New Phishing Campaign Capitalizing on the Death of Queen Elizabeth II
Threat actors have begun exploiting the recent death of Queen Elizabeth II in a phishing campaign discovered by Proofpoint Threat Insight researchers. The campaign's goal is to capture victims' Microsoft account credentials together with their multi-factor authentication (MFA) codes. On September 14, 2022, the researchers posted on Twitter that the campaign impersonates "the Microsoft team" and attempts to lure victims to a fraudulent online memory board said to include "millions of memorable words and thousands of letters and photos." The email subject reads "Join our AI space in memory of Queen Elizabeth II," and the email body contains links that redirect to a credential-harvesting page. The researchers also noted that the campaign appears to use the EvilProxy reverse-proxy Phishing-as-a-Service (PaaS) kit reported in the September 6, 2022 FLASH Update. Because a reverse-proxy kit relays the victim's session to the genuine Microsoft login page, it can capture the one-time MFA code and the resulting session cookie as well as the password, so code- or push-based MFA alone does not stop this type of campaign. The United Kingdom's National Cyber Security Centre (NCSC) previously published an article on September 13, 2022, warning of scams that exploit the period of national mourning. Microsoft users must remain vigilant against threat actors attempting to capitalize on recent tragedies or major news stories, as these events will remain a common lure theme in phishing campaigns.
- Bleeping Computer: Queen Elizabeth II Phishing Campaign Article
- Proofpoint: Queen Elizabeth II Phishing Campaign Tweets
- NCSC: Queen Elizabeth II Scam Notice
Teenager Hacks Uber Internal Network, Compromises AWS, GCP, and HackerOne Accounts
Uber, one of the largest rideshare companies, confirmed via Twitter that it is investigating a security incident involving its internal network. The threat actor claiming responsibility reached out to The New York Times and shared screenshots of internal emails, cloud storage, and code repositories to substantiate the claim. The attacker stated they were an eighteen (18) year old male who had been practicing cybersecurity skills for years. At 3 PM on September 15, 2022, the threat actor posted a message in Uber's internal Slack channel stating, "I announce I am a hacker and uber has suffered a data breach." Uber employees initially assumed the message was a joke, until they noticed that web requests were being redirected to a page with explicit content. The threat actor was able to gain administrative access to the organization's Amazon Web Services (AWS) and Google Cloud Platform (GCP) environments, which host the company's internal services. They were also able to access Uber's HackerOne account, the bug bounty service through which researchers report vulnerabilities to the organization. That account could contain reports of sensitive vulnerabilities that have not yet been patched; if those reports are leaked, they pose a serious threat to the security of Uber and its users. The threat actor gained initial access by phishing an employee and obtaining their credentials. The attacker then repeatedly attempted to sign in with the compromised credentials, flooding the employee with MFA push requests (a technique known as MFA fatigue or push bombing). Eventually, the threat actor messaged the employee on WhatsApp, claiming to be Uber IT, and asked them to accept the authentication request. This attack chain closely resembles the attacks conducted by the teenagers who ran the LAPSUS$ group. 
Once the threat actor gained access to the account, they discovered a PowerShell script with hardcoded administrator credentials, granting them access to the rest of the infrastructure. While Uber has stated they are responding to this incident and have contacted law enforcement, no other updates have been posted at the time of writing. CTIX analysts will continue to monitor this situation and will provide updates for any new developments.
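The MFA fatigue pattern described above leaves a recognizable trace in identity-provider logs: a burst of denied or timed-out push prompts for one user, followed later by an approval. The following detection logic is an added example written for this update; it is not code from Uber, Proofpoint, or the CTIX team. The log format and the sample lines are constructed for the example (adapt parse_line() to your IdP's export), and the thresholds (four failed pushes in fifteen minutes, an approval within two hours of the burst) are assumptions to tune for your environment.

```python
"""Detect MFA fatigue (push bombing) in authentication logs.

Added example, not from the original update or any vendor. The log format
and sample lines are constructed; thresholds are assumptions to tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: alice is push-bombed and eventually approves (the
# Uber-style outcome); bob and carol show normal behaviour.
SAMPLE_LOG = """\
2022-09-15T19:40:02Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=denied
2022-09-15T19:40:35Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=timeout
2022-09-15T19:41:10Z user=bob@corp.example src=198.51.100.4 event=mfa_push result=approved
2022-09-15T19:41:12Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=denied
2022-09-15T19:42:00Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=timeout
2022-09-15T19:43:30Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=denied
2022-09-15T20:05:48Z user=alice@corp.example src=203.0.113.7 event=mfa_push result=approved
2022-09-15T20:30:00Z user=carol@corp.example src=198.51.100.9 event=mfa_push result=denied
2022-09-15T20:31:00Z user=carol@corp.example src=198.51.100.9 event=mfa_push result=approved
"""

FAILED_RESULTS = {"denied", "timeout"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC 'ts'."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_mfa_fatigue(log_text, min_failures=4, window=timedelta(minutes=15),
                     approval_grace=timedelta(hours=2)):
    """Return one alert per user whose failed pushes reach min_failures inside
    a sliding window. Severity is 'high' when an approval follows the burst
    within approval_grace (the attacker likely talked the user into accepting),
    otherwise 'medium' (attempted push bombing that did not succeed)."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            if event.get("event") == "mfa_push":
                per_user[event["user"]].append(event)

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures = deque()   # failed pushes inside the sliding window
        burst_end = None            # timestamp of the last push in the current burst
        burst_size = 0
        burst_sources = set()
        for event in events:
            if event["result"] in FAILED_RESULTS:
                recent_failures.append(event)
                while event["ts"] - recent_failures[0]["ts"] > window:
                    recent_failures.popleft()
                if len(recent_failures) >= min_failures:
                    burst_end = event["ts"]
                    burst_size = len(recent_failures)
                    burst_sources = {f["src"] for f in recent_failures}
            elif event["result"] == "approved" and burst_end is not None:
                if event["ts"] - burst_end <= approval_grace:
                    alerts.append({"user": user, "failed_pushes": burst_size,
                                   "sources": sorted(burst_sources),
                                   "approved_after_burst": True, "severity": "high"})
                    burst_end = None  # burst handled; reset for later activity
        if burst_end is not None:
            alerts.append({"user": user, "failed_pushes": burst_size,
                           "sources": sorted(burst_sources),
                           "approved_after_burst": False, "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only alice is flagged, with five failed pushes from a single source and an approval twenty minutes after the burst. A second source IP among the burst entries, or an approval from a device the user has never used, would be additional signals worth adding once the logic is wired to real sign-in data.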
Threat Actor Activity
US Treasury Department Announces Sanctions Against Ten Iranian Individuals Connected with Malicious State-Sponsored Cyber Campaigns
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned ten (10) Iranian individuals in connection with state-sponsored ransomware and cyber espionage campaigns targeting entities in the US and across the globe. After extensive investigations conducted jointly with the Department of Justice (DoJ), Department of State, Federal Bureau of Investigation (FBI), U.S. Cyber Command (USCYBERCOM), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA), the ten (10) individuals were identified as employees or associates of the Iran-based companies Najee Technology and Afkar System, both of which have also been sanctioned. The organizations and individuals have been linked with high confidence to Iran's Islamic Revolutionary Guard Corps (IRGC). The sanctioned actors have been attributed to malicious cyber campaigns going back at least two (2) years, after investigators and researchers identified overlaps with the tactics, techniques, and procedures (TTPs) of Iranian state-sponsored groups such as Charming Kitten (APT35) and Phosphorus (DEV-0270, Nemesis Kitten, Cobalt Mirage). The actors are charged with compromising networks belonging to US and Middle Eastern defense industries, critical infrastructure, government personnel, and private-sector organizations in media, energy, business services, and telecommunications. They have been observed exploiting software vulnerabilities to deploy ransomware and to conduct cyber espionage, including establishing persistent access, moving laterally across target networks, and exfiltrating sensitive data. All ten (10) individuals are barred from doing business in the US, and three (3) of the men were indicted by the U.S. Attorney’s Office for the District of New Jersey for their participation in a devastating New Jersey ransomware attack, as well as hundreds of other attacks across the US. If brought to the US, all three (3) could face twenty (20) years in prison, and the State Department has placed a $10 million bounty on each individual. These sanctions respond to a sharp uptick in Iranian threat actor activity over the course of 2022, and CTIX analysts will continue to monitor the movements of known threat groups to provide readers with timely and actionable threat intelligence.
- Bleeping Computer: Iranian Sanctions Article
- The Record: Iranian Sanctions Article
- The Hacker News: Iranian Sanctions Article
- US Department of Treasury: Iranian Sanctions Press Release
Gamaredon Launches New Phishing Campaign Against Ukraine
Threat actors from the Russian cyber-espionage group Gamaredon have been targeting Ukrainian citizens in a new social engineering campaign. Gamaredon, also tracked as Primitive Bear, is known for its consistent targeting of Ukrainian law enforcement, military, judiciary, and non-profit organizations, alongside broader targeting of organizations in similar sectors throughout Europe. Tactics demonstrated by Gamaredon include custom malware scripts, data exfiltration, spear-phishing, social engineering, long-term access, and abuse of dynamic DNS. In this campaign, the threat actors are targeting Ukrainian citizens with phishing emails themed around the Russia/Ukraine conflict. The emails deliver malicious Microsoft Office document templates laced with VBScript macros; the macros download RAR archives containing LNK files, and executing those LNK files delivers the second-stage malware payloads and information-stealing scripts. To minimize its footprint, Gamaredon has geofenced payload delivery so that only requests originating from the targeted region receive the malicious content, which also frustrates analysis from outside that region. Some of the indicators of compromise from this campaign overlap with an attack series previously reported by Ukraine's Computer Emergency Response Team (CERT-UA). While Gamaredon has launched attacks outside of Ukraine, this campaign appears to be targeting only individuals within Ukraine as the group seeks to gain ground in the ever-growing cyber war between the two countries. CTIX continues to monitor threat actors worldwide and will provide additional updates accordingly.
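The delivery chain above (Office document, macro, script host, LNK from a RAR archive in a temp directory) is visible in endpoint process-creation telemetry regardless of the specific lures or infrastructure used. The following detection is an added example written for this update, not code from Cisco Talos, CERT-UA, or the CTIX team, and it contains none of the campaign's actual indicators. The event records below are constructed to resemble Sysmon Event ID 1 fields (pid, parent pid, image, parent image, command line); the process lists, the regular expression, and the scoring threshold are assumptions to tune.

```python
"""Flag Office-spawned script hosts and LNK/RAR staging in process telemetry.

Added example, not from the original update or any vendor. Event records are
constructed to resemble Sysmon process-creation fields; lists and scoring are
assumptions to tune.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# LNK/RAR/HTA references or a user temp directory on the command line.
SUSPICIOUS_ARGS = re.compile(r"\.(lnk|rar|hta)\b|%temp%|\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample: pids 4120 -> 4380 -> 4402 -> 5001 form the malicious
# chain; 6100 and 4500 are benign (admin script; Office print helper).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_pid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Order.docx"'},
    {"pid": 4380, "parent_pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\setup.vbs"'},
    {"pid": 4402, "parent_pid": 4380, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\u\AppData\Local\Temp\doc\open.lnk"'},
    {"pid": 5001, "parent_pid": 4402, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\doc\stage2.hta"'},
    {"pid": 6100, "parent_pid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"pid": 4500, "parent_pid": 4120, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain and return the first Office process, if any."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["parent_pid"])
        if parent is None:
            return None
        if basename(parent["image"]) in OFFICE_PARENTS:
            return parent
        current = parent
    return None


def flag_events(events, threshold=2):
    """Score each process-creation event and return those at or above threshold.
    An Office parent (or ancestor) spawning a script host scores 2; a suspicious
    command line adds 1, so a bare suspicious command line alone is not flagged."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for event in events:
        reasons, score = [], 0
        child = basename(event["image"])
        if child in SCRIPT_HOSTS:
            parent = basename(event["parent_image"])
            if parent in OFFICE_PARENTS:
                reasons.append(f"{parent} spawned {child}")
                score += 2
            elif office_ancestor(event, by_pid) is not None:
                reasons.append(f"{child} descends from an Office process")
                score += 2
        if SUSPICIOUS_ARGS.search(event["cmdline"]):
            reasons.append("command line references LNK/RAR/HTA or a user temp directory")
            score += 1
        if score >= threshold:
            flagged.append({"pid": event["pid"], "image": child, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```

The ancestry walk is what catches the later stages: cmd.exe and mshta.exe in the sample are not direct children of WINWORD.EXE, but both descend from it, which is exactly the shape of a macro handing off to a LNK and then to a second-stage loader. The print helper spawned by Word scores zero because it is not a script host, which keeps the rule from firing on every Office session.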
Microsoft Patches Zero-Day Vulnerability Allowing Threat Actors to Escalate Local Privileges to SYSTEM
Microsoft released its monthly Patch Tuesday security update, which disclosed sixty-four (64) vulnerabilities across the company’s hardware and software products. These include five (5) critical remote code execution (RCE) flaws and two (2) zero-day vulnerabilities, one of which has been actively exploited in the wild. The most troubling vulnerability patched this month is that actively exploited Windows zero-day, an elevation of privilege (EOP) vulnerability in the Common Log File System (CLFS) driver. The flaw, tracked as CVE-2022-37969, was reported by multiple research firms, and if exploited it allows an attacker who already has code execution on the host to escalate their local privileges to SYSTEM. With SYSTEM privileges, threat actors can make unauthorized configuration changes, disable security applications, create new privileged users, steal sensitive data, and carry out much more malicious activity. On September 14, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-37969 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all federal civilian executive branch (FCEB) agencies to patch the flaw no later than October 5, 2022. Although it is considered the most severe flaw of the month because of its low attack complexity and active exploitation, the vulnerability carries a relatively modest CVSS score of 7.8/10 because exploitation requires the attacker to first gain access to the vulnerable host. That prerequisite is routinely met: EOP flaws are highly sought after by threat actors and are often among the first things exploited after initial access to a system. Working proof-of-concept (PoC) exploits exist for this vulnerability, so less sophisticated attackers can be expected to attempt it as well. It should be noted that, compared to last month’s record 120 vulnerabilities, this release is significantly smaller. 
For details about all of the patched vulnerabilities, please reference the Microsoft Security Update Guide linked below. To prevent exploitation of any of the reported vulnerabilities, CTIX analysts recommend Windows administrators ensure that all systems are running the September 2022 patch.
- Microsoft: September 2022 Patch Tuesday Security Update Guide
- Bleeping Computer: September 2022 Patch Tuesday Article
- CISA: KEV
Flaw in Azure Active Directory Allows Persistent Access into Victim Devices
Researchers from the Secureworks Counter Threat Unit (CTU) discovered a flaw in Microsoft’s Azure Active Directory (Azure AD) that could give threat actors persistent and virtually undetectable access to a target’s Azure AD tenant. The issue lies in pass-through authentication (PTA), a sign-in method that lets organizations validate users' passwords against on-premises Active Directory instead of synchronizing password hashes to the cloud. Using PTA requires administrators to deploy PTA agents on on-premises servers, typically a minimum of three (3) agents across an organization. During installation, each agent sends a certificate signing request to the Azure AD tenant and receives a signed certificate in response. That certificate is stored on the agent server and can be extracted by an attacker who compromises the server. With the certificate, the threat actor can build and register a custom PTA agent of their own. Because Azure AD forwards users' plaintext passwords to PTA agents for validation, a malicious agent can harvest credentials, act as a backdoor by accepting attacker-chosen passwords, or deny service by rejecting valid logons. While PTA certificates expire after six (6) months, a malicious agent can renew them indefinitely once registered. The flaw was reported to Microsoft in May 2022, but Microsoft has stated that it poses no additional risk because exploiting it requires prior access to the agent server. CTIX analysts recommend that administrators consider other Azure AD authentication methods until Microsoft addresses this issue. It is also recommended to treat PTA agent servers as tier 0 assets, monitor those servers and the tenant's registered agents for suspicious activity, and require multi-factor authentication so that a malicious agent cannot be used as a password-only backdoor.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed and the CTIX team (email@example.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.