Ransomware/Malware Activity
APT37 Targets Users in Various European Countries in Latest Phishing Campaign
Several high-value organizations throughout Poland, the Czech Republic, and other European countries have been targets of a recent social engineering campaign that utilizes the "Konni" remote access trojan (RAT). These attributed threat actors, tracked as APT37 and InkySquid, are a North Korean-backed cyber espionage organization who have targeted entities throughout South Korea, Japan, Russia, China, Vietnam, and several countries throughout the Middle East. Major operations conducted by APT37 in recent years include Operation Daybreak, Operation Erebus, and a more recent campaign involving the targeting of journalists with the "GOLDBACKDOOR" malware. In this new phishing campaign, threat actors are distributing emails to users containing malware-infected Word documents and Windows shortcut files. Once downloaded and opened by the user, the attached .LNK file communicates out to an actor-controlled command-and-control (C2) server which initiates the infection chain. The C2 server downloads two (2) additional files, one (1) of which is a decoy document that is allegedly authored by "a Russian war correspondence." At this point in the infection chain, the actor has the ability to capture screenshots, extract state keys stored in the Local State file for cookie database decryption, extract saved credentials from the victim's web browsers, and launch a remote interactive shell to execute commands every ten (10) seconds. Next, additional files are downloaded to support the Konni malware sample, which allows the payloads to establish persistence on the user's device and escalate privileges. Security researchers from Securonix highlighted several indicators from this campaign with correlation to known APT28 (aka FancyBear), such as IP addresses, hosting provider, and hostnames, indicating the possibility of a Russian false-flag operation masked as APT37. As social engineering campaigns continue to be a persistent threat, CTIX continues to urge users to validate the integrity of email communications prior to downloading any attachments or visiting any embedded links to lessen the risk of threat actor compromise.
Threat Actor Activity
Russian Command-and-Control Network Uncovered in the US Prior To Ransomware Attack
A security researcher at Censys recently uncovered a Russian command-and-control (C2) network containing at least one (1) network host tied to the United States. Researcher Matt Lembright conducted scans of known Russian hosts and found two (2) nodes containing malicious tools Rapid7, Metasploit, Deimos C2, and PoshC2 on only one (1) host. Digging further into indicators and suspicious hosts, Lembright noted connections to MedusaLocker and Karma ransomware variants from previously attributed email address, IP address, and TOR hosts. Furthermore, there were additional vectors highlighting connections to Russian Bitcoin indicators, presumed to be used as the form of payment post-exploitation. While these are all indications of a prepped ransomware attack on a target, the hosts are only being utilized as a front since malicious attacks from out-of-country endpoints will most often be blocked by security systems. By utilizing a United States attributed host, there is greater chance of a successful cyberattack. Deeper analysis by the Federal Bureau of Investigation showed historical malicious activity on the questioned host, attributing to attacks on a hospital and library within the last year. With threat actor attack plans being compromised, this will likely deter actors from exploiting their target for a short time but will likely utilize new methodologies in their next attack attempt. CTIX will continue to monitor any additional updates from this situation and provide additional updates accordingly.
Vulnerabilities
SonicWall Urges Customers to Immediately Patch a Critical SQL Injection Vulnerability
The cybersecurity firm SonicWall has released an advisory warning customers to patch a critical unauthenticated SQL injection vulnerability affecting Global Management System (GMS) version 9.3.1-SP2-Hotfix1 and earlier, as well as On-Prem Analytics version 2.5.0.3-2520 and earlier. GMS and Analytics are widely deployed across many industries, and act as central management hubs allowing network administrators and security personnel to control and configure thousands of SonicWall appliances across their entire network security posture. The flaw, tracked as CVE-2022-22280, is described as an improper neutralization of special elements used in an SQL query, and its exploitation allows attackers to perform unauthenticated SQL Injection. This vulnerability has been given a severity score of 9.4/10 due to the fact that it can be exploited by unauthenticated attackers from within the target network without any interaction from the victim. This, coupled with the very low attack complexity earns this flaw a critical severity rating. At this time there is no proof-of-concept (PoC) exploit, or evidence that this vulnerability has been actively exploited in-the-wild. However, now that the patch has been published, threat actors will be reverse engineering the patch to attack GMS and Analytics instances that are slow to apply the update. There are currently no manual configurations or techniques that mitigate exploitation, so CTIX analysts urge any administrators deploying the affected versions of GMS and Analytics to update to the latest version immediately to prevent being compromised. As a best practice, SQL injection attacks are significantly reduced via deploying a Web Application Firewall (WAF), and analysts recommend incorporating this to add defense-in-depth to their network appliances.
Popular E-commerce Platform Vulnerable to SQL Injection and Arbitrary Code Execution
Hackers have been observed actively exploiting a critical zero-day vulnerability chain affecting the PrestaShop open-source e-commerce platform in order to steal transaction and payment data from online stores and marketplaces. The flaw, tracked as CVE-2022-36408, is an SQL injection vulnerability in the "blockwishlist" module. If successfully exploited, the attackers can perform remote arbitrary code execution (ACE) against servers running PrestaShop websites. The threat actors execute the attack by sending a maliciously crafted POST request to a vulnerable endpoint, immediately followed by a parameter-less GET request to the target homepage. This creates a file called "blm.php" at the root of the online shop's directory, and a follow-on GET request to the newly created file allows for the ACE. After gaining full control of the online shop, the threat actors can inject skimmer code via a spoofed payment form engineered to steal sensitive transaction data entered by victims during checkout, funneling the data back to a command-and-control (C2) node. PrestaShop is described as the leading open-source e-commerce solution in Europe and Latin America, and their maintainer team issued a warning on July 22, 2022, urging the administrators of the 300,000 e-commerce shops deploying PrestaShop to update to the latest version of the software. Although it isn't 100% confirmed, research findings indicate that the threat actors may be using MySQL Smarty cache storage as part of their initial attack vector. Although disabled by-default, CTIX analysts recommend that site administrators manually confirm that the MySQL Smarty cache storage feature is disabled, since it can be enabled remotely by the threat actor.
Honorable Mention
US DOJ Seizes Half a Million Dollars in Bitcoin from "Maui" Operators Following Healthcare Organization Attacks
The US Department of Justice (DOJ) has reportedly seized $500,000 worth of Bitcoin from North Korean hackers. The threat actors are operators of the "Maui" ransomware, a new ransomware strain discovered in May 2021. The malware is solely used by North Korean state-sponsored attackers, unlike other ransomware strains that are used in ransomware-as-a-service operations. Maui is used in hands-on-keyboard attacks, meaning it is run manually by an operator post-breach. The healthcare sector has been the primary target for the North Korean operators deploying Maui since the malware was first discovered. The seized cryptocurrency comes from two (2) health care providers in Kansas and Colorado who paid Maui after successful ransomware attacks against their networks. The District of Kansas medical center cooperated with law enforcement and notified the FBI of a $100,000 cryptocurrency payment following an attack in May 2021. During the investigation, the FBI was able to seize the contents of two cryptocurrency accounts identified in the Kansas attack. In April 2022, the FBI traced an additional $120,000 Bitcoin payment into an already seized Bitcoin wallet which they traced to an attack against a Colorado healthcare provider. It is unknown how exactly the FBI seized the accounts used in the attacks, though there is some speculation. The North Korean threat actors used a network of China-based money launderer's that could have transferred the Bitcoin through a cryptocurrency exchange. Exchanges are required to "know your customer" (KYC) and may be compelled by law enforcement to seize illegitimate cryptocurrency. While the DOJ has seized these assets, the Maui operators are still attacking healthcare organizations to this day. CTIX analysts recommend businesses in the healthcare sector harden their networks against ransomware attacks and report to law enforcement if they have been victimized by Maui.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
