Malware Activity
North Korean State Sponsored Threat Actors Target Blockchain Engineer Computers with KANDYKORN Malware
In what appears to be a continuation of the North Korean strategy of financing the state through international organized crime, cybersecurity researchers have established a link between a new malware family targeting blockchain engineers and the North Korean state-sponsored Lazarus group. Researchers noted that the new malware, which is being used against the Apple devices of blockchain engineers, shares tactics, techniques, and procedures (TTPs) with the Lazarus group. Researchers stated that these engineers were likely targeted in order to steal cryptocurrency to finance the state's operations and evade sanctions. Initial access to the systems was achieved through a Python application sent to victims via a Discord server used by blockchain engineers. The Python application was presented as a cryptocurrency bot that automatically makes trades based on price differentials across the crypto marketplace. The application targets macOS devices and attempts to drop malware that the researchers call KANDYKORN. This malware can access and exfiltrate data from the infected device while connecting back to a command-and-control (C2) server to continually upload, execute, and exfiltrate data and programs while avoiding detection. According to researchers, the campaign began in April 2023 and continues into November. Ankura will continue to monitor this ongoing malware campaign.
Threat Actor Activity
Iranian State Sponsored Threat Actor MuddyWater Conducts Cyber Espionage Campaign Against Israel
MuddyWater, an Iranian state-sponsored threat actor, has initiated a spear-phishing campaign against Israeli targets utilizing N-able's Advanced Monitoring Agent, a legitimate remote administration tool. This marks a shift in the tactics, techniques, and procedures (TTPs) used by MuddyWater (also tracked as Mango Sandstorm and Static Kitten), but reflects a consistent strategy in their operations. Researchers from multiple cybersecurity firms reported on the campaign, describing a new file-sharing service used to deliver multi-stage attacks. These attacks involve sending emails with malicious attachments to deploy remote administration tools, enabling the attackers to perform network reconnaissance. MuddyWater has also developed a new command-and-control (C2) framework known as MuddyC2Go. MuddyWater, active since 2017 and a vital part of Iran's Ministry of Intelligence and Security, continues to evolve its methods while retaining modes of operation that have a history of success. The latest incidents feature the use of legitimate remote administration software and sophisticated infection techniques, underlining the growing risk posed by the threat actor and the broader advancement of Iran's cyber threat capabilities.
Vulnerabilities
Critical Vulnerability Identified in On-Premise Instances of Atlassian Confluence
Atlassian has issued an urgent advisory for a critical vulnerability, tracked as CVE-2023-22518, that affects its Confluence Data Center and Server products. In its advisory, Atlassian urged administrators to apply the patch as soon as possible. This vulnerability, which carries a high severity rating (CVSS 9.1/10), allows unauthenticated attackers to potentially sabotage Confluence instances, causing significant data loss; however, it does not allow for the extraction of data. The vulnerability does not affect cloud-based or Software-as-a-Service (SaaS) versions of Confluence. No active exploitation has been reported yet, but the possibility has led to a call for immediate action by Atlassian's CISO, Bala Sathiamurthy. Cybersecurity firms underscore the importance of patching the servers immediately, noting that the risk lies in data deletion rather than data theft. This is the second critical vulnerability in Confluence in a month, and users are expressing concern over the frequency of such vulnerabilities in Atlassian products. CTIX analysts recommend applying the patch immediately to prevent future exploitation. Additionally, administrators should implement network hardening and defense-in-depth measures to better protect against other, as yet unknown, vulnerabilities in the future.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.