“SessionManager” Backdoor Observed Targeting Microsoft Exchange Servers of NGOs and Government Entities
"SessionManager", a backdoor first discovered in early 2022, has been observed by Kaspersky researchers targeting Microsoft Exchange servers, where it is installed as a malicious native module for Microsoft's Internet Information Services (IIS) web server, the component that fronts Exchange's web services. The backdoor gives its operators what Kaspersky describes as "rather stealth access" to the victim's IT infrastructure. Researchers emphasized that one of SessionManager's distinctive features is its poor detection rate: in early 2022, "some of the backdoor samples were still not flagged as malicious in most popular online file scanning services." As of June 30, 2022, researchers confirmed that "SessionManager is still deployed in more than 90% of targeted organizations." Once in place, the backdoor lets operators read company email, harvest credentials from system memory, collect information about the victim's network and devices, maintain access by installing additional malware, drop and manage arbitrary files, execute commands remotely, and manipulate network traffic. The operators have targeted organizations in Europe, the Middle East, South Asia, and Africa, with a particular interest in NGOs and government entities; medical, transportation, and oil organizations have also been hit. Kaspersky researchers suspect that SessionManager is operated by the Gelsemium threat actor, based on overlapping victimology and Gelsemium's earlier use of "OwlProxy," another HTTP server-type backdoor. CTIX analysts will continue to monitor SessionManager's activity as it evolves.
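Because a backdoor delivered as an IIS module can sit below the detection rate of file scanners, a practical hunt is to enumerate the native modules IIS is configured to load and look at any whose DLL lives outside the directories Microsoft ships modules in. The script below is an added illustration, not code from Kaspersky or Ankura: it parses the <globalModules> section of an applicationHost.config and flags modules loaded from unexpected paths. The sample configuration, the module names in it, and the trusted-directory list are constructed for the demo and are not indicators from the SessionManager report.

```python
"""Hunt for native IIS modules loaded from unexpected locations.

Added illustration, not Kaspersky's or Ankura's code. Every native IIS module is
registered in the <globalModules> section of
%windir%\\System32\\inetsrv\\config\\applicationHost.config; a module whose DLL
sits in a writable location such as Temp deserves a look. Everything below
(sample config, module names, trusted paths) is constructed for the demo.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample config: three Microsoft-shipped modules and one made-up
# module whose DLL lives under Temp. "SessionHelperModule" is an invented name.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="SessionHelperModule" image="C:\\Windows\\Temp\\sessionhelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories Microsoft's own IIS and Exchange modules load from (lower-cased).
# Assumption for the demo; extend with the vendor paths present on your servers.
TRUSTED_DIRS = (
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
    r"c:\program files\microsoft\exchange server",
)


def list_global_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Return (name, image) pairs for every native module IIS will load."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name", ""), entry.get("image", "")))
    return modules


def suspicious_modules(config_xml: str) -> List[Tuple[str, str]]:
    """Flag modules whose DLL path is not under a trusted directory.

    The trailing backslash in the prefix test stops a sibling directory such
    as inetsrv_evil from matching. Anything flagged still needs manual triage;
    a legitimate third-party module will show up here too.
    """
    flagged = []
    for name, image in list_global_modules(config_xml):
        path = image.lower()
        if not any(path.startswith(d + "\\") for d in TRUSTED_DIRS):
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

On a live server, read the real applicationHost.config instead of SAMPLE_CONFIG and compare the flagged DLLs' Authenticode signatures and timestamps against the rest of the inetsrv directory; a module that loads from a user-writable path or is unsigned is the artefact to pull for analysis.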
Threat Actor Activity
Chip Manufacturer AMD Latest RansomHouse Victim
Computer hardware company Advanced Micro Devices (AMD) has acknowledged a claimed breach of its systems earlier this year. According to the RansomHouse extortion group, its operators compromised AMD's internal networks in January 2022 and exfiltrated roughly 450 gigabytes (GB) of data, including network files, system information, and system credentials. RansomHouse uploaded samples to its leak site as "proof-of-life" and announced the breach on its Telegram channel. The group continues to climb the ranks of the threat actor landscape, from its first claimed compromise, the Saskatchewan Liquor and Gaming Authority in December 2021, to the African retail chain Shoprite earlier this month, and now AMD. AMD's Communications Director commented on the situation, stating "AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway." RansomHouse operates somewhat differently from its counterparts, often claiming that it does not encrypt victims' data or develop ransomware at all and instead relies on data theft and extortion. RansomHouse's leak site headline lists some of the group's claimed victims, describing them as having "considered their financial gain to be above the interests of their partners/individuals … or have chosen to conceal the fact they have been compromised." CTIX will continue to monitor the fallout of this compromise and will provide additional updates accordingly.
Evilnum Threat Actors Target Immigration Services in New Campaign
"FabricScape" Vulnerability Allows Complete Takeover of Azure Service Fabric Clusters
Researchers from Palo Alto Networks' Unit 42 have discovered a vulnerability dubbed "FabricScape" that impacts Microsoft Azure's "Service Fabric." The vulnerability, identified as CVE-2022-30137, allows a Linux container to escape and escalate privileges, gaining root on the node and providing an opportunity to compromise every other node in the cluster. Service Fabric is a "distributed systems platform" that allows developers to easily "package, deploy, and manage scalable and reliable microservices and containers." It runs workloads in Docker containers, which are normally isolated from the host system. The vulnerability exists in the Data Collection Agent (DCA), the component that collects logs from each container and stores them on the host; to do so, the DCA runs with root privileges on the host. Because a container can modify its own log files, a bug in how the DCA handles those files can turn into root access on the host. The flaw allows arbitrary writes to host files through the DCA function "GetIndex," which reads a file, verifies its format, modifies some of the data, then overwrites the file with the result. If that file is swapped for a symlink (a Linux file that points to another file) before the DCA processes it, the program follows the link and overwrites the destination file instead. In principle this lets an attacker overwrite executable binaries, add SSH keys, or even create a new user, but the target file must already be in the format the DCA expects, and the written file is not granted execution permissions. To gain code execution on the node, the researchers instead used dynamic linker hijacking, a technique that makes the dynamic linker load an attacker-supplied shared library into a targeted process by way of an environment variable. Once the researchers controlled a node, they found sensitive certificate files that gave access to the entire cluster.
Using this vulnerability, an attacker who already has code execution inside one of a targeted organization's containerized applications can pivot to other applications the organization runs on the same cluster. Microsoft released a fix on June 14, 2022, and CTIX analysts recommend that Azure administrators update to the latest version of Service Fabric or, if updating is not possible, disable Service Fabric runtime access for containers that do not need it.
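The core bug in the write path described above is a privileged process that reads, validates and rewrites a file by name while an untrusted party controls the directory, so a symlink planted at that name turns the rewrite into an arbitrary file overwrite. The example below is an added illustration, not Unit 42's or Microsoft's code: it reproduces that pattern with a toy "index" format and a symlink into a host file, then shows the hardened version (refuse links with O_NOFOLLOW and do the read and write through one open descriptor). The function names, the file layout and the index format are assumptions for the demo; the real DCA format is not reproduced here, and the dynamic linker hijacking step the researchers used afterwards is out of scope.

```python
"""Symlink-following rewrite (the FabricScape pattern) beside a hardened version.

Added illustration, not Unit 42's or Microsoft's code. A privileged "agent"
reads a file a less-privileged party can replace, validates it, modifies it and
writes it back. Function names, layout and the index format are assumptions.
POSIX only (os.symlink and O_NOFOLLOW).
"""
import os
import stat
import tempfile


def validate_index(data: bytes) -> bool:
    """Toy stand-in for the DCA's format check: whitespace-separated integers."""
    fields = data.split()
    return bool(fields) and all(f.isdigit() for f in fields)


def bump_index(data: bytes) -> bytes:
    """The 'modify some data' step: increment every counter, one per line."""
    return b"\n".join(str(int(f) + 1).encode() for f in data.split()) + b"\n"


def rewrite_index_vulnerable(path: str) -> None:
    """Read, validate, modify, write back by path name.

    open() follows symlinks, so if `path` has been replaced by a link both the
    read and the write land on the link target: an arbitrary write as whatever
    user runs this function (root, in the DCA's case). Note the page's caveat
    still applies: the target must pass validate_index() or nothing is written.
    """
    with open(path, "rb") as f:
        data = f.read()
    if not validate_index(data):
        raise ValueError("bad index format")
    with open(path, "wb") as f:  # follows the planted symlink
        f.write(bump_index(data))


def rewrite_index_hardened(path: str) -> None:
    """Same logic with two fixes: O_NOFOLLOW makes open() fail (ELOOP) when the
    final path component is a symlink, and using one descriptor for the read
    and the write removes the window in which the file could be swapped."""
    fd = os.open(path, os.O_RDWR | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("index is not a regular file")
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        data = b"".join(chunks)
        if not validate_index(data):
            raise ValueError("bad index format")
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, bump_index(data))
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: the writable index has been replaced by a symlink
    to a host file whose content happens to pass the format check.
    Returns what each version did to the host file."""
    with tempfile.TemporaryDirectory() as d:
        host_file = os.path.join(d, "host_file")
        link = os.path.join(d, "index.json")
        with open(host_file, "wb") as f:
            f.write(b"41\n")
        os.symlink(host_file, link)  # the attacker's swap

        rewrite_index_vulnerable(link)
        with open(host_file, "rb") as f:
            after_vuln = f.read()

        hardened_refused = False
        try:
            rewrite_index_hardened(link)
        except OSError:
            hardened_refused = True
        with open(host_file, "rb") as f:
            after_hard = f.read()

    return {
        "vulnerable_wrote_through_link": after_vuln == b"42\n",
        "hardened_refused_link": hardened_refused,
        "hardened_left_host_file_alone": after_hard == after_vuln,
    }


if __name__ == "__main__":
    print(demo())
```

The O_NOFOLLOW check only covers the last path component; if the attacker also controls a parent directory, open the directory first and use openat-style relative operations (os.open with dir_fd) so every component is resolved against a descriptor you already hold.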
Amazon Patches High-Severity Amazon Photos Android App Vulnerability
Amazon has patched a high-severity vulnerability in its Amazon Photos app for Android, the details of which have now been published. The flaw was reported to Amazon in November 2021 by researchers at Checkmarx, a cybersecurity firm headquartered in Israel. The researchers explained that the flaw could allow an attacker to steal a user's Amazon access token, which authenticates the user across multiple Amazon APIs. Those APIs expose personal data such as the user's name, email address, and physical address. The researchers compared the bug to sending a password to another application in plain text. With the token, an attacker could modify or delete a user's files and erase the file history, so the user cannot restore them and they become unrecoverable. Although the app had been downloaded more than 50 million times before the patch was released on December 18, 2021, the company stated it has "no evidence that sensitive customer information was exposed as a result of this issue." Checkmarx researchers said they found a number of ways a theoretical attacker could delete files in Amazon Drive, emphasizing that ransomware actors could take advantage of the flaw in multiple ways. Checkmarx's vice president stated, "seeing that kind of vulnerability in the software of Amazon, one of the leading companies in the world when it comes to security practices, means that it can happen to every software company." The flaw is a stark reminder that no company is ever completely safe and that vigilance in security practices has to be constant.
Horizon Bridge Heist Attributed to the Lazarus Group
UPDATE to 6/28/2022 FLASH UPDATE: Researchers from Elliptic have found ties between the hack of Harmony's cryptocurrency bridge "Horizon" and the Lazarus Group. The Lazarus Group is an infamous threat group associated with the North Korean government. Its attacks typically target organizations from which the group can extract the most profit to fund North Korean government projects, and it has a track record against cryptocurrency organizations and platforms, including the Ronin Bridge hack in March 2022. Elliptic researchers tracked the stolen cryptocurrency after the Horizon Bridge heist and found that 41% of the roughly $100 million stolen had been sent to the "Tornado Cash" mixer. A mixer is a service that pools deposits from many users and pays them back out in a way that breaks the on-chain link between the original source and the final destination, which lets holders of stolen or tainted cryptocurrency launder it. While cryptocurrency is normally very difficult to trace once mixed, Elliptic claims to have "demixing techniques" that allowed it to follow the stolen funds to multiple Ethereum wallets. That lets cryptocurrency organizations use a screening service to detect whether funds they receive originated from the Horizon Bridge hack. Elliptic cites several indicators linking the heist to the Lazarus Group. First, the multi-signature wallet keys were likely stolen through social engineering, a common Lazarus Group technique. Second, the Lazarus Group focuses on the APAC region, where many of Harmony's core team reside. Finally, the timing of the deposits into Tornado Cash suggests an "automated process," which fits the group's history of building and using programs to launder the many forms of cryptocurrency it has stolen. On these grounds Elliptic attributes the Horizon Bridge heist to the Lazarus Group.
CTIX analysts will continue to monitor the situation and will update if there is more activity with the stolen funds.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.