New Peer-To-Peer Botnet "Panchan" Targets Linux Servers to Mine Cryptocurrency
A new peer-to-peer cryptocurrency mining botnet dubbed "Panchan" has begun spreading to Linux servers across the world. Discovered by Akamai researchers, the Golang-based botnet first appeared around March 2022. Its main attack vector is an SSH worm that uses a username and password dictionary to brute force credentials on remote servers. The username and password combinations it uses are simple, often using strings such as "root," "user," and "ubuntu." The brute-force component runs as multiple separate processes and is limited only by the operating system's limit on the number of open files.

Panchan also includes a novel attack once it has installed itself on a server. It begins by harvesting the "id_rsa" and "known_hosts" files to gather credentials for other SSH servers. The id_rsa file stores an SSH private key that grants access to other servers; such private keys authenticate an SSH session without the need to enter credentials. The known_hosts file records which SSH servers the device has connected to in the past, which normally gives a Linux device assurance that the server it is connecting to is one it has visited before. Panchan abuses this by combining the harvested private keys with the list of previously connected servers, gaining immediate access to those servers without having to spray the private keys across the internet.

The botnet communication channel is very simple, using peer-to-peer messages on TCP port 1919. Infected devices can receive two configuration commands: "sharepeer," which adds an IP address to the list of peers the malware can communicate with, and "shareconfig," which changes the cryptocurrency miner's configuration settings. Panchan generates revenue for the threat actor by running versions of the xmrig Monero miner and the nbhash cryptocurrency miner. The malware runs these programs entirely filelessly, preventing traditional antivirus solutions from detecting the miners.
CTIX analysts recommend monitoring for processes listening on TCP port 1919, Panchan's communication port, as well as many outgoing connections to SSH servers that could indicate brute forcing.
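The two indicators recommended above (a local listener on TCP/1919 and an unusually large fan-out of outbound SSH connections) can be hunted for in a snapshot of `ss -tnap` output. The script below is an added example written for this update, not Akamai's or Ankura's tooling; the `ss` lines it parses are constructed sample data, the process name "unknown" is a placeholder, and the fan-out threshold of 20 distinct SSH peers is an assumed tuning value that should be set against each host's baseline.

```python
"""Hunt for Panchan indicators in `ss -tnap` output: a listener on TCP/1919 and
a large fan-out of outbound connections to port 22.  Added example; sample data
below is constructed and the threshold is an assumption, not a vendor value."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PANCHAN_P2P_PORT = 1919      # peer-to-peer port named in the report
SSH_PORT = 22
SSH_FANOUT_THRESHOLD = 20    # assumed: distinct SSH peers before we alert


@dataclass
class Socket:
    state: str
    local_addr: str
    local_port: Optional[int]
    peer_addr: str
    peer_port: Optional[int]     # None for the "*" wildcard on listeners
    process: str


def _split_addr(field: str) -> Tuple[str, Optional[int]]:
    # rpartition keeps IPv6 forms such as "[::]:1919" intact
    addr, _, port = field.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_ss(text: str) -> List[Socket]:
    """Parse the columns of `ss -tnap`: State Recv-Q Send-Q Local Peer [Process]."""
    socks = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue                      # header line or junk
        state, _rq, _sq, local, peer = parts[:5]
        proc = parts[5] if len(parts) > 5 else ""
        la, lp = _split_addr(local)
        pa, pp = _split_addr(peer)
        socks.append(Socket(state, la, lp, pa, pp, proc))
    return socks


def p2p_listeners(socks: List[Socket], port: int = PANCHAN_P2P_PORT) -> List[Socket]:
    """Sockets listening on the Panchan peer-to-peer port."""
    return [s for s in socks if s.state == "LISTEN" and s.local_port == port]


def outbound_ssh_fanout(socks: List[Socket],
                        threshold: int = SSH_FANOUT_THRESHOLD) -> Tuple[int, bool]:
    """Count distinct remote hosts this machine is connecting to on port 22.
    Only peer_port == 22 counts, so inbound sessions to our own sshd are ignored."""
    peers = {s.peer_addr for s in socks
             if s.peer_port == SSH_PORT and s.state in ("ESTAB", "SYN-SENT")}
    return len(peers), len(peers) >= threshold


def assess(text: str) -> dict:
    """Summarise both indicators for one `ss` snapshot."""
    socks = parse_ss(text)
    listeners = p2p_listeners(socks)
    count, spraying = outbound_ssh_fanout(socks)
    return {
        "p2p_listener_pids": [s.process for s in listeners],
        "distinct_ssh_peers": count,
        "ssh_spray_suspected": spraying,
    }


# Constructed sample: one listener on 1919, our own sshd with one inbound
# session (not counted), and 25 half-open outbound SSH connections.
SAMPLE_SS = "\n".join(
    ["State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process",
     'LISTEN   0      128    0.0.0.0:1919        0.0.0.0:*           users:(("unknown",pid=4242,fd=7))',
     'LISTEN   0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=811,fd=3))',
     'ESTAB    0      0      10.0.0.5:22         198.51.100.7:55012  users:(("sshd",pid=1900,fd=4))']
    + [f'SYN-SENT 0      1      10.0.0.5:{40000 + i}   192.0.2.{i}:22      users:(("unknown",pid=4242,fd={10 + i}))'
       for i in range(1, 26)]
)

if __name__ == "__main__":
    print(assess(SAMPLE_SS))
```

On a live host the same functions can be fed the output of `subprocess.run(["ss", "-tnap"], capture_output=True, text=True).stdout`; the listener check is the higher-fidelity signal, while the fan-out count needs a per-host baseline because bastion hosts and configuration-management servers legitimately open many SSH sessions.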
Threat Actor Activity
Two Affiliate Groups Now Deploying ALPHV Ransomware; ALPHV Observed Targeting Microsoft Exchange Servers
On June 13, 2022, Microsoft released a report detailing that ALPHV (aka BlackCat and Noberus) ransomware affiliates are targeting Microsoft Exchange servers by exploiting unpatched vulnerabilities. While Microsoft did not specify which vulnerabilities are currently being exploited, an advisory linked in their report mentions four (4) Microsoft Exchange Server zero-day flaws that were exploited in 2021: CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065 (all associated with ProxyLogon). This linkage provides some context for what should still be monitored today, as threat actors continue to capitalize on organizations that do not apply security patches promptly.

Microsoft also detailed that “two of the most prolific” affiliate groups are distributing ALPHV at this time: DEV-0237 (aka FIN12) and DEV-0504. DEV-0237 is known for previously deploying Ryuk, Conti, and Hive, and was last seen targeting the healthcare sector in October 2021. DEV-0504 previously deployed Ryuk, REvil, LockBit 2.0, BlackMatter, and Conti, and has a history of targeting the fashion, tobacco, manufacturing, and IT industries. The most recent deployment of ALPHV ransomware by DEV-0504 was against the energy sector in January 2022. Microsoft researchers noted that in one (1) recently observed instance, an affiliate deployed the ALPHV malware payloads via PsExec two (2) weeks after gaining initial access. This payload delivery came at the conclusion of the common threat actor attack chain, which includes initial access, discovery of system and network information, credential theft, remote lateral movement into additional devices, data exfiltration, and lastly malware deployment and double extortion. ALPHV typically targets and encrypts both Windows and Linux machines as well as VMware instances.
The impact of this ransomware continues to affect North and South America, Europe, Asia, and Africa, and as ALPHV continues to be a Ransomware-as-a-Service (RaaS) operation, the scope of target locations is predicted to grow as new affiliates join.
State-Sponsored Phishing Attack Targeted Israeli Military Officials
The Iran-linked Phosphorus APT has been targeting top military officials in Israel in an aggressive series of spear phishing attacks seeking to gain personal information. Targets included senior officials in the Israeli defense industry and the former U.S. Ambassador to Israel. The attackers used multiple compromised email accounts and tailored each message to its specific target. They initiated the attack by compromising the email account of a contact of their target, then used that account to message the target over time, steering the conversation towards the attempt to obtain the target's personal information. Several of the emails included links to real documents or invitations. For example, Israel’s former foreign minister received a phishing email impersonating a “well known former Major General in the IDF who served highly in a sensitive position.” However, the email address was not spoofed: she received the email from the same domain she had corresponded with before. She was slow to respond to the email, which prompted a flurry of follow-up emails that raised her suspicions. The earliest confirmed attack was in December 2021, but earlier unreported attacks are possible. The attacks are likely a continuation of rising tensions between Iran and Israel. CTIX analysts continue to monitor the operations of threat actors worldwide and will further report on this matter if new evidence comes to light.
"Demonic" Cryptocurrency Wallet Vulnerability Allows Attackers to Import Victim Wallets to Their Own Devices
Halborn, an ethical hacking firm devoted to blockchain security, has identified a critical web browser vulnerability coined “Demonic” which, if exploited, could allow unauthenticated attackers to steal victims' secret cryptocurrency wallet recovery phrases (known as a "seed" or "seed phrase"), allowing the threat actors to import the wallet to their own devices and steal all of the cryptocurrency and NFTs in the wallet. The flaw, tracked as CVE-2022-32969, is described as an insecure permissions vulnerability impacting Firefox and Chromium-based cryptocurrency wallet browser extensions. The flaw exists in the "Restore Session" feature of the browsers, which stores on disk and repopulates any text entered in a non-password input field, so that if the site crashes the user does not have to re-enter all of the generic form text. It should be noted that for this attack to work, the victim must have checked the “Show Secret Recovery Phrase” checkbox to view the seed during import, which is what triggers the local disk storage. The vulnerability itself stems from the fact that browser wallet extensions like MetaMask, Phantom, and Brave use a non-password input field for users to enter their seed, so that it is stored locally on disk and cached in memory as unencrypted plaintext. This attack can be facilitated locally by physically stealing the victim's computer, or remotely by establishing remote access. The flaw has officially been patched in all of the extensions except for Brave, which has yet to release an official statement about Demonic. CTIX analysts urge any readers utilizing these types of wallet browser extensions to ensure that they are running the latest update. Besides software security patching, there are also best practices that can make this kind of attack virtually impossible.
Users with crypto wallets should always use full disk encryption so that attackers cannot obtain the seed without first decrypting the drive with the decryption key. As a general best practice, copying and pasting passphrases should be avoided at all costs, even if the user's wallet has been patched for this flaw, because the clipboard is also a very popular vector for pilfering seed phrases. The best defensive measure that cryptocurrency holders can employ remains using a "cold wallet," which cannot be compromised because it is designed to be inaccessible from the internet. If any of our readers believe that they may have been impacted by this vulnerability, we recommend that they create a new account and migrate all of their assets to that account immediately.
Critical Zimbra Email Flaw Allows Attackers to Steal Emails and their Associated User Credentials
A critical vulnerability affecting the Zimbra email solution platform allows unauthenticated attackers to steal login credentials without any user interaction. Specifically, this flaw abuses the memcached internal service, an in-memory key-value store that uses a text-based protocol to store and retrieve the public/private keys used for email accounts, so as to limit the number of HTTP requests and improve Zimbra's performance. The vulnerability, tracked as CVE-2022-27924, is described as a memcached poisoning with an unauthenticated request flaw, and can be exploited via a Carriage Return Line Feed (CRLF) injection into the username of memcached lookups. This is done by creating a maliciously crafted HTTP packet and sending it to a vulnerable Zimbra instance to overwrite the Internet Message Access Protocol (IMAP) route with the attacker's own address, funneling the plaintext email credentials and all of the IMAP traffic back to the threat actor. This all takes place without any victim interaction and without generating any alerts for the victim. This flaw can also be exploited by something known as "response smuggling," whereby an attacker continuously injects HTTP responses into the shared response streams of the memcached service until there are more responses than work items. A spokesperson from SonarSource stated, "we can force random Memcached lookups to use injected responses instead of the correct response. This works because Zimbra did not validate the key of the Memcached response when consuming it.” This vulnerability has since been patched, and customers using Zimbra should ensure that they are running the most up-to-date patch.
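The two root causes above (a user-controlled username placed unfiltered into a memcached text-protocol key, and a client that did not check the key echoed back in the response) map onto two checks any memcached client should perform. The example below is added here to illustrate those checks and is not Zimbra's code or the SonarSource proof of concept; the key and value strings are constructed, and the memcached text-protocol rules it enforces (keys of at most 250 bytes with no whitespace or control characters, and a `VALUE <key> <flags> <bytes>` response header) are the protocol's documented ones.

```python
"""Defensive handling of memcached text-protocol keys and responses.
Added example, not Zimbra's implementation.  Two checks:
  1. refuse a key containing CR/LF, whitespace or other control bytes before it
     goes on the wire, so one `get` can never turn into several commands;
  2. when consuming a reply, require the key in the VALUE line to equal the key
     that was requested, so a smuggled response cannot satisfy the wrong lookup."""
import re
from typing import Optional

MAX_KEY_LEN = 250                              # memcached text-protocol limit
_BAD_KEY_BYTES = re.compile(rb"[\x00-\x20\x7f]")  # controls (CR, LF, ...), space, DEL


class UnsafeKeyError(ValueError):
    """Key would break the line-oriented protocol."""


class ResponseMismatchError(ValueError):
    """Server answered for a key we did not ask for."""


def safe_key(key: str) -> bytes:
    """Return the key as bytes only if it is protocol-safe; raise otherwise."""
    raw = key.encode("utf-8")
    if not raw or len(raw) > MAX_KEY_LEN or _BAD_KEY_BYTES.search(raw):
        raise UnsafeKeyError(f"rejecting unsafe memcached key {key!r}")
    return raw


def build_get(key: str) -> bytes:
    """Wire form of a `get` for one validated key."""
    return b"get " + safe_key(key) + b"\r\n"


def parse_get_response(requested_key: str, data: bytes) -> Optional[bytes]:
    """Parse `VALUE <key> <flags> <bytes> [<cas>]\\r\\n<data>\\r\\nEND\\r\\n`
    (or a bare `END\\r\\n` for a miss) and bind the answer to the key we asked for."""
    if data == b"END\r\n":
        return None                            # cache miss
    header, _, rest = data.partition(b"\r\n")
    fields = header.split(b" ")
    if len(fields) not in (4, 5) or fields[0] != b"VALUE":
        raise ValueError("malformed memcached response header")
    key, length = fields[1], int(fields[3])
    if key != safe_key(requested_key):
        # This is the check the quoted SonarSource statement says was missing.
        raise ResponseMismatchError(
            f"asked for {requested_key!r}, server answered for {key!r}")
    value = rest[:length]
    if len(value) != length or rest[length:] != b"\r\nEND\r\n":
        raise ValueError("response data length does not match header")
    return value


def lookup_is_safe(username: str) -> bool:
    """Convenience predicate for callers that build keys from user input."""
    try:
        safe_key(username)
        return True
    except UnsafeKeyError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal username and one carrying an embedded CRLF.
    print(build_get("route:alice@example.test"))
    print(lookup_is_safe("alice\r\ninjected"))   # False: rejected before the wire
    reply = b"VALUE route:alice@example.test 0 5\r\nhello\r\nEND\r\n"
    print(parse_get_response("route:alice@example.test", reply))
```

The first check belongs wherever a request parameter is turned into a cache key; the second belongs in the response reader, and it is the one that defeats response smuggling even when an attacker manages to get extra replies into the shared stream, because a reply carrying any key other than the one just requested is discarded instead of consumed.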
ALPHV Develops Leak Website That Allows Victims to Easily Access Stolen Data on the Clear Web
The ALPHV ransomware operation has potentially expanded its extortion strategies. On June 14, 2022, ALPHV created a clear web website that "allows the customers and employees of their victim to check if their data was stolen in an attack." Threat actors typically release portions of exfiltrated data slowly on their Tor data leak site to put more pressure on the victim to pay the demanded ransom before the full data set is released. However, some victims do not succumb to this pressure and refuse to pay. ALPHV is trying out a new extortion method in which stolen data is uploaded to the new website for victims’ employees and customers to view easily. ALPHV recently posted data they allege came from a hotel and spa in Oregon, from which they claim to have stolen 112 gigabytes (GB) of data. The data included sensitive information about employees, such as names, Social Security numbers (SSNs), dates of birth, phone numbers, and email addresses, as well as customer data, which includes names, arrival dates, and stay costs. ALPHV also created "data packs" for each potentially impacted employee, in which all files related to the individual are packed together. Anyone can view the website, as it is hosted on the public internet. Given that the site is on the public internet, it’s possible the posted information could be indexed by search engines, making sensitive information available via search engine results, but there isn’t enough data at this time to say whether that is a reality. The goal of this shift in technique is to increase the probability that ransoms will be paid, because companies will want to avoid having their compromised, sensitive data posted in this way, as well as to avoid legal action from those impacted following the public posting of the data, which could potentially cost more.
It is still too soon to tell if this new extortion strategy will be effective, and CTIX analysts will provide updates on the potential data breach involving an Oregon hotel/spa as well as any fallout from this technique and whether or not it becomes more widely used.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.