Ransomware/Malware Activity
New NetDooka Malware Observed in PrivateLoader Pay-Per-Install Distribution Service
Trend Micro researchers identified "NetDooka," an emerging malware framework still in its early development phase that is distributed via a pay-per-install (PPI) malware distribution service called "PrivateLoader." PrivateLoader, first discovered by Intel471 in February 2022, is a "downloader responsible for downloading and installing multiple malware into the infected system" as part of the service. The service relies on search engine optimization (SEO) poisoning as well as laced software downloads uploaded to torrent sites, and it has a history of distributing a wide array of malware. NetDooka is composed of several components: a loader, a dropper, a protection driver, and a remote access trojan (RAT) that implements its own network communication protocol. The infection begins with the download of PrivateLoader, followed by installation of the NetDooka dropper component, which decrypts and executes the NetDooka loader. Next, the loader checks that it is not running in a virtual environment and downloads an additional malware dropper (and potentially a kernel driver) from its remote server. The loader also de-obfuscates strings, including the command-and-control (C2) address, and checks for command-line arguments passed to it (observed arguments uninstall various programs, rename the dropper component, and lock antivirus vendor domains). The downloaded dropper decrypts and executes the final NetDooka payload: the RAT. The RAT can start a remote shell, collect browser data, take screenshots, and exfiltrate system information. It can also run the installed kernel driver to "protect the dropped payload." While NetDooka is still early in development, its capabilities "allow it to act as an entry point for other malware," and researchers will likely continue to monitor it for features added as it evolves.
An in-depth technical analysis of NetDooka as well as indicators of compromise (IOCs) can be viewed in Trend Micro's report linked below.
Threat Actor Activity
Newly Discovered "Operation CuckooBees" Cyber Espionage Campaign Attributed to the Winnti APT
Researchers at Cybereason, a defense-focused cybersecurity company headquartered in Boston, discovered a sophisticated cyber espionage campaign targeting technology and manufacturing organizations in North America, Europe, and Asia. Dubbed "Operation CuckooBees," the campaign had been operating undetected since at least 2019, siphoning intellectual property from its victims. Targeted data includes sensitive documents, blueprints, diagrams, formulas, and proprietary "manufacturing-related" data, as well as information useful for future attacks, such as network architecture, user accounts and credentials, employee emails, and customer data. Cybereason researchers have attributed Operation CuckooBees, with a moderate-to-high degree of confidence, to the Chinese-sponsored Winnti APT group (also called APT 41, BARIUM, and Blackfly). This APT group has existed since at least 2010 and specializes in cyber espionage and intellectual property theft. The researchers also uncovered new malware added to the group's toolkit. Dubbed "DEPLOYLOG," it assists the threat actors in executing the WINNKIT rootkit, a malware used in previous Winnti campaigns. The rootkit used in the campaign carries a compilation timestamp dating back to 2019, yet at the time of discovery it was detected by only one (1) antivirus solution on VirusTotal. This single detection is a testament to Winnti's devotion to remaining stealthy. The threat actor has also updated existing tools, such as Spyder Loader and PRIVATELOG, and has developed multiple new techniques, including leveraging the Windows Common Log File System (CLFS) and NTFS to conceal payloads and evade detection. The fallout of this campaign has yet to be seen, and no specific organizations have admitted to being affected by this APT. CTIX analysts will continue to monitor the Winnti APT group and will provide updates on new developments.
- DarkReading: Operation CuckooBees Article
- Cybereason: Operation CuckooBees Report
- Cybereason: Winnti Techniques Report
- Cybereason: Winnti Malware Report
Four Ransomware Strains Targeting the APAC Region Attributed to North Korean Hackers
Christiaan Beek, lead scientist in Trellix's threat research division, released a report that attributed four (4) previously unaffiliated ransomware families to Unit 180, an element of North Korea's cyber army. Known as "BEAF," "PXJ," "ZZZZ," and "ChiChi," these four ransomware strains are often found targeting Asia-based companies, where ransomware attacks are not often reported. As a result, these malware strains are not well known to many security researchers, allowing the ransomware to spread without attempts at attribution. The researchers reviewed code similarity among the ransomware strains and found a connection between BEAF, ZZZZ, PXJ, and a DPRK-attributed ransomware known as "VHD." They then determined that ZZZZ was almost a direct clone of BEAF, sharing most of its main functionality. The researchers also used code visualization, mapping strings of data to colors in an image, to find multiple overlaps between the four families. The same ProtonMail email address was found in the ransom notes of both the ChiChi and ZZZZ samples, further connecting them. The researchers attempted to trace the Bitcoin wallet transactions but ultimately determined that the transactions made by each ransomware family did not overlap with the others. North Korea is unique in its financially motivated threat groups; while other countries conduct cyber espionage, North Korea is focused on creating these ransomware strains. It is well known that the DPRK uses the money stolen from these ventures to fund its nuclear and missile programs, highlighting the dangers of paying ransoms to these threat groups.
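The code-similarity comparison the Trellix researchers relied on can be illustrated with a small byte-level shingling script. This is an added example, not code from the Trellix report; the three samples are constructed byte patterns standing in for code sections (one base sample, a lightly patched copy of it, and an unrelated one), and the 4-byte n-gram size and 0.9 clone threshold are assumptions chosen for the illustration.

```python
"""Byte n-gram Jaccard similarity as a first-pass code-similarity measure.

Constructed example: the samples below are synthetic byte patterns, not real
ransomware bytes. The technique (shingle each sample into overlapping
n-byte sequences, then compare the sets) is what lets an analyst notice that
one family is a near-clone of another before any manual disassembly.
"""


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of every length-n byte sequence in `data` (a shingling of the code)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """|A intersection B| / |A union B|: 1.0 for identical sets, 0.0 for disjoint ones."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def code_similarity(x: bytes, y: bytes, n: int = 4) -> float:
    """Similarity score in [0, 1] between two byte blobs."""
    return jaccard(byte_ngrams(x, n), byte_ngrams(y, n))


def similarity_matrix(samples: dict, n: int = 4) -> dict:
    """Pairwise similarity for every unordered pair of named samples."""
    names = sorted(samples)
    grams = {k: byte_ngrams(samples[k], n) for k in names}
    return {(a, b): jaccard(grams[a], grams[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


def likely_clones(samples: dict, threshold: float = 0.9, n: int = 4) -> list:
    """Pairs whose similarity meets the threshold (ASSUMED threshold of 0.9)."""
    return sorted(pair for pair, score in similarity_matrix(samples, n).items()
                  if score >= threshold)


# Constructed stand-ins for code sections (synthetic, not real malware).
BASE = bytes(range(256)) * 2                                 # "family A"
CLONE = BASE[:400] + b"\xcc" * 8 + BASE[408:]                # A with an 8-byte patch
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(512))   # different code entirely

SAMPLES = {"sample_A": BASE, "sample_A_patched": CLONE, "sample_B": UNRELATED}

if __name__ == "__main__":
    for pair, score in similarity_matrix(SAMPLES).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.3f}")
    print("likely clones:", likely_clones(SAMPLES))
```

The patched copy keeps every n-gram of the base sample and adds only a handful around the patch, so its score stays close to 1.0, while the unrelated sample shares no n-grams at all. On real binaries an analyst would run this over extracted code sections and then confirm hits manually, exactly the step the Trellix team describes with their visualization work.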
Vulnerabilities
Critical Vulnerability in F5 BIG-IP Could Lead to Complete System Takeover
The Cybersecurity and Infrastructure Security Agency (CISA) and F5 Technologies published an advisory warning of a critical vulnerability affecting the F5 BIG-IP Traffic Management User Interface. If exploited, this flaw could allow unauthenticated attackers to send undisclosed requests that bypass authentication and achieve arbitrary code execution, potentially leading to a total system takeover. BIG-IP serves multiple functions, acting as a network load balancer and as a full proxy that can inspect, encrypt, and decrypt any network traffic passing through a particular network. The flaw, tracked as CVE-2022-1388, lies in the iControl REST component, which allows rapid communication between users and F5 BIG-IP devices at a low system resource cost. This vulnerability poses an even greater risk because of how widely enterprise organizations deploy F5 BIG-IP. Threat actors may begin exploiting this vulnerability to gain initial access to a target network, allowing them to move laterally and conduct other malicious activity. Scans with Shodan, a popular search engine for Internet-connected devices, indicate that there are currently 16,142 F5 BIG-IP systems susceptible to attack, mainly located in the US, followed by China, India, Australia, and Japan. F5 has released security patches for all versions of BIG-IP except 12.1.0 - 12.1.6 and 11.6.1 - 11.6.5 and urges any administrators or users running an unpatched version to upgrade to the latest fixed release immediately. Because of its enterprise popularity, many organizations using F5 BIG-IP may not be able to patch immediately without impacting business processes. For those cases, F5 has offered three (3) manual exploit mitigation techniques.
The F5 and CISA advisory states that, depending on the organization's capabilities, administrators can block all access to the iControl REST component, restrict the management interface so that only trusted users and devices can reach it, or modify the configuration of BIG-IP httpd. CTIX analysts predict that it will only be a matter of time before threat actors locate and exploit vulnerable instances, and we expect to see a steady increase in scans for this flaw in the coming months. Analysts urge any and all customers running vulnerable instances of F5 BIG-IP to upgrade to the latest secure version or apply one of the three (3) mitigations listed above.
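Two checks a defender would want to run against the facts in this advisory: whether a reported BIG-IP version falls in a branch the advisory says received no fix (12.1.0 - 12.1.6 and 11.6.1 - 11.6.5), and whether management-plane access logs show iControl REST requests arriving from anything other than the trusted management networks the second mitigation is meant to enforce. The script below is an added example written here, not code from F5 or CISA. It assumes that iControl REST is served under the `/mgmt/` URI prefix, that the httpd access log is in Apache combined format, and that the trusted network, request paths, and source addresses in the sample are constructed values.

```python
"""Triage helpers for the CVE-2022-1388 advisory summarized above.

Check 1: is a BIG-IP version in a branch that F5 did not patch?
Check 2: do httpd access logs show iControl REST requests from sources outside
         the trusted management allowlist (an after-the-fact check on the
         "restrict the management interface" mitigation)?
"""
import ipaddress
import re

# Version branches the advisory lists as having no fix available.
UNPATCHED_BRANCHES = [((12, 1, 0), (12, 1, 6)), ((11, 6, 1), (11, 6, 5))]


def parse_version(version: str) -> tuple:
    """'16.1.2.2' -> (16, 1, 2); only the first three fields decide the branch."""
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts[:3])


def in_unpatched_branch(version: str) -> bool:
    """True when the version lies inside a range the advisory says was not patched."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in UNPATCHED_BRANCHES)


# ASSUMPTION: the trusted management network for this example (constructed value).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# ASSUMPTION: iControl REST is exposed under this URI prefix on the management interface.
ICONTROL_REST_PREFIX = "/mgmt/"

# ASSUMPTION: httpd access log lines follow the Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def untrusted_rest_requests(log_lines) -> list:
    """Return (src, method, path, status) for every iControl REST request whose
    source address is outside TRUSTED_MGMT_NETS. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ICONTROL_REST_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source field; not an IP address
        if any(src in net for net in TRUSTED_MGMT_NETS):
            continue
        hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.10.0.5 - admin [06/May/2022:10:01:12 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1530',
    '10.10.0.9 - - [06/May/2022:10:02:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4021',
    '203.0.113.7 - - [06/May/2022:10:03:05 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 220',
    '198.51.100.23 - - [06/May/2022:10:03:06 +0000] "GET /mgmt/tm/ltm/virtual HTTP/1.1" 200 980',
]

if __name__ == "__main__":
    for ver in ("16.1.2", "12.1.3", "11.6.5"):
        state = "no fix available; mitigate" if in_unpatched_branch(ver) else "fixed release exists; upgrade"
        print(f"BIG-IP {ver}: {state}")
    for hit in untrusted_rest_requests(SAMPLE_LOG):
        print("iControl REST request from outside the management allowlist:", hit)
```

Both hits in the sample come from addresses outside the management network, one of them a successful request, which is exactly what the "restrict the management interface" mitigation should make impossible; seeing such lines after applying it means the restriction is not in effect. Versions in the unpatched branches get no upgrade path from this advisory, so for them the three mitigations are the only option until the device is migrated.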
Cisco Patches Critical Vulnerabilities Affecting NFVIS
The Cybersecurity and Infrastructure Security Agency (CISA) published an advisory after Cisco patched multiple security vulnerabilities, two (2) of them rated critical. The flaws affect Enterprise NFV Infrastructure Software (NFVIS), a Linux-based software platform designed to deploy virtualized network functions that act as virtual routers, switches, and other networking-related IoT devices. Exploitation of these critical vulnerabilities could allow attackers to inject commands that execute with root privileges, potentially letting them escape the virtualized guest and compromise the underlying host. The first critical flaw, tracked as CVE-2022-20777, stems from insufficient guest restrictions in the Enterprise NFVIS Next Generation Input/Output (NGIO) feature and allows unauthenticated attackers with only guest permissions to send API calls that execute as root on the NFVIS host. The second critical flaw, tracked as CVE-2022-20779, is described as an improper input validation vulnerability: an attacker who installs a maliciously crafted virtual machine (VM) image can inject commands that also execute with root privileges. The CTIX team recommends that all organizations deploying this architecture update to the latest stable version immediately.
Emerging Technology
United States National Security Memorandum Signed Regarding Quantum Computer Risks to Cryptographic Systems
On May 4, 2022, the Biden administration published a national security memorandum (NSM) directing government agencies to mitigate the risks posed by cryptanalytically relevant quantum computers (CRQC) to US national security. The NSM's stated purpose is to identify "key steps needed to maintain the Nation's competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation's cyber, economic, and national security." It explains that a CRQC will be capable of breaking "much of the public-key cryptography used on digital systems across the United States and around the world," which could "jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions." To counter these risks, the White House is promoting several leadership objectives for the United States: pursuing a "whole-of-government and whole-of-society strategy to harness the economic and scientific benefits of QIS, and the security enhancements provided by quantum-resistant cryptography"; seeking to "encourage transformative and fundamental scientific discoveries through investments in core QIS research programs"; and seeking to "foster the next generation of scientists and engineers with quantum-relevant skill sets, including those relevant to quantum-resistant cryptography." The NSM also calls for mitigations for public standards that rely on potentially vulnerable public-key cryptography. The current goals consist of US agencies prioritizing "the timely and equitable transition to cryptographic systems to quantum-resistant cryptography" and "mitigating as much of the quantum risk as is feasible" by 2035, as well as publicizing technical standards for specific jurisdictions by 2024.
Additional goal timelines and overall details can be reviewed in the NSM linked below.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.