New LockBit Ransomware Activity: LockBit 3.0, New Bug Bounty Program, and Zcash Payment Acceptance
The LockBit ransomware group, credited with nearly half of all ransomware attacks in 2022, rolled out several new initiatives over the past weekend. The group released the newest version of its ransomware-as-a-service (RaaS) operation, "LockBit 3.0", and launched the first bug bounty program ever established by a ransomware group. The program offers rewards ranging from $1,000 to $1 million to "all security researchers, ethical [hackers], and unethical hackers on the planet" for bug reports against LockBit 3.0, and accepts submissions in the following categories:
- Web Site Bugs ("XSS vulnerabilities, mysql injections, getting a shell to the site and more")
- Locker Bugs ("Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor")
- Brilliant Ideas (Ideas on how to improve LockBit 3.0's site or software)
- Doxing ("Doxing the affiliate program boss [LockBitSupp]…get $1 million in bitcoin or monero for it")
- TOX Messenger ("Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutor and other interesting vulnerabilities")
- Tor Network ("Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains")
LockBit also announced that LockBit 3.0's negotiation and data leak sites now accept the Zcash cryptocurrency. CTIX analysts will continue to track LockBit's activity and recommend that security professionals do the same.
Threat Actor Activity
Russian State Hackers Target Lithuania in Retaliation for Sanctions
Russian threat actors associated with the Killnet collective have claimed credit for an extensive cyberattack against Lithuania on Monday. Lithuanian defense officials stated that distributed denial-of-service (DDoS) attacks hit a secure data network, the State Tax Inspectorate, the Migration Department, and several other entities. Killnet framed the attack as retaliation for Lithuania halting the transit of steel, coal, and other metals through its territory under European Union sanctions against Russia. After the first wave of DDoS attacks, Killnet targeted the networks of Lithuanian airports, specifically Vilnius, Kaunas, and Palanga, reportedly rendering their systems inaccessible for a brief period. The threat actors then targeted telecommunications companies, as well as the Central State Archive and the Supreme Administrative Court. Killnet gloated about the attacks on its Telegram channel, claiming to have explicitly targeted an online accounting system used in Lithuania and Latvia and promising to target additional Lithuanian network infrastructure. With tensions continuing to grow from the Russia/Ukraine conflict, CTIX analysts expect these attack trends to continue for months to come.
Siamesekitten Launches Phishing Campaign with New Modular Malware
Iran-backed threat actors from the Siamesekitten group have launched a phishing campaign delivering a new piece of modular malware. Siamesekitten, also tracked as Hexane or Lyceum, is known for attacks against the oil, natural gas, and telecommunications sectors throughout the Middle East, typically delivering malicious documents to unsuspecting users. In this campaign, the threat actors send socially engineered phishing emails carrying a fake Adobe updater that targets Windows systems. Once the user executes the fake Adobe update, a reverse shell is dropped on the system alongside a lure PDF document and an executable that establishes persistence. With the payloads in place, the threat actors communicate with the device over command-and-control (C2) and push additional payloads or collectors to gather intelligence from it. With phishing campaigns continuing to rise, CTIX urges readers to validate the legitimacy of emails before downloading attachments or visiting embedded links, to lessen the risk of compromise.
Critical Vulnerability in OpenSSL Allows for Remote Memory Corruption
A critical vulnerability identified in the most recent release of the OpenSSL library (3.0.4), affecting x64 systems with AVX-512 support, could be trivially exploited by threat actors to perform remote memory corruption. OpenSSL is an open-source cryptographic library and command-line toolkit that implements SSL/TLS and is widely used to generate private keys and manage TLS certificates. AVX-512 is a set of 512-bit extensions to the x86 instruction set architecture available on Intel and AMD CPUs. The flaw is a heap buffer overflow that is triggerable in remote contexts such as SSL/TLS handshakes and was found in four (4) different code paths: RSAZ 1024, RSAZ 512, Dual 1024 RSAZ, and the default constant-time Montgomery modular exponentiation. If successfully exploited, a threat actor could modify a program's memory, allowing them to access and leak sensitive information and potentially execute arbitrary code remotely. David Benjamin, a Google researcher, published an analysis on Google Git arguing that the bug is not so much a deliberate-attack vector as a fundamental flaw in the code path, one that renders version 3.0.4 virtually unusable on affected hardware unless a fix is applied. A fix has been committed to OpenSSL's GitHub repository, but no released version contains it yet; developers expect it to ship in version 3.0.5. The flaw is being compared to the infamous 2014 Heartbleed vulnerability in OpenSSL, which allowed anyone with internet access to read the memory of vulnerable OpenSSL instances, spy on communications, steal sensitive user and service data, and impersonate services and users. Much of Heartbleed's lasting damage came not from the bug itself but from system administrators being slow to patch their vulnerable systems. CTIX analysts urge all operating system and appliance vendors to notify their users of the vulnerability and the manual fix (linked below).
Service providers and users should also apply the manual fix and monitor OpenSSL for the 3.0.5 release as it becomes available for the operating systems, networked appliances, and software they use.
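As an added example (not code from the CTIX page or from the OpenSSL project), the following Python script checks whether a host pairs the affected release with a CPU that exposes the AVX-512 RSA code path. It assumes, based on the description above, that 3.0.4 is the only affected release and that the vulnerable paths are selected by the avx512ifma CPU feature; the sample /proc/cpuinfo excerpt is constructed, and the OPENSSL_ia32cap mask it prints is an interim workaround not mentioned on the page, which should be confirmed against the openssl-ia32cap(3) manual before use.

```python
import re
import ssl
from pathlib import Path

# Added example (not from the CTIX page or the OpenSSL project). Flags a host that
# pairs the affected release with a CPU exposing the AVX-512 RSA code path.

# The page identifies 3.0.4 as the affected release; the fix is expected in 3.0.5.
AFFECTED_RELEASES = {(3, 0, 4)}


def parse_openssl_version(banner: str):
    """'OpenSSL 3.0.4 21 Jun 2022' -> (3, 0, 4); None for non-OpenSSL banners."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def cpu_flags_have_avx512ifma(cpuinfo_text: str) -> bool:
    """True when the first 'flags' line of /proc/cpuinfo lists avx512ifma.
    Assumption: the vulnerable RSA paths are only selected on such CPUs."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "avx512ifma" in line.split(":", 1)[1].split()
    return False


def assess(banner: str, cpuinfo_text: str) -> str:
    """Verdict for a version banner plus /proc/cpuinfo text."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown-version"   # LibreSSL, BoringSSL, or garbage: out of scope
    if v not in AFFECTED_RELEASES:
        return "safe-version"
    if not cpu_flags_have_avx512ifma(cpuinfo_text):
        return "safe-cpu"          # 3.0.4, but the bad code path is never chosen
    return "vulnerable"


def assess_this_host():
    """Checks the OpenSSL this interpreter is linked against, plus the local CPU."""
    p = Path("/proc/cpuinfo")
    cpuinfo = p.read_text() if p.exists() else ""
    return ssl.OPENSSL_VERSION, assess(ssl.OPENSSL_VERSION, cpuinfo)


# Constructed /proc/cpuinfo excerpt for an AVX-512 IFMA capable core (not a real capture).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu sse2 avx2 avx512f avx512dq avx512ifma avx512bw avx512vl\n"
)

if __name__ == "__main__":
    print(assess("OpenSSL 3.0.4 21 Jun 2022", SAMPLE_CPUINFO))   # vulnerable
    banner, verdict = assess_this_host()
    print(f"{banner}: {verdict}")
    if verdict == "vulnerable":
        # Assumption (not stated on the page): OPENSSL_ia32cap's second word mirrors
        # CPUID leaf 7 EBX, where bit 21 is AVX512IFMA, so clearing it makes OpenSSL
        # take the generic RSA path until 3.0.5 lands. Confirm against openssl-ia32cap(3).
        print("interim workaround: OPENSSL_ia32cap=':~0x200000' <command>")
```

Run it on each host that terminates TLS or performs RSA private-key operations; a "safe-cpu" verdict still means 3.0.4 is installed and should be replaced by 3.0.5 once released, since a VM may later be migrated onto AVX-512 hardware.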
“SiegedSec” Group Announces New Pro-Choice Hacktivism Campaign
Following the recent overturning of Roe v. Wade, hacktivists have begun targeting pro-life government entities in the United States. The first group to publicly announce such intentions is SiegedSec, a new threat group. SiegedSec targets organizations around the world and leaks databases containing sensitive information such as documents, user credentials, and personally identifiable information (PII). The threat actor operates primarily on Telegram, where its channel was created on April 3rd, 2022. In the few short months it has been operating, SiegedSec has leaked data from around twenty-five (25) organizations. The group states it is motivated only by the personal enjoyment of hacking organizations, though in private chats with reporters its members have asked for money to take down their leaks. The attack vectors SiegedSec uses are often easily exploited vulnerabilities (such as SQL injection, cross-site scripting, or remote code execution) found through scanning, indicating that the group may not be capable of sophisticated attacks. On June 24th, 2022, SiegedSec released a Telegram post announcing a hacktivism campaign against pro-life organizations. In the post, the group states “Like many, we are also pro-choice, one shouldn't be denied access to abortion. As added pressure to the U.S government, we have leaked many internal documents and files retrieved from Kentucky's and Arkansas' government server… THE ATTACKS WILL CONTINUE! Our main targets are any pro-life entities, including government servers of the states with anti-abortion laws.” Files claimed to be sensitive information from Kentucky’s and Arkansas’ private servers were included in the announcement. Spokespersons for both state governments dispute this, stating that the data was already publicly available and contained no PII.
While hacktivists are praised by those who share their politics, detractors often label them terrorists. SiegedSec’s attacks on government entities have already split the group, with one former member announcing their departure on Twitter. As attacks against pro-life entities are likely just beginning, government entities and pro-life organizations should be prepared for increased attention from hacktivist groups.
- TechMonitor: SiegedSec Hacktivism Article
- The Record: SiegedSec Government Leak Article
- DarkOwl: SiegedSec Report
Threat Actor Steals $100 Million in Cryptocurrency Following Horizon Bridge Attack
Blockchain company Harmony has reached out to the FBI following the theft of close to $100 million in cryptocurrency on the evening of June 23rd. Harmony is an organization that assists its users in “sending cryptocurrencies, stablecoins, and NFTs between different blockchains.” The company also runs multiple cryptocurrency bridges, platforms used to transfer assets and smart contract instructions across blockchains. One of its bridges, Horizon, allows transfers between Ethereum and Binance Smart Chain through the Harmony blockchain. On the evening of June 23rd, an attacker compromised private keys held by the bridge's administrators. Horizon is secured by a “2-out-of-4 multisig,” meaning at least two (2) of the four (4) private keys generated for the wallet must sign a transaction together. Through an as-yet unknown method, the threat actor obtained two of the private keys, giving them complete control over transactions made through the bridge. The blockchain security company CertiK has criticized Harmony for securing Horizon this way, stating “Horizon’s system of only requiring two (2) out of four (4) signatures has raised concerns in the past. Having only two signatures required to access such privileged controls is a glaring security vulnerability.” Attacks against cryptocurrency bridges are on the rise; with millions of dollars transferred through them every day, they are an extremely profitable target for threat actors. The FBI and several cybersecurity firms have begun investigating the attack, though no attribution has been made. CTIX analysts are continuing to monitor the situation and will provide updates on any new developments.
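To make the multisig point concrete, here is an added example (not Harmony's or Horizon's code) of an m-of-n approval check in Python. HMAC-SHA256 stands in for a real signature scheme so the script runs offline; the operator names, the transaction payload and the "two keys stolen" scenario are constructed. It shows that with a 2-of-4 quorum the two compromised keys are sufficient on their own, that raising the threshold to 3-of-4 blocks the same attacker, and that a correct verifier must not count a replayed approval from one operator twice.

```python
import hashlib
import hmac
import secrets

# Added example (not Harmony's or Horizon's code). A minimal m-of-n approval check,
# with HMAC-SHA256 standing in for a real signature scheme so it runs offline;
# the quorum logic, not the toy primitive, is the point.


class Signer:
    """One bridge operator. Whoever holds `key` can produce this operator's approvals."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)

    def sign(self, tx: bytes) -> bytes:
        return hmac.new(self.key, tx, hashlib.sha256).digest()


class MultisigBridge:
    """Releases funds only when `threshold` distinct known operators approve `tx`."""

    def __init__(self, signers, threshold: int):
        if not 0 < threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        # A real bridge stores public keys; the toy HMAC verifier needs the shared secret.
        self.keys = {s.name: s.key for s in signers}
        self.threshold = threshold

    def verify(self, tx: bytes, approvals) -> bool:
        """approvals: iterable of (operator name, signature). Unknown operators and
        repeated approvals from the same operator do not count toward the quorum."""
        approved = set()
        for name, sig in approvals:
            key = self.keys.get(name)
            if key is None or name in approved:
                continue
            if hmac.compare_digest(hmac.new(key, tx, hashlib.sha256).digest(), sig):
                approved.add(name)
        return len(approved) >= self.threshold


def attacker_can_drain(bridge: MultisigBridge, stolen, tx: bytes) -> bool:
    """Whether an attacker holding only the keys of the `stolen` operators can push `tx`."""
    return bridge.verify(tx, [(s.name, s.sign(tx)) for s in stolen])


if __name__ == "__main__":
    ops = [Signer(n) for n in ("A", "B", "C", "D")]
    tx = b"release 100000000 USD equivalent to attacker-wallet"   # constructed payload
    stolen = ops[:2]                                               # two keys compromised
    print("2-of-4 drained:", attacker_can_drain(MultisigBridge(ops, 2), stolen, tx))  # True
    print("3-of-4 drained:", attacker_can_drain(MultisigBridge(ops, 3), stolen, tx))  # False
```

The threshold is the number of keys an attacker has to steal; with four operators, 2-of-4 means a single pair of compromised holders is a total loss, whereas 3-of-4 forces a third independent compromise while still tolerating one unavailable operator.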
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.