Malware Activity
New "3AM" Ransomware Deployed by LockBit Affiliates
Researchers have observed a new ransomware family deployment in conjunction with LockBit ransomware. The deployment of the new ransomware strain “3AM” was proceeded by a command to dump the target system’s policy settings for a specific user, which then allowed the threat actors to install certain Cobalt Strike components and continue to escalate privileges using PsExec. If the threat actor failed to install LockBit on a targeted network after escalating privileges, 3AM was pushed for installation instead. 3AM first attempts to halt security and backup tools, before deleting volume shadow copies in an attempt to stop file recovery from occurring post compromise. 3AM then follows the typical pattern of encrypting files, leaving them with the “.threeamtime” extension while also leaving a text file ransom note named “RECOVER-FILES.txt”. Additionally, each encrypted file is exfiltrated to an FTP server. Although 3AM was only deployed after LockBit’s installation was unsuccessful, it does not appear to have been very effective and was actively blocked on more than 60% of the observed systems. Despite its current effectiveness, the use of 3AM represents a change in tactics by LockBit affiliates that is worth monitoring. CTIX analysts will continue to track the use of ransomware strains and affiliate use and will report back with available updates.
Threat Actor Activity
Corporate Networks Attacked by Storm-0324 in Microsoft Teams Phishing Attacks
Storm-0324, a financially motivated threat group, has recently switched to Microsoft Teams phishing attacks to breach corporate networks. Storm-0324 has deployed Sage and GandCrab ransomware in the past and is also known to have provided the FIN7 cybercrime gang with access to corporate networks in the past. The threat actor's current campaign involves phishing lures delivered via links to malicious SharePoint-hosted files sent via Microsoft Teams. Storm-0324's end goal is unknown, but their attacks thus far have been aimed at stealing users' credentials after targeting them with false multifactor authentication (MFA) prompts. Researchers suspect the threat actors are using a publicly available, open-source tool called TeamsPhisher that allows attackers to bypass restrictions for files sent from external tenants, effectively enabling phishing attachments to be sent to Teams users. The security issue went unnoticed back in July when APT29 was observed exploiting the flaw, but Microsoft has since taken measures to suspend all suspected tenants and accounts used in Storm-0324's campaign while also making the externality of a user more apparent for Teams users. CTIX analysts advise users of Microsoft Teams to exercise caution when interacting with unknown or potentially malicious senders.
Vulnerabilities
Actively Exploited Microsoft Zero-day Vulnerabilities Added to the CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) actively exploited zero-day vulnerabilities to the Known Exploited Vulnerability (KEV) catalog. The flaws impact both the Microsoft Word and Microsoft Streaming Service Proxy products. The first vulnerability, tracked as CVE-2023-36761 (CVSS score: 6.2) is a Microsoft Word information disclosure flaw that allows the exposure of Windows New Technology LAN Manager (NTLM) hashes. The vulnerability is exploited by threat actors who embed Word documents with malicious macros and code. The malicious Word document files execute in the victim environment if the victims open the document, or simply preview it within the Preview Pane feature of Windows File Explorer. Successful exploitation could allow the unauthorized threat actors to access sensitive information such as account credentials. The second vulnerability, tracked as CVE-2023-36802, is a Microsoft Streaming Service Proxy elevation of privileges (EOP) flaw which could be exploited by threat actors to gain SYSTEM privileges in the victim environment. The vulnerabilities have both been patched, and technical details about the exploitation or suspected threat actors have not been made public at this time to allow as many users as possible to patch their vulnerable systems. The addition of the vulnerabilities to the KEV mandates that all Federal Civilian Executive Branch (FCEB) agencies must patch the flaw by no later than October 3, 2023.
- The Hacker News: CVE-2023-36761 & CVE-2023-36802 Article
- The Record: CVE-2023-36761 & CVE-2023-36802 Article
- CISA: KEV Catalog
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
