New Campaign Targets Telecom and Business Process Outsourcing Corporations
An increase in the targeting of telecommunications and business process outsourcing (BPO) companies has been identified and tied to a new campaign. Researchers detailed that the objective of the campaign is to gain access to mobile carrier networks and perform SIM swapping activity. In most of the analyzed incidents, the adversary gained initial access by impersonating IT personnel through social engineering (via phone calls, SMS, or Telegram). Then, victims were directed to visit credential harvesting websites or to download and run commercial remote monitoring and management (RMM) tools. If multi-factor authentication is enabled, the adversary would either leverage MFA push-notification fatigue, where MFA prompts are continuously sent to the victim until they accept the push challenge or persuade the victim to share their one-time password (OTP). Once the adversary gained access to the victim environment, it established persistence through a variety of non-malicious RMM tools and performed constant (often daily) activity. Researchers emphasized that the adversary operates in "Windows, Linux, Google Workspace, AzureAD, M365 and AWS environments" and has previously accessed SharePoint and OneDrive environments. At this time, the campaign has been attributed with low confidence to the eCrime adversary SCATTERED SPIDER. CTIX will continue to monitor campaigns targeting telecommunications and BPO organizations.
Threat Actor Activity
Lazarus Threat Actors Target Cryptocurrency Users with “AppleJeus”
Well-known North Korean attackers have launched a new social engineering campaign against cryptocurrency users with the end goal of deploying the “AppleJeus” malware. The Lazarus Group, tracked alternatively as APT38, is one of the more notorious threat groups aligned with North Korea. Lazarus focuses on financial cybercrime in an effort to relieve financial strain from strict sanctions imposed on North Korea by opposing countries. In this new campaign, Lazarus actors are conducting spear-phishing attacks against cryptocurrency users and affiliate organizations. The first instance of this campaign included Lazarus actors cloning a popular crypto-scripting application site that cryptocurrency users leverage to automate trading algorithms. When downloaded from the cloned site, a malicious MSI installer is trojanized with the AppleJeus malware. Furthermore, Lazarus actors incorporated the QTBitcoinTransfer application (previously used by the threat group) within the malicious code. The following wave included threat actors distributing phishing emails containing malicious Microsoft Office documents to victims. Once opened and permissions are enabled, embedded macro code deploys malware onto the victim's system, resulting in the successful infection of victim’s system with the AppleJeus malware. CTIX continues to urge users to validate the integrity of all email communications prior to downloading any attachments or visiting any embedded links to lessen the risk of threat actor compromise.
Critical Oracle Access Manager Vulnerability Added to CISA's KEV Catalog
A security researcher named Wolfgang Ettlinger from SEC Consult Vulnerability Lab has identified a critical vulnerability in Oracle Fusion Middleware Access Manager which has been actively exploited in-the-wild according to the Cybersecurity and Infrastructure Security Agency (CISA). Its active exploitation landed the vulnerability on CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation could allow a remote attacker to bypass authentication and perform remote code execution (RCE), taking complete control over any user account. Oracle Access Manager (OAM) is the authorization component of Oracle Fusion Middleware, providing authentication like "Web SSO with MFA, coarse-grained authorization and session management, and standard SAML Federation and OAuth capabilities to enable secure access to mobile applications and external cloud." An attacker could trick the OAM into disclosing user account information, performing a padding oracle attack to capture the target account's authorization cookie. From there, the attacker could develop a script that generates login keys for any users including admin accounts. In his report, Ettlinger includes a video proof-of-concept (PoC), taking the exploit from start to finish. The vulnerability, tracked as CVE-2021-35587, was originally patched in January 2022 and has been exploited at least ten (10) times according to CISA. Its presence on the KEV dictates that all Federal Civilian Executive Branch (FCEB) agencies must patch their vulnerable systems by no later than December 19, 2022. At this time, there is no specific information about the threat actors themselves, however the attacks seem to originate from the United States, China, Germany, Singapore, and Canada. CTIX recommends all Oracle Fusion Middleware Access Manager administrators ensure that they have installed the latest patch to prevent exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.