Ransomware/Malware Activity
Phishing Campaigns Identified Targeting Middle Eastern Countries Prior to World Cup
Trellix researchers have identified an increase in email-based phishing attacks targeting the Middle East during the lead up to the World Cup in Qatar. The number of malicious emails in October was 100% more than the month previous, and the phishing campaigns are utilizing FIFA and soccer-based themes. This tactic of theme-leveraging is very common in social engineering attacks when popular events are taking place and chances of human error are increased. The researchers identified various email themes with embedded hyperlinks, including fake alert notifications for deactivation of 2FA, fraudulent FIFA ticketing office notifications claiming payment is needed, and legal notifications discussing a fake ban by FIFA. The hyperlinks transferred the victims to custom and legitimate-looking phishing pages. Several malware families were identified from these campaigns, including Qakbot (information stealing and banking trojan), Emotet (advanced trojan), Formbook (infostealer malware), Remcos (Remote Access Software and backdoor), and QuadAgent (Powershell backdoor). CTIX analysts will continue to monitor cyber activity surrounding the World Cup, and indictors of compromise (IOCs) regarding the various campaigns identified thus far can be viewed in Trellix's report linked below.
Threat Actor Activity
Luna Moth Extorts Victims in New Callback Phishing Operation
Threat actors from the Luna Moth threat group have been conducting an extensive callback phishing extortion operation targeting end-users throughout retail and legal industries. Luna Moth, also tracked as the Silent Ransom Group, has been active since the end of March 2022 and has crafted a reputation for conducting data extortion attacks where the group will leak stolen data archives if ransom demands are not promptly met. This social engineering campaign relies heavily on call back phishing, often referred to as a telephone-oriented attack delivery (TOAD), with the end goal of utilizing legitimate and trusted device management applications for direct host access. Once routed into the host device, Luna Moth actors exfiltrate data from the system to be used for extortion purposes. Since the applications and associated tooling are validated applications, traditional anti-virus applications will typically not flag them as malicious. As a lure to entice victims, Luna Moth actors distribute phishing emails displaying an invoice indicating an employee's credit card has been charged for a service. The phishing email itself is not typically malicious, however if the end-user calls the attached phone number, they are routed to a threat actor-controlled call center with live agents. Agents will then convince the end-user to allow support teams to remote into their computer to fix the issue, while downloading exfiltration scripts and tooling to the compromised machine. Once the data has been stolen, victims will receive an email demanding payment for the release of files, otherwise the data will be released for public download. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Amazon AWS Patches AppSync Flaw that Allowed Researchers to Pivot to Other AWS Accounts
Amazon has just released a statement about the September 2022 patch of a severe vulnerability in an Amazon Web Services (AWS) tool called AppSync that could allow threat actors to take control of other AWS accounts. Amazon AppSync is a tool that assists developers in creating flexible APIs through a managed service utilizing GraphQL and Pub/Sub to improve the efficiency of applications. The vulnerability was found and reported to AWS by researchers from DataDog. The researchers detailed in their report that successful exploitation of the vulnerability allowed for cross-tenant movement, giving a potential attacker the ability to assume the Identity and Access Management (IAM) roles of other AWS accounts. DataDog stated that an attacker could attempt exploitation of this vulnerability, bypassing the tool’s cross-tenant Amazon Resource Name (ARN) role usage validations “to pivot into a victim organization and access resources in those accounts.” DataDog researchers stated that they refer to this type of vulnerability as a “confused deputy,” where a lower-privileged account manipulates/convinces a more privileged account (like the AppSync service) to do its bidding. The flaw has automatically been patched, so there are no actions for any customers to take at this time. It should be noted that although severe, evidence that this flaw was exploited in-the-wild does not currently exist. According to Amazon’s internal log analysis, the only instances of exploitation come from the DataDog researchers exploiting their own AppSync integrations. CTIX analysts will continue to report on the latest and most interesting Amazon vulnerabilities and their exploits.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
