed the use of "AcidRain" malware in the late February 2022 cyberattack of Viasat, a US satellite communications provider. The cyberattack targeted the Viasat KA-SAT satellite broadband service and resulted in wiping SATCOM modems, which affected tens of thousands in Ukraine and across Europe. According to SentinelOne, AcidRain is the "7th wiper malware associated with the Russian invasion of Ukraine" and was first identified on March 15th, 2022. The researchers hypothesized that "the threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers," a theory that was supported by Viasat, who in an interview with TechCrunch affirmed the use of a "legitimate management command." SentinelOne researchers also, with medium confidence, detailed the "developmental similarities" between AcidRain and the "VPNFilter" campaign that was attributed to the Russian government in 2018. The VPNFilter campaign consisted of "an impressive array of functionality in the form of multi-stage plugins" and the researchers noted "an interesting (but inconclusive) code overlap" between a specific plugin of VPNFilter and AcidRain. An in-depth technical analysis of AcidRain and the potential VPNFilter connection, as well as indicators of compromise (IOCs), can be reviewed in SentinelOne's report linked below.
Calendly Leveraged in Phishing Attacks to Increase Legitimacy
Threat actors have discovered a new vector of attack to utilize during phishing campaigns. Calendly, a free scheduling assistant, allows threat actors to use email to invite the victim to a meeting with the title and link they choose. This increases the legitimacy of the phishing email as it appears to come from a legitimate company. INKY, an email monitoring company, found specific instances where the phishing actors titled the meeting "You have received a new fax documents" with an embedded link to "preview" the document. The link instead brought victims to a Microsoft Word phishing page where they were required to sign in to access the document. The page also included a common tactic in newer phishing campaigns to ensure credentials are free of typos, in which the user is prompted to enter their credentials twice, due to the credentials being "invalid.” The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. While most of the techniques employed in this campaign are standard, the use of Calendly has not been previously identified. CTIX analysts recommend security teams look out for and alert their users to the use of legitimate service entities such as Calendly in phishing schemes, and remind users to employ basic security protocols. Another red flag would be prompting a user for credentials to copy and send back to their command-and-control (C2) infrastructure. The use of a password manager is a simple method to avoid entering credentials into malicious phishing websites, due to the phishing domain not being the same as the impersonated website's. A password manager will not autofill the password, tipping users off that the website they're on is not legitimate.
Nation-State Activity
Deep Panda Targets Financial/Cosmetic Industry with Fire Chili Rootkit
Chinese threat actors tied to the Deep Panda organization have launched a new campaign with Log4Shell exploits and the Fire Chili rootkit. Deep Panda, also tracked as APT19, is a threat group that commonly exploits targets within the government, financial, defense, and telecommunication sectors with the end goal of extortion and cyber espionage. In this new campaign, Deep Panda actors are targeting the financial and cosmetic industries with Log4Shell vulnerabilities (specifically CVE-2021-44228) to infect the target with the Fire Chili rootkit. This rootkit, which is deployed alongside the Milestone backdoor, was designed to be lightweight and stealthy. Fire Chili evades detection by security systems in part because it utilizes a stolen digital certificate to authenticate itself as a non-malicious file. Once both Fire Chili and Milestone are installed on the system, these programs will begin to tamper with the system registry, establish system persistence with continuous callbacks for integrity, and conduct extortion/espionage tasks on the infected system. The Log4Shell vulnerability was patched in December of last year, but is still a viable attack vector due to many organizations failing to ensure their infrastructure and tools are running the most stable and secure versions. CTIX analysts recommend that companies continuously verify their network integrity and ensure that systems are kept up to date to reduce the risk of threat actor compromise.
Lazarus Continues to Target Decentralized Finance
On January 18th, 2022, CTIX analysts released a FLASH issue summary that BlueNoroff, a subgroup of the North Korean advanced persistent threat (APT) group Lazarus, had been observed targeting cryptocurrency companies. As of late March, Lazarus has continued this activity. By utilizing a legitimate program for decentralized finance called DeFi Wallet, Lazarus delivers malware onto an infected machine without detection. The malware itself is not just a backdoor, but also has the potential to give the actor full control of the compromised machine. Lazarus used compromised web servers in South Korea to coordinate the attack, which resulted in KrCERT and Kaspersky analysts investigating Lazarus' C2 servers. The malware is designed to carry out in two stages: the first being the trojan loading the backdoor onto the affected machine, and the second being communication between the C2 servers and the infected machines. As the situation develops and the Lazarus group deploys new TTPs, the Ankura CTIX team will continue to monitor their operations, and provide relevant updates to our readers as they develop.
Vulnerabilities
Rockwell Automation Warns of Attacks Against Critical Infrastructure Using Malware Based on the Stuxnet Worm
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of two (2) critical vulnerabilities affecting Rockwell Automation programmable logic controllers (PLC), which if exploited could allow malicious threat actors to escalate their local privileges, modify user applications, and inject undetectable logic controller bytecode (tracked as CVE-2022-1161 and CVE 2022-1159). Analysts have compared these vulnerabilities to similar ones exploited in the infamous 2010 Stuxnet worm malware attacks, which were unprecedented at the time, and caused massive damage to critical infrastructure (CIS) in Iran's nuclear and other energy sectors. Exploiting PLCs in CIS is extremely resource heavy and time-consuming, which points to the capabilities of hackers leveraging nation-state assets. Although the original Stuxnet malware was set to expire in 2012, legacy spinoffs known as “sons of Stuxnet,” have been steadily identified ever since. These exploits are so devastating because they often go completely undetected for sustained amounts of time, and engineers typically can't identify them without the use of advanced forensics tools, or until it's too late. The Ankura CTIX urges any and all users administrating Rockwell Automation PLCs to ensure they are running the most up-to-date version that patches these vulnerabilities. CISA has provided instructions for patching this flaw in their advisory linked below.
Apple Patches Critical Zero-day Vulnerabilities Exploited In-the-Wild
Apple has released an emergency update to patch two (2) critical zero-day vulnerabilities that have been exploited in-the-wild. These bugs affect Mac computers running macOS Monterey, iPhones 6s and later, and most iPads. The flaws are an out-of-bounds write vulnerability (tracked as CVE-2022-22674), and an out-of-bounds read vulnerability (tracked as CVE-2022-22675), and if exploited these flaws could allow an attacker to execute arbitrary code on vulnerable devices with kernel privileges. Apple has stated that these flaws have been actively exploited, and they do have proof-of-concept (PoC) exploits, but they are not currently publishing the details, in lieu of giving Apple users more time to install the update on their vulnerable devices. If relevant details about the exploits become public, the Ankura CTIX will publish updates in future FLASH reports. As stated, these vulnerabilities have been patched with improved input validation and bounds checking, and Apple users are urged to update their operating systems to iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 immediately.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
