Ankura CTIX FLASH Update - March 26, 2024

Ransomware/Malware Activity


StrelaStealer Malware Phishing Campaign Targets U.S. and E.U. Organizations 

Cybersecurity researchers have observed StrelaStealer malware targeting hundreds of U.S. and E.U. organizations in Q1 of 2024. StrelaStealer was first observed in November 2022 as a new form of info-stealing malware built to swipe email account credentials. At the time, StrelaStealer appeared to be targeting mainly Spanish-speaking individuals, based on the language of the phishing emails crafted to deliver the malware via .ISO files. Since 2022, the infection chain of StrelaStealer has evolved. The newer version uses ZIP attachments instead of .ISO files to drop an initial JavaScript file. The JavaScript in turn drops a batch file and a malicious DLL, which is executed via “rundll32.exe” to deploy the payload. In addition, the new StrelaStealer packer employs a control flow obfuscation technique to make analysis of the malware more difficult. The primary goal of the malware remains the same: to steal email login credentials, which can be used for subsequent attacks. Researchers note that the high-tech industry is most commonly targeted by this campaign, accounting for roughly 900 observed StrelaStealer samples. CTIX analysts recommend blocking all Indicators of Compromise (IOCs) associated with StrelaStealer (linked in the report below). CTIX analysts will continue to report on evolving and novel strains of malware and associated campaigns.
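The infection chain described above (script file, then batch file, then a DLL run through rundll32.exe) leaves a recognizable process ancestry, and the following added example, which is not part of the CTIX report, shows detection logic for it over process-creation events. The event fields, file names and paths are constructed for illustration, and the use of wscript.exe or cscript.exe as the JavaScript host is an assumption.

```python
import ntpath

# Assumption: the dropped .js file is run by Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style), not from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\a\AppData\Local\Temp\run.bat"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\a\AppData\Local\Temp\payload.dll,Entry"},
    # Benign: rundll32 started directly by the shell, no script host above it.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

def basename(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()

def ancestors(event, by_pid):
    """Yield parent events up the tree, guarding against PID loops."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_script_to_rundll32(events):
    """Alert on rundll32.exe whose ancestry includes a script host running a .js file."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        chain = [e] + list(ancestors(e, by_pid))
        host = next((p for p in chain if basename(p["image"]) in SCRIPT_HOSTS), None)
        if host and ".js" in host["cmdline"].lower():
            names = [basename(p["image"]) for p in reversed(chain)]
            alerts.append({"pid": e["pid"], "chain": names, "script": host["cmdline"]})
    return alerts
```

In production telemetry, key the lookup on a process GUID rather than the PID, since PIDs are reused over time.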


Threat Actor Activity


Russian Linked Hacker Group Targeting German Political Parties

APT29, also known as Cozy Bear or Midnight Blizzard, is a Russian espionage hacking group linked to Russia's Foreign Intelligence Service (SVR) and most notably connected to the SolarWinds supply chain attack in 2020. The group has recently been observed targeting German political parties. This is the first time that researchers have observed APT29 espionage attacks focused on political parties, indicating the group may be shifting its campaign away from typical operations that have previously focused on targeting diplomatic figures. The hacking group's strategic shift comes amidst Germany's increased military support for Ukraine, which has resulted in heightened espionage activities against the country, particularly from Russia. The recent campaign involves phishing emails disguised as dinner invitations hosted by the Christian Democratic Union (CDU), one of Germany's major political parties, that deploy the WineLoader malware. WineLoader is a backdoor that offers remote access to compromised devices and networks, which makes it well suited for remote espionage activities such as assisting a threat actor seeking to influence or monitor political processes in Germany. These efforts align with Russia's broader objectives to understand and predict Western political dynamics, and possibly undermine European support for Ukraine. Experts warn that this targeting campaign is not confined to Germany alone, and could extend to groups across Europe and the U.S. The SVR's comprehensive approach indicates a systematic attempt to gather intelligence from a variety of organizations and gain insight that would better position Russia's geopolitical strategies. Western political entities are advised to remain vigilant and strengthen their cybersecurity defenses to protect against such sophisticated and potentially widespread cyber threats.
CTIX analysts will continue monitoring ongoing changes to the cyber threat landscape and the evolving tactics of Russian intelligence services in the context of current geopolitical tensions. 




Recently Patched FlowFixation Vulnerability for AWS

Cybersecurity researchers have identified and patched a critical security flaw in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA), which could have allowed hackers to hijack user sessions and execute code remotely on the service's infrastructure. Dubbed “FlowFixation” by Tenable, the vulnerability stemmed from a combination of session fixation and a misconfiguration in the AWS domain that facilitated cross-site scripting (XSS) attacks. This flaw could have enabled attackers to manipulate victims' accounts to access sensitive data, change configurations, and trigger workflows, potentially leading to remote code execution (RCE) and further intrusion into other services. The discovery underscores broader issues with cloud domain architecture and management, affecting other giants like Microsoft Azure and Google Cloud, though AWS and Azure have since addressed the problem by updating their domain configurations. The episode highlights the growing importance of robust cybersecurity measures in cloud environments to protect against sophisticated web attacks and unauthorized access. CTIX analysts recommend all administrators keep their infrastructure up-to-date so that they may reap the benefits of early patching as more vulnerabilities are identified and remediated in the future. 


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

