
Ankura CTIX FLASH Update - December 15, 2023

Malware Activity

OilRig Group Deploys 3 New Malware Downloaders

Cybersecurity researchers have published reports showing that throughout 2022, OilRig (an Iranian state-sponsored threat actor also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten) was observed deploying three (3) new downloader malware strains, named ODAgent, OilCheck, and OilBooster, along with an updated version of a known downloader called SampleCheck5000 (SC5k), to maintain persistent access to victim organizations primarily in Israel. Active since 2014, OilRig mainly targets entities in the Middle East. The downloaders are notable for using legitimate cloud service APIs, such as the Microsoft Graph OneDrive and Outlook APIs and the Microsoft Office Exchange Web Services (EWS) API, for command-and-control (C2) and data exfiltration. This strategy aims to blend malicious activity with authentic network traffic, concealing the attack infrastructure. The targets of these attacks included entities in healthcare, manufacturing, and local government, many of which had been previously targeted by OilRig. Each downloader has unique characteristics. ODAgent, first detected in February 2022, is a C#/.NET downloader that uses the Microsoft OneDrive API for C2 communications. SampleCheck5000 interacts with a Microsoft Exchange mail account using the Office Exchange Web Services API. OilBooster, like ODAgent, uses the Microsoft OneDrive API, while OilCheck, like SampleCheck5000, relies on a mail account but uses the Microsoft Graph API for its network communications. OilBooster and OilCheck both use the Microsoft Graph API to connect to a Microsoft Office 365 account, but they differ in their use of OneDrive and Outlook accounts for command retrieval and payload fetching.
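
Because these downloaders hide C2 inside legitimate Microsoft cloud API traffic, a practical defensive check is to look at which processes originate that traffic rather than at the destinations alone. The following is an added example, not code from the report or from any vendor; the log format, the process allowlist, and the sample rows are constructed assumptions:

```python
import csv
import io

# Cloud endpoints the report says the downloaders use for C2 and exfiltration.
CLOUD_API_HOSTS = {
    "graph.microsoft.com",    # Microsoft Graph: OneDrive and Outlook APIs
    "outlook.office365.com",  # Exchange Web Services (EWS) endpoint
}

# Assumed allowlist of process images expected to reach these endpoints.
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}

# Constructed EDR-style network telemetry (CSV); not real vendor output.
SAMPLE_LOG = """\
host,process,user,dest_host,dest_path
WS01,onedrive.exe,alice,graph.microsoft.com,/v1.0/me/drive/root/children
WS01,msedge.exe,alice,graph.microsoft.com,/v1.0/me/messages
WS02,update_check.exe,bob,graph.microsoft.com,/v1.0/me/drive/root:/uploads:/children
WS03,svc_helper.exe,carol,outlook.office365.com,/EWS/Exchange.asmx
WS03,outlook.exe,carol,outlook.office365.com,/EWS/Exchange.asmx
WS04,curl.exe,dave,example.com,/index.html
"""


def find_suspect_cloud_api_use(log_text: str) -> list[dict]:
    """Return rows where a non-allowlisted process reaches a cloud API host.

    The requests themselves look legitimate by design, so the signal is the
    originating process, not the destination or the request content.
    """
    suspects = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_host"].lower() not in CLOUD_API_HOSTS:
            continue  # not one of the abused cloud APIs
        if row["process"].lower() in EXPECTED_PROCESSES:
            continue  # expected client, nothing to flag
        suspects.append(row)
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_cloud_api_use(SAMPLE_LOG):
        print(f"{hit['host']}: {hit['process']} ({hit['user']}) -> "
              f"{hit['dest_host']}{hit['dest_path']}")
```

In a real deployment the allowlist should be built per host role from observed baselines, since a browser or Office binary reaching Graph is normal while an unsigned helper doing so is not.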

Threat Actor Activity

Russian-linked APT28 Using Israel-Hamas Lures to Target European Entities

The Russian nation-state threat actor APT28, also commonly known as FancyBear, TA422, Forest Blizzard, and many others, has recently been associated with a newly discovered campaign centered around Israel-Hamas lures to deliver a custom backdoor called HeadLace. The campaign is directed at thirteen (13) nations worldwide, including Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The threat actors have been observed using authentic documents created by academic, finance, and diplomatic centers as decoys, such as ones from the United Nations, the Bank of Israel, the U.S. Congressional Research Service, the European Parliament, a Ukrainian think tank, and an Azerbaijan-Belarus Intergovernmental Commission, to target primarily European entities who have a "direct influence on the allocation of humanitarian aid." APT28's current campaign is highly targeted: the nation-state threat actor's infrastructure is set up so that a single instance of malware is only received by targets within a single country. A previous campaign by the threat actor in September 2023 used sensitive adult-themed lures while exploiting a Microsoft Outlook flaw to gain unauthorized account access to Exchange servers. Some of the attacks linked to the threat actor's current campaign using their custom HeadLace backdoor have employed RAR archives that exploit a WinRAR vulnerability, tracked as CVE-2023-38831. The newer campaign shows a great deal of attention to targeting distinctive victims, specifically individuals who are part of the International Community (IC) and who might have interests in emerging policy creation.

Vulnerabilities

Russian State-sponsored Threat Group APT29 Targets Critical TeamCity Server Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies have warned that the Russian hacking group APT29 has been targeting unpatched TeamCity servers since September 2023. APT29, linked to Russia's Foreign Intelligence Service (SVR), is known for its involvement in the SolarWinds supply-chain attack and breaches of multiple U.S. federal agencies. The threat actor has been exploiting a critical TeamCity vulnerability, tracked as CVE-2023-42793 (CVSS 9.8/10), which is an authentication bypass flaw allowing remote code execution without user interaction. Successful exploitation of this vulnerability enables attackers to compromise software developers' networks, potentially leading to further network breaches, lateral movement, and persistent access to compromised environments. The vulnerability also presents the risk of software supply chain attacks via malicious code injection. Ransomware gangs and North Korean hacking groups, including Lazarus and Andariel, have also exploited this vulnerability. JetBrains, the developer of TeamCity, claims that over 98% of all TeamCity servers have been patched following the vulnerability disclosure. The vulnerability affects on-premises TeamCity instances; the cloud version is not impacted. JetBrains has been actively contacting customers to encourage updates and has also provided a security patch for older TeamCity versions. CTIX analysts recommend that any administrators running TeamCity ensure that they are on the most up-to-date version to prevent exploitation.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
