APT5: Citrix ADC Threat Hunting Guidance

(published: December 13, 2022)

Background:

On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions: 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware.

Takeaway:

All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. Network defenders are encouraged to follow the additional NSA hunting suggestions (LINK). Check MD5 hashes of the key executables on the Citrix ADC appliance against known-good values. Analyze your off-device logs: look for gaps and mismatches between logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5's activity.

Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT

(published: December 12, 2022)

Background:

In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously recorded campaigns that aim only at installing cryptomining software, this one also deploys a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots.

Takeaway:

Implement timely patching and updating to your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing.


Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper

(published: December 12, 2022)

Background:

Azov data wiper (self-named Azov Ransomware) was first detected in October 2022. Check Point researchers detected over 17,000 malicious binaries related to Azov, as multiple binaries can be associated with one infection since the wiper backdoors some executable files with shellcode encoded in a polymorphic way. Despite fake ransom notes that may look unsophisticated, researchers found several advanced techniques implemented in Azov: manually crafted assembly, injection of payloads into executables in order to backdoor them, and several anti-analysis techniques. Those include junk code, opaque constants, opaque predicates, prevention of software breakpoints, syntactic confusion and bloat, and volatile resolution of Win API routines.

Takeaway:

The Smokeloader infections that deliver Azov often also drop credential-stealing malware, an additional concern for those already suffering from the unrecoverable destruction caused by Azov. As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. Your company should restrict these types of downloads. Provide your employees with legitimate software that is not backdoored, is maintained, and receives security patches. Researchers should be aware of false-flag operations such as Azov, which had Ukrainian and Polish references planted in its original fake ransom note.

Cloud Atlas Targets Entities in Russia and Belarus Amid the Ongoing War in Ukraine

(published: December 9, 2022)

Background:

The Inception (Cloud Atlas) cyberespionage group has been active in its current form since at least 2014, and was likely preceded by the Red October activity in 2007-2013. In December 2022, Check Point and Positive Technologies researchers independently profiled a new Inception campaign targeting Russia, Belarus, and Russia-occupied areas of Ukraine and Moldova. The group has continued using spearphishing to deliver its custom PowerShell-based backdoor called PowerShower. PowerShower delivers the newly documented RtcpProxy tool: a Windows DLL that relays traffic for Inception's worldwide proxy network.

Takeaway:

With the escalation of the military actions between Russia and Ukraine, all involved sides remain heavily targeted by various cyberespionage groups. Spearphishing remains the preferred intrusion technique for Inception and a number of other involved cyberespionage groups.

A Custom Python Backdoor for VMWare ESXi Servers

(published: December 9, 2022)

Background:

Juniper researchers detected a new Python backdoor that appears to be made for tailored targeting of VMware ESXi servers. The attack probably (medium confidence) starts with the exploitation of a vulnerability in ESXi's OpenSLP service (CVE-2019-5544 and CVE-2020-3992). The Python-based backdoor file is saved to the persistent disk stores, and three ESXi system files are modified in RAM (the modifications are restored or reapplied after a reboot). The malware launches a reverse shell and a reverse proxy, and allows password-protected remote access.

Takeaway:

Network defenders should check their ESXi instances. local.sh should not have unauthorized commands added. /store/packages/vmtools.py is likely a malicious addition that masquerades through its name and a VMware-mimicking copyright statement in the code. Keep your VMware systems up to date on security patches and updates.
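The two checks in the takeaway above, written out as an added example (this is not code from the Juniper write-up or from VMware). Assumptions, labelled in the code: a stock /etc/rc.local.d/local.sh contains only comments, blank lines and a final `exit 0`, so any other line is an unauthorized command worth review; the datastore listing and the sample file contents are constructed for the demo.

```python
"""Added example (not code from the Juniper write-up or VMware): hunt checks for
the ESXi indicators described in the takeaway. Assumptions, labelled: a stock
local.sh contains only comments, blank lines and a final `exit 0`; the sample
local.sh texts and the datastore listing below are constructed, not captured."""

import re

# Path that the report singles out as a likely malicious addition.
SUSPECT_PATH = "/store/packages/vmtools.py"

# Assumption: the only lines a default local.sh holds are a shebang/comments,
# blank lines and `exit 0`.
BENIGN_LINE = re.compile(r"^\s*(#.*)?$|^\s*exit\s+0\s*$")


def find_unauthorized_commands(local_sh_text):
    """Return (line_number, line) for every line that is not comment/blank/`exit 0`."""
    findings = []
    for number, line in enumerate(local_sh_text.splitlines(), start=1):
        if not BENIGN_LINE.match(line):
            findings.append((number, line.strip()))
    return findings


def looks_like_masquerading_script(source):
    """Flag a datastore script carrying a VMware-style copyright notice, the
    masquerading trait the report attributes to vmtools.py."""
    text = source.lower()
    return "copyright" in text and "vmware" in text


def hunt_esxi_host(local_sh_text, datastore_files):
    """datastore_files: {path: contents} for files under /store. Constructed here;
    on a real host they would be read from the persistent datastore."""
    suspect_files = []
    for path, contents in datastore_files.items():
        reasons = []
        if path == SUSPECT_PATH:
            reasons.append("path matches the reported backdoor location")
        if path.endswith(".py") and looks_like_masquerading_script(contents):
            reasons.append("VMware copyright notice in a datastore script")
        if reasons:
            suspect_files.append((path, reasons))
    return {
        "unauthorized_commands": find_unauthorized_commands(local_sh_text),
        "suspect_files": suspect_files,
    }


# Constructed samples (not captured from a real host).
CLEAN_LOCAL_SH = "#!/bin/sh\n# local configuration options\nexit 0\n"
TAMPERED_LOCAL_SH = (
    "#!/bin/sh\n"
    "# local configuration options\n"
    "\n"
    "/bin/python /store/packages/vmtools.py &\n"
    "exit 0\n"
)
DATASTORE_FILES = {
    "/store/packages/vmtools.py": "# Copyright (c) VMware, Inc.\nimport socket\n",
    "/store/notes.txt": "maintenance window notes\n",
}

if __name__ == "__main__":
    report = hunt_esxi_host(TAMPERED_LOCAL_SH, DATASTORE_FILES)
    for number, line in report["unauthorized_commands"]:
        print(f"local.sh line {number}: {line}")
    for path, reasons in report["suspect_files"]:
        print(f"{path}: {'; '.join(reasons)}")
```

Any line reported by `find_unauthorized_commands` deserves a look regardless of whether it references the known path: the report's persistence relies on local.sh to reapply in-memory changes after a reboot, so a stock file should carry no commands at all.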

New MuddyWater Threat: Old Kitten; New Tricks

(published: December 8, 2022)

Background:

In 2020-2022, the Iran-sponsored MuddyWater (Static Kitten, Mercury) group cycled through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.

Takeaway:

Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization.
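A worked version of that advice, added here as an example (not code from Deep Instinct): build a baseline of processes normally seen across the estate, then triage a new host snapshot for remote administration tools the organization has not approved. Assumptions, labelled in the code: snapshots are lists of (image name, path) tuples as an EDR or inventory tool would export; the keyword list is derived from the products named in the summary and is matched as case-insensitive substrings of name and path rather than exact binary names; all snapshots are constructed sample data.

```python
"""Added example (not from the Deep Instinct report): process baseline plus
triage for unapproved remote administration tools. Assumptions, labelled:
snapshots are (image name, path) tuples; RMM keywords come from the products
the report names; every snapshot below is constructed sample data."""

from collections import Counter

# Derived from the tools the report names (RemoteUtilities, ScreenConnect, Atera,
# Syncro). Assumption: these substrings occur in the image name or install path.
RMM_KEYWORDS = ("remoteutilities", "rutserv", "screenconnect", "atera", "syncro")


def build_baseline(host_snapshots, min_hosts=2):
    """Image names seen on at least `min_hosts` hosts form the baseline."""
    counts = Counter()
    for snapshot in host_snapshots:
        counts.update({name.lower() for name, _path in snapshot})
    return {name for name, seen in counts.items() if seen >= min_hosts}


def rmm_keywords_in(name, path):
    """Keywords of known remote administration products found in name or path."""
    haystack = f"{name} {path}".lower()
    return [kw for kw in RMM_KEYWORDS if kw in haystack]


def triage_snapshot(snapshot, baseline, approved_rmm=()):
    """Findings in snapshot order: unapproved RMM tools are high severity;
    anything else absent from the baseline is low severity, queued for review."""
    approved = {a.lower() for a in approved_rmm}
    findings = []
    for name, path in snapshot:
        hits = [kw for kw in rmm_keywords_in(name, path) if kw not in approved]
        if hits:
            findings.append({"process": name, "path": path, "severity": "high",
                             "reason": "unapproved remote administration tool: "
                                       + ", ".join(hits)})
        elif name.lower() not in baseline:
            findings.append({"process": name, "path": path, "severity": "low",
                             "reason": "not in process baseline"})
    return findings


# Constructed snapshots from three hosts of a fictional estate that uses Atera.
BASELINE_SNAPSHOTS = [
    [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
     ("explorer.exe", r"C:\Windows\explorer.exe"),
     ("AteraAgent.exe", r"C:\Program Files\Atera\AteraAgent.exe")],
    [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
     ("explorer.exe", r"C:\Windows\explorer.exe"),
     ("AteraAgent.exe", r"C:\Program Files\Atera\AteraAgent.exe")],
    [("svchost.exe", r"C:\Windows\System32\svchost.exe"),
     ("explorer.exe", r"C:\Windows\explorer.exe")],
]

# Constructed snapshot of a host to triage; image names are illustrative only.
NEW_SNAPSHOT = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("AteraAgent.exe", r"C:\Program Files\Atera\AteraAgent.exe"),
    ("SyncroAgent.exe", r"C:\Program Files\Syncro\SyncroAgent.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SNAPSHOTS)
    for finding in triage_snapshot(NEW_SNAPSHOT, baseline, approved_rmm=("atera",)):
        print(f"[{finding['severity']}] {finding['process']}: {finding['reason']}")
```

The approved list matters: the same Atera agent that is legitimate in this fictional estate is exactly the tool MuddyWater abused elsewhere, so the check is "is this RMM product sanctioned here", not "is this RMM product malicious".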


Babuk Ransomware Variant in Major New Attack

(published: December 7, 2022)

Background:

In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification lowers detection by abusing a legitimate Microsoft-signed process: DLL side-loading into NTSD.exe, a Symbolic Debugger tool for Windows. The mechanism for removing the available Shadow Copies was changed to Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They compromised the company's domain controller and used it to distribute the ransomware to all devices within the organization through a Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains the files for DLL side-loading and an open-source-based reflective loader (OCS files).

Takeaway:

The attackers strive to improve their evasion techniques: at certain stages their malware hides behind Microsoft-signed processes and resides primarily in device memory. This increases the need for a defense-in-depth approach and robust monitoring of your organization's domain.

DEV-0139 Launches Targeted Attacks Against the Cryptocurrency Industry

(published: December 6, 2022)

Background:

DEV-0139, a suspected state-sponsored group, has been involved in sophisticated targeting of the cryptocurrency investment industry. The social engineering phase of the attack started in October 2022. The attackers showed deep knowledge of the targeted industry; they communicated with targets both in existing and in newly created, attacker-controlled Telegram groups. After gaining initial trust, DEV-0139 delivers malicious macros in an XLS spearphishing attachment (an alternative infection chain starts with a malicious MSI file). The attackers rely on DLL side-loading to execute the final payload, the Wolfic implant.

Takeaway:

Attackers go to great lengths in their social engineering attacks, creating fake professional profiles and groups. It is important to combine anti-phishing awareness with system hardening. Do not disable runtime macro scanning by the Antimalware Scan Interface. Implement rules to block Office applications from creating executable content, block Office communication applications from creating child processes, and block Win32 API calls from Office macros.

Vice Society: Profiling a Persistent Threat to the Education Sector

(published: December 6, 2022)

Background:

Among ransomware groups targeting the education sector in 2022, Vice Society was the most impactful, with at least 33 educational institutions listed on the group's data leak site. Vice Society's other common victims include healthcare and regional governments, followed by 15 other targeted industries. The group targeted 29 countries, with approximately half of the cases in the US and the UK. In their attacks, Vice Society uses commodity ransomware families such as the Linux-targeting variant of HelloKitty (FiveHands) and the Windows-targeting Zeppelin ransomware.

Takeaway:

Ransomware is an evolving threat that requires a defense-in-depth approach. For backups, follow the 3-2-1 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable through segmentation, offline storage, encrypting data at rest, and limiting the storage of personal and sensitive data.

Infected WordPress Plugins Redirect to Push Notification Scam

(published: December 6, 2022)

Background:

A new malicious campaign targeting WordPress websites adds a listener to the whole page's onclick event, causing fraudulent redirects whenever a site visitor clicks on any link. Sucuri researchers discovered that the malicious script avoids detection by using obfuscation followed by an unusual hexadecimal encoding of the binary string. Additionally, this script detects open Developer Tools using multiple alternative methods, implemented in the following functions: checkByImageMethod, checkDevByScreenResize, detectDevByKeyboard, checkByFirebugMethod, and checkByProfileMethod.

Takeaway:

Website owners should pay attention to the feedback from website visitors as some malicious activity can be seen only by those who match certain profiling (such as the absence of dev tools). Update and patch your content management system, plugins, themes, and other extensible components.

Defcon Skimming: A New Batch of Web Skimming Attacks

(published: December 5, 2022)

Background:

Jscrambler researchers analyzed three new web-skimming clusters (categorized under the Magecart umbrella term) dubbed Group X, Group Y, and Group Z. All three disguised their malicious JavaScript as Google code (Google Tag Manager or Google Analytics). Common tactics included code obfuscation and referrer fingerprinting. Group X was able to mass-inject its code by exploiting a free, third-party JavaScript library that was discontinued in December 2014. They re-registered the abandoned domain name and used it to serve their skimming scripts from the URL at which the old library had been hosted.

Takeaway:

Site administrators should be aware of supply-chain dependencies and remove those that are unsupported and/or abandoned. Keep systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.
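The integrity checks recommended here, and the hash check of key executables in the Citrix ADC takeaway earlier on this page, come down to the same routine: hash a tree, compare it with a known-good manifest, search for a known injection string, and list recently modified files. The following is an added example serving both takeaways; it is not code from NSA, Citrix, Jscrambler or any other vendor. Assumptions, labelled in the code: a manifest of path to hash was recorded from a known-good system (vendor-published hashes, such as the MD5 values for the appliance executables, serve the same purpose via the `algorithm` parameter); the sample site tree, the 30-day age of the untouched files and the injection marker inside `demo()` are constructed.

```python
"""Added example (not vendor code) serving the Citrix ADC hash check and the
post-infection integrity review for a web site. Assumptions, labelled: a
known-good manifest exists; the tree, file ages and marker in demo() are
constructed for the demonstration."""

import hashlib
import os
import tempfile
import time


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks; pass "md5" to compare against MD5 reference values."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root, algorithm="sha256"):
    """Map every file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[_relative(full, root)] = hash_file(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Files whose hash changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_files_containing(root, marker):
    """Search the tree for every file carrying a known injection string."""
    needle = marker.encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as handle:
                if needle in handle.read():
                    hits.append(_relative(full, root))
    return sorted(hits)


def recently_modified(root, within_seconds):
    """Files whose modification time falls inside the review window."""
    cutoff = time.time() - within_seconds
    recent = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                recent.append(_relative(full, root))
    return sorted(recent)


def demo():
    """Build a constructed site tree, record a baseline, simulate tampering, report."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    files = {
        "core/app.php": b"<?php echo 'hello'; ?>\n",
        "core/lib.js": b"function f() { return 1; }\n",
        "assets/readme.txt": b"placeholder asset\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    # Age the known-good files (constructed: 30 days) so only tampering shows as recent.
    old = time.time() - 30 * 86400
    for rel in files:
        os.utime(os.path.join(root, rel), (old, old))
    baseline = build_manifest(root)

    # Constructed tampering: append a marker to one core file and drop a new file.
    marker = "/* constructed-injection-marker */"
    with open(os.path.join(root, "core/lib.js"), "ab") as handle:
        handle.write(marker.encode() + b"\n")
    with open(os.path.join(root, "core/dropper.php"), "wb") as handle:
        handle.write(marker.encode())

    return {
        "diff": compare_manifests(baseline, build_manifest(root)),
        "injected": find_files_containing(root, marker),
        "recent": recently_modified(root, 86400),
    }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

In practice the baseline manifest is produced from a clean install or from the vendor's published values and stored off the host, since a manifest kept on a compromised appliance or web server can be edited along with the files it describes; the mtime review is a triage aid only, as timestamps are trivially reset.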

