


Ankura CTIX FLASH Update - July 15, 2022

Ransomware/Malware Activity

New PayPal Phishing Kit Discovered Hijacking Previously Compromised WordPress Websites

Akamai researchers have discovered a new phishing kit that targets PayPal users and aims to harvest an unusually large amount of personal and financial information by combining social engineering with the look and feel of legitimate security practices. The researchers identified the kit after the threat actor planted it on one of their WordPress honeypots. The actor gains access by brute-forcing the logins of legitimate WordPress websites that have previously been compromised, then uses a file-management plugin to upload the kit. To make the fraudulent pages look authentic, the actor reuses PayPal's graphical interface elements and adds an ".htaccess" rewrite rule so that the URLs do not expose a ".php" file extension. The landing page also presents a CAPTCHA, which reinforces the false sense of security. Once the victim is told that "unusual activity" has been detected and is prompted to "secure" the account, the pages request "a host of personal and financial details that include payment card data along with the card verification code, physical address, social security number, mother's maiden name", and more. The kit goes a step further by asking victims to upload government identity documents, such as passports, national IDs, or driver's licenses, along with a photograph of themselves. The request comes with specific upload instructions, mirroring the way a legitimate service like PayPal conducts identity verification, which makes the demand seem routine. Researchers noted that one (1) unique aspect of the kit is its attempt to evade security companies by "providing multiple different checks on the connecting IP address to ensure that it doesn't match specific domains or originate from security organizations." A deeper analysis of the newly discovered PayPal phishing kit can be found in Akamai's report linked below.
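The initial access described above, brute-forcing WordPress logins, leaves a recognizable trace in the web server's access log. The script below is an added example, not Akamai's tooling or anything from their report: it finds a burst of failed login POSTs from one source address followed by a successful redirect. The log lines are constructed, and the assumption that WordPress answers a failed /wp-login.php POST with HTTP 200 and a successful one with a 302 redirect is standard WordPress behaviour that the article itself does not describe.

```python
"""Detect WordPress credential brute-forcing followed by a successful login in
Apache/nginx "combined" access logs.

Added example for this FLASH entry; it is not Akamai's tooling and the log
lines below are constructed. It assumes standard WordPress behaviour: a failed
POST to /wp-login.php re-renders the form with HTTP 200, while a successful
login answers with a 302 redirect into /wp-admin/.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# combined format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_wp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success": bool}} for every source IP that
    produced at least `threshold` failed login POSTs inside any `window`.
    `success` is True when that IP also received a 302 from the login page
    after its first failure, i.e. the guessing very likely worked."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            per_ip[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        fails = [ts for ts, st in events if st == 200]
        # densest burst: for each failure, count the failures in the window ending there
        burst = 0
        for i, ts in enumerate(fails):
            j = i
            while j >= 0 and ts - fails[j] <= window:
                j -= 1
            burst = max(burst, i - j)
        if burst >= threshold:
            first_fail = fails[0]
            success = any(st == 302 and ts >= first_fail for ts, st in events)
            alerts[ip] = {"failures": len(fails), "success": success}
    return alerts


# --- constructed sample log: 12 guesses in under 3 minutes, then a redirect (success) ---
def _line(ip, ts, status, method="POST", path=LOGIN_PATH):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 '
            f'"https://shop.example.com/wp-login.php" "Mozilla/5.0"')

_T0 = datetime(2022, 7, 14, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=15 * i), 200) for i in range(12)]
    + [_line("203.0.113.7", _T0 + timedelta(minutes=3), 302)]
    + [_line("198.51.100.5", _T0 + timedelta(minutes=1), 200),          # one mistyped password
       _line("198.51.100.5", _T0 + timedelta(minutes=1, seconds=20), 302),
       _line("198.51.100.5", _T0 + timedelta(minutes=2), 200, "GET", "/?p=42"),
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, success={info['success']}")
```

The threshold and window are deliberately conservative; a single user mistyping a password a few times never trips it, while a credential-stuffing run followed by a redirect is flagged with `success=True`, which is the case worth paging on because it is exactly the point at which a file-management plugin can be used to drop a kit like this one.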

Threat Actor Activity

TA412 Targets Journalists Days Prior To Russian Invasion and Capitol Attack

Chinese threat activity continues to rise across the threat landscape, and it predates the recent major global events. Security researchers at Proofpoint have uncovered a campaign that has been in operation since before both the January 6, 2021 attack on the United States Capitol and the Russian invasion of Ukraine. The threat group, tracked as TA412 and also known as Zirconium, has conducted several social engineering attacks since the early months of 2021. In one such attack, TA412 embedded invisible images in its phishing emails as reconnaissance beacons: when the message is rendered, the image is fetched from attacker-controlled infrastructure, which confirms that the mailbox is active and reveals details such as the recipient's public IP address and user agent that help the actor judge whether the target is a viable point of compromise. Throughout the beginning of 2021, TA412 ran five extensive social engineering campaigns against journalists. In the days leading up to the January 6 Capitol attack, TA412 shifted its targeting toward journalists covering the White House, distributing phishing emails posing as news feeds "pulled from recent US news articles". Similar behavior recurred in the days before the Russian invasion of Ukraine, when TA412 sent social engineering emails with subject lines such as "US issues Russia threat to China", "UK to arm Ukraine with anti-ship missiles against Russia - Keiv's envoy", "US says how Ukraine stand-off can be resolved", and several others themed around the conflict. Chinese threat actors continue to compromise assets worldwide; CTIX analysts expect this activity to continue in the coming weeks and urge users to validate the integrity of emails before downloading any attached documents or clicking any embedded hyperlinks. Configuring mail clients not to load remote images automatically also blunts the beacon technique, since the beacon only works if the image is fetched.
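TA412's reconnaissance beacons use the same mechanism as marketing tracking pixels: a remote image that is too small or too well hidden to be meant for viewing. As an added example (not Proofpoint's analysis tooling or the actor's code; the sample message is constructed), the script below scans an HTML email body for remote images that are tiny or hidden and reports which host would learn that the message was opened.

```python
"""Flag remote tracking images ("web beacons") in an HTML e-mail body.

Added example for this FLASH entry; it is not Proofpoint's or TA412's code and
the sample message is constructed. The heuristic: an <img> that loads from a
remote host and is either tiny (width and height of 0 or 1) or hidden by inline
CSS exists to make the recipient's client phone home, not to show a picture.
Fetching it tells the remote host that the address is live and leaks the
recipient's IP address, user agent and read time.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return digits != "" and int(digits) <= 1


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        if not parsed.netloc:
            return  # relative path, cid: or data: image cannot phone home
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-or-smaller")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if not reasons:
            return  # an ordinary remote image (logo, banner) is not flagged
        if parsed.query:
            reasons.append("query-string")  # per-recipient identifier likely
        self.beacons.append({"host": parsed.netloc, "src": src, "reasons": reasons})


def find_beacons(html):
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.beacons


# constructed sample: a news-digest lure with one visible logo, two beacons and
# two local images that must not be flagged
SAMPLE_EMAIL = """
<html><body>
<img src="https://images.example.com/logo.png?v=3" width="120" height="40" alt="News">
<p>US issues Russia threat to China ...</p>
<img src="https://track.example.net/open.gif?rid=7f3a9c" width="1" height="1">
<img src="https://cdn.example.org/p.png" style="display: none; width: 0">
<img src="cid:inline-chart" width="1" height="1">
<img src="/images/spacer.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_EMAIL):
        print(b["host"], b["reasons"])
```

A query string alone is not treated as evidence, because legitimate CDNs version their images the same way; it is only reported as supporting detail once the image is already suspicious for being tiny or hidden. Flagged hosts are worth checking against mail-gateway logs for other recipients in the same campaign.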

H0lyGh0st Targets Small Businesses in Year-Long Campaign

North Korean threat actors have been consistently targeting small and midsize businesses with ransomware since June 2021. The actors, who call themselves H0lyGh0st and are tracked by Microsoft as DEV-0530, have hit organizations across several countries and industries, including manufacturing, schools, event planning companies, and banks. Their tools of choice are two ransomware families, SiennaPurple and the later SiennaBlue. In most cases observed so far, initial access came from exploiting vulnerabilities in public-facing web applications and content management systems. Once inside, the actors deployed one or both ransomware variants on the victim's systems, exfiltrated the exposed files, encrypted them, and then published or threatened to publish the stolen data on the group's leak site. Given the economic setbacks from the COVID-19 pandemic and global sanctions, it comes as no surprise that some North Korean threat actors have turned to ransomware for revenue. The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert about North Korean actors using the Maui ransomware against healthcare organizations, further evidence of the growing financial motivation of North Korean-backed groups. There are overlaps between H0lyGh0st and other North Korean threat groups, specifically Plutonium: some indicators of compromise tied to Plutonium were also observed alongside H0lyGh0st indicators, showing shared infrastructure and controllers as well as email communications with known Plutonium accounts. The two groups nonetheless operate differently, targeting different industries and trades with their campaigns. CTIX analysts will continue to monitor threat actor activity worldwide and provide additional insight accordingly.


CISA Orders FCEB Agencies to Patch an Actively Exploited Windows Zero-Day Vulnerability 

CISA has ordered federal agencies to patch an actively exploited zero-day local privilege escalation vulnerability in Windows no later than August 2, 2022. The flaw, tracked as CVE-2022-22047, affects the Windows Client Server Runtime Subsystem (CSRSS) and, if exploited, allows an attacker who is already running code on the host to elevate their privileges to SYSTEM. Although many security researchers argue that active exploitation should push the rating to critical, Microsoft assigned it a CVSS score of 7.8 and a severity of "Important." That rating reflects the fact that this is a local privilege escalation only: an attacker must first obtain code execution on the target, for example through a separate remote code execution flaw, a malicious document, or a phished credential, before chaining in this bug. At this time the vulnerability is still being analyzed and public technical detail is limited, but CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. It therefore falls under Binding Operational Directive 22-01, issued in November 2021, which requires all Federal Civilian Executive Branch (FCEB) agencies to remediate KEV-listed vulnerabilities by the catalog's deadlines. The flaw is one (1) of 84 vulnerabilities fixed in this month's release; details can be found in the July 2022 Security Update from Microsoft linked below. To prevent exploitation, CTIX analysts recommend that Windows users apply the July 2022 update promptly and confirm that it installed successfully.

VMware Patches Vulnerability in the Latest Version of vCenter Server

VMware has patched a high-severity vulnerability in vCenter Server's Integrated Windows Authentication (IWA) mechanism, first disclosed by VMware in November 2021. The flaw, tracked as CVE-2021-22048, is a privilege escalation vulnerability: a threat actor with non-administrative access to a vCenter Server environment could elevate their privileges to a more privileged group, enabling lateral movement across the network and other malicious follow-on activity. Although the vulnerability affects multiple versions of vCenter Server and Cloud Foundation, the patch currently fixes the flaw only in the latest release, vCenter Server 7.0 Update 3f. For administrators running other affected versions that are still awaiting a dedicated patch, or who cannot upgrade immediately, VMware has published a workaround that also prevents exploitation: stop using IWA as the identity source. Environments on vSphere 7.0 can switch from IWA to Identity Provider Federation for Active Directory Federation Services (AD FS). All affected versions can instead switch from IWA to Active Directory over LDAP (using LDAPS); because that identity source does not follow Active Directory domain trusts, administrators must configure a separate identity source for each trusted domain their infrastructure relies on. CTIX analysts strongly urge all administrators, regardless of the version they are running, to plan an upgrade to vCenter Server 7.0 Update 3f and to apply the workaround in the meantime. Technical details for patching and mitigating this threat can be found in the VMware advisory linked below.

Honorable Mention

Experian Allows Attackers to Re-Create User's Accounts, Provides Full Account Takeover

Brian Krebs, a well-known security blogger and investigative journalist, has published a story detailing how a weakness in Experian's account creation process allows attackers to take over existing Experian accounts. Experian is a global consumer credit reporting company that supplies individuals' sensitive financial and personal information to organizations for verification and credit history purposes. Krebs was contacted by John Turner, an Experian user who had created an account to freeze his credit file. In June 2022, Turner received an email from Experian stating that the email address on his account had been changed, and he found himself locked out. The account's email address, password, PIN, and security questions had all been changed, preventing Turner from recovering the account through Experian's customer support. Turner eventually discovered that he could simply create a new Experian account, which gave him back access to his own credit file, though he never learned how the attackers gained control in the first place. Krebs was contacted by another reader with a very similar story: their account was taken over, and they regained control by re-creating it. Krebs set out to replicate the readers' experiences by re-creating his own Experian account. He found that after providing his "Social Security Number (SSN), date of birth, and answering several multiple-choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with [his] credit file." This is a serious weakness because the owner of the original email address never approved the change; the platform allowed the account to be claimed with a few pieces of information that are sensitive but, for many consumers, already exposed through breaches or public records.

Experian did send an automated message stating that the account's email address had been changed, but by then an attacker could already have changed the PIN and security questions required to access the account. Krebs checked the other two (2) major credit reporting agencies, Equifax and TransUnion, both of which rejected his new account application because he already had an account on file. Krebs also noted that this is not the first time he has reported on Experian, referencing an April 2021 investigation into "lax authentication on Experian's PIN retrieval page to unfreeze consumer credit files" and a story a few days later about an Experian API exposing Americans' credit scores. Exploiting this account takeover weakness could allow attackers to unfreeze the credit files of potential identity theft victims. Because a credit freeze is one of the few protections available after personal information has leaked, a flaw that lets anyone holding that leaked information take over the account undermines the protection the freeze is meant to provide. Experian told Krebs that his readers' experiences were "isolated incidents of fraud using stolen consumer information"; the company did not deny the weakness, stating only that it has additional security measures beyond "knowledge-based authentication questions." CTIX analysts will continue to monitor this situation and provide updates on any new developments.
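The flaw Krebs describes is a recovery flow in which knowledge-based answers alone are enough to rebind an account to a new email address, with the previous address notified only after the fact. The following added example, which is not Experian's code and uses illustrative field and function names, models that weak flow beside a hardened one in which the current mailbox must approve the change before it takes effect.

```python
"""Model of the account-recovery weakness described above next to a hardened
flow. Added example for this FLASH entry: it is not Experian's code, and the
Account fields, function names and the knowledge-based authentication (KBA)
check are illustrative assumptions.

Weak flow: passing KBA during account "re-creation" immediately rebinds the
account to the caller's e-mail address; the previous address is only notified
afterwards.

Hardened flow: KBA alone never changes the contact channel. It opens a pending
change that takes effect only when a token sent to the CURRENT address is
presented, or, as one design choice for genuinely lost mailboxes, after a hold
period during which the current address can cancel it.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(days=7)


@dataclass
class Account:
    ssn_last4: str
    dob: str
    kba_answers: dict
    email: str
    pending: Optional[dict] = None  # {"new_email", "token", "not_before"}


def _ct_eq(a, b):
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def kba_passes(acct, ssn_last4, dob, answers):
    """Illustrative KBA. Every fact checked here is the kind that leaks in
    breaches or sits in public records, which is why passing it must not be
    sufficient on its own to move the account to a new mailbox."""
    ok = _ct_eq(acct.ssn_last4, ssn_last4) & _ct_eq(acct.dob, dob)
    for question, expected in acct.kba_answers.items():
        ok &= _ct_eq(expected, answers.get(question, ""))
    return bool(ok)


def recreate_account_weak(acct, ssn_last4, dob, answers, new_email):
    """Vulnerable flow: KBA success rebinds the e-mail immediately."""
    if not kba_passes(acct, ssn_last4, dob, answers):
        return False
    acct.email = new_email
    # A courtesy notice to the old address goes out here, but the change has
    # already happened; the caller can now reset the PIN and security questions.
    return True


def request_email_change(acct, ssn_last4, dob, answers, new_email, now):
    """Hardened flow: KBA success only opens a pending change. The token is
    delivered to the CURRENT mailbox (simulated here by returning it)."""
    if not kba_passes(acct, ssn_last4, dob, answers):
        return None
    token = secrets.token_urlsafe(24)
    acct.pending = {"new_email": new_email, "token": token, "not_before": now + HOLD}
    return token


def confirm_email_change(acct, token):
    """The holder of the current mailbox approves the change with the token."""
    if acct.pending is None or not _ct_eq(acct.pending["token"], token):
        return False
    acct.email = acct.pending["new_email"]
    acct.pending = None
    return True


def cancel_email_change(acct):
    """The holder of the current mailbox rejects the change (link in the notice)."""
    acct.pending = None


def apply_after_hold(acct, now):
    """If nobody confirmed or cancelled within HOLD, let the change proceed."""
    if acct.pending is None or now < acct.pending["not_before"]:
        return False
    acct.email = acct.pending["new_email"]
    acct.pending = None
    return True


# constructed sample: the "secrets" an attacker can buy or look up
def sample_account():
    return Account(ssn_last4="1234", dob="1980-02-03",
                   kba_answers={"street": "Elm St", "car": "Civic"},
                   email="owner@example.com")

PUBLIC_RECORD_ANSWERS = {"street": "Elm St", "car": "Civic"}
SAMPLE_NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)

if __name__ == "__main__":
    a = sample_account()
    recreate_account_weak(a, "1234", "1980-02-03", PUBLIC_RECORD_ANSWERS, "attacker@example.net")
    print("weak flow, e-mail now:", a.email)
    b = sample_account()
    request_email_change(b, "1234", "1980-02-03", PUBLIC_RECORD_ANSWERS, "attacker@example.net", SAMPLE_NOW)
    print("hardened flow, e-mail still:", b.email, "pending:", b.pending is not None)
```

The point of the hardened flow is that the notification to the old address arrives while the change is still reversible, so the legitimate owner's "I did not do this" click actually stops the takeover instead of merely documenting it. Whether the change should proceed at all after the hold period, as `apply_after_hold` allows, is a product decision; a stricter service would require an out-of-band identity check instead.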

The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


