Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)

(published: May 20, 2022)

Background:

In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability that uses server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, scanning/callback tools, and webshells. CVE-2022-22954 is also being exploited to drop variants of the Mirai/Gafgyt malware families, and in the case of the observed Enemybot variant, the final payloads themselves embed a CVE-2022-22954 exploit for further exploitation and propagation.

Takeaway:

Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services.

DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape

(published: May 20, 2022)

Background:

Advanced Intel researchers report that the Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure, including its negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intended to generate publicity for Conti, giving the group a pretext for its planned exit. Conti is morphing into a horizontal network of loosely connected groups acting either independently or inside other ransomware groups. Some groups move completely into data-stealing operations without using crypters (lockers): BlackBasta, BlackByte, and Karakurt. Some groups become Conti-loyal collective affiliates within other ransomware groups (AlphV/BlackCat, AvosLocker, HelloKitty/FiveHands, and HIVE). And some groups completely take over existing small-brand ransomware operations.

Takeaway:

The threat to organizations remains high because after a period of inactivity these actors are expected to resurface again with renewed tools and infrastructure. It is a common tactic for ransomware groups to rebrand after coming into a law enforcement spotlight. If Lapsus$ and many ex-Conti ransom groups indeed rely solely on information theft, protecting sensitive information becomes even more crucial.

Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behaviour

(published: May 19, 2022)

Background:

Nisos researchers discovered that the Fronton botnet, developed for the Russian government, can run social media influence campaigns. In 2020, when the project documents started leaking, it was thought that Fronton was focused on DDoS capabilities. New data shows that Fronton and its web-based dashboard SANA provide the capability to manage bots that promote particular informational campaigns on social media. The system allows the operator to create fake users with scheduled, time-based social activity and then to stage a coordinated reaction to a given news item: the reaction varies by activity type (comment, like, repost), comments can be positive or negative, and they follow a chosen style/template. The leaked materials showed that the Fronton/SANA system was initially trialed against Kazakhstan, but the scope of its current use is not known.

Takeaway:

Change the default credentials on your Internet of things (IoT) devices. Apply security updates once they become available.

Rise in XorDdos: A Deeper Look at the Stealthy DDoS Malware Targeting Linux Devices

(published: May 19, 2022)

Background:

Microsoft telemetry shows increasing targeting of Linux-based operating systems (OS), which are commonly deployed on cloud infrastructure and Internet of Things (IoT) devices. First discovered in 2014, the XorDdos Linux trojan has been observed to have increased its activity by 254% in the last six months. XorDdos is known for its XOR-based encryption and for its primary use in distributed denial-of-service (DDoS) attacks, but it also steals sensitive data and can potentially serve as a gateway for other malware. XorDdos spreads via SSH brute force attacks and employs a number of stealth and anti-analysis methods: running as a daemon process, process hiding, process name spoofing, and others.

Takeaway:

Follow best password practices to make brute force attacks less dangerous; targeted devices can show an uptick in failed sign-ins. Organizations should implement endpoint detection and response (EDR) that protects their Linux OS. Special focus can be placed on the use of a malicious shell script for initial access and on the drop-and-execution of binaries from a world-writable location.
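The takeaway above points to failed SSH sign-ins as the observable for XorDdos-style brute forcing. The following is an added example (not code from the original briefing or from Microsoft's report) that parses a few constructed sshd auth.log lines, flags any source IP that accumulates a burst of failures inside a short window, and notes whether that source later achieved a successful login. The log format, year, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for the example; not taken from the briefing.
SAMPLE_AUTH_LOG = """\
May 19 03:14:01 host1 sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
May 19 03:14:03 host1 sshd[2203]: Failed password for root from 198.51.100.7 port 41024 ssh2
May 19 03:14:04 host1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 41026 ssh2
May 19 03:14:06 host1 sshd[2207]: Failed password for root from 198.51.100.7 port 41028 ssh2
May 19 03:14:07 host1 sshd[2209]: Failed password for invalid user oracle from 198.51.100.7 port 41030 ssh2
May 19 03:14:09 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 41032 ssh2
May 19 03:20:15 host1 sshd[2300]: Failed password for alice from 203.0.113.5 port 50011 ssh2
May 19 03:20:40 host1 sshd[2302]: Accepted password for alice from 203.0.113.5 port 50012 ssh2
May 19 04:01:11 host1 sshd[2410]: Accepted password for root from 198.51.100.7 port 41100 ssh2
"""

# Matches the classic OpenSSH "Failed/Accepted password" syslog line (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Turn raw sshd lines into event dicts. syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog noise is skipped
        stamp = " ".join(m["ts"].split())  # collapse the double space in "May  9"
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Also records whether the same source later got an 'Accepted' login, which is
    the case a responder cares about most (brute force that succeeded).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        failures.sort(key=lambda e: e["ts"])
        burst = False
        start = 0
        for end in range(len(failures)):  # sliding window over sorted failures
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_failure = failures[-1]["ts"]
        success_after = any(e["result"] == "Accepted" and e["ts"] >= last_failure for e in evs)
        findings.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f)
```

The password-spraying signature (many distinct usernames from one source) and the success-after-burst flag are the two fields worth alerting on; a single user failing once and then succeeding, as `alice` does here, is normal typing error and is not reported.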

Twisted Panda: Chinese APT Espionage Operation Against Russian State-Owned Defense Institutes

(published: May 19, 2022)

Background:

Check Point researchers discovered a novel malware named Spinner that was used in two China-sponsored cyberespionage campaigns targeting state-owned defense institutes in Russia and, to a lesser extent, in Belarus. Observed phishing lures and decoy documents were themed around Russian government documents with topics such as government awards, Ukraine-related sanction lists, and even bioweapon allegations. The actors significantly improved their tactics between their first campaign (June 2021) and their second (March-April 2022). These improvements include splitting some functions between several components, adding complex compiler-level obfuscations to existing shellcode, and dynamic API resolving with name hashing.

Takeaway:

Defense-in-depth (fail-safe defense processes, layering of security mechanisms, redundancy) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

Interactive Phishing: Using Chatbot-Like Web Applications to Harvest Information 

(published: May 19, 2022)

Background:

Trustwave researchers discovered a mail-delivery themed phishing campaign that utilizes an automated chatbot. Once a user lands on the typosquatted phishing website impersonating DHL (a shipping company), the automated dialog box engages the victim with questions, guidance, an alleged photo of the parcel, and explanations of why the victim needs to provide credit card data to pay a small delivery fee.

Takeaway:

Users should verify the domain before entering sensitive information. Be especially suspicious regarding unwarranted emails, delivery notifications, and unexpected payment requests.

Custom PowerShell RAT Targets Germans Seeking Information About The Ukraine Crisis

(published: May 16, 2022)

Background:

Threat actors, possibly connected to Russia, re-registered collaboration-bw[.]de, an expired German domain themed around Baden-Württemberg (a German state), and impersonated the state's government website. Visitors to the spoofed website are prompted to download a ZIP archive allegedly containing information on the Ukraine crisis. Opening the HTM (Microsoft HTML Help) file it contains displays a decoy error message while a malicious PowerShell script runs in the background. This downloads an additional script from the same domain, which drops two files: a CMD file that runs a TXT file containing a remote access trojan (RAT) written in PowerShell. Persistence is achieved by creating a scheduled task, and Windows Antimalware Scan Interface (AMSI) bypassing is done using an AES-encrypted function.

Takeaway:

Organizations should teach their employees to detect spoofed government and other high-value websites. Pay attention to the domain name, certificate information, and possible typos and content mismatches.

Wizard Spider In-Depth Analysis  

(published: May 16, 2022)

Background:

Prodaft researchers were able to uncover multiple details regarding the Russia-based actor group Wizard Spider and its work with affiliates on the Conti ransomware. Researchers were able to analyze Conti intrusion servers and to profile Conti's hash-cracking station operation and the cold-call center the group uses to additionally scare victims into paying the ransom. Details regarding their tools, virtual private network (VPN), and beacon configurations were also analyzed. While the group is flexible on intrusion techniques, the first steps of the infection chain often consist of a QBot infection followed by SystemBC proxy malware and a Cobalt Strike beacon. Observed customizable Cobalt Strike beacons were generated for each team on a daily basis, mostly sharing the same data center for command-and-control (C2) communication: ReliableSite (USA).

Takeaway:

Defenders should block the observed indicators of compromise (available in ThreatStream and Match). Monitor for known Conti/Wizard Spider tools, especially when your employees have no legitimate reason to use them. Keep your systems patched and maintain resilient backup systems.

UNITED STATES OF AMERICA – against – MOISES LUIS ZAGALA GONZALEZ, Also Known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” Defendant. 

(published: May 16, 2022)

Background:

The US Department of Justice issued an arrest warrant for a citizen of France and Venezuela who resides in Venezuela and is responsible for two ransomware operations. In or around 1997, Moises Luis Zagala Gonzalez (Zagala) joined a criminal underground group called "High Cracking University" and started coding malware. More recently, in 2019-2022, he was creating ransomware and renting it to other actors. First, Zagala rewrote the Jigsaw ransomware and marketed it as "Jigsaw v.2". Then he started the Thanos ransomware-as-a-service project.

Takeaway:

Zagala's conversations with confidential sources revealed heavy reliance on remote desktop protocol (RDP) access and that companies lacking backups pay ransoms more readily. This highlights the necessity for defenders to keep unerasable backups and to limit and monitor remote access to their systems.

Guidance on the Democratic People’s Republic of Korea Information Technology Workers  

(published: May 16, 2022)

Background:

U.S. authorities are warning that North Korea is dispatching its IT workers to obtain remote jobs at companies across the world. Not only can hiring a North Korean IT worker have legal consequences, but the privileged access obtained by these IT workers is sometimes used to facilitate cyber intrusions. These actors go to great lengths to obfuscate their real identity. They are often located in China or Russia, less frequently in Africa or Southeast Asia. They often change their names and pretend to be from South Korea, the US, or another country. They use VPN services, dedicated machines, fake portfolio websites, forged documents, and proxy identities, and they try to avoid video communication.

Takeaway:

Organizations should implement background checks, monitor for red flags, segment their networks, and restrict access on a need-to-have basis. Warning signs include a remote employee connecting from multiple IPs geolocated in different countries over a short period of time, using port 3389 or other remote desktop sharing configurations, and frequent transfers to China-linked banks and digital payment systems. Monitor for requests to change the address, phone number, and email provided during the original interview.

Observed Threats

Wizard Spider

Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of the Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high-ransom return, a technique known as big game hunting (BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personally Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use. Known associated groups are: Grim Spider, a group that has been operating Ryuk ransomware since August 2018 and is reported to be a cell of Wizard Spider; and Lunar Spider, the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), whose main activities involve data theft and wire fraud.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users

A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, an open-source Java logging package. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently disclosed to the public on December 9, 2021.

CVE-2022-22954

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.