
Ankura CTIX FLASH Update - August 26, 2022

Ransomware/Malware Activity

Anti-Cheat, Code-Signed Driver Abused to Bypass Privileges and Deploy Ransomware

Trend Micro researchers observed a ransomware infection in late July 2022 that involved a code-signed driver called "mhyprot2.sys", which is used for anti-cheat functions in the video game Genshin Impact. The currently undisclosed ransomware abused this driver to bypass privileges and disable anti-virus software. A notable observation by researchers is that Genshin Impact does not need to be installed on a victim's machine for this ransomware to be deployed, as the use of the driver is independent from the video game and can be integrated into any malware. Since the driver is code-signed, it can be installed on Windows machines without creating alerts often seen with unsigned drivers or applications. There have been two (2) proof-of-concept (POC) exploits publicly available on GitHub since 2020. These POC exploits contain "full details on how to read/write kernel memory with kernel mode privileges from user mode, enumerate threads, and terminate processes." In the recent ransomware incident, researchers observed that the ransomware operators first transferred the driver to the victim's desktop as well as a malicious executable "kill_svc.exe", which installs the driver. Next, "avg.msi" is downloaded, which drops and executes four (4) files: "logon.bat" (which disables antivirus and other services), "HelpPane.exe" (which disguises as Microsoft Help and Support and also disables antivirus services), "mhyprot2.sys" (which is the vulnerable Genshin Impact anti-cheat driver), and "svchost.exe" (which is the ransomware payload). The researchers then observed the operators attempting and failing three (3) times to encrypt files on the victim machine but successfully disabling the antivirus services. Lastly, the actors loaded the driver, the ransomware, and the executable "kill_svc.exe" onto a network share for mass deployment. 
As of August 24, 2022, the code signature on "mhyprot2.sys" is still valid, and CTIX analysts will continue to monitor for developments in this observed methodology and provide updates where applicable.
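Because the driver's signature is valid, signature checks alone will not surface this tradecraft; a detection has to key on the driver name and the dropper artifacts named above. The triage below is an added example (not code from the Trend Micro or CTIX write-ups) that runs over constructed Sysmon-style DriverLoad and FileCreate records; the assumption that legitimate HelpPane.exe and svchost.exe live under C:\Windows is the author's, not the page's.

```python
from collections import defaultdict

# Constructed sample events modelled loosely on Sysmon DriverLoad (ID 6) and
# FileCreate (ID 11) records; illustrative only, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"id": 11, "host": "ws01", "image": "C:\\Users\\alice\\Desktop\\kill_svc.exe",
     "target": "C:\\Users\\alice\\Desktop\\mhyprot2.sys"},
    {"id": 6, "host": "ws01", "image": "C:\\Users\\alice\\Desktop\\mhyprot2.sys",
     "signed": True},
    {"id": 11, "host": "ws01", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\HelpPane.exe"},
    {"id": 11, "host": "ws01", "image": "C:\\Windows\\System32\\msiexec.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\logon.bat"},
    {"id": 6, "host": "ws02", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "signed": True},
]

# File names taken from the incident summary above.
ABUSED_DRIVER = "mhyprot2.sys"
DROPPED_NAMES = {"kill_svc.exe", "avg.msi", "logon.bat", "helppane.exe", "svchost.exe"}
# Assumption: the legitimate HelpPane.exe and svchost.exe live under C:\Windows,
# so copies of those names anywhere else are worth a look.
SYSTEM_DIR = "c:\\windows\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (host, reason) findings for individually suspicious events."""
    findings = []
    for ev in events:
        if ev["id"] == 6 and basename(ev["image"]) == ABUSED_DRIVER:
            # The valid signature is exactly why the driver loads without the
            # usual unsigned-driver alerts, so 'signed' must not be read as benign.
            findings.append((ev["host"], "driver load: %s (signed=%s)" % (ev["image"], ev["signed"])))
        elif ev["id"] == 11:
            name = basename(ev["target"])
            outside_sysdir = not ev["target"].lower().startswith(SYSTEM_DIR)
            if name == ABUSED_DRIVER or (name in DROPPED_NAMES and outside_sysdir):
                findings.append((ev["host"], "file drop: %s by %s" % (ev["target"], ev["image"])))
    return findings


def correlate(events):
    """Hosts where the driver loaded AND at least one dropper artifact was written."""
    loaded, dropped = set(), defaultdict(int)
    for host, reason in triage(events):
        if reason.startswith("driver load"):
            loaded.add(host)
        else:
            dropped[host] += 1
    return sorted(h for h in loaded if dropped[h] >= 1)
```

Hosts returned by correlate() show the full chain (signed driver loaded plus dropper files written outside the system directory), which is a much stronger signal than either event alone.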

SolarWinds Operator Nobelium Linked to New "MagicWeb" Post-Compromise Malware

Nobelium, the threat actor behind the SolarWinds supply chain attack in December 2020, has recently been linked by Microsoft to a "highly targeted" post-compromise malware dubbed "MagicWeb". Nobelium overlaps with the Russian nation-state group APT29 (aka CozyBear or The Dukes) and is "highly active, executing multiple campaigns in parallel targeting government organizations, non-government organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia." Microsoft researchers observed that MagicWeb shares similarities with "FoggyWeb", another malware previously used by Nobelium, and that its main purpose is maintaining access and preventing eviction during the victim's remediation efforts. The group must first, however, obtain "highly privileged access to an environment and [move] laterally to an AD FS server." This prerequisite exists because MagicWeb is a rogue dynamic-link library (DLL), "a backdoored version of Microsoft.IdentityServer.Diagnostics.dll", that provides stealthy access to an AD FS system through an authentication bypass. Researchers noted that this highly privileged access allows Nobelium to "perform whatever malicious activities they wanted to on the systems they had access to", such as conducting further system compromises, obfuscating activity, or establishing persistence. A further in-depth analysis of MagicWeb can be viewed in Microsoft's report linked below.

Threat Actor Activity

RedAlpha Continuing Three Year Credential Theft Operation

Over the past three (3) years, a Chinese cyber-espionage organization has been consistently launching credential theft operations against humanitarian agencies, think tanks, and government organizations. Tracked as RedAlpha, this threat group often targets religious minority communities that oppose the Chinese state. Throughout these campaigns, the threat actors registered hundreds of domains in an effort to spoof legitimate domain names and compromise unsuspecting victims. In 2021 alone, over 350 typosquatted domains were registered by the RedAlpha organization. Several consistent techniques were observed in the domain infrastructure, such as recurring naming conventions, use of virtual private server (VPS) hosting from VirMach, and consistent use of “*resellerclub[.]com” nameservers. When RedAlpha phishing operations are launched, victims are redirected to a fake login portal mimicking a specific organization, and the credential pairs submitted there are exfiltrated to RedAlpha actors. Recent phishing campaigns launched by RedAlpha have been observed using the same tactics, techniques, and infrastructure as their previous attacks; security teams should note the applicable indicators of compromise and update security controls to lessen the risk of threat actor compromise. CTIX continues to track threat actors globally and will provide additional updates accordingly.

0ktapus Operation Compromises Over 130 Organizations

Threat actors attributed to the recent Okta compromise have launched a massive phishing campaign that has affected numerous organizations over the past few weeks. This campaign, tracked as 0ktapus, targeted multiple organizations with malicious SMS phishing messages aiming to lure victims to a website that would harvest their credentials and two-factor authentication (2FA) codes. As of August 26, 2022, a total of 9,931 corporate accounts had been harvested by this phishing operation across 136 organizations. 0ktapus has targeted multiple countries, including the United States (114 organizations), India (4 organizations), Canada (3 organizations), and Sweden (2 organizations). Data harvested by this campaign is exfiltrated to the threat actors’ Telegram, from which the attackers can access the employee's organization and exfiltrate data to command-and-control (C2) servers. All the embedded domains utilized by these actors had some sort of multi-factor language (i.e., sso, vpn, okta, mfa, etc.) built into the domain name alongside a very simple yet convincing login portal. As phishing campaigns continue to become more prevalent within the threat landscape, CTIX continues to urge the importance of validating the integrity of any correspondence before downloading any documents or visiting URLs to lessen the risk of threat actor compromise.
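Both the RedAlpha and 0ktapus write-ups above give defenders the same kind of lead: lookalike domains that embed a brand or an authentication keyword (sso, vpn, okta, mfa) and, for RedAlpha, nameservers under resellerclub[.]com. The scorer below is an added example (not CTIX code) that triages a constructed, defanged feed of newly registered domains against those traits; the watched brand "examplecorp" and its legitimate domains are assumptions for the demo.

```python
import re

# Authentication-themed tokens the 0ktapus domains built into their names.
MFA_TOKENS = ("sso", "vpn", "okta", "mfa")
# Nameserver pattern reused across RedAlpha infrastructure (refanged form).
SUSPECT_NS = re.compile(r"(^|\.)resellerclub\.com$")
# Assumption: the brand an analyst protects and its legitimate registrable domains.
WATCHED_BRANDS = {"examplecorp": {"examplecorp.com", "examplecorp.net"}}

# Constructed feed of (domain, nameservers), defanged the way feeds usually arrive.
SAMPLE_FEED = [
    ("examplecorp-sso[.]com", ["ns1[.]hosting-provider[.]example"]),
    ("okta-examplecorp[.]net", ["ns2[.]resellerclub[.]com"]),
    ("examplecorp[.]com", ["ns1[.]examplecorp[.]com"]),
    ("weather-forecast[.]org", ["dns1[.]resellerclub[.]com"]),
    ("cat-pictures[.]net", ["ns1[.]hosting-provider[.]example"]),
]


def refang(value):
    return value.replace("[.]", ".").lower()


def score_domain(domain, nameservers):
    """Return (score, reasons); score counts independent suspicious traits."""
    d = refang(domain)
    reasons = []
    registrable = ".".join(d.rsplit(".", 2)[-2:])  # crude eTLD+1, enough for the demo
    for brand, legit in WATCHED_BRANDS.items():
        if registrable in legit:
            return 0, ["legitimate domain"]
        if brand in d:
            reasons.append("embeds watched brand '%s'" % brand)
    label = d.rsplit(".", 1)[0]  # ignore the suffix so 'com'/'net' never match a token
    for tok in MFA_TOKENS:
        if re.search(r"(^|[^a-z])%s([^a-z]|$)" % tok, label):
            reasons.append("auth-themed token '%s'" % tok)
    if any(SUSPECT_NS.search(refang(ns)) for ns in nameservers):
        reasons.append("nameserver matches resellerclub[.]com pattern")
    return len(reasons), reasons


def triage(feed, threshold=2):
    """Domains with at least `threshold` traits, in feed order."""
    out = []
    for dom, ns in feed:
        score, reasons = score_domain(dom, ns)
        if score >= threshold:
            out.append((dom, score, reasons))
    return out
```

A single trait (weather-forecast[.]org on resellerclub nameservers) stays below the threshold; the two brand lookalikes are surfaced with their reasons for an analyst to review and block.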


Palo Alto Networks Firewall Vulnerability Added to CISA's Known Exploitable Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical unauthenticated Palo Alto Networks' PAN-OS firewall bug to its catalog of Known Exploitable Vulnerabilities. This flaw was identified by a service provider and was exploited in an attempt to conduct a reflected amplification distributed denial-of-service (DDoS) attack. Reflected amplification is one of the more popular DDoS attack types utilized by threat actors today and combines two (2) attack methods (reflection and amplification) which enable the threat actors to obscure their hijacked attack sources while exponentially magnifying the amount of malicious data packets they can generate and leverage against their targets. The vulnerability, tracked as CVE-2022-0028, stems from a PAN-OS URL filtering policy misconfiguration, and the DDoS traffic appeared to be originating from Palo Alto Networks' PA-Series, VM-Series, and CN-Series firewalls. For the threat actors to be able to exploit this vulnerability, the firewalls must be configured to have a URL filter profile with blocked categories that are assigned to sources with a public-facing network interface. Although this attack is limited to DoS, it is dangerous because the attackers obfuscate their identities and the affected devices may have no clear sign of being compromised, making the attack difficult to prevent. That, coupled with the low complexity of the attack, means that the threat actors don't have to use massive botnets or hijack multiple servers and gives this vulnerability a CVSS score of 8.6/10. This flaw has been patched by Palo Alto Networks and CTIX analysts urge any customers to update their PAN-OS firewalls to the latest secure versions. If the patch cannot immediately be implemented, Palo Alto Networks has provided users with manual mitigation techniques which are detailed in the advisory linked below. 
Although effective against DoS attacks, mitigations like rate limiting, port blocking, and filtering traffic signatures may have negative effects on overall bandwidth and performance. As a best practice, the CTIX team recommends that threat intelligence services be leveraged to better enable security professionals in identifying vulnerable endpoints and proactively blocking malicious IP addresses.

Chinese State-Owned Wireless Cameras Reportedly Being Actively Exploited In-The-Wild

Wireless video surveillance cameras produced by the Chinese state-owned camera manufacturer Hikvision are reportedly being actively exploited by financially motivated and state-sponsored threat actors alike, utilizing a critical vulnerability first identified in 2021. A recently published report by the cybersecurity firm CYFIRMA shows that researchers have observed a major uptick in activity on multiple Russian-speaking dark web forums, where threat actors are collaborating to exploit the vulnerability as well as selling network entry points and the leaked credentials of vulnerable Hikvision cameras. The flaw, tracked as CVE-2021-36260, is caused by insufficient input validation and could be exploited by attackers to launch a command injection attack by sending messages containing malicious commands. Hikvision patched the vulnerability in September 2021; however, two (2) working proof-of-concept (PoC) exploits that remain unpatched have since been published. Hikvision devices are very popular and are utilized by at least 2,300 organizations spanning one hundred (100) countries, totaling more than 80,000 vulnerable devices. This flaw was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploitable Vulnerabilities Catalog in January 2022. The massive scale of potential targets, coupled with the low complexity of exploitation due to multiple PoCs, earns this flaw a CVSS score of 9.8. According to multiple researchers, Hikvision cameras have a poor security posture by default, and their products are known to utilize default credentials and be easy to exploit.
Researchers are unsure why the organization has not patched its products against the new exploits, but it should be noted that in 2021 Hikvision resigned from the largest international trade organization for surveillance vendors, the Security Industry Association (SIA), after being accused by the international community of collaborating with the Chinese army on research to improve military missiles. The growing popularity of network cameras and IoT devices has made cameras like these very attractive to threat actors as a vector to drop downloaders and build botnets that conduct denial-of-service (DoS) attacks. CTIX analysts recommend that any organizations utilizing Hikvision wireless cameras update to the latest patch, change the default credentials to a strong password, and isolate the wireless camera network behind a firewall.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed and the CTIX team ( for threat intelligence inquiries.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

