Malware Activity
New Phishing Tool "W3LL Panel" Observed Compromising Thousands of Microsoft 365 Accounts
Researchers have uncovered a covert business email compromise (BEC) "phishing empire" targeting Microsoft 365 accounts throughout the United States, Europe, and Australia with a new phishing kit. W3LL, the threat actor behind the phishing empire, has been noted as playing a major role in Microsoft 365 BECs over the last six (6) years. Researchers explained that W3LL has a hidden, English-speaking underground market called "W3LL Store" that "served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks." The phishing tools have been reported to have collectively targeted approximately 56,000 corporate M365 accounts between October 2022 and July 2023, with an estimated turnover of roughly $500,000, with the W3LL Panel specifically compromising approximately 8,000 accounts. Researchers emphasized that the W3LL Panel may be considered "one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities." Researchers published an overview of W3LL's activity as well as an in-depth technical report containing indicators of compromise (IOCs), which can be viewed below.
- The Record: W3LL Phishing Empire Article
- The Hacker News: W3LL Phishing Empire Article
- Group-IB: W3LL Phishing Empire Overview & Report
Threat Actor Activity
GhostSec Leaks Source Code for Iranian Privacy-Invading Software
Hacktivist organization GhostSec recently distributed critical information and source code for FANAP Group's surveillance software, which targets the citizens of Iran. GhostSec is a self-proclaimed vigilante group known for their exploitation of ISIS and other terrorist organizations. Over the past few years, GhostSec shifted its focus to activities surrounding the Russia/Ukraine conflict. GhostSec actors disclosed around 26GB of data from FANAP Group thus far, revealing information about their core components such as code snippets, configuration files, and API data. The surveillance tool that the threat actors targeted has facial recognition capabilities among "various other privacy invading features and tools". Overall, the FANAP software, which was deployed throughout the region and in several financial institutions, has the ability for video surveillance with facial recognition, vehicle tracking, license plate recognition, and additional facial recognition systems for ID card distribution. GhostSec's claimed their reasoning for compromising and disclosing the information was in the name of human rights, one of the core motivations of the group. CTIX continues to monitor threat activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Requires Entities to Patch Actively Exploited Apache RocketMQ RCE Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited Apache RocketMQ critical zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. RocketMQ is a high-performance distributed messaging and streaming platform. The flaw, tracked as CVE-2023-33246, is a permission verification vulnerability that allows unauthenticated threat actors to conduct remote code execution (RCE) to deliver various malware payloads to vulnerable instances of RocketMQ. This flaw was exploited in early June 2023 by operators of the DreamBus botnet, deploying a cryptocurrency miner for the anonymous Monero (XMR) coin. The DreamBus module is highly sophisticated, passing all VirusTotal antivirus (AV) scans undetected by downloading a Tor-based proxy service bash script named "reketed" and deleting itself after execution. Once installed, DreamBus sets up a system service and an automated cron job which executes hourly to maintain persistence. DreamBus scans the network and moves laterally to search for other vulnerabilities that could allow the threat actors to conduct additional malicious activity. This vulnerability is exploitable due to a design flaw causing multiple RocketMQ components to be exposed and accessible on the public internet. The flaw has been patched by Apache maintainers, and CTIX analysts urge any impacted users to ensure they are running the most secure version of the platform to prevent exploitation. The presence of this flaw on CISA's KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by no later than September 27, 2023, or face being held accountable by regulatory agencies.
- Bleeping Computer: CVE-2023-33246 Article
- Bleeping Computer: DreamBus Campaign Article
- VulnCheck: CVE-2023-33246 Report
Honorable Mention
SEC's New Incident Disclosure Rules Receive Congressional Pushback
The Securities and Exchange commission (SEC) recently unveiled new cyber incident disclosure rules, requiring companies to give the SEC any information pertaining to a cybersecurity incident's nature, scope, and timing along with details about the potential impact. Under the new rules, companies must also determine if an incident is "material" and disclose it to the agency within four (4) days if it's determined to be material. However, members of the House are concerned that the SEC rules are duplicative, a nuisance for public companies, and pose a risk to confidentiality and for heightened vulnerability exposure. Members of the House sent a letter to SEC Chair Gary Gensler informing him that the new incident disclosure rules directly conflict with the congressionally mandated, bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as well as the Biden administration's vision for the National Cybersecurity Strategy. The overarching sentiment is that the SEC's new expansive disclosure requirements for public companies, which were likely initiated in an effort to standardize incident disclosure governance and bring greater transparency, are instead further duplicating and confusing already existing cyber incident reporting requirements and taking a step backwards in achieving cyber regulatory harmonization. Members behind the letter encourage the SEC to turn to the Department of Homeland Security Cyber Incident Reporting Council, who can provide the SEC an analysis on how the new rules can better mesh with CIRCIA and other federal cyber incident reporting rules.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
