Austrian State of Carinthia Hit by ALPHV Ransomware Attack
The Austrian state of Carinthia was hit by a ransomware attack on Tuesday, May 24, 2022, by the ALPHV ransomware group (aka BlackCat). The attack led to severe operational disruption of government services, impacting the issuance of new passports and traffic fines as well as COVID-19 contact tracing, among others. It is estimated that 3,000 IT workstations have been affected by the attack, and Carinthia's email service and website are currently offline. ALPHV has demanded a ransom of $5 million in bitcoin for decryption software, but the head of Carinthia's press service has stated that the ransom will not be paid as "there is no evidence that data was actually siphoned off, moreover, all data is backed up on backup systems." ALPHV has yet to upload a posting on their leak site regarding exfiltrated data from Carinthia. A portion of machines are expected to be available for use starting today, May 27, 2022. CTIX analysts will continue to track ALPHV's activity and provide necessary updates when available.
Malicious PDFs Used in New Malware Campaign
Researchers at HP Wolf Security released a report on May 20, 2022, regarding a new malware distribution campaign utilizing malicious PDFs to deliver the "Snake Keylogger" malware. A PDF document is not a common malware delivery method, as malicious emails typically involve Word ".docx" or ".xls" attachments that are laced with malicious macros, and this shift demonstrates threat actors' evolving tactics to counter users who are becoming more educated. The observed campaign involved a PDF document titled "REMMITANCE INVOICE.pdf" that, once opened by the researchers in Adobe Reader, prompted the victim to open an embedded ".docx" file. This Word document is interestingly titled "has been verified. However PDF, Jpeg, xlsx, .docx". This naming convention was chosen in order to make the file name blend into the prompt's text and appear non-suspicious. Once the victim opened the file and protected view was disabled, Word downloaded a Rich Text File (".rtf") titled "f_document_shp.doc" from a remote web server. The file contained malformed object linking and embedding (OLE) objects in order to bypass analysis and eventually attempted to exploit a past remote code execution (RCE) vulnerability in Microsoft Equation Editor, which is tracked as CVE-2017-11882. The researchers emphasized that the exploit shellcode was encrypted, which is an example of the threat actor attempting to bypass detection. Snake Keylogger, a known information-stealing malware identified as "fresh.exe," is then downloaded. Analysts noted this campaign is interesting due to its utilization of three (3) methods to stay under the radar ("embedding files, loading remotely-hosted exploits and encrypting shellcode"), its unusual use of PDF, and its use of a four (4)-year-old vulnerability that appears to still be effective. CTIX analysts will continue to release updates on malware distribution campaigns' evolving intrusion methods.
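As an added illustration (not code from the HP Wolf Security report or from this newsletter), the following Python script performs the static triage a defender would run on an inbound PDF of the kind described above: it counts the PDF keywords that mark file attachments and automatic actions, extracts attachment file names, and flags an Office document embedded in a PDF that also carries an on-open action. Both sample PDFs are constructed and minimal; the decoy attachment name is taken from the campaign description, the attachment body is a placeholder, and the script's keyword scan only sees uncompressed PDF syntax, so it also reports whether object streams are present, since those can hide the same markers from a plain byte scan.

```python
import re

# Constructed sample: an uncompressed PDF skeleton carrying an attachment whose
# name mimics the decoy described in the campaign. The attachment payload is a
# four-byte placeholder, not a real document, and the on-open action is a stub.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles << /Names [(decoy) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (placeholder script) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one page of text, no attachments, no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Hello, world) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that indicate attachments or code/actions that run on open.
RISKY_KEYWORDS = [b"/EmbeddedFile", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch"]

# Attachment extensions worth a second look when found inside a PDF.
OFFICE_EXT = re.compile(rb"\.(docx?|docm|xlsx?|xlsm|rtf|exe|js|vbs|scr)\b", re.I)

# /F (name) or /UF (name) inside a /Filespec dictionary; handles \-escaped parens.
ATTACH_NAME = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)")


def scan_pdf(data: bytes) -> dict:
    """Count risky keywords and list attachment names in raw PDF bytes."""
    findings = {}
    for kw in RISKY_KEYWORDS:
        # Negative lookahead keeps /EmbeddedFile from also matching /EmbeddedFiles.
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))
        if n:
            findings[kw.decode()] = n
    names = [m.decode("latin-1") for m in ATTACH_NAME.findall(data)]
    findings["attachment_names"] = names
    findings["office_attachments"] = [n for n in names if OFFICE_EXT.search(n.encode("latin-1"))]
    # Object streams (/ObjStm) can carry the same dictionaries in compressed form.
    findings["object_streams"] = data.count(b"/ObjStm")
    return findings


def assess(findings: dict) -> dict:
    """Turn raw findings into a triage level plus the reasons behind it."""
    signals = []
    if findings["office_attachments"]:
        signals.append("embeds an Office or script file: " + ", ".join(findings["office_attachments"]))
    if findings.get("/OpenAction") and (findings.get("/JavaScript") or findings.get("/Launch")):
        signals.append("runs a script or launch action automatically on open")
    elif findings.get("/EmbeddedFile"):
        signals.append("contains an embedded file stream")
    level = "suspicious" if len(signals) >= 2 else "review" if signals else "clean"
    caveat = ""
    if findings["object_streams"]:
        caveat = "object streams present; decompress before trusting a clean result"
    return {"level": level, "signals": signals, "caveat": caveat}


if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, assess(scan_pdf(pdf)))
```

To run this against real mail attachments, read each file as bytes and pass it to scan_pdf; a result of "clean" with a non-empty caveat should be treated as undecided rather than safe, and a tool that inflates object streams (for example a full PDF parser) should be used before discarding the file.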
Threat Actor Activity
Recent Conti Ransomware Activity
Conti Ransomware threat actors have leaked all exfiltrated data from their attack on Linn County, Oregon government servers onto their leak site. Back in January 2022, Conti threat actors compromised two (2) active directories of government servers in Oregon, causing the government website to go temporarily offline. When Conti demanded an undisclosed ransom for the exfiltrated information, Linn County authorities refused to pay. Since the ransom was not paid, Conti leaked the exfiltrated information to their leak site. The leaked data contained about 1,500 files considered non-sensitive information that "would likely be considered public records under Oregon Law," according to a Linn County official. Conti continues to post leaked information to their leak site despite the fact that a majority of their infrastructure has recently shut down, leading security researchers to debate what Conti's motives and goals truly are. Whether this reflects upgraded infrastructure, a transitional phase, or a reinvention, Conti remains an active key player within the ransomware landscape and is likely to continue its work in the coming months. CTIX analysts continue to monitor threat actor activity worldwide and will provide updates accordingly.
QCT Servers Vulnerable to 2019 "Pantsdown" Critical Vulnerability
Quanta Cloud Technology (QCT) patched a critical flaw after researchers from the cybersecurity firm Eclypsium disclosed the presence of the notorious "Pantsdown" vulnerability affecting multiple ASPEED Baseboard Management Controller (BMC) firmware stacks and hardware used in some QCT data center servers. The ASPEED BMC implements Advanced High-performance Bus (AHB) bridges, which allow for arbitrary read/write access to the BMC physical host address or network address. This vulnerability, tracked as CVE-2019-6260, specifically impacts the AHB bridges, and successful exploitation could allow unauthorized attackers to perform arbitrary remote code execution (RCE) to overwrite the current BMC firmware, allowing them to backdoor the login page to steal credentials, disclose sensitive information, or initiate a Denial of Service (DoS). This flaw was originally identified in 2019, and multiple exploits can be found in the wild. Eclypsium researchers created a new Proof-of-Concept (PoC) exploit that demonstrates how even unsophisticated attackers can easily exploit the vulnerability today. QCT has patched the vulnerability, and administrators should upgrade their infrastructure immediately. Zero-day exploits are virtually impossible to predict efficiently and can introduce substantial chaos to any affected organization. The effects of zero-day exploits are problems that are out of the control of network administrators and defenders, and the chaos stemming from those surprises need not be exacerbated by years-old known vulnerabilities. CTIX analysts urge network administrators (not just those responsible for QCT products) to research the flaws that have historically impacted their infrastructure and ensure that proactive defense is an ongoing process. This will allow many problems to be solved before they ever happen, instead of adding to the turmoil of surprise zero-day vulnerabilities.
Critical Vulnerabilities Affecting the OAS Platform Lead to RCE and REST API Access
Security researchers from Cisco Talos identified eight (8) vulnerabilities affecting the Open Automation Software (OAS) platform, with two (2) of them being deemed critical. OAS is a very popular one-stop-shop data connectivity solution designed to facilitate simplified data transfers between many different proprietary devices like "industrial devices (PLCs, OPCs, Modbus), SCADA systems, IoTs, network points, custom applications, custom APIs, and databases..." The most severe critical vulnerability (CVSS 9.4), tracked as CVE-2022-26833, is an improper authentication vulnerability within the REST API function of OAS that can be exploited by sending maliciously crafted HTTP requests, giving the attacker full access to the REST API. The second critical flaw (CVSS 9.1), tracked as CVE-2022-26082, is described as a file write vulnerability within the Engine SecureTransferFiles functionality of OAS that can be similarly exploited by sending a series of malicious HTTP requests, ultimately leading to remote code execution (RCE). The rest of the identified vulnerabilities are still considered high severity, albeit not critical, and the details can be found in the Cisco Talos Vulnerability Spotlight linked below. Industrial environments are notoriously difficult to upgrade in a timely manner, given that they handle highly complex data connectivity systems that govern critical processes in both business and national infrastructure. Restarting systems to install upgrades will cause unavoidable negative impacts that administrators will have to mitigate and establish contingencies for, but the negative impacts of threat actors successfully exploiting these very high-severity vulnerabilities greatly outweigh the potential operational loss. These flaws have been officially patched, and the CTIX team recommends that any OAS administrators upgrade immediately.
Talos has worked alongside OAS to identify manual mitigations to these flaws, and if processes simply cannot be stopped all at once, administrators should consider using the manual techniques to fill in the gaps in processes, while systematically compartmentalizing and upgrading their vulnerable infrastructure.
Security Researcher Hacks Python and PHP Libraries and Steals AWS Secret Keys, Claims Research Was Not Malicious
The information security community was sent into a panic on May 24, 2022, when a Reddit user discovered that the popular but out-of-date Python library "ctx" had been updated to include malicious AWS secret stealer code. A security researcher also found a PHP library called "PHPass" with similar code sending the stolen data to the exact same endpoint. The supposed threat actor also replaced the original developer's name with their own and leaked their own contact information on the Heroku endpoint used by the malware. One (1) day after the attack, a Medium account named "SockPuppets" posted a blog post titled "How I hacked CTX and PHPass Modules." The author, identified as Yunus Aydın, claimed to be a security researcher conducting non-malicious research into a vulnerability. Following the release of the article, many researchers and professionals in the information security community spoke out against the exfiltration of AWS secret keys. Bug bounty hunter @h4x0r_dz tweeted "What you did to show the impact was wrong!" Aydın stated that "ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED," but provided no way for impacted organizations to confirm that their secrets had actually been deleted, leaving them to rotate all credentials stolen by the malware. These real-world costs could have been avoided with a simpler payload, such as a log entry or basic fingerprinting information. Aydın submitted their research as a report to GitHub on HackerOne, though it was closed as a duplicate shortly after. Seemingly good-faith research conducted in this way can cost companies time and money fixing the mess the researcher leaves behind following their testing. This incident follows the changes to the Computer Fraud and Abuse Act (CFAA) allowing good-faith security research to be conducted without punishment, but it is not clear at this point whether this would fall under "good faith research."
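As an added example (not code from this newsletter, from the researcher, or from the ctx project), the following Python script shows one way a defender can triage installed packages after an incident like this: it parses each module's source with the standard library's ast module and flags files that both read AWS credential environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) and make outbound network calls in the same module. The two module sources below are constructed samples, not the real ctx or PHPass code; the endpoint in the suspicious sample is a placeholder .invalid hostname. This is a static heuristic for prioritising review, not proof of malice: a module can exfiltrate through other means, and a legitimate SDK may read credentials and talk to the network for good reasons.

```python
import ast
import pathlib

# Environment variables that hold AWS credentials. Region or profile settings
# are deliberately excluded so that ordinary configuration reads do not alert.
AWS_SECRET_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Call names that unambiguously open a network connection.
UNAMBIGUOUS_NET = {"urlopen", "urlretrieve", "create_connection",
                   "HTTPConnection", "HTTPSConnection", "sendall"}
# HTTP client modules whose verb methods count as network calls.
HTTP_LIBS = {"requests", "httpx", "urllib3"}
HTTP_VERBS = {"get", "post", "put", "patch", "request"}

# Constructed suspicious sample: a dict subclass whose constructor touches
# cloud credentials and the network. Placeholder endpoint, not a real host.
SUSPICIOUS_SAMPLE = '''
import os
from urllib.request import urlopen

class Ctx(dict):
    def __init__(self):
        super().__init__()
        self.access = os.environ.get("AWS_ACCESS_KEY_ID")
        self.secret = os.environ["AWS_SECRET_ACCESS_KEY"]
        urlopen("https://collector.invalid/")  # placeholder, constructed sample
'''

# Constructed benign sample: reads a non-secret AWS setting and uses HTTP,
# but never reads a credential variable, so it should not be flagged.
BENIGN_SAMPLE = '''
import os, requests

def region():
    return os.getenv("AWS_DEFAULT_REGION", "us-east-1")

def fetch(url):
    return requests.get(url, timeout=5).text
'''


def _str(node):
    """Return the string held by a constant node, else None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def _is_environ(node):
    """True for `os.environ` or a bare `environ` name."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ") or \
           (isinstance(node, ast.Name) and node.id == "environ")


def find_env_reads(tree):
    """Names read via os.environ[...], os.environ.get(...), os.getenv(...) or getenv(...).
    Assumes Python 3.9+, where Subscript.slice is the index expression itself."""
    names = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Subscript) and _is_environ(node.value):
            s = _str(node.slice)
            if s:
                names.append(s)
        elif isinstance(node, ast.Call) and node.args:
            f = node.func
            hit = (isinstance(f, ast.Attribute) and
                   ((f.attr == "get" and _is_environ(f.value)) or
                    (f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os")))
            hit = hit or (isinstance(f, ast.Name) and f.id == "getenv")
            if hit:
                s = _str(node.args[0])
                if s:
                    names.append(s)
    return names


def find_network_calls(tree):
    """Names of calls that open outbound connections."""
    found = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in UNAMBIGUOUS_NET:
            found.append(f.id)
        elif isinstance(f, ast.Attribute):
            if f.attr in UNAMBIGUOUS_NET:
                found.append(f.attr)
            elif f.attr in HTTP_VERBS and isinstance(f.value, ast.Name) and f.value.id in HTTP_LIBS:
                found.append(f"{f.value.id}.{f.attr}")
    return found


def audit_source(source: str, filename: str = "<module>") -> dict:
    """Flag a module that reads AWS credentials and also performs network I/O."""
    tree = ast.parse(source, filename)
    secrets = [n for n in find_env_reads(tree) if n in AWS_SECRET_VARS]
    net = find_network_calls(tree)
    return {"file": filename, "aws_env_reads": secrets, "network_calls": net,
            "flag": bool(secrets and net)}


def audit_tree(root) -> list:
    """Walk a directory (for example a site-packages path) and return flagged modules."""
    flagged = []
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            result = audit_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue  # unparsable file; inspect manually if it matters
        if result["flag"]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    print(audit_source(SUSPICIOUS_SAMPLE, "suspicious_sample.py"))
    print(audit_source(BENIGN_SAMPLE, "benign_sample.py"))
```

A practical invocation is audit_tree on each entry of site.getsitepackages(); every flagged file is then read by a human, and if the read of a credential variable cannot be explained by the package's purpose, the credentials that were present on that host are rotated, which is exactly the cleanup the affected organisations above were left with.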
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days, which typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.