Ransomware/Malware Activity
New Phishing Campaign Utilizing Chatbot-Like Applications to Trick Victims
On March 19, 2022, Trustwave SpiderLabs Blog researchers reported the discovery of a new phishing campaign that utilizes chatbot-like applications to gain victims' contact and payment details. The campaign begins with a phishing email that disguises itself as a shipping update and e-receipt from "DHLexpress," which does not have an email address visible to the victim. The email body contains a button labeled "Please follow our instructions," and contains a hyperlink to a browser that downloads a PDF file. This PDF contains two (2) options for redirecting the victim to the phishing website. The first is through a button labeled "Fix delivery" and the second is through a link below the button. The phishing website is a chatbot-like page that researcher said is used to "engage and establish trust with the victim.” The researchers emphasized that this page does not contain an actual chatbot, as the application has predefined responses hardcoded into the Javascript. The victim is then asked to confirm the tracking number of the "supposedly ordered item." Upon clicking "yes," a picture of a package is shown and the "chatbot" asks the victim to confirm if a home address or business address was used when ordering. Once confirmed, the victim is prompted to click on the "Schedule delivery" button and complete a fraudulent CAPTCHA, which is just an embedded JPEG image file. Once "completed," the user is asked for login credentials, a delivery address, and a form of payment (specifically credit/debit card information). The campaign attempts to further gain the victim's trust by having legitimate-looking input validation methods, specifically in the payment page to check if the card number is valid and to determine what type of card has been entered as well as redirecting the victim to a one-time password (OTP) page after submitting the payment information. Researchers noted this OTP page as interesting because the victim never had to enter their mobile number. The researchers entered in ransom strings of characters five (5) times before the page redirected to a site that claimed the submission was received successfully. This phishing campaign was active as of March 19, 2022. Indicators of compromise (IOCs) associated to this phishing campaign can be viewed in Trustwave's report linked below.
Threat Actor Activity
Twisted Panda Espionage Campaign Against Russian Research Organizations
Russian government agencies are the latest victims of a recent phishing campaign by Chinese threat actors. These actors utilized several tactics, techniques, and procedures (TTP) that possibly link with recent Stone Panda (APT10) espionage campaigns. While some TTPs may correlate with Stone Panda, CheckPoint security researchers have classified them as their own threat group dubbed Twisted Panda. The campaign itself was first discovered in July 2021 targeting entities throughout the Russian nation; in recent events, however, threat actors have targeted two (2) research institutes operated by Rostec, a state-operated defense organization. The phishing emails were themed around institutions being targeted by United States sanctions related to the ongoing Russia-Ukraine conflict. Once opened, the user is met with both a hyperlink and a malware-laced document. The hyperlink directs the user to a malicious cloned website claiming to be the Russian Ministry of Health. The document claims it is from the Russian Ministry of Health but is laced with a multi-layered payload which installs the SPINNER backdoor on the infected system. The specific information being harvested from this backdoor is currently undisclosed, however by targeting research institutions it is likely threat actors are exfiltrating sensitive project documentation and other information wherever possible. CTIX analysts continue to urge users to validate the integrity of all emails prior to downloading any attachments to lessen the chance for threat actor compromise.
Researchers Detail the Inner Workings of the Wizard Spider APT
Researchers from cyber-intelligence company PRODAFT released a report detailing the inner workings of the cybercriminal group Wizard Spider. Wizard Spider (aka. TEMP.MixMaster, GOLD BLACKBURN, FIN12) is the Russian-based operator of the TrickBot banking malware. Following the discontinuation of the TrickBot malware, the operators started working closely with the Conti ransomware gang. In the report, PRODAFT mentions Wizard Spider is uniquely "capable of monetizing multiple aspects of its operations." Typical attacks consist of the group utilizing spam campaigns to distribute malware, such as Qakbot and SystemBC. That malware is used to launch additional tools, such as Cobalt Strike (for lateral movement), and ransomware once all actions have been completed. Wizard Spider has also developed an advanced exploit toolkit allowing them to easily utilize vulnerabilities such as Log4Shell to gain access to networks. In addition, the group has built a "cracking station," which it uses to crack the hashes of domain credentials, Kerberos tickets, KeePass password manager files, and other hashed data. If a company does not respond to ransom demands, operators cold-call victims using a VoIP setup to pressure them into paying. The group has amassed a large number of compromised devices that allow them to send spam and scan for potentially vulnerable systems to add to their botnet. The leaders of Wizard Spider have the operational skills to manage all of these workflows, employees, and compromised devices and are considered one of the most powerful APT groups active today.
Vulnerabilities
CISA Issues Directive Ordering Agencies to Patch a Critical Chain of Vulnerabilities Being Actively Exploited
UPDATE to 4/15/22 FLASH UPDATE: The Cybersecurity and Infrastructure Security Agency (CISA), has published an emergency directive (22-03) titled “Mitigate VMware Vulnerabilities," alongside an alert titled "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control." The directive warns Federal Civilian Executive Branch (FCEB) agencies that they are at great risk for compromise and must comply with the order immediately. The directive follows the active exploitation of two (2) VMware vulnerabilities that the company successfully patched on April 6, 2022. The flaws, tracked as CVE-2022-22954 and CVE-2022-22960, are a server-side template injection remote code execution (RCE) vulnerability, and a local privilege escalation vulnerability, respectively. If exploited, unauthorized threat actors are able to escalate their privileges to root, giving them the access they need to perform the RCE of malicious payloads. At the time the flaws were patched, threat actors had been exclusively exploiting them to execute coinminer payloads in VMware infrastructure that hijack server resources to maintain a blockchain ledger to generate cryptocurrency. However, the exploit also offers threat actors the ability to move laterally across the network, which opens up the opportunities to conduct devastating malicious activity. Depending on the enterprise deployment of VMware instances, shutting down systems to install the new patches may induce a substantial negative impact to business processes. Due to this procrastination, there are still many instances of VMware distributions vulnerable to these flaws, and agencies and companies are beginning to suffer attacks from both state-sponsored and financially motivated threat actors. The issue with vulnerabilities like these, which support massive technical business processes, is that when researchers eventually publish the exploit, bad actors reverse engineer the exploits and patches to find new attack vectors and methods. On May 18, 2022, VMware patched two (2) new vulnerabilities tracked as CVE-2022-22972 and CVE-2022-22973, described as an authentication bypass, and another local privilege escalation vulnerability, respectively. They pose very similar threats to the same VMware products, and now that the exploits are public, threat actors will again, work tirelessly to reverse-engineer them, knowing that many organizations will hesitate to patch. This is why CISA has published the directive, to ensure that this does not happen again, and to hold the FCEB agencies who don't comply accountable. Leaving these types of vulnerabilities unpatched poses a great risk not only to the agencies themselves, but to the third parties they work with. In the alert CISA confirms they have "received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties," however the names of the organizations and threat actors have not been made public. CTIX analysts will continue to monitor this chain of vulnerabilities, and publish updates as needed. We recommend that all administrators leveraging the VMware products listed in the below advisories update to the latest patch immediately.
Honorable Mention
US DOJ Announces New Changes to the Notorious Computer Fraud and Abuse Act
The U.S. Department of Justice (DOJ) revised its policy on how federal prosecutors should handle "good-faith" security research that would have normally fallen under the Computer Fraud and Abuse Act (CFAA). The main part of the act states that it is unlawful to "having knowingly accessed a computer without authorization or exceeding authorized access" but does not define the terms "without authorization," and "exceeding authorized access." This uncertainty has in the past led security researchers to harbor concerns that their good-faith security efforts would expose them to criminal proceedings. The new change is a much-needed step in the right direction, allowing "good-faith testing, investigation, and/or correction of a security flaw or vulnerability," as long as the activity does not harm individuals or the public and promotes security or safety for the tested device, application, or user. This allows security researchers to test devices and online services without the fear of legal prosecution. The new policy even accounts for malicious researchers who attempt to pass off their hacking as good faith research, a technique that has been used by multiple ransomware groups already. Notably, the somewhat new group Black Basta is known to even provide a security report after a company pays their ransom. The policy specifically states that "discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services—might be called “research,” but is not in good faith." While the new policy is a step in the right direction, it still requires federal prosecutors to determine if a particular researcher was acting in good faith. The Electronic Frontier Foundation (EFF) has called for reforms to the CFAA for many years and has developed multiple proposals to address other issues with the act.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
