
Ankura CTIX FLASH Update - September 12, 2023

Malware Activity

Malicious Telegram Apps Identified on the Google Play Store 

Kaspersky has published research showing that several trojanized Telegram applications were listed on the Google Play store and were still available to download at the time of the report. The apps had been downloaded more than 60,000 times, and their localization indicates they were built specifically for Chinese-speaking and Uyghur users. Although the fraudulent applications look identical to the official Telegram client, they include additional packages that the original does not contain. Specifically, the trojanized code makes multiple calls to a “com.wsys” library that accesses the user's contact list; the same library runs when the app connects to its command-and-control (C2) server to exfiltrate user information such as name and phone number. The malicious code also contains a method named “uploadTextMessageToService” that reads incoming messages and uploads their content to the C2 server, and the app collects files sent or received on the user's account. In short, these applications are spyware designed to monitor the victim and harvest their contacts and conversations. A list of IOCs associated with these applications is linked below.
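As an added example (not code from Kaspersky or from the original page), the following Python script turns the two identifiers named above into a triage check. It treats an APK as the ZIP container it is, scans every classes*.dex entry for the byte strings that the com.wsys package and the uploadTextMessageToService method would leave in a DEX string table, and reports which DEX file carries them. The APKs in the block are constructed fixtures; the entry names and payloads are assumptions, not real samples.

```python
import io
import zipfile

# IOC strings taken from the description above: the "com.wsys" package
# (which appears in DEX class descriptors as "Lcom/wsys/...;") and the
# "uploadTextMessageToService" method name. DEX string tables store
# identifiers as plain (M)UTF-8, so a byte-substring scan over the
# classes*.dex entries finds them without a full DEX parser.
IOC_STRINGS = (b"Lcom/wsys/", b"uploadTextMessageToService")


def scan_apk_for_iocs(apk_bytes, iocs=IOC_STRINGS):
    """Return {dex_entry_name: [matched IOC strings]} for every DEX entry in
    the APK (a ZIP container) that contains one of the IOC strings."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            # Dalvik bytecode and its string table live in classes*.dex;
            # resources and native libraries are not scanned here.
            if not (entry.startswith("classes") and entry.endswith(".dex")):
                continue
            data = apk.read(entry)
            matched = [ioc.decode() for ioc in iocs if ioc in data]
            if matched:
                hits[entry] = matched
    return hits


def is_suspicious(apk_bytes):
    """True when any DEX entry references at least one IOC string."""
    return bool(scan_apk_for_iocs(apk_bytes))


def build_fake_apk(dex_payloads):
    """Constructed fixture: a ZIP with the entry layout of an APK. The DEX
    payloads are only string-table-like fragments, not valid DEX files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        for name, payload in dex_payloads.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not real APKs: a "clean" build that only references
# the legitimate Telegram package, and a "trojanized" build that carries an
# extra DEX with the com.wsys package and the exfiltration method name.
LEGIT_DEX = b"dex\n035\x00Lorg/telegram/messenger/MessagesController;\x00sendMessage\x00"
CLEAN_APK = build_fake_apk({"classes.dex": LEGIT_DEX})
TROJAN_APK = build_fake_apk({
    "classes.dex": LEGIT_DEX,
    "classes2.dex": b"dex\n035\x00Lcom/wsys/Uploader;\x00uploadTextMessageToService\x00",
})

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("trojanized", TROJAN_APK)):
        print(f"{label}: {scan_apk_for_iocs(apk)}")
```

Run it against a real file with `scan_apk_for_iocs(open(path, "rb").read())`. A string match is triage evidence, not proof: a trojanized build can obfuscate class names or load its exfiltration code dynamically, so pair this check with the published hashes from the IOC list and a comparison of the APK's signing certificate against the official Telegram build's.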

Threat Actor Activity

United States & United Kingdom Sanctions Eleven TrickBot Members

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), acting jointly with the United Kingdom, has sanctioned additional members of the TrickBot group. The group, also tracked as Wizard Spider or ITG23, is a Russia-based cybercriminal organization that has targeted entities worldwide with malware families including TrickBot itself, Emotet, and QakBot. Because of the scale and destructiveness of these attacks, the group has been subject to repeated sanctions against key members; this latest round designates eleven (11) individuals for their operations and support of the TrickBot organization. The designated individuals include administrators, managers, developers, and programmers who assisted in deploying TrickBot campaigns. Combined, they are assessed to have helped extort more than $180 million from victims globally, with £27 million extorted from victims in the United Kingdom. A full listing of the individuals is provided in the attached article. CTIX continues to monitor threat actor activity and will provide additional updates accordingly.



U.S. Aviation Company Compromised by Iranian Threat Actors

In a joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command's Cyber National Mission Force (CNMF), multiple unnamed Iranian state-sponsored threat actors were confirmed to have compromised a U.S. aeronautical organization by exploiting critical vulnerabilities in Zoho ManageEngine and Fortinet firewalls. Vendor patches for both flaws were available by December 2022, and the advisory assesses that the actors were present on the victim network from at least January 2023. The first vulnerability, tracked as CVE-2022-47966, is a pre-authentication remote code execution (RCE) flaw affecting multiple Zoho ManageEngine on-premises products; it was used to compromise an internet-exposed server running Zoho ManageEngine ServiceDesk Plus, after which the threat actors established persistence and moved laterally across the victim network. The second vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow in the FortiOS SSL-VPN component that allows remote, unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. The threat actors exploited this flaw to establish persistence on the victim's Fortinet firewall. To prevent exploitation, organizations should keep software current by prioritizing patches for vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, including on firewalls and other security appliances. Security teams should also monitor the network for unauthorized use of remote access software using endpoint detection tools, and remove inactive accounts and groups that are no longer needed, especially privileged ones. Stale, unpatched infrastructure remains a leading cause of enterprise network compromise.
This compromise may have been avoided had the victim followed a routine patching cycle and prioritized remediation of vulnerabilities on internet-facing systems.
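As an added example of the prioritization step the advisory's mitigations call for (not code from the advisory or from the original page), the following Python script cross-references an asset inventory against an excerpt shaped like CISA's KEV catalog JSON feed. It flags assets whose vendor and product match a KEV entry but that have had no patch cycle since the entry was catalogued, sorts internet-facing assets first, and reports how far past the KEV due date each one is. The catalog excerpt, the asset inventory, the hostnames and the dates are all constructed for the example; only the KEV field names follow the real feed.

```python
import json
from datetime import date

# Constructed excerpt shaped like the CISA KEV catalog JSON feed (field names
# cveID, vendorProject, product, dateAdded, dueDate are the catalog's; the
# dates are illustrative, not copied from the live catalog).
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-47966", "vendorProject": "Zoho",
     "product": "ManageEngine Multiple Products",
     "dateAdded": "2023-01-23", "dueDate": "2023-02-13"},
    {"cveID": "CVE-2022-42475", "vendorProject": "Fortinet",
     "product": "FortiOS",
     "dateAdded": "2022-12-13", "dueDate": "2023-01-03"}
  ]
}"""

# Constructed asset inventory (hostnames and patch dates are hypothetical).
ASSETS = [
    {"host": "sdp01.corp.example", "vendor": "Zoho",
     "product": "ManageEngine ServiceDesk Plus",
     "internet_facing": True, "last_patched": "2022-10-15"},
    {"host": "fw-edge-01", "vendor": "Fortinet",
     "product": "FortiGate 100F (FortiOS)",
     "internet_facing": True, "last_patched": "2022-11-30"},
    {"host": "fw-lab-01", "vendor": "Fortinet",
     "product": "FortiGate 60F (FortiOS)",
     "internet_facing": False, "last_patched": "2023-03-01"},
    {"host": "web01", "vendor": "Canonical", "product": "Ubuntu 22.04",
     "internet_facing": True, "last_patched": "2023-09-01"},
]

REPORT_DATE = date(2023, 9, 12)

# KEV product names are coarse ("ManageEngine Multiple Products"), so match
# on non-generic product tokens rather than exact strings.
GENERIC_TOKENS = {"multiple", "products", "product"}


def product_matches(kev_product, asset_product):
    tokens = {t.lower() for t in kev_product.split()} - GENERIC_TOKENS
    haystack = asset_product.lower()
    return any(t in haystack for t in tokens)


def find_exposures(kev_json, assets, today):
    """Flag assets that match a KEV entry and have had no patch cycle since
    the entry was catalogued. Internet-facing assets sort first, then by how
    far past the KEV due date they are."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in assets:
        last_patched = date.fromisoformat(asset["last_patched"])
        for kev in catalog:
            if kev["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not product_matches(kev["product"], asset["product"]):
                continue
            # A patch cycle after dateAdded is treated as remediated. That is
            # an inventory heuristic: the installed version must still be
            # verified against the vendor advisory.
            if last_patched >= date.fromisoformat(kev["dateAdded"]):
                continue
            due = date.fromisoformat(kev["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": kev["cveID"],
                "internet_facing": asset["internet_facing"],
                "days_overdue": max((today - due).days, 0),
            })
    findings.sort(key=lambda f: (not f["internet_facing"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in find_exposures(KEV_JSON, ASSETS, REPORT_DATE):
        exposure = "INTERNET-FACING" if f["internet_facing"] else "internal"
        print(f"{f['host']:<22} {f['cveID']:<16} {exposure:<16} "
              f"{f['days_overdue']} days past KEV due date")
```

In practice the catalog would be fetched from CISA's published JSON feed and the inventory from the CMDB or scanner export; the heuristic deliberately errs toward flagging, since an asset last patched before a KEV entry appeared is exactly the stale, internet-facing system the advisory describes.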

Honorable Mention

Hackers Leaking Data of Israeli Hospital's Patients

The Mayanei Hayeshua Medical Center in Bnei Brak, near Tel Aviv, suffered a ransomware attack last month that forced it to shut down its administrative computer systems and redirect new patients and emergency cases to other medical centers. The Ragnar Locker ransomware group has since claimed responsibility and stated that it would soon begin releasing batches of the hospital's internal files because no ransom had been paid. Local news outlets have reported that senior government officials, lawmakers, and prominent rabbis were potentially patients whose records may appear in the leaked files. Israel's Privacy Protection Authority is investigating the incident and has confirmed limited exposure of some sensitive personal information, without specifying what that includes. The group claims the stolen data includes personal information, internal emails, financial records, medical cards, and other highly sensitive data, and says it deliberately avoided encrypting files on the hospital's network so as not to damage medical equipment. Ragnar Locker is not attributed to any nation state, but the FBI has reported that the group's ransomware was used between 2020 and 2022 against the networks of at least fifty-two (52) organizations across ten critical infrastructure sectors in the United States alone. International victims have included Portugal's national airline TAP, the Japanese gaming company Capcom, the Taiwanese memory and storage maker ADATA, and business-jet manufacturer Dassault Falcon Jet.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

