Russian Espionage Group Uses Go-Based Malware "Graphiron" to Target Ukrainian Organizations
"Graphiron", a new information-stealing malware, has recently been observed in attacks targeting an array of Ukrainian organizations. The attacks are being launched by the Russian espionage group Nodaria (aka UAC-0056), which has been active since at least March of 2021. Graphiron is written in the Go (Golang) programming language and is designed to "harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files." The earliest evidence of this malware dates to October 2022, and the malware consists of two stages: a downloader and a payload. Once executed, the downloader checks for various malware analysis tools, and if none are found, it connects to a hardcoded command-and-control (C2) server to download and decrypt the payload. The payload is then added to an autorun location for persistence. Researchers noted that the downloader makes just one (1) attempt to download and install the payload: it will not retry if that attempt fails, nor does it send a heartbeat. Graphiron uses hardcoded file names designed to disguise it as Microsoft Office software, such as "OfficeTemplate.exe" and "MicrosoftOfficeDashboard.exe". Graphiron shares similarities with other malware used by the Nodaria group, including "GraphSteel" and "GrimPlant", and its capabilities are constantly evolving in order to evade defensive measures. Additional information on the Nodaria threat group, as well as indicators of compromise (IOCs), can be found in Symantec's report linked below.
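A defender-side hunt over exported autorun entries for the two disguise file names the report cites, plus any Office-lookalike executable launched from outside the Office install directories. This is an added example, not code from the Symantec report or the CTIX team; the `name,command` CSV layout, the Office directories, and the sample rows are assumptions and constructed data.

```python
import csv
import io
import ntpath
import re

# Disguise file names taken from the report (lower-cased for matching).
GRAPHIRON_NAMES = {"officetemplate.exe", "microsoftofficedashboard.exe"}
# Where genuine Office executables are expected to live (assumption).
OFFICE_DIRS = (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office")
# Leading executable of a command line, with or without surrounding quotes.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


def exe_path(command):
    """Pull the executable path out of an autorun command line, or None."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else None


def classify(command):
    """Label a suspicious autorun command, or return None if it looks benign."""
    path = exe_path(command)
    if path is None:
        return None
    lower = path.lower()
    name = ntpath.basename(lower)
    if name in GRAPHIRON_NAMES:
        return "known-graphiron-filename"
    # Office-looking name launched from outside the Office install directories.
    if "office" in name and not lower.startswith(OFFICE_DIRS):
        return "office-lookalike-outside-office-dir"
    return None


def hunt(csv_text):
    """Return (entry name, exe path, label) for each flagged row of a name,command export."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text), quoting=csv.QUOTE_NONE):
        label = classify(row["command"])
        if label:
            hits.append((row["name"], exe_path(row["command"]), label))
    return hits


# Constructed export: one genuine Office entry and three suspect ones.
SAMPLE = """name,command
OfficeClickToRun,"C:\\Program Files\\Microsoft Office\\root\\Client\\AppVLP.exe" /run
OfficeTemplate,"C:\\Users\\Public\\OfficeTemplate.exe"
Dashboard,C:\\ProgramData\\MicrosoftOfficeDashboard.exe -s
Updater,C:\\Users\\Public\\OfficeUpdater.exe
"""
```

Running `hunt(SAMPLE)` flags the last three rows and leaves the genuine Click-to-Run entry alone; the lookalike rule is a heuristic and should be reviewed against the environment's own Office deployment paths.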
Threat Actor Activity
Threat Profile: NewsPenguin
A new threat group has surfaced in the threat landscape and is actively targeting military and defense companies throughout Pakistan. Under the codename NewsPenguin, this group has launched an espionage campaign against Pakistan's Navy, using the upcoming Pakistan International Maritime Expo & Conference as a lure in its phishing attacks. The name NewsPenguin originates from encryption keys within headers titled 'getlatestnews' and 'penguin'. Phishing emails from this campaign included a malicious Microsoft Office attachment with embedded macro malware which, when enabled, would begin the infection chain and compromise the user's device. Analysis of the malware code shows that it was written to gather confidential data from the user's system and transmit it back to the threat actors. Indicators harvested from the malware showed geofencing capabilities (only executing certain code if the user's device originates from a Pakistani IP address), exfiltration endpoints, and domains registered around mid-2022; this suggests that the campaign had been in planning for over six (6) months. While NewsPenguin has not been attributed to any one country, Pakistan has often been a target of Chinese state actors over the past few years. CTIX is continuing to monitor this emerging threat group alongside other organizations throughout the world and will provide additional updates accordingly.
Toyota Patches Critical Vulnerability in Web-based Logistics Application
A vulnerability researcher named Eaton Zveare has published a report on his EatonWorks blog detailing how, in October 2022, he was able to exploit a vulnerability in a Toyota employee logistics web application that allowed him to conduct a full takeover of the software anywhere in the world it is used. The software is known as the Global Supplier Preparation Information Management System (GSPIMS), and it allows Toyota employees and suppliers to coordinate logistics for parts, purchases, and projects. The vulnerability that Zveare exploited was in the GSPIMS application programming interface (API), and it allowed him to log in to GSPIMS as any corporate Toyota employee or supplier knowing only their company email address. Zveare alleges he was able to gain access to a directory of more than 14,000 users' "Toyota projects, documents, and user accounts, including user accounts of Toyota's external partners/suppliers." The access gave him full visibility into employee and supplier account details, as well as "confidential documents, projects, supplier rankings/comments, and more." In November 2022, Zveare reported the vulnerability to Toyota through its coordinated disclosure program, and the flaw was quickly patched. A Toyota spokesperson stated that there is no evidence that this vulnerability was ever exploited in the wild, and on his blog, Zveare applauded the company for having the "fastest and most effective" response to a security issue that he has ever reported. If exploited by threat actors, a flaw like this could cripple Toyota's operations and allow them to create rogue administrative user accounts, steal intellectual property, and drop devastating malware into the GSPIMS networks. The flaw has been remediated, and no further action needs to be taken by Toyota employees and suppliers.
CTIX analysts will continue to report on interesting zero-day vulnerabilities, and technical details of Zveare's methods can be found in his blog post linked below.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.