Malware Activity
Balada Injector Campaign Compromised 1 million WordPress Websites Since 2017
Researchers have published a new report detailing a large-scale campaign dubbed "Balada Injector" that has compromised approximately 1 million WordPress websites. The campaign has been tracked by researchers since 2017 and is known for leveraging "all known and recently discovered theme and plugin vulnerabilities" in WordPress websites. The attacks are conducted in waves, typically once a month, with a newly registered domain used in each wave. These domains redirect victims to various fraudulent websites, including lottery, push notification, and tech support scams. Balada Injector's main focus is exfiltrating sensitive information, such as database credentials, in order to maintain persistence in the event that the victim clears the infection and patches their vulnerabilities. The campaign also seeks out backup archives and databases, files that may contain sensitive data, access logs, and debug information. It additionally searches for Adminer and phpMyAdmin, as these legitimate tools are used to create new admin users and inject malware into the victims' databases. The campaign operators have also been observed deploying various backdoors to the compromised WordPress websites, in some instances dropping backdoors to 176 predefined paths in order to make removal of the malware more difficult. The backdoor names are also changed in each wave of the campaign to hinder detection. Researchers have emphasized that each wave of Balada Injector attacks differs, so given the wide variety of infection vectors there are no specific mitigation instructions at this time. CTIX analysts urge administrators to use strong passwords and multi-factor authentication (MFA), ensure applications such as WordPress plugins are up to date with the latest patches, and monitor user accounts for suspicious activity. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
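Because the backdoor names change every wave and the drop locations are spread across many predefined paths, signature matching is a weak defense on its own; a file-integrity baseline of the PHP files in a WordPress install catches new, modified, and misplaced files regardless of what they are called. The following is an added example written for this update, not code from the cited report or from the Balada operators: it builds a SHA-256 manifest of `.php` files under a site root, diffs it against a later scan, and separately flags any PHP under `wp-content/uploads` or `wp-content/cache`, where WordPress never legitimately serves PHP. The file names and contents in `demo()` are constructed for illustration and are not real Balada artifacts.

```python
"""Baseline-and-diff integrity scanner for PHP files in a WordPress tree (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Directories in which WordPress never legitimately executes PHP; any .php file
# found here is worth an immediate look even if it already exists in the baseline.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every .php file under root (as a POSIX path relative to root) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in root.rglob("*.php"):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a trusted baseline against a fresh scan and return the findings by category."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    # PHP under upload/cache paths is reported regardless of baseline membership.
    misplaced = sorted(k for k in current if k.startswith(NO_PHP_DIRS))
    return {"added": added, "removed": removed, "modified": modified, "misplaced_php": misplaced}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small clean tree, then simulate a drop and a core edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_files = {
            "wp-config.php": "<?php define('DB_PASSWORD', 'constructed-example'); ?>",
            "wp-includes/functions.php": "<?php // core file ?>",
            "wp-content/plugins/demo/demo.php": "<?php // plugin file ?>",
        }
        for rel, body in clean_files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = build_manifest(root)

        # Simulated post-compromise changes (constructed, not real campaign artifacts):
        # a PHP file appears under uploads and a core file gains appended code.
        (root / "wp-content/uploads/2023").mkdir(parents=True)
        (root / "wp-content/uploads/2023/img.php").write_text("<?php // dropped file ?>")
        (root / "wp-includes/functions.php").write_text("<?php // core file ?>\n<?php // appended ?>")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest should be generated from a known-clean deployment (or from a fresh download of the exact WordPress core, theme, and plugin versions in use) and stored off the web host, since an attacker with database credentials and a web shell can otherwise rewrite it along with the files it protects.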
Threat Actor Activity
DEV-1084 Linked to MuddyWater Organization
Recent activity from the DEV-1084 threat group has increasingly been attributed to the Iranian nation-state threat group MuddyWater. DEV-1084 is believed to be a small threat organization working in tandem with MuddyWater, responsible for the post-breach destruction of victim networks and infrastructure. MuddyWater is a well-known threat group responsible for numerous cyberespionage attacks against government entities and critical infrastructure organizations throughout the United States, Southern Asia, and the Middle East. Threat actors from the group operate on the sole mission of gathering intelligence to benefit the Iranian state. Recent intelligence gathered by Microsoft shows that MuddyWater actors would exploit their target victim(s), after which DEV-1084 would begin the invasive and crippling attacks on the victim's networks. DEV-1084 utilizes compromised administrative credentials to gain privileges within the environment, allowing for the encryption and exfiltration of company documents, storage, virtual machines/networks, cloud resources, and employee email inboxes. The connections linking DEV-1084 to MuddyWater are a hosting IP address and domain name used by MuddyWater in past attacks, alongside usage of the Mullvad VPN, Rport, and Ligolo custom scripts utilized by the group. MuddyWater continues to be a major player throughout the threat landscape and is believed to comprise several sub-groups, each focusing on a different aspect of the MuddyWater mission. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Urges Organizations to Patch Critical Vulnerabilities in the Veritas Backup Exec Suite
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch three (3) critical vulnerabilities impacting internet-facing Windows servers running Veritas Backup Exec installations. Veritas Backup Exec is a data backup and recovery suite with approximately 8,500 installations according to internet scans. These flaws are being exploited by a new ALPHV (aka BlackCat) affiliate tracked as UNC4466 in order to drop the Rust-based ransomware. The first vulnerability, tracked as CVE-2021-27876, is a file access vulnerability that can be exploited via malicious input parameters to take control of a target system. The second flaw, tracked as CVE-2021-27877, is an improper authentication vulnerability that could be exploited by an unauthenticated attacker to authenticate to the system through the SHA authentication scheme. The third flaw, tracked as CVE-2021-27878, is a command execution vulnerability that could allow an attacker to abuse the data management protocol to execute arbitrary code. The UNC4466 attacks were initiated with the Metasploit module "exploit/multi/veritas/beagent_sha_auth_rce" against servers running Veritas Backup Exec, with persistence within the network also maintained through Metasploit modules. These vulnerabilities impact any instance of Veritas Backup Exec running a version prior to 21.2. CTIX analysts recommend that any organization running these versions patch its software, as well as apply compensating mitigations such as enabling multi-factor authentication (MFA), implementing secure access controls, and segmenting impacted networks. Technical details and indicators of compromise (IOCs) can be found in the report linked below.
Honorable Mention
Cyberattacks Target Israeli Water Controllers
The Israeli State was hit with a cyberattack targeting its critical infrastructure. Israel's National Cyber Organization anticipated an influx of threats from anti-Israeli hackers during the month of Ramadan, yet that did not deter the cyberattack that shut down ten (10) water controllers in the Jordan Valley. The water controllers were down for an entire day as management worked all day Sunday, April 4, 2023, to bring the systems back online and into full operation. Cyberattacks with physical consequences have been a looming threat, and their instances continue to increase. Critical infrastructure systems such as water supplies, electric grids, and transportation networks are increasingly targeted by cybercriminals because of the significant financial damages and geopolitical disruptions they can cause. This attack is another case highlighting the demand for increased cybersecurity monitoring and incident response plans centered around critical infrastructure. Nations such as Russia, Iran, North Korea, and China have threat groups with capabilities that, if executed, would have drastic consequences, including potential physical damage and harm to the public.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.