Malware Activity
New Details of the "Decoy Dog" Toolkit Emerge
Researchers have revealed new details about "Decoy Dog", a sophisticated toolkit discovered in April 2023 whose observed activity is concentrated in Russia and Eastern Europe. Decoy Dog is a remote access trojan (RAT) toolkit based on the open-source "Pupy" post-exploitation RAT and uses DNS to establish command-and-control (C2). The toolkit has a wide array of capabilities, including "the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time." Researchers suspect that approximately four (4) actors are operating the malware and noted that, although many aspects of the toolkit remain unknown, nation-state threat actors are likely using it. As of July 25, 2023, there are believed to be roughly twenty-four (24) Decoy Dog nameservers, controllers, and domains, and fewer than one hundred (100) devices compromised by the malware. Researchers emphasized that Decoy Dog and Pupy "take advantage of the lack of DNS oversight that often occurs in networks" and that Decoy Dog was discovered solely because of DNS threat detection algorithms. CTIX analysts will continue to monitor the evolution of Decoy Dog and provide updates as necessary.
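The Decoy Dog item above turns on one defensive point: DNS-based C2 survives where nobody looks at DNS, and it was found only because someone did. The following is an added example (not code from the researchers, from Pupy, or from this update) of the kind of DNS anomaly scoring that surfaces tunnelling-style traffic. It runs over a constructed query log in an assumed "timestamp client qname qtype" format and flags any client that sends many unique, high-entropy subdomains to a single registered domain; the thresholds, the two-label "registered domain" heuristic, and the sample addresses and domains are all assumptions chosen for the demonstration.

```python
"""Score DNS query logs for tunnelling-style C2 traffic: many unique,
high-entropy subdomains from one client to one registered domain."""
import math
from collections import defaultdict

# Constructed sample log (assumed format: "timestamp client qname qtype").
# 10.0.0.5 is ordinary traffic; 10.0.0.7 mixes ordinary lookups with a burst
# of one-off hex labels under a single domain, the shape DNS C2 tends to have.
SAMPLE_LOG = """\
2023-07-25T10:00:01 10.0.0.5 www.example.com A
2023-07-25T10:00:02 10.0.0.5 mail.example.com A
2023-07-25T10:00:03 10.0.0.7 login.microsoftonline.com A
2023-07-25T10:00:04 10.0.0.7 3f9a1c7e5b2d8e04.upd.lookup-cdn.test TXT
2023-07-25T10:00:05 10.0.0.7 a81d4c2f9e7b0635.upd.lookup-cdn.test TXT
2023-07-25T10:00:06 10.0.0.7 5c0e7a19d3f48b26.upd.lookup-cdn.test TXT
2023-07-25T10:00:07 10.0.0.7 e47b2d9c1a6f0583.upd.lookup-cdn.test TXT
2023-07-25T10:00:08 10.0.0.7 91f3a6c8e2d5b704.upd.lookup-cdn.test TXT
2023-07-25T10:00:09 10.0.0.7 6d2e8f4a0c9b1375.upd.lookup-cdn.test TXT
2023-07-25T10:00:10 10.0.0.7 b03c5e9f7a1d2486.upd.lookup-cdn.test TXT
2023-07-25T10:00:11 10.0.0.7 2a7f9e1c4b8d0653.upd.lookup-cdn.test TXT
2023-07-25T10:00:12 10.0.0.7 c58a3e1f2d7b9046.upd.lookup-cdn.test TXT
2023-07-25T10:00:13 10.0.0.7 7e1b9c4a3f6d2508.upd.lookup-cdn.test TXT
2023-07-25T10:00:14 10.0.0.7 0f4d8a2e6c1b7395.upd.lookup-cdn.test TXT
2023-07-25T10:00:15 10.0.0.7 d9c2b7e5a0f31864.upd.lookup-cdn.test TXT
"""


def shannon_entropy(s):
    """Bits per character of a label; random-looking labels score near 4 (hex) or higher."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into (client, registered domain, subdomain part, qtype)."""
    _ts, client, qname, qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: registered domain = last two labels (no public-suffix list here).
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return client, domain, sub, qtype.upper()


def score_dns_log(text, min_unique=10, min_entropy=3.0):
    """Return one finding per (client, domain) pair whose subdomain volume and
    randomness both exceed the thresholds; ordinary hostnames never qualify."""
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "txt": 0, "total": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        client, domain, sub, qtype = parse_line(line)
        s = stats[(client, domain)]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        if sub:
            s["subs"].add(sub)
            # Score the left-most label, where tunnelled data is usually encoded.
            s["entropy"].append(shannon_entropy(sub.split(".")[0]))
    findings = []
    for (client, domain), s in stats.items():
        if not s["entropy"]:
            continue
        mean_e = sum(s["entropy"]) / len(s["entropy"])
        if len(s["subs"]) >= min_unique and mean_e >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(s["subs"]),
                "mean_entropy": round(mean_e, 2),
                # A high share of TXT queries is a further tunnelling hint.
                "txt_ratio": round(s["txt"] / s["total"], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log only the 10.0.0.7 burst to lookup-cdn.test is reported; the same client's lookups of a normal login portal are not, because a single low-entropy subdomain never crosses either threshold. In production the two thresholds need tuning against the network's own baseline (CDNs and some security products also generate many unique subdomains), and a public-suffix list should replace the two-label heuristic so that country-code second-level domains are grouped correctly.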
Threat Actor Activity
Threat Profile: APT31
Actors from the Chinese state-backed APT31 threat group have shown increased activity in recent weeks with a new cyberespionage campaign against industrial targets in Eastern Europe. The group is known for its sustained targeting on behalf of China's Ministry of State Security (MSS), frequently against government, insurance, aerospace, and defense organizations, among others. APT31 targets these industries primarily in North America and Europe, with successful attacks against the Finnish Parliament, the Belgian government, and American journalists covering Chinese-related international affairs. In the recent campaign, APT31's modus operandi was to compromise entities holding valuable intellectual property and exfiltrate that data to actor-controlled endpoints. Most victims were compromised through DLL hijacking vulnerabilities within their respective cloud infrastructure, leading to the deployment of second-stage malware. Several malicious programs were used in these attacks, including the “FourteenHi” and “MeatBall” malware variants, alongside APT31-customized malware. Together, these malware families give the threat actors remote access, data exfiltration, command-and-control (C2) communications, reverse shell deployment, and data-gathering modules that transmit computer names, IP addresses, operating system versions, and other data back to the threat actors. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Citrix Netscaler Vulnerability Under Active Exploitation by Suspected China-Affiliated Threat Actors
Citrix, the virtualization solution manufacturer, released a security bulletin on July 18, 2023, disclosing three (3) critical vulnerabilities in its Citrix NetScaler Application Delivery Controller (ADC) and Gateway products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors successfully compromised the network of a U.S. entity in the critical infrastructure sector after exploiting the most severe of the flaws, a zero-day unauthenticated remote code execution (RCE) vulnerability. The flaw, tracked as CVE-2023-3519, was exploited by threat actors to drop a web shell on a NetScaler ADC appliance in the victim’s non-production environment. The web shell enabled the attackers to conduct reconnaissance on the victim’s Active Directory (AD) and exfiltrate AD data. According to investigators, the threat actor attempted to pivot and move laterally across the network to a domain controller but failed because of the organization's network-segmentation controls for the ADC appliance. Investigators stated that the threat actor used the web shell to modify the NetScaler configuration in an attempt to deactivate the NetScaler High Availability File Sync daemon (nsfsyncd). At this time, there is not enough evidence for the investigators to attribute the attack to a specific threat actor with high confidence. The tactics, techniques, and procedures (TTPs), however, indicate that it is likely an unidentified cyberespionage group believed to be aligned with the Chinese government. This assessment is based on the TTPs used to exploit a similar Citrix ADC and Gateway appliance vulnerability in December 2022, which was attributed to APT5, a Chinese state-sponsored threat group known for stealing telecommunications and military application data in the U.S. and Asia. Citrix has stated that unpatched NetScaler appliances must be configured as a gateway or as an authentication virtual server in order to be vulnerable to exploitation.
The Shadowserver Foundation tweeted that according to scans, at least 15,000 NetScaler servers were exposed to the internet and could be vulnerable to exploitation. The vulnerabilities have been patched, and CTIX analysts recommend that all administrators responsible for maintaining Citrix ADC and Gateway appliances update their infrastructure to the latest patched version. This matter is evolving in real-time, and a follow-on summary may be published in the near future.
- Mandiant: CVE-2023-3519 Report
- Bleeping Computer: CVE-2023-3519 Article 1
- Bleeping Computer: CVE-2023-3519 Article 2
- SC Media: CVE-2023-3519 Article
Honorable Mention
Large Proportion of Corporate Credentials Found in Info-Stealer Logs
A recent study observed an overwhelming presence of corporate credentials within nearly 20 million information-stealing malware logs that were for sale on dark web forums and Telegram channels. Researchers found that threat actors' initial footholds into corporate environments primarily leveraged stealer logs as their principal source of access. Information stealers are malware that steal data stored in users' applications; the stolen data is then packaged into archives called 'logs.' Information stealers primarily target careless internet users who download fake software, game cheats, or cracks from suspicious sources, but those careless users frequently include corporate employees using personal devices for work or using work devices to access personal data, which leads to compromised business credentials and authentication cookies. VIP Telegram channels sold the logs with the highest concentration of corporate credentials, followed by logs found on a dark web marketplace. Logs containing corporate credentials are considered "tier-1" logs and are seen as particularly high-value because of the potential access that cybercriminals can obtain with them. The value of a log is derived from the potential for cybercriminals to use the compromised credentials to access CRMs, RDP, VPNs, and SaaS applications, which can then be used to launch stealthy backdoors, ransomware, and other payloads. Additional research found info-stealer logs containing large quantities of credentials for Salesforce applications, HubSpot, AWS Console, Google Cloud, DocuSign, and Okta. Another study found 200,000 OpenAI credentials in stealer logs, a significant exposure for users who have integrated ChatGPT into their business and have proprietary information, internal business strategies, source code, and more linked to their accounts.
CTIX offers and recommends dark web monitoring services for organizations striving to proactively identify risks such as info-stealer logs for sale on the dark web.
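The item above describes what makes a stealer log "tier-1": credentials tied to corporate accounts or to the SaaS and cloud consoles that grant business access. The following is an added example, not code from the studies cited or from CTIX, of the triage an exposure-monitoring team performs once such a listing is in hand. It runs over a constructed CSV of login URLs and account names (no secrets are included) and marks each record as tier-1 when the login uses one of the organisation's own domains or the portal belongs to a corporate-access SaaS service; the domain `example-corp.com`, the hostnames in `SAAS_HOST_SUFFIXES`, and every record in the sample are assumptions made for the demonstration.

```python
"""Triage a constructed stealer-log credential listing: which records expose
corporate accounts or corporate-access SaaS portals ("tier-1" material),
and which corporate accounts appear more than once."""
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the organisation's own email/login domains.
CORPORATE_DOMAINS = {"example-corp.com"}

# SaaS and cloud-console services named in the item above; the exact
# hostnames used here are assumptions for the demonstration.
SAAS_HOST_SUFFIXES = (
    "salesforce.com", "hubspot.com", "console.aws.amazon.com",
    "cloud.google.com", "docusign.com", "okta.com", "openai.com",
)

# Constructed listing in the shape such logs are often summarised
# (URL of the login form plus the account name).
SAMPLE_LISTING = """url,login
https://login.salesforce.com/,alice@example-corp.com
https://www.example-cheats.test/forum,gamer77@mail.test
https://example-corp.okta.com/login,bob@example-corp.com
https://console.aws.amazon.com/,cloud-admin
https://shop.example.test/account,alice@example-corp.com
https://chat.openai.com/auth/login,carol@example-corp.com
https://social.example.test/,gamer77@mail.test
"""


def host_matches(host, suffixes):
    """True only on an exact match or a dot-separated subdomain, so a
    look-alike such as evil-okta.com is not counted as okta.com."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url, login):
    """Classify one record and record why it was classified that way."""
    reasons = []
    host = urlsplit(url).hostname or ""
    login_domain = login.rsplit("@", 1)[-1].lower() if "@" in login else ""
    if login_domain in CORPORATE_DOMAINS:
        # Corporate email reused anywhere (even a consumer shop) is an exposure.
        reasons.append("corporate-login")
    if host_matches(host, SAAS_HOST_SUFFIXES):
        reasons.append("saas-portal")
    tier = "tier-1" if reasons else "other"
    return {"host": host, "login": login, "tier": tier, "reasons": reasons}


def triage(listing_text):
    """Parse the CSV listing and classify every record."""
    reader = csv.DictReader(io.StringIO(listing_text))
    return [classify(row["url"], row["login"]) for row in reader]


def summarize(findings):
    """Counts by tier plus how often each corporate account appears, which
    drives the order in which passwords are reset and sessions revoked."""
    tiers = Counter(f["tier"] for f in findings)
    corporate = Counter(
        f["login"] for f in findings if "corporate-login" in f["reasons"]
    )
    return {"tiers": dict(tiers), "corporate_accounts": dict(corporate)}


if __name__ == "__main__":
    results = triage(SAMPLE_LISTING)
    for r in results:
        print(r)
    print(summarize(results))
```

On the sample, five of the seven records are tier-1 and alice@example-corp.com appears twice, once on a corporate SaaS portal and once reused on a consumer site; that reuse is the usual reason a personal-device infection ends with business credentials in a log. The listing only carries usernames and URLs, which is enough to decide which accounts need a credential reset and session revocation, and it keeps the triage tool itself from storing the stolen secrets.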
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.