Enemybot Botnet Observed Exploiting Critical Vulnerabilities to Expand Its Potential Targets
"Enemybot," an internet of things (IoT) botnet, has been observed expanding its potential target scope by exploiting critical vulnerabilities that allow it to spread to new types of devices. AT&T Alien Labs researchers detailed that the malware is now targeting IoT devices, web servers, Android devices, and content management system (CMS) servers via exploiting recently disclosed critical vulnerabilities in various software and systems. Some of the targeted services include VMware Workspace ONE, WordPress, Adobe ColdFusion, and PHP Scriptcase. Enemybot was first discovered in March 2022 by Securonix researchers and is suspected to be distributed by the Keksec threat group (also known as Kek Security or FreakOut). The original botnet code used by Enemybot is comprised of Mirai, Qbot, and Zbot, as well as custom developments made by the threat actor. The malware exploits twenty-four (24) vulnerabilities, including Log4j (CVE-2021-44228 and CVE-2021-45046), a F5 BIG IP remote code execution (RCE) flaw (CVE-2022-1388), and a VMware Workspace ONE RCE flaw (CVE-2022-22954). Enemybot also exploits vulnerabilities not yet tracked via CVE, such as a Razer Sila command injection flaw (April 2022), a PHP Scriptcase 9.7 RCE flaw (April 2022), and an Adobe ColdFusion 11 RCE flaw (February 2022). It is recommended that administrators enable automatic software updates, utilize a configured firewall, maintain minimal exposure to the Internet, and monitor network traffic for unusual activity. A full list of exploited vulnerabilities, indicators of compromise (IOCs), and a deeper technical analysis of Enemybot can be viewed in Alien Labs report linked below.
FBI Alerts of an Increase in Higher Education Credentials Sold on Hacker Forums
The FBI released a new warning to colleges and universities across the US about an increase in network and virtual private network (VPN) credentials appearing on underground forums and on the dark web. The credentials are "often a byproduct of spear-phishing, ransomware, or other cyber intrusion tactics," suggesting that these credentials are not specifically targeted by threat actors, but instead are the side effect of attacks aimed at higher education. These credentials are often sold by initial access brokers to cybercriminals, such as ransomware operators and state-sponsored threat actors who can leverage them to pivot across the network and deploy ransomware, malware, or spy on the organization. The FBI noted a specific campaign from 2017 targeting .edu email accounts by cloning college's login pages and using them in targeted phishing attacks. These types of phishing attacks against higher education have increased with new COVID themed campaigns and could explain a part of the increase in stolen credentials identified on underground forums and marketplaces. The FBI has detailed a list of recommendations in their alert, which can be found below. CTIX analysts recommend universities and colleges recently impacted by a cybersecurity breach consider engaging a dark web monitoring service to discover potential credential leaks on underground forums.
Threat Actor Activity
SilverTerrier Organization Leader Arrested
After a year-long investigation conducted with the assistance of Interpol, Nigerian authorities arrested the suspected leader of the SilverTerrier threat organization in March 2022. SilverTerrier primarily targets entities throughout the technology, education, and manufacturing industries and has been active in the threat landscape since 2014. The operation, dubbed Operation Delilah by authorities, was assisted by intelligence from the private sector, including Trend Micro, Palo Alto, and Group-IB. According to security researchers from Unit 42, the SilverTerrier leader was involved in the creation of over 200 domains, some of which are command-and-control (C2) nodes for the group's malicious payloads, including LokiBot. The arrest of SilverTerrier’s leader is the third in a series of law enforcement actions against the group. In November 2020, three (3) SilverTerrier-connected threat actors were arrested by Nigerian authorities and charged with a series of schemes that ultimately impacted over 500,000 entities across 150 countries since 2017. In December 2021, eleven (11) additional threat actors, six (6) of whom were believed to be part of SilverTerrier, were arrested in an operation dubbed Operation Falcon. Specific charges against the group's leader have not yet been disclosed by authorities, however CTIX continues to track the operation and will provide additional insight once more information is released by authorities.
Multiple WSO2 Products Vulnerable to Remote Code Execution
Trend Micro Research observed and disclosed the active exploitation of a vulnerability affecting WSO2 products that was patched in April 2022. WSO2 is a popular middleware vendor that sells open source, cloud-ready application program interface (API) management software, allowing users to efficiently design, and maintain APIs. The vulnerability, tracked as CVE-2022-29464, is an improper input validation flaw that allows for unrestricted file upload, and its successful exploitation would allow an attacker to upload a maliciously crafted payload via an arbitrary remote code execution (RCE). According to Trend Micro, the exploitation of this flaw is rather simple, and vulnerable WSO2 devices can be easily found via Google or Shodan searches. WSO2 products are considered some of the most valuable infiltration assets for threat actors because they are open-source Identity Access Management (IAM) products and are leveraged in virtually every sector including healthcare, finance, and energy due to their industry popularity. If threat actors successfully exploit the targeted IAM servers, they could access all of the data and services provided by the servers. Although this vulnerability was successfully patched in April, there are still many WSO2 products In-the-Wild that haven't implemented the patch for this flaw. CTIX analysts urge all administrators leveraging and maintaining these WSO2 products to update to the most recent secure version. Since this flaw continues to be a valuable vector regardless of the patch, threat actors have been modifying and working tirelessly to circumvent the latest security measures. Administrators should exercise persistent due diligence with regard to their networks to defend against these types of attacks, to include an ongoing process of manually checking defense around WSO2 products, to delete anything that doesn't belong like unknown files, old user accounts, or deprecated processes.
Microsoft Issues Mitigation Techniques for Actively Exploited Zero-Day Vulnerability Known as "Follina"
A critical Microsoft zero-day vulnerability was mitigated over the Memorial Day 2022 weekend. The flaw, tracked as CVE-2022-30190 (aka "Follina"), was reported by "crazyman" of Shadow Chaser Group, a sub-group of GcowSec that focuses specifically on APT hunts and analysis. The vulnerability affects the Microsoft Windows Support Diagnostic Tool (MSDT) and occurs when the MSDT is called via the URL protocol from an application such as Microsoft Word. For the successful exploitation of Follina, simply opening the malicious Word document executes PowerShell commands locally, leading to arbitrary code execution (ACE), utilizing the privileges of the calling application. Once exploited, attackers can perform malicious actions such as installing malware, viewing and changing data, creating new privileged user accounts, and creating malicious child processes. The Follina zero-day poses an unprecedented risk to Microsoft Office products due to it functioning without having to secure elevated privileges, as well as not having to have embedded macro code that executes the malicious scripts and files. This allows the exploit to bypass Windows Defender's detection because the malicious code loads remotely and the malicious Word document doesn't get flagged as a threat because there are no embedded macros or scripts, just references to them. Multiple security researchers have analyzed the vulnerability and produced working Proof-of-Concept (PoC) exploits that apply to multiple versions of Microsoft Office. If left unmitigated, attackers can leverage this vulnerability to spread laterally across the victim network, as well as collect hashes of Windows passwords allowing for follow-on malicious activity. This bug was first reported to Microsoft in April 2022; however, Microsoft closed it as "fixed" due to being unable to replicate the exploit. Now that there are working PoCs, CTIX analysts predict that Microsoft will release an emergency patch in the near future. Until then, the company has published a mitigation technique to disable the MSDT URL protocol via Command Prompt as Administrator. Additional details can be found in the guidance provided by the Microsoft Security Response Center (MSRC) advisory linked below.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.