Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

Background:

Symantec researchers detected a new cyberespionage campaign by the China-sponsored Lancefly group targeting organizations in South and Southeast Asia. From mid-2022 into 2023 the group has targeted the aviation, government, education, and telecom sectors. Indications of the intrusion vectors suggest that Lancefly has possibly moved from phishing attacks to SSH brute force and exploitation of publicly accessible devices such as load balancers. A small number of machines were infected in a highly targeted fashion to deploy the custom Merdoor backdoor and a modified version of the open-source ZXShell rootkit. Lancefly abuses a number of legitimate binaries for DLL side-loading, credential stealing, and other living-off-the-land (LOLBin) activity.

Takeaway:

Organizations are advised to monitor for suspicious SMB activity and for LOLBin activity that indicates possible process injection or LSASS memory dumping.

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

Background:

The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory in response to active exploitation of CVE-2023-27350. This vulnerability affects certain versions of PaperCut print management servers (PaperCut NG/MF) and enables an unauthenticated actor to execute malicious code remotely without credentials. The Bl00dy Ransomware Gang has been observed exploiting the vulnerability to target the education facilities sub-sector since early May 2023. The actors use the PaperCut server process pc-app.exe to execute other processes with SYSTEM- or root-level privileges. Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and deploys additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.

Takeaway:

Education facilities accounted for approximately 68% of exposed (but not necessarily vulnerable) US-based PaperCut servers. Users and administrators should immediately apply patches or workaround remediations. Look for child processes spawned from a PaperCut server's pc-app.exe process.
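The two detection takeaways above (child processes of pc-app.exe, and LOLBin activity pointing at LSASS memory dumping) can be expressed as a single pass over process-creation telemetry. The following is an added example, not code from the original newsletter or from either advisory; the event fields mirror Sysmon Event ID 1 but are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation record; field names are assumptions.
@dataclass
class ProcEvent:
    pid: int
    image: str          # path of the new process
    cmdline: str
    parent_image: str   # path of the parent process

PAPERCUT_PARENT = "pc-app.exe"   # any child of this server process is worth a look

# Command-line signatures tied to LSASS memory dumping via living-off-the-land binaries.
LSASS_DUMP_PATTERNS = [
    re.compile(r"comsvcs\.dll.*minidump", re.I),   # rundll32 comsvcs.dll MiniDump
    re.compile(r"procdump.*lsass", re.I),          # Sysinternals procdump against lsass
]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Names of the detections this single event triggers (empty if none)."""
    hits = []
    if basename(ev.parent_image) == PAPERCUT_PARENT:
        hits.append("papercut_child_process")
    if any(p.search(ev.cmdline) for p in LSASS_DUMP_PATTERNS):
        hits.append("lsass_dump_lolbin")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """pid -> detections, for events that triggered at least one."""
    return {ev.pid: hits for ev in events if (hits := classify(ev))}

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
              r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe"),
    ProcEvent(1002, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\l.dmp full",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1003, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Tune the allowlist for legitimate PaperCut child processes (for example its own updater) before deploying a rule like this, or the first detection will be noisy.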


New Phishing-as-a-Service Tool “Greatness” Already Seen in the Wild

Background:

Talos researchers detected a previously unreported phishing-as-a-service (PaaS) offering called Greatness that has been used in several phishing campaigns since mid-2022. Greatness is designed to compromise Microsoft 365 users. It makes phishing pages especially convincing and effective against businesses by prefilling the target's email address and displaying the appropriate company logo. An analysis of the domains targeted in several ongoing and past campaigns revealed that the victims were almost exclusively companies in the US, the UK, Australia, South Africa, and Canada, in that order. The most commonly targeted sectors, in order, were manufacturing, health care, technology, and education. The attack starts when the victim receives a malicious email with an HTML file attached that serves as a Microsoft 365 login phishing page. Greatness supports multi-factor authentication (MFA) bypass and IP filtering. The PaaS consists of three components: a phishing kit, the service API, and a Telegram bot or email address.

Takeaway:

Users should be cautious of emails with an HTML attachment that first displays a blurred image.

BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game

Background:

The BPFdoor Linux backdoor is attributed to the China-sponsored threat group Red Menshen (Red Dev 18). A new version of BPFdoor discovered by Deep Instinct researchers has a compilation timestamp of October 2022, was first submitted to VirusTotal in February 2023, and remained fully undetected until public reporting in May 2023. BPFdoor can bypass any firewall restrictions on incoming traffic by creating a special packet-sniffing socket, searching for a "magic" byte sequence, and instructing the kernel to set up the socket to read only UDP, TCP, and SCTP traffic arriving on ports 22, 80, and 443. The new BPFdoor variant became stealthier by removing many of its hardcoded indicators, including hardcoded commands and filenames. It also uses static library encryption instead of RC4 encryption, and a reverse shell instead of a bind shell and iptables.

Takeaway:

Defense-in-depth is an effective way to help mitigate potential APT activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities. Organizations should keep their Linux systems updated and properly configured to avoid the initial compromise that may lead to BPFdoor installation.
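Because BPFdoor listens through a packet-sniffing socket rather than a normal listening port, a host-level hunt looks for processes that hold an AF_PACKET socket at all. The following is an added example, not code from the original newsletter or from the Deep Instinct report: it parses /proc/net/packet for socket inodes and matches them to /proc/<pid>/fd link targets. The /proc contents, fd maps, process names and allowlist are all constructed or assumed.

```python
import re

# Constructed /proc/net/packet content (not captured from a real host). Each row
# is one AF_PACKET socket; the Inode column ties it to a process's fd link.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8c1d2b9e8000 3      3    0003   2     1 0      0      48213
ffff8c1d2b9e9800 3      3    0003   2     1 0      0      48901
"""

# Constructed fd -> link-target maps per pid, as os.readlink('/proc/<pid>/fd/<n>') returns.
SAMPLE_FD_LINKS = {
    1337: {"0": "/dev/null", "1": "/dev/null", "3": "socket:[48213]"},
    2201: {"0": "/dev/pts/0", "4": "socket:[48901]"},
    2202: {"0": "/dev/pts/1", "3": "/var/log/syslog"},
}

# Site-specific allowlist of commands expected to own packet sockets (assumed).
ALLOWED_COMMS = {"dhclient", "tcpdump"}
SAMPLE_COMMS = {1337: "fake_daemon", 2201: "dhclient", 2202: "bash"}   # constructed comm names

def packet_socket_inodes(proc_net_packet: str) -> set[int]:
    """Inode numbers of every AF_PACKET socket listed in /proc/net/packet."""
    inodes = set()
    for line in proc_net_packet.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 9:
            inodes.add(int(fields[8]))
    return inodes

def owners(inodes: set[int], fd_links: dict[int, dict[str, str]]) -> dict[int, list[int]]:
    """pid -> the packet-socket inodes that process holds."""
    found = {}
    for pid, fds in fd_links.items():
        for target in fds.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                found.setdefault(pid, []).append(int(m.group(1)))
    return found

def suspicious_pids(proc_net_packet, fd_links, comms, allowed=ALLOWED_COMMS) -> list[int]:
    """Pids holding a packet socket whose command name is not on the allowlist."""
    held = owners(packet_socket_inodes(proc_net_packet), fd_links)
    return sorted(pid for pid in held if comms.get(pid) not in allowed)

if __name__ == "__main__":
    print(suspicious_pids(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_COMMS))   # [1337]
```

On a live host the same logic reads /proc/net/packet and walks /proc/<pid>/fd with os.readlink; a process name is not proof of legitimacy, so verify the binary path and hash of anything the allowlist passes.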

Deconstructing a Cybersecurity Event

Background:

Industrial cybersecurity vendor Dragos self-reported being targeted by an extortion attack on May 8, 2023. A known cybercriminal group, which Dragos prefers not to name, gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and complete initial steps of the employee onboarding process. The actors were able to access the Dragos SharePoint and contract management systems and exfiltrate general-use data and 25 Dragos intel reports normally accessible to clients. The actors reached out to multiple publicly known Dragos contacts using email and phone messaging. The threat to publish the company's data was accompanied by additional threats and hints relating to employee family members.

Takeaway:

Role-based access control (RBAC) was instrumental in restricting the actors in Dragos networks. Organizations should harden their identity and access management infrastructure and processes, implement separation of duties across the enterprise, and apply the principle of least privilege to all systems and services.

In the Matter of the Search of Information Associated with Computers Constituting the Snake Malware Network

Background:

Active since 2004, the Snake (Uroburos) malware is used by Turla (Uroburos, Venomous Bear), which is attributed to Center 16 of the Federal Security Service of the Russian Federation (FSB). Its communication travels between Snake-compromised computers, where data is encrypted, fragmented, and sent using customized methodologies built atop common network protocols. In early May 2023, several countries coordinated in an effort to disrupt and clean up Snake infections in their jurisdictions. The US Federal Bureau of Investigation (FBI) identified eight compromised computers across several states. The FBI applied for a search and seizure warrant to remotely probe and disable the Snake malware while delaying target notification for up to 30 days following May 4, 2023. They developed the PERSEUS remote search technique for probing and Snake C2 impersonation. PERSEUS sends Snake-HTTP or Snake-TCP transmissions, and the type of response confirms whether the target is compromised by Snake. PERSEUS can then send certain Snake built-in commands that terminate the Snake application and overwrite its vital components without affecting any legitimate computer operation, applications, or files.

Takeaway:

Turla and other advanced persistent threat groups may use stealthy, hard-to-detect communication methods. As one compromised machine can be used in an attack against another target, it is important to engage in global defense measures that at times include centralized, court-permitted government efforts to remotely clean up identified infections. Organizations that were infected by Snake in the past should change all previous credentials that could have been compromised by Turla.

