Malware Activity
Operation Triangulation Targets iOS Devices with Zero-Click Exploit in iMessage Service
Researchers have published a new report on a campaign dubbed Operation Triangulation that began in 2019 and involves a previously unknown advanced persistent threat (APT) group. This campaign is targeting iOS devices by utilizing zero-click exploits, which is when "the receipt of the message triggers the vulnerability without requiring user interaction in order to achieve code execution." iOS devices have been observed receiving a message through iMessage that contains an exploit-embedded attachment. The exploit then fetches additional payloads in order to conduct privilege escalation and drop the final-stage malware. The malware is received from a command-and-control (C2) server that researchers note is a "fully-featured APT platform." The malware has the ability to harvest sensitive data, such as microphone recordings, geolocation, photos from instant messengers, and more, as well as "run code downloaded as plugin modules." Although the initial message is deleted from the infected device during the final stage, traces of the attack are left behind on the device. The researchers emphasized that persistence is not supported in this campaign, so it is likely that multiple devices have been reinfected after rebooting. Operation Triangulation is an ongoing campaign, and the most recently infected devices were seen running iOS 15.7. Russia's Federal Security Service (FSB) has released an advisory claiming that United States intelligence agencies are responsible for the hacking of "several thousand" Apple devices as part of a "reconnaissance operation." Apple has since stated that the company has "never worked with any government to insert a backdoor into any Apple product and never will." Researchers are seeking additional information on the campaign from fellow researchers, and CTIX analysts will provide updates as more information is released.
Additional technical details as well as indicators of compromise (IOCs) can be found in the report linked below.
- The Hacker News: Operation Triangulation Article
- Bleeping Computer: Operation Triangulation Article
- Kaspersky SecureList: Operation Triangulation Report
Threat Actor Activity
Dark Pink Targets Government & Military in Multiple Countries
Threat actors from the Dark Pink threat organization have continued targeting institutions throughout 2023 and show no signs of easing up. Dark Pink is a relatively new threat group that began operating in mid-2021, mostly targeting organizations within the Asia-Pacific region. Dark Pink actors often reuse the same tactics and techniques across their attacks, from the deployment of new custom exploitation tools to the distribution of numerous spear-phishing campaigns at one time. In their recent attacks, Dark Pink appears to have expanded their target list to include government, military, and non-profit organizations in Brunei, Belgium, and Thailand. Since the beginning of 2023, the group has successfully carried out two (2) attacks, bringing their current total up to thirteen (13). From these newly observed attacks, security researchers have identified changes in the group's tactics and payload delivery, including the use of Microsoft Excel add-ins as a persistence mechanism for “TelePowerBot,” a custom malware developed by the group. Another addition observed in recent Dark Pink attacks is the use of a service named Webhook, which provides the threat actors with a means of exfiltrating data from the victim over the HTTP protocol. Based on this information, Dark Pink remains a very active threat organization and does not appear to be slowing down. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Zero-Day Vulnerability in MOVEit Transfer Under Active Exploitation by Cl0p Threat Actors
The managed file transfer (MFT) software solution MOVEit Transfer is under active attack by the Cl0p gang, which is exploiting a critical zero-day vulnerability. MOVEit Transfer is an on-premise secure file transfer server that provides solutions for safely collecting, storing, managing, and distributing information between companies and their partners and clients. The vulnerability, tracked as CVE-2023-34362, is a SQL injection flaw that, when exploited, allows the threat actors to escalate their privileges, leading to remote code execution (RCE). Researchers state that the main sign that a server has been compromised is the presence of a webshell named "human2.asp," located in the "c:\MOVEit Transfer\wwwroot\" public HTML folder, which when accessed will execute a script with various malicious commands. The execution of the script allows the threat actor to perform actions such as downloading sensitive files and information, creating new privileged users, and conducting reconnaissance on the configured Azure Blob Storage account, allowing the threat actor to exfiltrate data directly from the victim's Azure Blob Storage containers. As of May 31, 2023, there are roughly 2,500 instances of MOVEit Transfer exposed to the public internet, with the majority of them located in the United States, including U.S. government entities. The Senior Manager of Rapid7's Vulnerability Research team stated that there is evidence that the threat actors have already automated the exploitation of this vulnerability and begun to mass download data from affected companies. MOVEit Transfer’s developer is working to release a patch as soon as possible and urges its customers to immediately apply the mitigation techniques provided in the advisory linked below. These include first shutting down any MOVEit Transfer servers to perform a thorough investigation for indicators of compromise or evidence of large file downloads.
Next, administrators should disable all HTTP and HTTPS traffic to their MOVEit Transfer environments, including backups. This is not the first file transfer solution to be exploited by Cl0p actors this year; in February, the group was credited with exploiting a vulnerability in Fortra’s GoAnywhere MFT file-transfer product. This matter is still developing, so the technical details about the vulnerability and the exploitation are being withheld by the developer until the patch is released. CTIX analysts will continue to monitor this matter and will provide further information in future FLASH Updates.
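As an added triage aid (not part of the vendor advisory or the original report), the following PowerShell script checks a MOVEit Transfer host for the webshell indicator described above; it assumes the default web root path given in the text and, as a generalization beyond the named indicator, also lists any server-side script under that folder created or modified within a configurable window.

```powershell
# Added example, not from the advisory: look for the human2.asp webshell
# indicator and for any recently changed server-side scripts under the
# MOVEit Transfer public web root. $WebRoot is assumed from the text above;
# adjust it if MOVEit was installed elsewhere.
param(
    [string]$WebRoot = 'C:\MOVEit Transfer\wwwroot',
    [int]$RecentDays = 30
)

$findings = @()

# 1. Direct indicator: the named webshell in the public web root.
$ioc = Join-Path $WebRoot 'human2.asp'
if (Test-Path -LiteralPath $ioc) {
    $f = Get-Item -LiteralPath $ioc
    $findings += [pscustomobject]@{
        Check   = 'Named webshell IOC present'
        Path    = $f.FullName
        Created = $f.CreationTimeUtc
        SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Broader sweep (generalization, not from the advisory): any .asp/.aspx/.ashx
#    file under the web root that was created or modified within $RecentDays.
#    Shipped MOVEit files normally only change during a product upgrade, so a
#    fresh script here deserves a closer look during the investigation.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Include *.asp, *.aspx, *.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTimeUtc -gt $cutoff -or $_.LastWriteTimeUtc -gt $cutoff } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check   = 'Recently changed server-side script'
            Path    = $_.FullName
            Created = $_.CreationTimeUtc
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No webshell indicators found under $WebRoot"
} else {
    # Hashes are recorded so the files can be preserved and compared later.
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt on the MOVEit host before taking the server offline, and keep the output with the rest of the investigation evidence.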
- Bleeping Computer: MOVEit Zero-day Article
- The Record: MOVEit Zero-day Article
- Huntress: MOVEit Zero-day Report
- Progress Software Corporation: MOVEit Zero-day Advisory
Honorable Mention
New Hacking Forum Leaks Data of 478,000 Members from the Shut Down RaidForums Database
On May 29, 2023, the “Exposed” forum's admin, “Impotent,” leaked the member database of RaidForums. RaidForums was the predecessor to the Breached forum, which emerged after RaidForums' website and infrastructure were seized back in April of 2022. Exposed is a new forum that launched in early May 2023, hoping to fill the void left by Breached after it was shut down in March of 2023. Exposed's admin, Impotent, stated that they decided to release the member database in its original form, with roughly 99% of it intact but with some lines removed to "cause no drama." The database table was a single SQL file used by RaidForums to store registration information, containing usernames, email addresses, hashed passwords, and registration dates for 478,870 members who registered between March 20, 2015, and September 24, 2020. RaidForums was one of the world's largest hacking forums, where members were involved in hosting, leaking, buying, and selling stolen data from breached organizations, so the leaked database of registered members exposes a wealth of information to other threat actors, researchers, and law enforcement agencies.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.