Ransomware/Malware Activity
"EvilProxy" Provides Low-Skill Threat Actors Access to Advanced Phishing Techniques
A new Phishing-as-a-Service (PaaS) platform dubbed "EvilProxy" has been discovered by Resecurity researchers. PaaS platforms allow low-skill threat actors to easily steal online account information. EvilProxy is a reverse-proxy PaaS platform that sits between the victim and a legitimate authentication endpoint. If a victim lands on an EvilProxy site, the site asks for the user's credentials and multi-factor authentication token which are forwarded to the legitimate server. The threat actor then stores the session cookie that is returned by the website and relays it back to the user, allowing the threat actor to log in as the user without any indication to the victim that something malicious has occurred. While sophisticated threat actors have been using this technique for years, the sale of this tool on underground forums allows any threat actor, skilled or not, to phish user credentials from popular websites. EvilProxy advertises close to fifteen (15) different websites available to phish, including Google, Microsoft, iCloud, Dropbox, GitHub, Facebook, WordPress, PyPi, and other popular websites. Once a threat actor chooses a website to replicate, they are given access to a configuration panel hosted on Tor with detailed instructions on how to set up the phishing site. The researchers noted that the developers of EvilProxy "did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection." EvilProxy also attempts to guard against scanning from services like VirusTotal, blocks VPN services and TOR exit nodes, and fingerprints browsers to determine if the potential victim is a bot. The emergence of EvilProxy as a well-made and effective phishing toolkit gives unsophisticated threat actors an easy path to starting phishing campaigns. CTIX analysts will continue to monitor the usage of this service and will provide updates on new developments.
120,000 Individuals' Data Exposed from IRS' Accidental Posting
The United States Internal Revenue Service (IRS) has exposed confidential information of approximately 120,000 individuals by accidentally posting the information to its website. The IRS confirmed in a post on Friday that machine-readable (XML) Form 990-T data was made available for bulk download on the Tax Exempt Organization Search (TEOS) page that should not have been publicly available. Form 990-T is the "business tax return used by tax-exempt entities, including tax-exempt organizations, government entities and retirement accounts, to report and pay income tax" on unrelated business income, which is commonly derived from "sales unrelated to the nonprofit's core purpose or real estate investments that pay income to an individual retirement account." For 501(c)(3) organizations (otherwise known as non-profit entities such as charities, etc.), a Form 990-T must be available for three (3) years for public inspection. Notably, some of the information posted was for a subset of non-503(c)(3) organizations which is "not subject to public disclosure." The exposed data in this breach includes names, contact information, and financial information about income within the exposed 990-T forms. The IRS confirmed that the exposed data does not contain Social Security numbers (SSNs), detailed account-holder information, or individual income tax returns (Forms 1040). The Wall Street Journal reported that this incident was due to a human coding error that occurred last year when Form 990-T began to be filed electronically. Notification letters are being sent to impacted individuals within the next coming weeks, and the IRS confirmed that the data has been removed from its website. CTIX analysts will continue to monitor this incident and provide updates as needed.
- The Wall Street Journal: IRS Posting Article
- Bleeping Computer: IRS Posting Article
- IRS: Statement on Forms 990-T
Threat Actor Activity
Worok Threat Group Emerges After Hiatus, Targets High Profile Companies Throughout Asia
An emerging cyber-espionage threat group is making waves by targeting high profile organizations and local governments throughout Asia. Tracked as Worok, this threat group has been traced back to exploiting several organizations when ProxyShell (CVE-2021-34523) was first disclosed. Some attack tactics, techniques, and procedures (TTPs) aligned closely with another threat group TA428; this included the time of attack, targeted verticals, and the use of the ShadowPad Chinese malware. Back in 2020, Worok was attributed to compromising a telecommunications company, a local bank, and a maritime company throughout Asia alongside a government entity in the Middle East and a private company out of southern Africa. After a brief hiatus, Worok has begun to compromise assets once again. So far this year, Worok has reportedly targeted an energy company in Central Asia and a public sector organization in Southeast Asia. Malware utilized by the group in these recent attacks includes the PowHeartBeat PowerShell backdoor, PNGLoad steganographic loader, and the CLRLoad assembly loader. These tools working in tandem allow for threat actors to send arbitrary commands via command-and-control (C2) and continue espionage operations on the compromised company. CTIX continues to track threat actor activity worldwide and will continue to provide updates accordingly.
Threat Profile: NoName057(16)
Since the invasion in February, the conflict between Russia and Ukraine has drawn in threat actors worldwide and sparked continuous cyber-attacks targeting both sides. While major threat organizations such as IT Army of Ukraine, Killnet, and Legion Spetsnaz have made their mark, a lesser-known threat actor has been unleashing numerous DDoS attacks against Ukraine and known allies. Tracked as NoName057(16), this threat actor has DDoS'ed major government websites alongside news agencies, telecommunications companies, financial institutions, military, suppliers, and transportation authorities across Ukraine, Lithuania, Estonia, Poland, and Norway. NoName057(16) has stated "we will never harm the innocent, and our actions are a response to the rash actions of all those who have taken an openly hostile position. We [NoName057(16)] have the knowledge, strength, and experience to restore justice where it has been violated". Malware utilized by NoName057(16) includes the botnet-as-a-service Bobik Remote Access Trojan (RAT), which is often seen in conjunction with the Redline Stealer malware. Network communications attributed to the Bobik botnet trace back to malicious hosting servers in Romania and Russia. The use of the Bobik botnet has grown significantly since the start of the Russia-Ukraine conflict, with eight (8) known DDoS attacks in August and already four (4) in September. With the cyber-war between Russia and Ukraine continuing, CTIX expects smaller threat groups such as NoName057(16) to emerge in the coming months and will continue to provide additional contexts on such groups.
Vulnerabilities
Zero-day Vulnerability Exploited to Deploy DeadBolt Ransomware on Vulnerable QNAP NAS Devices
Taiwanese network hardware and software provider QNAP has directed their customers to upgrade to the latest version of Photo Station to patch a critical zero-day vulnerability affecting their network-attached storage (NAS) devices. The flaw is being actively exploited to download DeadBolt ransomware on vulnerable NAS devices that are accessible from the public internet. Not much is known at this time about the specifics of the vulnerability, likely to allow as many customers as possible to patch their devices before making the exploit public. The surge was observed by QNAP's Product Security Incident Response Team (QNAP PSIRT) on September 3 and 4, 2022, and they were impressively able to release a working patch within twelve (12) hours. Along with patching their NAS firmware, QNAP advises their customers to disable automatic port forwarding and block device access to the public internet. QNAP also recommends enabling their VPN service or utilizing the myQNAPcloud Link feature for remote access services, which allows the devices to be accessible via the internet exclusively through the myQNAPcloud website. Alternatively, QNAP has suggested switching from Photo Station to a more secure photo management tool called QuMagie. Although this flaw has been patched, DeadBolt ransomware campaigns have been targeting NAS devices since January 2022. As a best practice, CTIX analysts recommend that administrators do not allow their NAS devices to be public facing, create strong passwords for all user accounts, and create regular backups. This vulnerability will be monitored, and an update to this matter may be published in the near future.
- Bleeping Computer: QNAP DeadBolt Article
- The Hacker News: QNAP DeadBolt Article
- QNAP: DeadBolt Security Advisory
Google Patches Critical Zero-Day Vulnerability in Chrome Browser
Google has released a new version of their Chrome browser to patch a critical zero-day vulnerability that has been actively exploited in-the-wild. The flaw, tracked as CVE-2022-3075, is an insufficient data validation in Mojo for Chromium, a collection of runtime libraries providing an Inter-Process Communication (IPC) framework. An IPC framework is a mechanism allowing different processes in different languages to communicate with each other and synchronize their actions through shared memory and message passing. As of this publication, the new version of Chrome has rolled out in the Stable Desktop Channel for Windows, Mac, and Linux users. This vulnerability was anonymously reported. At this time, Google is not releasing the technical details in order to allow the patch to reach their entire Chrome user base in the coming weeks. This flaw marks the sixth (6) Chrome zero-day patched in 2022, and they have been exploited by state-sponsored and financially motivated threat actors alike. CTIX analysts urge all Chrome users to ensure they are already running version 105.0.5195.102 through the Help > About Chrome option within Google Chrome. This vulnerability will be closely monitored, and an update may be published in the coming weeks as technical details and/or proof-of-concept (PoC) exploits become public.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
