New "GoBruteforcer" Malware Targets Web Servers in Brute-Force Attacks
"GoBruteforcer", a newly discovered Golang malware, has been observed being hosted on a legitimate website and targeting web servers running Postgres, phpMyAdmin, MySQL, and FTP. Researchers detailed that the operators supply a Classless Inter-Domain Routing (CIDR) block at the start of an attack, and the malware then scans and attacks every IP address within that range rather than a single host. GoBruteforcer singles out Unix-like devices running specific architectures and attempts to gain access through brute-force attacks using credentials hard-coded into the binary. The goal of the malware is to gather the compromised devices into a botnet, which uses an internet relay chat (IRC) bot on the victim device for command-and-control (C2) communications. Researchers emphasized that GoBruteforcer is under active development and that its tactics, techniques, and procedures (TTPs) will likely advance. Because the credential list is hard-coded, hosts using default or commonly reused passwords are the ones at risk; administrators should ensure that their infrastructure, especially internet-facing web, database, and FTP servers, uses strong, unique passwords to defeat brute-force attacks. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
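The behaviour described above, one source failing logins against many hosts in one CIDR block, is easy to spot in aggregated authentication logs. The following detection is an added example written for this update, not code from the cited report: the log format, the thresholds, and the RFC 5737 addresses are constructed for illustration and are not indicators of compromise.

```python
"""Flag a GoBruteforcer-style credential sweep across many hosts.

Added example for this update; the log format, thresholds and addresses
are constructed for illustration and are not indicators from the report.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation addresses), one per line:
# "<utc-timestamp> <source-ip> <target-ip> <service> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-03-10T12:00:01Z 203.0.113.7 192.0.2.10 postgres FAIL
2023-03-10T12:00:02Z 203.0.113.7 192.0.2.11 postgres FAIL
2023-03-10T12:00:03Z 203.0.113.7 192.0.2.12 mysql FAIL
2023-03-10T12:00:04Z 203.0.113.7 192.0.2.13 ftp FAIL
2023-03-10T12:00:05Z 203.0.113.7 192.0.2.14 phpmyadmin FAIL
2023-03-10T12:00:06Z 203.0.113.7 192.0.2.15 ftp FAIL
2023-03-10T12:00:07Z 203.0.113.7 192.0.2.16 postgres SUCCESS
2023-03-10T12:00:08Z 198.51.100.5 192.0.2.10 postgres FAIL
2023-03-10T12:05:00Z 198.51.100.5 192.0.2.10 postgres SUCCESS
"""

WINDOW = timedelta(minutes=2)   # sliding window (assumed tuning value)
MIN_FAILURES = 5                # failures from one source inside the window
MIN_TARGETS = 4                 # ...spread over at least this many distinct hosts


def parse_log(text):
    """Parse the constructed format into time-ordered (time, src, dst, service, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, service, result))
    return sorted(events)


def enclosing_cidr(addresses):
    """Smallest IPv4 prefix covering every address; a CIDR sweep shows up as a tight prefix."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return str(ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False))


def find_sweeps(events, window=WINDOW, min_failures=MIN_FAILURES, min_targets=MIN_TARGETS):
    """Return one alert per source that fails against many distinct hosts inside a window.

    Successful logins from that source after the sweep started are listed as
    candidate compromises (a hard-coded credential that happened to match).
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[4] == "FAIL"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            targets = {e[2] for e in in_window}
            if len(in_window) >= min_failures and len(targets) >= min_targets:
                compromised = sorted({e[2] for e in evs
                                      if e[4] == "SUCCESS" and e[0] >= first[0]})
                alerts.append({
                    "source": src,
                    "failures": len(in_window),
                    "targets": len(targets),
                    "services": sorted({e[3] for e in in_window}),
                    "swept_range": enclosing_cidr(targets),
                    "compromised": compromised,
                })
                break  # one alert per source; stop at the earliest qualifying window
    return alerts


if __name__ == "__main__":
    for alert in find_sweeps(parse_log(SAMPLE_LOG)):
        print(alert)
```

The key signal is the spread of targets, not the raw failure count: a single host being brute-forced trips a per-host lockout, while a sweep spends only a few attempts per host and is visible only when failures are grouped by source across the fleet. The `compromised` field is what an incident responder needs first, since any host that accepted one of the hard-coded credentials is now an IRC bot.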
Threat Actor Activity
UNC2970 Targets Security Researchers at Western Tech Companies
North Korean threat actors tracked as UNC2970 have been conducting espionage activity against Western media and technology corporations since June 2022. The group overlaps strongly with UNC577, which has conducted numerous malicious campaigns since its emergence in 2013. In this new campaign, UNC2970 actors use social platforms such as LinkedIn to pose as job recruiters and strike up conversations with individuals, primarily security researchers. As the conversation persists, the threat actors insist on moving communications to WhatsApp, where the malicious activity begins. After some time, the threat actor sends the target a job description as a Microsoft Word document that uses remote template injection to pull a macro-laden template from an actor-controlled server. Once the macro code runs, it downloads malicious payloads from actor-controlled command-and-control (C2) nodes, including a trojanized variant of TightVNC dubbed "LIDSHIFT". This trojan gathers information from the victim's system, such as the device name, product name, IP address, and current process list, and relays it back to threat actor C2 servers. In addition to LIDSHIFT, UNC2970 actors have also been known to deploy additional malware such as "PLANKWALK", "LIDSHOT", "CLOUDBURST", "TOUCHSHIFT", "SIDESHOW", "TOUCHKEY", "TOUCHSHOT", and "HOOKSHOT". Detailed indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and malicious code are available for review in the below linked report.
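Remote template injection leaves a fingerprint inside the .docx package itself: an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is a URL rather than a local file. The check below is an added example for this update, not code from the cited report; the fixture document it builds, the `recruiter-portal.example` hostname, and the file names are constructed for the test and are not indicators of compromise.

```python
"""Check a .docx package for a remote attachedTemplate relationship.

Added example for this update, not code from the report: the fixture
document, its URL and the file names are constructed and are not IOCs.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE_SCHEMES = {"http", "https", "ftp"}  # schemes Word will fetch over the network


def build_fixture_docx(template_target):
    """Constructed minimal OOXML package whose settings part points at a template.

    Only enough structure for the check below is present; Word would not open
    this as a valid document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/settings.xml",
                   "<w:settings xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main' "
                   "xmlns:r='http://schemas.openxmlformats.org/officeDocument/2006/relationships'>"
                   "<w:attachedTemplate r:id='rId1'/></w:settings>")
        z.writestr("word/_rels/settings.xml.rels",
                   f"<Relationships xmlns='{RELS_NS}'>"
                   f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                   f"Target='{template_target}' TargetMode='External'/></Relationships>")
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return (rels part, target) pairs for attachedTemplate relationships that resolve over the network."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                # A local Normal.dotm is also an External relationship (file:// or a bare
                # path), so only network schemes count as remote template injection.
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    hits.append((name, target))
    return hits


def has_vba_project(docx_bytes):
    """True if the package itself embeds a VBA project; a remote-template lure usually does not."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


if __name__ == "__main__":
    lure = build_fixture_docx("https://recruiter-portal.example/job-description.dotm")
    print(find_remote_templates(lure), has_vba_project(lure))
```

The point of pairing the two checks is that a lure built this way passes a naive "does it contain macros" filter: the .docx has no `vbaProject.bin`, because the macro lives in the remote .dotm that Word fetches when the document opens. Mail and endpoint scanners should therefore treat a network `attachedTemplate` target as suspicious on its own.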
CISA Adds Exploited Plex RCE Vulnerability Linked to LastPass Breach to the KEV
The Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited critical remote code execution (RCE) vulnerability, potentially connected to the August 2022 LastPass breach, to its catalog of Known Exploited Vulnerabilities (KEV). The flaw, tracked as CVE-2020-5741, affects Plex Media Server, a central media hub where customers can access personal media on their own servers as well as stream free and on-demand movies and music. A threat actor who has already gained access to a Plex Media Server administrator account could exploit Plex's Camera Upload feature to upload a maliciously crafted file to the Plex server, which then executes with no user interaction. Note that the flaw therefore requires admin credentials first; it is a post-authentication RCE. The flaw was patched by Plex in 2020, and the company urges customers to upgrade to version 1.19.3 or newer to prevent exploitation. Although this vulnerability has not been definitively attributed to the LastPass breach, researchers believe it is likely. LastPass was compromised after threat actors targeted a DevOps engineer's home computer, and LastPass officials stated that the attacker exploited "a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware". Although LastPass has yet to confirm which vulnerability was exploited, it did confirm that the media software package was Plex Media Server. The flaw's presence on the KEV means that, under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies must patch it no later than March 31, 2023. The LastPass compromise is still developing, with new updates published frequently. CTIX analysts will continue to monitor this matter as well as report on the latest critical vulnerabilities.
- Bleeping Computer: CVE-2020-5741 Article
- Plex: CVE-2020-5741 Advisory
- Ars Technica: LastPass Employee Compromise Article
Euler Finance Falls Victim to a $197 Million Flash Loan Attack
An unidentified group of cybercriminals defrauded Euler Finance, a company specializing in cryptocurrency lending, of nearly $200 million. PeckShield, which specializes in detecting irregularities in blockchain asset transfers, was the first to flag the unusually large transfer of crypto assets on Euler's platform, which runs a capital-efficient permissionless lending protocol. Lenders can transact without a trusted third party, which the company noted allows users to earn greater interest on their assets while being better able to hedge the volatile crypto market. However, this same design may have assisted the attackers, who used what is known as a "flash loan attack" to pull off their heist: a flash loan lets the attacker borrow a very large sum that must be repaid within the same transaction, which supplied the capital needed to exploit a vulnerability in Euler's lending protocol and drain far more than they had deposited. Euler's specific logic flaw was in its donation and liquidation system, where the attackers manipulated the conversion rates to earn exaggerated profits when liquidating their own positions. The threat actor's ETH wallet is being used to track the stolen assets; however, the criminals have reportedly begun laundering their stolen funds via Tornado Cash, a sanctioned cryptocurrency mixer. CTIX analysts will continue to monitor this situation and provide additional updates as appropriate.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.