Recent Phishing Campaign Abuses LinkedIn's Smart Link Feature to Bypass Email Security
LinkedIn's Smart Link feature is beginning to be abused by threat actors to bypass email security products in phishing campaigns and gain insight into how effective their lures are. Smart Link is a premium feature of LinkedIn (for Enterprise and LinkedIn Sales Navigator users) where users can bundle up to fifteen (15) documents of links into one "packaged link" that is trackable for marketing purposes. Researchers at Cofense observed this technique in a recent phishing campaign impersonating Slovakian Postal Service (Slovenská Posta). The email contained a lure about a shipment being held, and confirmation for payment being needed through the click of an embedded link. Threat actors can abuse the legitimate Smart Link feature with "added alphanumeric variables at the end of the URL to redirect users to malicious websites." The campaign then redirects to a page for victims to input their payment details and their telephone number for a fake SMS code to approve the transaction, and lastly, once confirmed, the victims are brought to a fraudulent confirmation page. The phishing page was still active as of September 21, 2022. Brad Haas, senior intelligence analysts at Cofense, disclosed to DarkReading that this is not the first campaign to abuse this LinkedIn feature. However, this instance is notable because emails containing doctored LinkedIn Smart Links have ended up in users’ inboxes. Additional details as well as indicators of compromise can be viewed in Cofense's report linked below.
- Bleeping Computer: Smart Link Abuse Article
- Dark Reading: Smart Link Abuse Article
- Cofense: Smart Link Abuse Report
Threat Actor Activity
Updates Made to Noberus Ransomware-as-a-Service Operation
The threat actors responsible for the devastating 2021 Colonial Pipeline ransomware attack have been evolving their capabilities with the introduction of new tactics, techniques, and procedures (TTPs) used alongside Noberus (aka BlackCat, ALPHV) ransomware, a successor to the Darkside and BlackMatter ransomware strains. In a report published by Symantec's Threat Hunter Team, researchers break down the TTPs of the group which they have named Coreid (aka FIN7, Carbon Spider). First seen in November 2021, Noberus is thought to be a successor payload to the Darkside and BlackMatter ransomware strains, this time based on the Rust programming language. Coreid has capitalized on the cross-platform nature of Rust and claims that "Noberus is capable of encrypting files on Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.” Noberus offers threat actors two (2) different encryption algorithms (ChaCha20 and AES) and four (4) different ways to encrypt data (Full, Fast, DotPattern, and SmartPattern). This type of functionality is described as "intermittent encryption," and depends on the target infrastructure and needs of the threat actor. Coreid emphasizes that Noberus is superior to the strains used in other Ransomware-as-a-Service (RaaS) operations due to privileged access through its own dark web onion domain, giving affiliates access to fully encrypted negotiation chats which could only be accessed by the intended victim. In the summer of 2022, Coreid made significant updates to Noberus including the introduction of a build that gives Coreid affiliates more options for encrypting non-standard architectures. Additionally, Coreid introduced an encryption functionality for the Windows build of Noberus called "SAFEMODE", which can reboot the system into safe mode and safe mode with networking. Alongside the evolution of the ransomware strain itself, Noberus has recently been observed in-conjunction with updated data exfiltration, and info/credential-stealing tools, known as "Exmatter," and "Eamfo," respectively. The Exmatter exfiltration tool (“Trojan.Exmatter”) was designed to scan and steal specific file types from a number of selected directories, funneling them to an attacker-controlled command-and-control (C2) server. Researchers have also observed the credential-stealer Eamfo being leveraged alongside Noberus by at least one (1) affiliate. Eamfo is specifically designed to steal credentials stored in Veeam backups, a software developed to backup, restore, and replicate data on virtual machines (VMs). Once connected, Eamfo will steal the encrypted credential sets and decrypt them, allowing the threat actors to escalate their privileges and move laterally across the network. The updates to Coreid's suite of services and tools, as well as their robust affiliate program, threatens both government and private enterprises. CTIX analysts will continue to monitor the evolution of Noberus ransomware and may publish updates in the future.
Tarfile Python Package Vulnerable to Path Traversal Exploit
A vulnerability in the Python programming language that was discovered fifteen (15) years ago has made a resurgence in a report published by Trellix researchers. Originally disclosed in 2007, the vulnerability, tracked as CVE-2007-4559, exists in the tarfile package in Python's standard library. This package allows Python developers to read and write tar files, a compressed file similar to zip files that is most known for its use with the Linux operating system. The bug is classified as a path traversal bug in the function “tarfile.extract()” and, if the input to this function is not sanitized, the vulnerability allows attackers to escape the current directory and extract the compressed files to a location of the attacker's choosing. This can be utilized in an exploit chain that leads to remote code execution (RCE), as seen in the Spyder IDE exploit example given by the researcher. To identify the scope of the vulnerability, the researcher built a script to search through open-source applications on GitHub and identify potentially vulnerable applications. Manually checking repositories led to the discovery that 61% of the 257 identified projects contained vulnerable code that could be exploited. In total, over 588,000 repositories include the tarfile package leading to an estimate that 350,000 projects are potentially vulnerable and exploitable. In addition, machine learning tools that assist developers in coding projects suggest that the code is vulnerable to this exploit when instructed to extract tar files, potentially leading to new projects being vulnerable as well. The researcher warns of a massive supply chain issue presented by this vulnerability and has begun submitting patches to open-source repositories as well as open-sourcing the tool used to scan repositories for this issue. It is not clear if this vulnerability is currently being exploited in the wild. CTIX analysts recommend developers using the tarfile package ensure their projects are not vulnerable and to implement sanitization in projects that are.
Domain Shadowing Allows Attackers to Hide Infrastructure Behind Legitimate Domains
A new technique known as domain shadowing is becoming increasingly popular amongst threat actors. Domain shadowing relies on DNS hijacking, an attack where the threat actor compromises the registrar or DNS service provider, the DNS server itself, or by utilizing dangling domains, which are domains that were abandoned by their previous owner and can be reregistered by the threat actor. Once a threat actor obtains a domain name through one of these methods, they can use domain shadowing to hide their command and control (C2) infrastructure. Leaving the second-level domain (ex. "example" in the domain example.com) unaffected, the threat actor registers a new subdomain pointing to their C2 infrastructure's IP address. To a victim accessing the domain, most checks on the domain name would return a benign result, as the second-level domain is a legitimate website. Research from Palo Alto's Unit 42 discovered a phishing campaign involving Russian IP addresses that utilizes domain shadowing. The threat actors hijacked domains hosted in Australia and the US and covertly added randomly generated subdomains to their DNS entries. The threat actors then hosted phishing login pages to steal Microsoft account credentials. The researchers also theorized botnets could utilize this technique to proxy C2 traffic to a dedicated server. To attempt to detect the use of domain shadowing, the researchers built a machine learning algorithm classified to detect hijacked domains using multiple identifiers. CTIX analysts are monitoring the use of this technique and will provide updates for new developments.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (email@example.com) if additional context is needed and the CTIX team (firstname.lastname@example.org) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.