Malware Activity
Threat Actors Observed Using Legitimate Platform to Geo-Target Phishing Campaigns
Detailed in a new report by Avanan, threat actors were recently observed geo-targeting websites through the platform Geo Targetly. This tactic is used to improve their phishing campaigns by sending customized, geo-specific content (typically by language and region) to different users in one phishing email. Geo Targetly is a legitimate platform that allows "advertisers to redirect users to pages and ads in their local markets" by determining the users' geolocation. These threat actors are utilizing a variant of the "spray-and-pray" technique, which is when an actor sends out a large volume of phishing emails and few are successful. The unique aspect in this campaign is that the content is always relevant and localized across the large volume of targeted users, which is being referred to as "spraying without the praying." The customization increases the likelihood of a user falling victim to the attack. In this campaign, a user will access a phishing link that will redirect them (using the legitimate platform) to a fraudulent login page that looks identical to the one it is impersonating and is based in the same region as the user. Avanan researchers detailed that this is the first instance they have identified Geo Targetly being used and the campaign's method allows for a "fairly widespread attack." Geo Targetly has confirmed that they are aware threat actors are capitalizing on their platform but argued that this method is not unusual. A Geo Targetly spokesperson claimed that the platform is a URL shortener similar to Bitly and smartURL, and that it is "common for hackers to hide the final destination URL behind a public URL-shortening domain." The spokesperson did confirm, however, that the platform "manually check[s] through URLs created in [their] system to identify such bad actors." CTIX will continue to monitor for different methodologies capitalizing on geo-targeting and provide details of new tactics as they become available.
Threat Actor Activity
Threat Profile: TA866
A new threat organization that has been targeting entities throughout the United States has surfaced in the past few months. The group is tracked as TA866 by security researchers and is financially-motivated based on observed tactics, techniques, and procedures (TTPs). TA866's first campaigns have been operating since October 2022 and are continuing to prosper well into 2023. This financially-motivated operation is dubbed "Screentime" and has been commonly targeting United States companies, alongside newly observed international targeting of German organizations. TA866 distributes phishing emails to its targets containing a variety of malicious tools including embedded URLs to Publisher and JavaScript files, Publisher attachments with macro-malware, and PDFs embedded with URLs to malicious JavaScript files. These phishing emails were distributed to over ten thousand individuals across over a thousand companies in the United States and Germany. Initially these phishing emails were observed targeting individuals two (2) to four (4) times per week but have slightly reduced in the new year with an overall higher volume of phishing emails. The malicious URLs, attachments, and tooling are not unique to TA866 and are available throughout underground forums and marketplaces. CTIX continues to monitor new activity originating from TA866 and will provide additional updates accordingly.
Vulnerabilities
Internet Analysis Finds Nearly 19,000 Vmware ESXi Servers Vulnerable to the ESXiArgs Ransomware Campaign
Several of the most respected cybersecurity research agencies around the world are continuing to warn organizations using VMware ESXi servers to patch an almost two (2) year old vulnerability to prevent being compromised by threat actors facilitating the "ESXiArgs" ransomware campaign. Researchers conducted internet-wide telemetry across more than seventy (70) services and protocols and identified 18,581 vulnerable internet-facing VMware ESXi servers. More than 3,800 organizations across the United States and Europe have already been compromised since the campaign started. VMware ESXi is a Virtual Machine Monitor (VMM) that installs directly onto a physical server, allowing access and control of the underlying resources. The years-old vulnerability is tracked as CVE-2021-21974 and is a heap-overflow flaw in the ESXi OpenSLP service. Threat actors who gain access to the network segment of a vulnerable ESXi server facilitate their ransomware attack by exploiting this flaw to conduct remote-code execution (RCE). The campaign has been dubbed ESXiArgs due to the ransomware creating an additional file with the extension ".args" after encrypting a document, which contains the instructions for how to decrypt the encrypted document. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) leveraged an implementation flaw in ESXIArgs’ earlier encryption scheme to create a ransomware decryptor script that enables victims to bring compromised servers back to a functional state while data restore from backup occurred in the background. Unfortunately, this led the actors behind the ESXiArgs campaign to modify the encryption scheme, rendering the CISA decryptor useless for newly infected machines. To prevent exploitation, CTIX analysts recommend that all VMware ESXi administrators update their infrastructure immediately. In addition to patching, administrators should also remove the servers from the public-facing internet unless the service absolutely needs to be accessible and ensure that there is a backup solution in place in the event of an ESXiArgs compromise. This campaign has yet to be attributed to a specific threat group, and CTIX analysts will continue to monitor the situation for new intelligence.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
