APT Groups Target ICS/SCADA Devices with Custom-Made Malware Tools
Alert AA22-103A, a joint cybersecurity advisory, was recently released by the United States Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) detailing the targeting of various industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices by advanced persistent threat (APT) groups. The advisory specifically mentioned the targeting of Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs), OMRON Sysmac NJ and NX PLCs, and Open Platform Communications Unified Architecture (OPC UA) systems. The APT groups have developed custom-made malware tools with a modular architecture that enables highly automated exploits, and a command-line interface that mirrors the interface of the targeted device. According to the joint advisory, when the modules are present in the custom tools, APT groups are able to "scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters." The joint advisory did not detail the specific malware tools that were observed, but cybersecurity firm Dragos recently published information about the "PIPEDREAM" toolset, which is the seventh ICS-specific malware identified as of April 15, 2022. PIPEDREAM was first observed in January 2022 and was developed by the CHERNOVITE Activity Group (AG). Dragos researchers detailed that this toolset "can currently identify and target PLCs from Omron and Schneider Electric, however the tooling may be used to target and attack controllers from hundreds of additional vendors." It is suspected that PIPEDREAM has not yet been utilized for destructive attacks, but that the group responsible has the intention of leveraging the malware toolset in the future.
CTIX analysts will continue to monitor the targeting of ICS and SCADA devices as well as monitor for additional custom-made, malicious toolsets to emerge in the wild.
"Haskers Gang" Releases Free Custom Infostealer Malware "ZingoStealer"
A new infostealing malware known as "ZingoStealer" was released for free on April 14th, 2022 through a dark web post. This malware was developed by a crimeware-related threat actor known as "Haskers Gang," though the group has also stated that ownership is changing hands. Before the malware was officially handed to the new threat actor, Haskers Gang decided to post a free binary of the malware, allowing any threat actor or script kiddie to utilize its functionality. The group has also offered to sell the source code of the malware for $500 and a version of the binary that is obfuscated using a custom-made crypter known as "ExoCrypt" for $3. While the malware has only been in development for a month, it includes multiple functions that allow it to download additional malware, harvest data from common browsers and cryptocurrency wallets, exfiltrate data and receive updates through a Telegram channel, and install a custom Monero cryptocurrency miner known as "ZingoMiner." Haskers Gang and customers of ZingoStealer have used it to target Russian-speaking victims by masquerading it as "game cheats and pirated software," distributed through YouTube videos and Discord channels. With the free release of this malware, CTIX analysts believe organizations as well as computer enthusiasts will be heavily targeted with ZingoStealer by unsophisticated threat actors. To mitigate this threat, organizations should utilize endpoint detection software along with antivirus to detect if this malware is downloaded or executed. As always, users should use caution when downloading software from the internet and utilize web-based virus detection software to ensure downloaded files are not malicious.
Threat Actor Activity
Karakurt Extortion Group Linked to Conti Ransomware Organization
Infinitum IT analysts have assessed a strong link between the ransomware-driven Conti threat organization and the Karakurt Hacking Team. The Conti ransomware organization is a group of threat actors that perceive themselves as the prime ransomware-as-a-service group, creating malicious scripts, dropping ransomware on compromised systems, and launching extensive ransom/phishing campaigns. By contrast, Karakurt, first observed in the wild in 2021, is primarily known for stealing sensitive information from its targets, extorting the victims, and leaking the data on its website. The connection linking these threat organizations comes from remote data storage endpoints utilized by Conti ransomware, where the DNS records revealed a hosting connection to 209[.]222[.]98[.]19. This IP address is also the hosting address for Karakurt's public-facing blog page, which is utilized for leaking data from its victims. Additional links between the two groups come from recovered SSH credentials and SSH private keys for Karakurt's blog page. It is assessed that when a Conti ransomware attack occurs on a target and the attack does not complete the encryption stage, the gathered data is instead extorted by Karakurt on its blog page. CTIX analysts will continue to monitor these threat organizations for any fallout around this new information and provide additional insight accordingly.
Lazarus Phishing Campaign Continues, Targets Chemical Sector with Operation Dream Job
The North Korean-backed threat organization Lazarus continues to target entities in a sophisticated social engineering campaign, this time targeting organizations and employees in the chemical sector. This cyber-espionage driven campaign has been code-named "Operation Dream Job," and carries the reputation of distributing malicious phishing emails to organizations throughout the defense, government, and engineering sectors. These phishing emails are themed around fake job offers as the key means to lure users into downloading malware-laced attachments or visiting malicious hyperlinks. Once a user interacts with these elements of the phishing email, an HTM file is downloaded to the system and implanted within the DLL file "scskapplink.dll". Acting as a trojanized tool, the DLL file then proceeds to download additional payloads from actor-controlled command-and-control (C2) server(s) and executes those payloads on the user's device. Once this is complete, Lazarus threat actors have the capability to move laterally within the compromised user's network, exfiltrate sensitive information such as security credentials, download and install additional espionage scripts, and implant persistence mechanisms on the system. CTIX analysts continue to urge users to validate the integrity of email correspondence prior to downloading any attachments or visiting any links embedded in the email to lessen the possibility of threat actor compromise.
Windows Patches Critical Zero-Click RPC Vulnerability
As part of its Patch Tuesday security updates, Microsoft has patched a critical vulnerability affecting Windows hosts running the Remote Procedure Call (RPC) runtime, commonly utilized with the Windows Server Message Block (SMB) protocol. SMB is a Windows communication standard which allows the sharing of access to files, printers, as well as inter-process communication (IPC) across the nodes of remote servers in a network. The vulnerability, tracked as CVE-2022-26809, is a zero-click flaw, meaning that it gives attackers the ability to execute malicious code without interaction from a user. If exploited, this vulnerability allows unauthenticated attackers to leverage maliciously crafted TCP/IP packets in order to perform remote code execution (RCE) and spread laterally across the target network. Censys, a leading Attack Surface Management company, released a blog post that gives perspective to the scale of this vulnerability by detailing that, as of April 2022, 1,304,288 hosts are running the SMB protocol, and 63% of them are running a Windows-based operating system, the majority of them based in the United States. Given how little effort this vulnerability takes to exploit, the Ankura CTIX team expects to see a proof-of-concept (PoC) exploit, and an observable uptick in ransomware attacks in the near future. The CTIX team urges all Windows remote server administrators to ensure they have installed the latest Windows update on their infrastructure. If networks cannot be patched at this time due to scheduling and business processes, it is still very simple to mitigate RPC attacks in general by instituting firewall rules that block external connections.
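As an added illustration of the firewall mitigation described above (this is example code, not part of the original CTIX update, the Microsoft advisory, or the Censys post), the following PowerShell creates a host-based inbound block rule for the RPC endpoint mapper and SMB, reads the rule back so the change can be verified, and then lists any enabled inbound allow rules that expose the same ports to any remote address. The rule name is a placeholder; the port numbers (TCP 135 for the RPC endpoint mapper, TCP 445 for SMB) are standard Windows defaults, and the assumption is that only hosts on the local subnet legitimately need SMB/RPC access, with the built-in 'Internet' address keyword standing in for everything outside it.

```powershell
# Added example, not from the original CTIX update or from Microsoft.
# Creates an inbound Windows Defender Firewall rule that blocks the RPC
# endpoint mapper (TCP 135) and SMB (TCP 445) from non-local addresses,
# then reads the rule back so the change can be verified.
# Assumption: the local subnet is the only network that legitimately needs
# SMB/RPC access to this host; widen -RemoteAddress if management hosts
# live on other trusted ranges.

$ruleName = 'CTIX-Example-Block-External-RPC-SMB'   # placeholder rule name
$ports    = @('135', '445')                          # RPC endpoint mapper, SMB

# Remove any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 'Internet' is a built-in address keyword meaning addresses outside the
# local subnets; a Block rule takes precedence over any Allow rule in
# Windows Defender Firewall, so no existing allow rule needs to be edited.
New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Example mitigation: block external RPC/SMB while patching' `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort $ports `
    -RemoteAddress Internet `
    -Action Block `
    -Profile Any `
    -Enabled True | Out-Null

# Read the rule back and show the effective port and address filters.
$rule  = Get-NetFirewallRule -DisplayName $ruleName
$pf    = $rule | Get-NetFirewallPortFilter
$af    = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Name    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Ports   = (@($pf.LocalPort) -join ',')
    Remote  = (@($af.RemoteAddress) -join ',')
} | Format-List

# Defender check: enabled inbound Allow rules that open TCP 135 or 445 to
# 'Any' remote address are what expose the service on a host that has no
# block rule; listing them shows what the block above is overriding.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        $p.Protocol -eq 'TCP' -and
        ((@($p.LocalPort) -contains '135') -or (@($p.LocalPort) -contains '445')) -and
        (@($a.RemoteAddress) -contains 'Any')
    } |
    Select-Object DisplayName, Profile, Group |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the NetSecurity cmdlets require administrative rights. Blocking at the host is a stopgap for unpatched machines, and the same two ports should also be filtered at the network perimeter so that exposure does not depend on every host's local rule set.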
Critical VMware Vulnerability Used in Remote Code Execution Attacks to Steal Cryptocurrency
The virtualization software company VMware has recently patched a critical vulnerability that has been exploited by threat actors in the wild, with multiple proof-of-concept (PoC) exploits published online. Specifically, this flaw affects VMware Workspace ONE Access and VMware Identity Manager. This vulnerability, tracked as CVE-2022-22954, is described as a server-side template injection vulnerability which, if exploited, could lead to remote code execution. Researchers who have been monitoring the exploitation of this flaw state that thus far, the main purpose of attacking this vulnerability appears to be to execute coinminer payloads on vulnerable servers to generate cryptocurrency for the attackers. Coinminers operate by running computationally expensive calculations that maintain the blockchain ledger and, in return, generate coins. Due to the significant resource requirements, servers are a very popular target. While the exploit is currently mostly being used to pilfer digital coins, the ability it gives attackers to move laterally within a network suggests this vulnerability will be exploited for other operations, like ransomware and phishing campaigns. The CTIX team urges VMware users to install the latest patch. If the update cannot be installed immediately, VMware has published mitigation techniques that defend against this flaw in its April 6 blog post, linked below.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days, which typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.