
Ankura CTIX FLASH Update - June 6, 2023

Malware Activity

U.S. Aerospace Contractor Attacked with New PowerShell-based Malware "PowerDrop"

The U.S. aerospace defense industry has been targeted by a new PowerShell-based malware script known as “PowerDrop.” The malware was discovered on a U.S. defense contractor’s network in May 2023 by Adlumin. PowerDrop is executed by Windows Management Instrumentation (WMI) through a WMI event filter and consumer named “SystemPowerManager,” which the malware itself creates using the “wmic.exe” command-line application. Although WMI is typically used by legitimate administrators to run PowerShell on local or remote computers, it is also commonly abused to execute PowerShell commands in an unauthorized manner. Upon activation, PowerDrop sends a message to its designated command-and-control (C2) server, and once a connection is established, an additional encrypted payload containing PowerShell commands is delivered to the infected machine. This backdoor allows the threat actor to execute malicious PowerShell queries as an administrator on infected devices through what are usually legitimate Windows services. Additionally, the use of WMI allows PowerDrop to avoid leaving malicious files on the device’s hard drive, reducing the effectiveness of signature-based detection methods. CTIX will continue to monitor PowerDrop as it evolves and will provide updates as needed.
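Because PowerDrop persists as a permanent WMI event subscription rather than as a file on disk, a useful host check is to enumerate the filter/consumer/binding triples in root\subscription and flag the “SystemPowerManager” name the update describes. The script below is an added example from the editor, not code from the CTIX update or from Adlumin; the regex heuristic for PowerShell-launching consumers is an assumption added for triage and will need tuning per environment.

```powershell
# Audit permanent WMI event subscriptions for PowerDrop-style persistence.
# Run in an elevated PowerShell session; Get-CimInstance ships with PowerShell 3+.
param(
    # Subscription names called out in the CTIX update as used by PowerDrop.
    [string[]]$SuspiciousNames = @('SystemPowerManager')
)

$ns = 'root\subscription'

# A permanent subscription is three objects: the filter (a WQL trigger),
# the consumer (what runs when it fires) and the binding that joins them.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$findings = foreach ($b in $bindings) {
    # Filter/Consumer on the binding are object references; resolve them by Name.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # Pull out whatever the consumer would actually execute, if it is a script/command type.
    $cmd = $null
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $cmd = $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $cmd = $c.ScriptText }
    }

    # Flag on the known name, or (assumption/heuristic) on a consumer that launches PowerShell.
    $flag = ($SuspiciousNames -contains $f.Name) -or
            ($SuspiciousNames -contains $c.Name) -or
            ($cmd -match '(?i)powershell|-enc|-nop|-w(indowstyle)?\s+hidden')

    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query
        Consumer   = $c.Name
        Type       = $c.CimClass.CimClassName
        Command    = $cmd
        Suspicious = $flag
    }
}

$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Suspicious WMI subscription: filter '$($_.Filter)' -> consumer '$($_.Consumer)'"
}
```

Any hit should be preserved (export the three objects) before removal so the filter query and consumer command survive for incident analysis.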

Threat Actor Activity

North Korean TAs Socially Engineer Organizations for Intelligence

A recent joint advisory from the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and several other agencies warned of a new social engineering campaign conducted by North Korean threat actors. The North Korean state-sponsored group, tracked as Kimsuky and also known as APT43/Black Banshee, has conducted numerous social engineering campaigns over the past several years. Often targeting education, academia, media outlets, and research institutions throughout the United States, Japan, and South Korea, these threat actors commonly compromise organizations for the sole purpose of intelligence gathering. In this recent campaign, Kimsuky threat actors used varying social engineering lures to gain the victim's trust. The threat actors would then send a link to a spoofed domain hosting a login portal, which would lead to the download of a malicious executable. This sequence of events would lead to the compromise of the user's personally identifiable information (PII) in addition to their device. The downloaded macro-enabled document contains macro malware which first establishes a connection to actor-controlled command-and-control (C2) servers, followed by remotely executed commands that download payload droppers onto the user’s device. At that point, the threat actors have the capability to gather information from the victim's device and use it for the group’s mission. CTIX continues to urge users to validate the integrity of all email communications prior to visiting any embedded links or downloading any attached files.

Vulnerabilities

Cl0p Takes Responsibility for the Exploitation Campaign Impacting MOVEit Transfer

UPDATE: The Cl0p ransomware operation has officially taken responsibility for the MOVEit zero-day attack campaign, attributed to Lace Tempest, a well-known Cl0p affiliate and operator of Cl0p's extortion/leak site. MOVEit Transfer is a very popular file transfer solution that allows organizations to manage their data. The vulnerability, tracked as CVE-2023-34362, is a SQL injection flaw that allows the threat actors to escalate their privileges and achieve remote code execution (RCE). Upon successful code execution, a webshell named "human2.asp" located in a public HTML folder executes a malicious script that allows threat actors to exfiltrate large datasets from victims' MOVEit servers and Azure Blob Storage containers. As the campaign has developed further, both government and private entities have come forward stating that they have been compromised. Progress Software has released security updates fixing this vulnerability, and CTIX analysts urge any organizations utilizing MOVEit Transfer to install them immediately. The Cl0p representative who took responsibility for the group's campaign alleged that they began exploiting this flaw over the Memorial Day weekend on May 27, 2023; however, researchers from Greynoise reported that they had been observing reconnaissance activity scanning for the MOVEit Transfer login page as early as March 3. Although it cannot be substantiated, Cl0p alleged that they are purposefully deleting any data belonging to governments, the military, and children's hospitals, since they do not target those entities. A senior security researcher warns that patching alone may not be enough to prevent exploitation if an organization has already been compromised, stating that organizations utilizing MOVEit Transfer should conduct internal investigations for evidence of the webshells or exfiltration.
Researchers from Rapid7 have identified a method for determining what data has been exfiltrated from their environments, and the details can be found in the Rapid7 blog post linked below. This campaign is indicative of a trend where threat actors are seeing the value of exfiltrating data managed by file transfer solutions, and it falls in line with the Accellion FTA compromise of 2021 and the Fortra GoAnywhere compromise from earlier this year. Although the vulnerability has been patched, these campaigns are indicative of an underlying endemic flaw in the architecture of file transfer solutions in general, and organizations should take proactive measures to harden their security posture as responsibly as possible. At this time there have been no reports of the active extortion of victims; however, CTIX analysts predict that they are right around the corner now that Cl0p has taken responsibility for the campaign. CTIX will continue to monitor this dynamic matter and may provide further updates if needed.
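Since patching does not remove a webshell that was dropped before the update, a post-patch check of the MOVEit Transfer web root is warranted. The script below is an added example from the editor, not code from CTIX, Progress Software or Rapid7; it looks for the "human2.asp" name given in the update and, going beyond the specific case, for any other .asp/.aspx file created or modified on or after the first exploitation date the update cites. The web root path is an assumption and must be pointed at the MOVEit Transfer IIS site on the host being examined.

```powershell
# Hunt a MOVEit Transfer host for the human2.asp webshell and other recent .asp/.aspx files.
param(
    # Placeholder: replace with the MOVEit Transfer web root on this host.
    [string]$WebRoot = 'C:\PATH\TO\MOVEitTransfer\wwwroot',
    # Earliest exploitation date cited in the update (Cl0p's own claim); widen if needed.
    [datetime]$Since = [datetime]'2023-05-27'
)

$knownWebshell = 'human2.asp'   # name reported in the update

if (-not (Test-Path -LiteralPath $WebRoot)) {
    throw "Web root '$WebRoot' not found; set -WebRoot to the MOVEit Transfer site directory."
}

$hits = Get-ChildItem -Path $WebRoot -Recurse -File -Include *.asp, *.aspx -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -ieq $knownWebshell -or
        $_.CreationTime  -ge $Since -or
        $_.LastWriteTime -ge $Since
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Created       = $_.CreationTime
            Modified      = $_.LastWriteTime
            # Hash recorded so the artifact can be matched against vendor/researcher indicators later.
            SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            KnownWebshell = ($_.Name -ieq $knownWebshell)
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
    $hits | Where-Object KnownWebshell | ForEach-Object { Write-Warning "Known webshell present: $($_.Path)" }
} else {
    "No .asp/.aspx files named $knownWebshell or changed since $($Since.ToShortDateString()) under $WebRoot"
}
```

A clean result here does not rule out exfiltration; the Rapid7 method referenced above is the complementary check for data that has already left the server.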

Honorable Mention

$35 Million Stolen After Atomic Wallet's Platform was Hacked

Atomic Wallet confirmed on June 3, 2023, that users' cryptocurrency wallets had been compromised. Company officials have yet to speak out in detail about the incident, as investigations are still underway. They released an initial Tweet addressing reports of compromised wallets, and another Tweet a day later on June 4, 2023, reporting that they had entered a joint effort with leading security companies to determine possible attack vectors. Additionally, the company has "reached out to major exchanges and blockchain analytics companies to trace and block the stolen fund." Part of that effort includes collecting victims' addresses to seek out information as to what operating systems they were using, where they downloaded the Atomic Wallet software, specific actions taken before the crypto was stolen, and where their backup phrase was stored. A well-known cryptocurrency security researcher and cybersecurity expert conducted their own investigation of the incident, tracking losses and estimating that more than $35 million has been stolen from the decentralized cryptocurrency wallet platform. It is still unclear exactly how the victims' wallets were compromised, but for now, Atomic Wallet has taken down its download server and advised users to transfer funds out of wallets on their platform. Outside researchers have speculated that the company's software was breached or that there may have been a bug in the application that exposed users' private keys. CTIX analysts will continue to monitor the incident and provide updates.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
