Ukraine's CERT-UA Releases Advisory Regarding Wave of Chemical Attack-Themed Phishing Emails
The Computer Emergency Response Team of Ukraine (CERT-UA) published an advisory on May 7, 2022, detailing a wave of phishing emails that deliver the "Jester Stealer" malware using chemical attack-themed lures and target individuals living in Ukraine. The scare tactic exploits the war between Russia and Ukraine to maximize the chance that recipients open the email and its attachment. The machine-translated lure reads: "Today the information was received that chemical weapons will be used at 01.00 at night, the authorities are trying to hide it in order not to panic the population. Urgently get acquainted with the place where chemical weapons will be used and the places of special shelters where we will be safe. Help us to disseminate the information attached to the document in the letter as much as possible. map of the zone of chemical damage." The message carries a Microsoft Excel document; if the recipient opens it and allows its macros to run, the macro fetches an executable from a remote server and runs it on the victim's computer. That executable downloads Jester Stealer, a known information-stealing trojan that "steals data stored in browsers such as account passwords, messages on email clients, discussions on IM apps, and cryptocurrency wallet details." CERT-UA noted that this sample implements anti-analysis functionality but no persistence mechanism, so it does not install itself to survive a reboot. Jester Stealer is sold for $99 per month or $249 for lifetime access, and the threat actor behind this campaign against Ukraine is unknown at this time. CTIX analysts will continue to monitor for malware that uses the war in Ukraine as a lure.
Threat Actor Activity
Costa Rica Issues State of Emergency Over Conti Ransomware Attack
Following a massive Conti ransomware attack against the Costa Rican government in mid-April, the President of Costa Rica declared a national cybersecurity emergency. The attack took the online services of the affected government organizations offline, and they are not yet fully operational. Conti demanded a $10 million ransom, which the President refused to pay. Thus far, the Ministries of Finance, Technology, Science, Innovation, Telecommunications, and Labor & Social Security have been affected, alongside the Social Development and Family Allowances Fund, the National Meteorological Institute, the Costa Rican Social Security Fund, and the Interuniversity Headquarters of Alajuela. On May 8, 2022, Conti threat actors stated that "It is impossible to look at the decisions of the administration of the President of Costa Rica without irony, all this could have been avoided by paying you would have made your country really safe, but you will turn to Bid0n and his henchmen, this old fool will soon die." Conti also dumped the majority of the 672 gigabytes (GB) of data exfiltrated during the attack. Because analysis of this large leak is still ongoing, it is difficult at this time to identify every type of personally identifiable information (PII) that was exfiltrated, or what other information the threat actors obtained. CTIX continues to monitor threat actors worldwide and will provide additional updates accordingly.
Critical Microsoft Azure Vulnerability Named "SynLapse" Could Allow Attackers to Take Control of Other Users' Synapse Workspaces
Microsoft has patched a critical vulnerability dubbed "SynLapse," which impacts the Azure cloud platform's Data Factory and Synapse Pipelines. If exploited, the vulnerability allowed an attacker who could run jobs in a Synapse pipeline to achieve Remote Code Execution (RCE) on the shared Integration Runtime (IR). From there, the attacker could pilfer sensitive data such as service certificates and keys, passwords, and API tokens, ultimately gaining access to and control of other customers' Synapse instances. The flaw, tracked as CVE-2022-29972, exists in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift from the IR computing infrastructure used by Azure. Although the flaw is now patched, researchers from Orca Security state that they bypassed Microsoft's earlier fixes several times before the final patch, suggesting that the underlying weakness lies in the general architecture of Azure Synapse and Data Factory rather than in a single bug. Microsoft urges all Data Factory and Synapse customers to update to the latest version immediately, which in practice means updating any self-hosted Integration Runtime that does not have auto-update enabled, and to configure a Managed Virtual Network to isolate their workspaces from the internet. Note that a Managed Virtual Network can only be enabled when a Synapse workspace is created, so existing workspaces must be recreated to benefit from it. At this time there is no evidence that this flaw has been exploited in the wild, and the CTIX team will continue to track this matter, providing updates as needed.
A Critical Vulnerability Affecting F5 BIG-IP is Being Actively Exploited by Threat Actors
UPDATE TO 5/6/22 FLASH UPDATE: As predicted by CTIX analysts, a critical vulnerability affecting the iControl REST component of F5's BIG-IP is being actively scanned for and massively exploited by threat actors. The flaw, tracked as CVE-2022-1388, allows unauthenticated attackers to send undisclosed requests that bypass authentication and achieve arbitrary code execution, potentially leading to a complete system takeover. On May 9, 2022, researchers announced on Twitter that multiple working Proof-of-Concept (PoC) exploits had been created, demonstrating how attackers can use them against an internet-exposed F5 management endpoint. A researcher from Cronup Security has reportedly observed threat actors dropping PHP webshells on vulnerable systems, executing them, and then purging them. Although a patch is available, the enterprise popularity of F5's BIG-IP means many organizations have yet to update their instances because of the disruption to business processes. If administrators cannot patch at this time, F5 offers three (3) temporary mitigations: blocking iControl REST access through the self IP address, blocking iControl REST access through the management interface, and modifying the BIG-IP httpd configuration. The first two reduce exposure of the management plane rather than fixing the flaw, so patching remains the only complete remediation. According to Shodan, there are still thousands of unpatched vulnerable instances, and the Ankura CTIX team expects to see a steady increase in exploitation of this vulnerability now that working PoCs are publicly available.
New Malware Found Hiding in Windows Event Logs
Kaspersky researchers discovered a new malware dubbed "SilentBreak," which stores its payload inside Windows event logs and runs it in memory. A custom dropper copies the legitimate, Microsoft-signed executable "WerFault.exe" into the "C:\Windows\Tasks" directory so that it can be launched as an automatically executed task. The dropper then places a malicious DLL named "wer.dll" in the same directory; because the copied WerFault.exe resolves a library of that name from its own directory first, the legitimate program ends up loading the attacker's code (DLL search-order hijacking). The DLL's entry point writes the malicious shellcode into the event logs if it is not already present, then reassembles the stored data into executable code in memory and runs it. The later stages combine open-source code from GitHub with commercial tooling such as Cobalt Strike to gather more information about the infected machine. Kaspersky researchers assess the threat actor as sophisticated, and because the malware is modular, it is likely still in development. The researchers were unable to attribute the malware to a specific threat actor or location because it shares no code with other known malware. CTIX analysts predict that more malware will adopt this technique, especially since Proof-of-Concept (PoC) code for hiding malware in Windows event logs has been released on GitHub.
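The following hunting script is an added example written for this update; it is not code from Kaspersky's report or from the malware. It checks for the two artifacts described above (a copy of WerFault.exe and a wer.dll in C:\Windows\Tasks, plus any scheduled task that launches from that directory) and then applies a generic heuristic for shellcode stashed in event records: events whose binary payload is unusually large. The size threshold and the default list of logs to search are assumptions, not documented indicators, so tune both to your environment.

```powershell
# Added hunting script (assumptions noted inline). Run from an elevated PowerShell session.
# A genuine WerFault.exe lives in System32; any copy under C:\Windows\Tasks is suspicious on its own.

$TasksDir = Join-Path $env:SystemRoot 'Tasks'

function Test-WerFaultSideload {
    # Reports WerFault.exe / wer.dll present in the Tasks directory and their signature state.
    [CmdletBinding()]
    param([string]$Directory = $TasksDir)

    $findings = @()
    foreach ($name in 'WerFault.exe', 'wer.dll') {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += [pscustomobject]@{
                Path      = $path
                Bytes     = (Get-Item -LiteralPath $path).Length
                Signature = $sig.Status                     # 'Valid' for a copied Microsoft binary
                Signer    = $sig.SignerCertificate.Subject  # $null when the file is unsigned
            }
        }
    }
    return $findings
}

function Get-TaskLaunchingFromTasksDir {
    # Scheduled tasks whose action executes anything stored under C:\Windows\Tasks.
    [CmdletBinding()]
    param([string]$Directory = $TasksDir)

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -like "$Directory*") {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Find-OversizedEventPayloads {
    # Heuristic (assumption): shellcode written into event records shows up as an event property
    # holding a large byte array. Normal events rarely carry binary blobs of several kilobytes.
    [CmdletBinding()]
    param(
        [string[]]$LogName  = @('Application', 'System'),  # assumption: extend to other logs as needed
        [int]$MinBytes      = 4096,                         # assumption: threshold for "unusually large"
        [int]$MaxEvents     = 50000
    )

    foreach ($log in $LogName) {
        Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ev = $_
                foreach ($prop in $ev.Properties) {
                    if ($prop.Value -is [byte[]] -and $prop.Value.Length -ge $MinBytes) {
                        [pscustomobject]@{
                            TimeCreated = $ev.TimeCreated
                            LogName     = $ev.LogName
                            Provider    = $ev.ProviderName
                            EventId     = $ev.Id
                            Bytes       = $prop.Value.Length
                        }
                    }
                }
            }
    }
}

# Usage: run all three checks and print whatever they find.
Test-WerFaultSideload          | Format-Table -AutoSize
Get-TaskLaunchingFromTasksDir  | Format-Table -AutoSize
Find-OversizedEventPayloads    | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

A hit from the first two functions is a strong signal by itself, since nothing legitimate installs WerFault.exe under the Tasks directory. The event-log heuristic will surface benign large payloads too (crash dumps, some driver events), so treat its output as a triage list: look for runs of same-sized binary records from one provider, which is what chunked shellcode looks like, and carve the bytes out for analysis rather than relying on the size alone.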
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence on recent threat group and actor activity and on newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.