Ransomware/Malware Activity
Banking Trojan BRATA Observed with Upgraded Capabilities
Cleafy researchers have observed the threat actor behind the "BRATA" banking trojan advancing the malware's capabilities and noted that the group's recent activity is now categorized as Advanced Persistent Threat (APT) activity. This categorization is due to the group's latest campaigns, which included establishing "a long-term presence on a targeted network to steal sensitive information." Researchers detailed that the threat group behind BRATA is highly targeted, focusing on only one (1) financial institution at a time and pivoting only once the victim has put consistent, effective countermeasures in place. The latest BRATA variant has been updated with new phishing techniques, information-stealing capabilities, new classes to obtain GPS data, overlay abilities (which allow the malicious application to display over other apps on a device), SMS sending and receiving capabilities, and device management permissions on the targeted device, as well as sideloading a second-stage payload from its command-and-control (C2) server in order to perform event logging. The BRATA variant has been observed targeting specific banking institutions across Europe and, in an analyzed phishing campaign, mimicking the login webpage of the targeted bank. Many of the malware's updated features are still under development, and Cleafy researchers concluded that the threat actor is updating BRATA in order to abuse the Accessibility Service on devices and gain additional data from other applications. A further in-depth analysis of the latest upgrades, as well as indicators of compromise (IOCs), can be viewed in Cleafy's report linked below.
Emerging NTLM Relay Attack Discovered Using Microsoft's Distributed File System
A new NTLM (New Technology LAN Manager) relay attack has been uncovered that abuses Microsoft's Distributed File System. The attack allows a threat actor to fully compromise a Windows domain. Many organizations use Microsoft Active Directory Certificate Services (AD CS) to authorize users; however, this service is vulnerable to NTLM relay attacks. In these attacks, threat actors force or coerce a domain controller to authenticate to an NTLM relay under the attackers' control. The relay forwards the authentication request to Active Directory Certificate Services via HTTP in order to obtain a ticket-granting ticket (TGT). With this TGT, they can assume the identity of any device on the network, including a domain controller. To coerce a remote server into authenticating to the malicious NTLM relay, threat actors could use multiple potentially vulnerable protocols such as MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP. While Microsoft has patched some of these protocols to prevent unauthenticated coercion, bypasses are frequently found that allow the protocols to be abused. This week, Filip Dragovic released a proof-of-concept (PoC) script for a new NTLM relay attack called "DFSCoerce". The DFSCoerce attack uses the MS-DFSNM protocol, which allows the Windows Distributed File System (DFS) to be managed over an RPC interface. Security researchers who have tested this new NTLM relay attack have reported that it allows a user with limited access to a Windows domain to become a domain administrator. At this time, researchers state that the best way to protect against the DFSCoerce attack is to follow Microsoft's advisory on mitigating the PetitPotam NTLM relay attacks. These mitigation methods include disabling NTLM on domain controllers, enabling Extended Protection for Authentication and signing features, and using the Windows built-in RPC Filters or RPC Firewall to prevent servers from being coerced. However, it is not yet known whether blocking the DFS RPC connection would cause issues on a network.
Threat Actor Activity
Emerging ToddyCat Threat Group Continues Targeting High-Value Targets
An evolving threat organization codenamed ToddyCat is actively targeting Microsoft Exchange mail servers across Europe and Asia. ToddyCat first surfaced in December 2020, when its actors compromised high-value Microsoft Exchange servers of three organizations in Taiwan and Vietnam. Once a server was compromised, ToddyCat actors deployed the well-known China Chopper web shell, ultimately leading to installation of the Samurai backdoor. The group has also deployed the Ninja Trojan, which allows multiple threat actors to control one machine at the same time. Additionally, these backdoors give threat actors the ability to avoid detection, execute arbitrary commands/code, and mask communications to command-and-control (C2) nodes via HTTP header manipulation. ToddyCat threat actors continue to compromise assets in this campaign in a similar fashion, using slightly varying versions of their backdoor programs. Another attack vector ToddyCat actors are utilizing is Telegram, infecting a desktop device through malicious loaders sent to the user in zip archives. Network administrators should continue to patch vulnerable servers to lessen the risk of threat actor compromise. CTIX will continue to monitor this campaign and provide additional updates accordingly.
Vulnerabilities
SIEMENS SINEC Industrial Control Management System Vulnerable to Remote Code Execution
Siemens has publicly acknowledged fifteen (15) vulnerabilities within its widely used SINEC network management system (NMS), two (2) of which are especially troubling. If successfully exploited, these vulnerabilities could allow attackers to steal sensitive data, perform denial-of-service (DoS) attacks, and achieve remote code execution (RCE). SINEC is an industrial control management system used to centrally manage and automate industrial networks with tens of thousands of different nodes. The two (2) vulnerabilities of note were identified by researchers from Claroty's Team82 and are exploited in sequence as part of an attack chain. The first vulnerability in the chain, tracked as CVE-2021-33723, is described as an account takeover through an improper authorization flaw, and allows unauthenticated users to gain access to the SINEC administrator's account by exploiting a flaw in the way users are allowed to edit their own account details on the server. The problem is that the server does not validate that the user sending the edit-profile request for an administrator account is actually an administrator. This allows an attacker to change the administrator's password via a malicious JSON payload, giving themselves unrestricted administrator permissions. The second vulnerability in the chain, tracked as CVE-2021-33722, is an RCE through a path traversal flaw, which allows the attackers to access restricted directories. As part of the platform's business logic, SINEC allows users with administrator access to create bundles of files in a container and then send that container to any device on the network. Having already gained administrative access, the attackers can create a container holding a malicious file or webshell and drop it on the hosting server's filesystem. The attackers can then export the container to any directory they name by supplying path traversal characters, allowing them to copy those files to arbitrary locations on the filesystem and then execute them remotely. All fifteen (15) vulnerabilities have been patched by Siemens, and CTIX analysts urge all administrators to ensure their infrastructure is up to date. The proof-of-concept (PoC) exploit by Team82 can be found in the report linked below, as well as the specifics on the other thirteen (13) less severe vulnerabilities.
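The two flaw classes described in this entry, a profile-edit handler that never checks whether the caller may touch the target account and a file export that joins a caller-supplied path without confinement, shown in a small Python mock beside their corrected forms. This is an example added for this digest, not Siemens or Team82 code: the account store, the JSON request shape and the export root are constructed for the demo, and nothing of the SINEC implementation is reproduced.

```python
"""Toy illustration of the two SINEC flaw classes described above.

Added example for this digest, not Siemens or Team82 code. The account store,
the JSON request shape and the export root are constructed for the demo.
"""
import posixpath
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authorization or path-confinement check fails."""


@dataclass
class User:
    name: str
    password: str
    is_admin: bool = False


def make_users() -> dict:
    # Constructed in-memory account store (names and passwords are made up).
    return {
        "admin": User("admin", "S3cret-admin", is_admin=True),
        "operator": User("operator", "operator-pw"),
    }


# --- Flaw class 1: account takeover via a missing authorization check -------

def edit_profile_vulnerable(users: dict, caller: str, request: dict) -> User:
    """Trusts the 'username' field of the request body.

    Whoever is logged in can reset anyone's password, because the server never
    asks whether the caller is allowed to modify the target account.
    """
    target = users[request["username"]]
    target.password = request["password"]
    return target


def edit_profile_fixed(users: dict, caller: str, request: dict) -> User:
    """Derives authorization from the authenticated caller, not from the body.

    A user may edit their own account; only administrators may edit others.
    """
    target = users[request["username"]]
    if caller != target.name and not users[caller].is_admin:
        raise Forbidden(f"{caller} may not edit account {target.name}")
    target.password = request["password"]
    return target


# --- Flaw class 2: path traversal in a file export --------------------------

EXPORT_ROOT = "/srv/sinec/exports"  # constructed export directory for the demo


def export_path_vulnerable(name: str) -> str:
    """Joins the caller-supplied name onto the export root with no confinement.

    '../' segments (or an absolute name) walk straight out of EXPORT_ROOT.
    """
    return posixpath.normpath(posixpath.join(EXPORT_ROOT, name))


def export_path_fixed(name: str) -> str:
    """Normalizes the joined path and rejects anything outside EXPORT_ROOT."""
    root = posixpath.normpath(EXPORT_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate != root and not candidate.startswith(root + "/"):
        raise Forbidden(f"export path escapes {root}: {name!r}")
    return candidate


def is_forbidden(func, *args) -> bool:
    """Demo helper: True if func(*args) is rejected with Forbidden."""
    try:
        func(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    takeover = {"username": "admin", "password": "pwned"}  # constructed request body
    users = make_users()
    print("vulnerable edit by operator sets admin password to:",
          edit_profile_vulnerable(users, "operator", takeover).password)
    users = make_users()
    print("fixed edit by operator rejected:",
          is_forbidden(edit_profile_fixed, users, "operator", takeover))
    print("vulnerable export resolves to:",
          export_path_vulnerable("../../../tmp/dropped.txt"))
    print("fixed export rejected:",
          is_forbidden(export_path_fixed, "../../../tmp/dropped.txt"))
```

The fixed handler takes the caller's identity from the authenticated session rather than from the request body, which is the check the write-up says was missing; the fixed export normalizes the joined path before comparing it against the root, so both `../` segments and absolute names are rejected rather than only the literal `..` string.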
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.