Parrot TDS: A "Gateway" to Malicious Campaigns
A new Traffic Direction System (TDS), dubbed "Parrot TDS," has recently been discovered by Avast researchers. A TDS acts as a "gateway" to other malicious campaigns by infecting legitimate websites with a script that redirects user traffic to a malicious website. Using this technology allows threat actors to hide their malware from crawlers and automated scanners. While some threat actors build these systems on their own, it has become increasingly profitable for enterprising hackers to rent out infected websites to other campaigns. TDS services were brought to the attention of information security professionals in spring 2021 when the Prometheus TDS was discovered, which had major clients such as Hancitor, IcedID, and QBot. The newest TDS has been named Parrot TDS and, with a catalogue of over 16,500 infected websites, it is the largest TDS discovered to date. Targets of Parrot TDS are varied, though the threat actors most often targeted sites running content management systems (CMS) such as WordPress or Joomla. When a victim visits a compromised webpage, the proxy code extracts the User-Agent string, cookies, and referrer header from the request to determine whether the user is a real person or a bot. Once the victim is verified, they are redirected to various malicious campaigns, such as the "FakeUpdate" malware discovered in 2018. Another campaign Avast researchers have identified is a phishing campaign targeting Microsoft credentials. Notably, Parrot TDS user filtering is so advanced that the threat actors have the ability to identify a specific victim using hardware, software, and network profiling. If an individual user is targeted, they are often sent a NetSupport RAT payload, which allows complete remote access to the compromised device. Avast browser antivirus reports it has protected over 600,000 clients from falling victim to this TDS, emphasizing the massive scale of this campaign.
CTIX analysts recommend website administrators running a CMS scan their website(s) for malicious content. Users should always double check website links for legitimacy to ensure they do not fall victim to this campaign.
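As an added example of the scan CTIX recommends (this is not Avast's code or the report's own detection logic), the following Python script walks a CMS document root and flags files that contain obfuscated-JavaScript constructs or script tags loading from hosts outside an administrator-supplied allowlist. The regular expressions and the sample snippet are constructed for illustration; they are generic injected-script heuristics, not Parrot TDS signatures from the report.

```python
import sys
from pathlib import Path
import re

# Generic heuristics for injected JavaScript. Constructed for this example;
# they are NOT signatures taken from the Parrot TDS report.
SUSPICIOUS_PATTERNS = {
    # eval() fed directly from a decoder is a classic obfuscation wrapper
    "eval_of_decoded_string": re.compile(
        r"\beval\s*\(\s*(?:atob|unescape|String\.fromCharCode)", re.I),
    # long runs of char codes assembled into a string
    "fromcharcode_chain": re.compile(
        r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    # a quoted blob that looks like a large base64 payload
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # script tags written dynamically at page load
    "document_write_script": re.compile(
        r"document\.write\s*\(\s*['\"]<script", re.I),
}
# <script src="...//host/..."> - captures the host so it can be allowlisted
EXTERNAL_SCRIPT = re.compile(
    r"<script[^>]+src=['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_text(text, allowed_hosts=frozenset()):
    """Return a list of finding labels for one file's contents."""
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
    for host in EXTERNAL_SCRIPT.findall(text):
        if host.lower() not in allowed_hosts:
            findings.append(f"external_script:{host.lower()}")
    return findings


def scan_tree(root, allowed_hosts=frozenset()):
    """Scan every PHP/JS/HTML file under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in SCAN_SUFFIXES or not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        findings = scan_text(text, allowed_hosts)
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample page: one obfuscated inline script plus one script
# loaded from a host the administrator did not allowlist.
SAMPLE_PAGE = (
    '<html><head><title>blog</title></head><body>'
    '<script>eval(String.fromCharCode(118,97,114,32,120));</script>'
    '<script src="https://cdn.example.test/t.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    allowed = frozenset({"cdn.trusted.example"})
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1], allowed).items():
            print(path, ", ".join(found))
    else:
        print(scan_text(SAMPLE_PAGE, allowed))
```

Run it with the CMS document root as the first argument (for example the WordPress installation directory) and the allowlist edited to the CDNs and analytics hosts the site actually uses; every hit still needs a human look, since minified but legitimate scripts can trip the base64 heuristic.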
"Denonia" Malware Targets AWS Lamba Cloud Environments with Monero Cryptominer
"Denonia," a recently discovered Go-based wrapper, has been observed by Cado Security researchers to be "specifically developed to target Amazon Web Services (AWS) Lamba cloud environments." Denonia deploys "a custom XMRig cryptominer," that mines for Monero cryptocurrency and utilizes "newer address resolution techniques," for command-and-control (C2) communications in order to bypass detection measures and virtual network access controls. Though the researchers have yet to determine the method of deployment for Denonia via the actors responsible, there is speculation that leaked or stolen AWS Access and Secret keys have been utilized and then manually deployed into the compromised cloud environments. The researchers noted that this method has been used previously to deliver Python scripts that then run cryptominers. Also, Denonia execution has the ability to continue outside of a Lamba environment, "due to Lamba 'serverless' environments using Linux under the hood," despite the malware being specifically developed for the AWS environment. CTIX analysts will continue to monitor Denonia as it continues to evolve in its early stages and will provide updates as they become available.
Threat Actor Activity
FBI Disrupts Sandworm Botnet Operation
The United States Federal Bureau of Investigation has disrupted a Russian-controlled botnet targeted at home office networks. This operation involved the FBI targeting the threat organization Sandworm, a GRU Russian military intelligence cyber unit, and the core malware framework used to control the bots, Cyclops Blink. Operationally, the FBI copied and removed malicious payloads from vulnerable internet-facing firewall devices which were being used as command-and-control nodes for the botnet. While the operation did not involve access into the malware utilized by Sandworm, disabling the command-and-control mechanisms on the affected devices severed Sandworm's control. Even though this operation did prevent thousands of compromised devices from being used as bots, the majority of the originally infected devices are still operational within the greater botnet. WatchGuard, the manufacturer of the devices primarily affected by Cyclops Blink, has released a set of detection and remediation tools that all users can apply to further protect any WatchGuard devices on their networks. CTIX urges network administrators and security personnel to ensure that all devices, including WatchGuard devices, are up to date to lessen the chance of threat actor compromise.
FIN7 Threat Actor Sentenced for Computer Hacking & Wire Fraud
A FIN7-attributed threat actor was sentenced on Thursday, April 7th, 2022, for his criminal activity within the FIN7 organization. Denys Iarmak, a Ukrainian national, was arrested in Bangkok, Thailand in November 2019 and subsequently extradited to the United States in May 2020. He pleaded guilty in November 2021 to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. He was sentenced to five (5) years in prison. Within FIN7, Iarmak served as a top-level "pen tester" and was involved in an undisclosed number of FIN7 operations. Criminal work carried out by Iarmak while involved with FIN7 included malware-laced phishing emails that extracted financial card information from victims, along with several other financially driven operations. FIN7 has compromised assets throughout the United States, with one (1) operation alone exfiltrating roughly 20 million customer card records from 6,500 point-of-sale terminals across 3,600 businesses. Other well-known companies that have been compromised by the FIN7 threat organization include, but are not limited to, Chili's, Arby's, Chipotle, and Red Robin. Iarmak is the third member of FIN7 to be charged and sentenced in the United States. CTIX continues to monitor threat actors worldwide and will continue to provide additional updates accordingly.
VMware Patches Critical Vulnerabilities Leading to RCE
VMware has released a security patch for eight (8) vulnerabilities, five (5) of which are labeled as critical. The vulnerabilities span multiple products and, if exploited, could allow attackers to escalate their privileges to root and perform arbitrary remote code execution (RCE) against vulnerable instances. At this time, these flaws affect VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. There is currently no evidence that these flaws have been exploited in the wild; however, users of these virtualization platforms are still urged to download the patch as soon as possible. VMware understands that some of their customers may not be able to install the patch immediately, due to the effect it would have on current operations and business processes, and they have released a manual workaround to help those administrators harden their defensive posture in the meantime. The workaround is a Python-based script, but depending on the environments it is applied to, it may create follow-on problems that need to be mitigated. The specific information on these vulnerabilities is linked in the articles and advisory below. CTIX urges all administrators who cannot immediately patch their platforms to begin constructing a plan to compartmentalize their operations so that the patch can systematically be applied to their entire infrastructure in as little time as possible.
OpenSSL Flaw Leaves Some Palo Alto Networks Applications and Software Vulnerable to a DoS Attack
Researchers from the cybersecurity firm Palo Alto Networks released a warning that some of their products are vulnerable to an OpenSSL bug tracked as CVE-2022-0778. This vulnerability can be exploited to trigger Denial-of-Service (DoS) conditions, and may affect PAN-OS, GlobalProtect applications, and Cortex XDR agent software. The flaw lies within the "BN_mod_sqrt()" function and is triggered by maliciously crafted certificates and private keys carrying explicit elliptic curve parameters. Specifically, this bug affects TLS clients that accept server certificates, TLS servers that accept client certificates, as well as hosting providers, certificate authorities, and anything else that parses these same elliptic curve parameters. There is a proof-of-concept (PoC) exploit available online; however, at this time there is no evidence that this vulnerability has been exploited in the wild. OpenSSL has already patched this vulnerability; however, Palo Alto will be releasing their own security patch during the week of April 18th, 2022. Until then, Palo Alto has ensured that its customers are provided with mitigations that defend them from this flaw and has programmed Threat IDs 92409 and 92411 to recognize and block attacks. CTIX recommends that Threat Prevention subscribers enable both Threat IDs and ensure that the Palo Alto hotfix is installed as soon as possible. It is vital that operators and administrators are aware of the vulnerabilities impacting the products they manage/maintain, and even if a stable patch is not available, as a best practice they should be exhausting all efforts to find ways to manually harden their environments.
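Added example, not Palo Alto's or OpenSSL's code: a Python helper that decides whether an OpenSSL version string falls before the release that fixed CVE-2022-0778 on its branch (1.0.2zd, 1.1.1n and 3.0.2, per the OpenSSL advisory of 15 March 2022) and reports the OpenSSL that the local Python interpreter is linked against. The version strings in the demonstration are constructed; the comparison logic generalizes to any letter-suffixed OpenSSL version.

```python
import re
import ssl

# First release on each branch that contains the BN_mod_sqrt() fix,
# per the OpenSSL security advisory for CVE-2022-0778.
FIXED = {"1.0.2": "1.0.2zd", "1.1.1": "1.1.1n", "3.0": "3.0.2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def _key(version):
    """Sortable tuple for an OpenSSL version such as '1.1.1n' or '3.0.2'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    # Letter suffixes order lexicographically within a patch level
    # ('zc' < 'zd'), and a bare '1.1.1' precedes '1.1.1a' because '' < 'a'.
    return (int(major), int(minor), int(patch), letters)


def branch_of(version):
    """'1.1.1' / '1.0.2' for the 1.x series, '3.0' for the 3.x series."""
    major, minor, patch, _ = _key(version)
    if major >= 3:
        return f"{major}.{minor}"
    return f"{major}.{minor}.{patch}"


def is_vulnerable(version):
    """True if before the fixed release, False if at/after it,
    None for a branch the advisory did not cover (e.g. EOL 1.1.0, or 3.1+)."""
    branch = branch_of(version)
    if branch not in FIXED:
        return None
    return _key(version) < _key(FIXED[branch])


def local_openssl_version():
    """Version of the OpenSSL this interpreter's ssl module links against.
    This can differ from the system-wide OpenSSL, so check both."""
    m = re.search(r"OpenSSL (\d+\.\d+\.\d+[a-z]*)", ssl.OPENSSL_VERSION)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed version strings on each side of the fix.
    for v in ("1.0.2zc", "1.0.2zd", "1.1.1m", "1.1.1n", "3.0.1", "3.0.2"):
        print(f"{v:8} {'vulnerable' if is_vulnerable(v) else 'fixed'}")
    local = local_openssl_version()
    state = {True: "vulnerable", False: "fixed", None: "not covered"}
    print("local:", local, state[is_vulnerable(local)] if local else "unknown")
```

Appliance firmware such as PAN-OS bundles its own OpenSSL, so this check applies to hosts where the version string is visible (`openssl version`, or the Python interpreter as above); for the appliances themselves the vendor advisory remains the authority.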
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.