LastPass Hackers Stole Source Code

(published: August 26, 2022)

Background:

In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.

Takeaway:

This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors.

Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.

Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli

(published: August 25, 2022)

Background:

Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools).

For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).

Takeaway:

Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.

Deepfake Video Call: Scammers Create ‘AI Hologram’ of C-Suite Crypto Exec

(published: August 25, 2022)

Background:

Cryptocurrency exchange Binance reported a first instance of video spoofing being used in real-life social engineering attacks. First, the attackers were creating accounts impersonating Binance employees and executives on social networks such as LinkedIn, Telegram, Twitter, etc. Then, they were starting a conversation with another company in the same industry and proceeding with giving a Zoom video call invitation.

Finally, during the video call they used the deepfake technology to impersonate the identity of Binance chief communications officer (CCO). Based on old publicly available videos they were able to synthesize a video stream of the Binance CCO making the attackers’ talking points.

Takeaway:

From spoofing sender email, logo, and voice, to spoofing a person in a video, the attackers can go a long way to confuse and social engineer their target. Companies should have strict protocols regarding critical actions such as fund transfers or downloading unauthorized software. It is important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain.

Kimsuky’s GoldDragon Cluster and Its C2 Operations

(published: August 25, 2022)

Background:

Velvet Chollima (Kimsuky, Thallium) is a North Korea-sponsored cyberespionage group active since at least 2013. In 2022, Kaspersky researchers profiled GoldDragon, a new, complex Velvet Chollima cluster, one of the most frequently used by the group. The GoldDragon infection chain involves malicious Word documents leading to Visual Basic Script (VBS), HTML application (.HTA) files, and, eventually to information-stealing Windows executables.

This infection chain is supported by two command-and-control (C2) clusters, as well as compromised and newly-registered, cloud staging infrastructure. Velvet Chollima uses three fingerprinting roadblocks to limit the exposure of their malicious payloads to intended targets only. It checks that victim OS is Windows, verifies that victim email alias and IP matches the targeting list, and checks for predefined, intentionally misspelled user-agent string “Chnome.”

Takeaway:

Excessive fingerprinting allows Velvet Chollima to deliver benign files to everyone but the intended targets. Researchers can overcome these fingerprinting challenges by utilizing telemetry data and studying server-side scripts related to the infection chain. Velvet Chollima appears to continue targeting entities with connections to the Korean Peninsula. Defenders should concentrate on anti-phishing training and hardening their systems.

Learn about our Penetration Testing Services

Learn More

MagicWeb: NOBELIUM’s Post-Compromise Trick to Authenticate as Anyone

(published: August 24, 2022)

Background:

Microsoft researchers have discovered a post-compromise backdoor dubbed MagicWeb, which is used for persistence by Russia-sponsored APT29 (Cozy Bear, Nobelium). Previously, APT29 was relying on another post-exploitation capability named FoggyWeb which was capable of exfiltrating the configuration database of compromised Active Directory Federated Services (AD FS) servers, decrypting token-signing certificates and token-decryption certificates. MagicWeb goes one step further by facilitating covert access directly.

It is a malicious DLL that APT29 places instead of a legitimate DLL once the attackers have admin access to the AD FS system. MagicWeb allows manipulation of the user authentication certificates used for authentication and passed in tokens generated by an AD FS server. MagicWeb will cause the authentication request to bypass the standard AD FS process including multi-factor authentication (MFA) when it encounters a non-standard Enhanced Key Usage Object Identifier (OID) value that is hardcoded in MagicWeb.

Takeaway:

Since MagicWeb deployment happens once the attackers have admin access to the AD FS server, organizations should concentrate on the defense-in-depth approach to deny APT29 the opportunity for this privilege access.

Organizations should ensure they only have the minimum number of AD administration accounts needed for operation, these accounts should be: unique and separated from any other accounts; tied to key, named individuals; and their activities monitored and audited (including to the owner so they can flag any anomalous activity).

It is also important to take steps in identifying, updating, and hardening your AD FS server and ensuring it is segmented from other hosts in the environment and not accessible from the internet, if feasible. If an organization is not resourceful enough to take proper care of their on-premise AD FS server, they might consider a cloud deployment option.

Detection opportunities include checking the Global Assembly Cache (GAC) or AD FS directories portable for executables that aren’t signed by Microsoft. Ensure logging including enhanced key usage (EKU) attributes for AD FS events and certificate issuance.

LockBit Ransomware Blames Entrust for DDoS Attacks on Leak Sites

(published: August 22, 2022)

Background:

On June 18, 2022, digital security giant Entrust was breached by a ransomware group leading to data loss. On August 18, 2022, the LockBit ransomware group posted about the Entrust breach on their Tor leak site and started to leak the data (accounting and legal documents and marketing spreadsheets). Soon after the first screenshots were leaked by Lockbit, their data leak site became unavailable. LockBit claims to be a target of a DDoS attack related to the Entrust breach as the user-agent string in the HTTP GET requests specifically says “DELETE_ENTRUSTCOM_[Expletive].” It is hard to independently verify and attribute the reported DDoS attack.

Takeaway:

In response to this interruption due to the DDoS attack, Lockbit announced mitigation plans: providing each locker build with an unique data leakage site link and creating a clearnet mirror on a “bulletproof” hosting. Additionally, Lockbit announced they decided to add DDoS threat as an addition to their current double-extortion scheme.

HavanaCrypt Ransomware Masquerading as Google Update

(published: August 22, 2022)

Background:

HavanaCrypt is new ransomware that was first observed in June 2022. It is an advanced ransomware with extensive defense evasion and command and control capabilities. Cybereason researchers investigated a 7z archive file containing a HavanaCrypt Windows executable masquerading as a Google software update (spoofing the file name and Copyright data in the file version information).

HavanaCrypt static anti-analysis techniques include the use of the .NET binary obfuscator Obfuscar, and use of a sophisticated group of internal functions that obfuscate strings. Upon execution, HavanaCrypt implements several runtime anti-analysis techniques: it uses the attribute [DebuggerStepThrough] forcing a debugger to step through the code and it tries multiple ways to detect virtual environment artifacts.

Takeaway:

If prompted to update their browser, users should only update through official channels. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.

BianLian: New Ransomware Variant On The Rise

(published: August 18, 2022)

Background:

BianLian is a new Go-based ransomware with anti-debugging and cross-platform functionalities. Cyble researchers observe BianLian getting more popular with nine victim organizations across various sectors being featured on the BianLian data leak site. This ransomware is notable for its extensive use of multithreading. It starts encrypting files available in the connected drives, drops the ransom notes and proceeds to encrypt certain file types on local disks. It divides the data that is being encrypted into small chunks (10 bytes) as a method to evade detection by antivirus products.

Takeaway:

When the attackers use a new, previously-untested encryption technique, it adds to the risk that the victim’s files won’t be decrypted even if ransom is paid. Users are advised to disconnect external storage devices when not in use, implement network segmentation where possible. Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed.

Observed Threats

Velvet Chollima

Velvet Chollima, also known as “Kimsuky”, is a suspected APT group believed to be linked to the Democratic People’s Republic of Korea (DPRK). Active since at least 2013, the primary motive of the group is espionage against South Korea. An increase of activity occurred during the period of the 2018 summit between United States President Donald Trump and DPRK Leader Kim Jong-Un.

APT29

The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users

A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Learn about our Penetration Testing Services

Learn More