Ransomware/Malware Activity
New England Medical Services Provider Shields Health Care Group Suffers Data Breach
Shields Heath Care Group (Shields), a medical services provider based in Massachusetts that provides various medical services to over fifty (50) hospitals and clinics across New England, disclosed a data breach that impacts approximately 2 million individuals. Shields announced they discovered suspicious activity on its network on March 28, 2022, and subsequently launched an investigation, which revealed sensitive data was acquired by an unknown threat actor who had access from March 7 to March 21, 2022. The current exposed data includes full name, Social Security number (SSN), date of birth, home address, provider information, medical record number, patient ID, diagnosis, billing information, insurance number and information, and other medical or treatment information. Shields emphasized that there is currently "no evidence to indicate that any information from this incident was used to commit identity theft or fraud." Shields stated they would send notification letters to those impacted once the investigation into the exposed data types concludes. CTIX analysts will continue to monitor this data breach and report on any future situations involving this data if applicable.
Threat Actor Activity
Evidence Indicates that a “Brand New” Chinese Threat Group Has Been Operating for at Least a Decade
A newly identified Chinese state-sponsored threat group known as Aoqin Dragon has been caught conducting cyber-espionage campaigns. After extensively tracking the threat actor, researchers from SentinelLabs uncovered a cluster of covert malicious activity going at least as far back as 2013. These threat actors primarily target entities throughout Southeastern Asia and Australia, including Cambodia, Vietnam, Singapore, and Hong Kong. Attack vectors that Aoqin Dragon threat actors used in their campaigns start with social engineering, launching phishing campaigns loaded with malicious Microsoft office documents. Based on historical attacks linked to Aoqin Dragon, the malicious payload would drop either a Mongall backdoor or a customized version of the open-source project Heyoka. During the first few years of this campaign, threat actors exploited vulnerabilities CVE-2012-0158 (Microsoft Office) and CVE-2010-3333 (Microsoft Office) to plant their malware on the user's system. The phishing campaigns were often themed around either the disappearance of Malaysia Airlines Flight MH370, APAC political affairs, or pornographic content to entice users to execute the malicious documents. To evade detection post-compromise, Aoqin Dragon actors utilized DLL hijacking, Themida-packed files, and DNS tunneling. CTIX analysts continue to urge users to validate the integrity of all emails prior to downloading any attachments to lessen the chance for threat actor compromise.
CISA Warns Organizations of Chinese Espionage Threats
The Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) have issued a joint security advisory warning organizations of Chinese threat actor espionage activity, especially that of entities in the telecommunication industry. Chinese threat actors have been exploiting systems through vulnerabilities within Cisco, QNAP, Pulse Secure, Citrix, D-Link, Fortinet, Netgear, MikroTek, and DrayTek devices. Actors are utilizing reconnaissance programs such as RouterSploit and RouterScan to scan for any of the vulnerable devices mentioned previously. After threat actors compromise the device, they dive deeper into the organizations’ internal systems, infrastructure, and top-level user accounts to conduct their malicious activities and establish persistence on the compromised system. Recently, Chinese threat group LuoYn utilized a man-in-the-middle attack against an organization to deliver WinDealer malicious payloads. With Chinese activity on the rise, CISA, NSA, and FBI urge corporations to validate the integrity of their cyber systems, ensure multi-factor authentication is enabled across the enterprise, and passwords are reset every 30/60/90 days for user accounts and critical devices.
Vulnerabilities
Critical Remote Code Execution Vulnerability Affects Atlassian Confluence Servers
Atlassian has published an advisory regarding an actively exploited critical remote code execution (RCE) vulnerability affecting Confluence and Data center servers. The flaw, tracked as CVE-2022-26134, is described as an Object-Graph Navigation Language (OGNL) injection vulnerability, and if exploited would allow unauthenticated remote attackers to create privileged user accounts to execute commands with administrator rights, force DNS requests, and take full control of the target server. Atlassian disclosed the vulnerability after the Memorial Day 2022 weekend, following an incident response investigation conducted by Volexity which found multiple threat actors (hundreds of unique IP addresses) exploiting this flaw. Shortly after releasing the patch, researchers from Lacework Labs also found the presence of three (3) different botnets exploiting this vulnerability, tracked as Kinsing, Hezb, and "Dark.IoT". These botnets are known for targeting Linux-based servers to deploy backdoors, Cobalt Strike beacons and XMRig miners. Confluence servers are a very popular target for threat actors to gain initial access to corporate networks, where they conduct follow-on malicious activity like pilfering sensitive data, deploying ransomware variants, cryptojacking miners, and conducting corporate cyber-espionage. This critical vulnerability has been officially patched by Atlassian, and CTIX analysts urge administrators maintaining this infrastructure to update their systems to the latest Confluence version available to them. If enterprise organizations run their Confluence Server and Data Server infrastructure in compartmentalized clusters, then their administrators won't be able to upgrade all at once and will instead have to implement the patch in a systematic "rolling update." In these cases, Atlassian has offered a manual mitigation technique so that administrators can prevent exploitation on the rest of their server clusters while they take a cluster offline to install the patch.
- Bleeping Computer: CVE-2022-26134 Article
- Bleeping Computer: CVE-2022-26134 Linux Exploitation Article
- Volexity: CVE-2022-26134 Report
Honorable Mention
New Ransomware Strain Discovered Using Roblox Currency as Payment
On June 9th, 2022, security researcher MalwareHunterTeam announced via Twitter a new ransomware named "WannaFriendMe.exe," that uses Roblox, a popular online video game, for ransomware payments. The ransomware attempts to pass itself off as the Ryuk ransomware, a well-known strain of ransomware attributed to the Wizard Spider threat actor, by labeling the encrypted files with the “.ryuk” extension, but analysis determined it was created with the Chaos ransomware builder sold on underground forums. The Chaos ransomware builder is known as "skidware," meaning its only users are "script kiddies" and the malware is not high quality. In testing, Chaos ransomware has been shown to destructively encrypt files, causing the decryptors to be unable to restore encrypted data over a certain size. What makes the WannaFriendMe ransomware strain interesting is its demand of payment in Roblox game currency "Robux," rather than traditional cryptocurrencies. In the ransom note, the ransomware links a game on the Roblox store named "Ryuk Decrypter" that costs a total of 1,499 Robux (under $20 USD). This ransom demand is small compared to most other ransomware, likely meaning the threat actor is not experienced and may not have the ability target many organizations or users. Due to the issues with the encryption method, CTIX analysts recommend victims of this ransomware not pay the ransom demand and instead rely on backups to ensure files can be restored.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
