New RisePro Stealer Distributed by the Prominent PrivateLoader

(published: December 22, 2022)

Background:

RisePro is a new commodity infostealer that is sold and supported through Telegram channels. Credential logs harvested by RisePro have been for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed-software credentials, and passwords. RisePro was delivered by PrivateLoader, and the two malware families share significant code. It also resembles the Vidar stealer in its use of dropped DLL dependencies.

Takeaway:

Infostealers are a continually rising threat for organizations, especially as hybrid workers use their own and other non-corporate devices to access cloud-based resources and applications. Information from these sessions that is useful to attackers can be harvested without the knowledge of the worker or the organization. Network defenders are advised to block known PrivateLoader and RisePro indicators.

Microsoft Research Uncovers New Zerobot Capabilities

(published: December 21, 2022)

Background:

Zerobot (ZeroStresser) is a Go-based botnet that spreads primarily through Internet of Things (IoT) and web-application vulnerabilities. Microsoft researchers analyzed its newest version, Zerobot 1.1, which added new exploits and new distributed denial of service (DDoS) attack methods. For propagation, Zerobot targets Linux-based IoT devices such as firewalls, routers, and cameras, but a version that runs on Windows was also discovered. Zerobot uses at least two dozen exploits, including recently added ones for vulnerabilities in Apache (CVE-2021-42013), Apache Spark (CVE-2022-33891), MiniDVBLinux (ZSL-2022-5717), and Roxy-WI (CVE-2022-31137).

Takeaway:

Botnet malware takes advantage of internet-connected devices that are misconfigured or lack security updates. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can help defeat malware that scans for those defaults. Organizations and defenders should know all of their internet-facing assets and keep them under strict monitoring.

Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

(published: December 20, 2022)

Background:

Since February 2022, Palo Alto researchers have detected over 500 new domains associated with Gamaredon (Primitive Bear, Trident Ursa), a threat group attributed to Russia’s Federal Security Service. The group primarily targets Ukraine, but a few English-language lures were detected, as was an unsuccessful attempt to compromise a petroleum refining company in a NATO country. The group constantly refines its malicious phishing attachments and infrastructure. It uses fast-flux DNS to limit the effectiveness of IP blocking. It queries cryptic Telegram posts and the legitimate IP-API service to discover C2 IP information while bypassing DNS. Gamaredon also hides the true IP assignment by using an operational IP for a given subdomain while assigning a fake, benign IP to the root domain.
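As an added defender-side example that is not part of this digest or the Unit 42 report, the Python below applies the two infrastructure traits described above, a root domain parked on a stable address that is disjoint from a rotating pool of subdomain addresses, to constructed passive-DNS records; the domain names and addresses are invented and the root-domain split is a simplification of Public Suffix List handling.

```python
# Added example: flag the DNS pattern described above, a root domain that
# keeps a stable address while its subdomains rotate through a separate
# pool (fast flux).  Records are constructed stand-ins for passive DNS.
from collections import defaultdict
# Constructed records: (ISO timestamp, queried name, resolved IPv4).
# Names and addresses are invented and are not real indicators.
SAMPLE_RECORDS = [
    ("2022-12-01T09:00:00", "example-root.test",    "203.0.113.10"),
    ("2022-12-01T09:05:00", "a1.example-root.test", "198.51.100.21"),
    ("2022-12-01T10:05:00", "a1.example-root.test", "198.51.100.22"),
    ("2022-12-01T11:05:00", "b7.example-root.test", "198.51.100.23"),
    ("2022-12-01T12:05:00", "b7.example-root.test", "198.51.100.24"),
    ("2022-12-02T09:00:00", "example-root.test",    "203.0.113.10"),
    # Benign control: root and subdomain share one stable address.
    ("2022-12-01T09:00:00", "benign.test",          "192.0.2.5"),
    ("2022-12-01T09:10:00", "www.benign.test",      "192.0.2.5"),
    ("2022-12-02T09:00:00", "www.benign.test",      "192.0.2.5"),
]

def registrable_root(name):
    """Last two labels as the root (simplification: real code should
    consult the Public Suffix List for multi-label suffixes)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(records, min_sub_ips=3):
    """Return roots whose own addresses never appear in their subdomains'
    address pool while that pool is large and actively rotating."""
    root_ips, sub_ips = defaultdict(set), defaultdict(set)
    sub_changes, last_seen = defaultdict(int), {}
    for _ts, name, ip in sorted(records, key=lambda r: r[0]):
        name = name.lower().rstrip(".")
        root = registrable_root(name)
        if name == root:
            root_ips[root].add(ip)
            continue
        sub_ips[root].add(ip)
        if last_seen.get(name) not in (None, ip):
            sub_changes[root] += 1      # this subdomain moved to a new IP
        last_seen[name] = ip
    findings = {}
    for root in set(root_ips) | set(sub_ips):
        split = bool(root_ips[root]) and root_ips[root].isdisjoint(sub_ips[root])
        flux = len(sub_ips[root]) >= min_sub_ips and sub_changes[root] > 0
        if split and flux:
            findings[root] = {"root_ips": sorted(root_ips[root]),
                              "subdomain_ips": sorted(sub_ips[root]),
                              "subdomain_ip_changes": sub_changes[root]}
    return findings
```

Run against real resolver or passive-DNS exports, the heuristic is a triage aid: legitimate CDN-fronted domains can also show disjoint root and subdomain pools, so findings need review against other indicators.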

Takeaway:

Conduct anti-phishing training and implement best security practices for handling Microsoft Office document attachments. For sensitive networks, consider blocking Telegram messaging and domain lookup tools unless the organization has a specific ongoing use for them.

CVE-2022-41040 and CVE-2022-41082 – Zero-Days in MS Exchange

(published: December 19, 2022)

Background:

An attack on critical infrastructure in August 2022 leveraged two 0-day vulnerabilities in Microsoft Exchange Server. The pair of vulnerabilities was dubbed ProxyNotShell. First, a server-side request forgery (CVE-2022-41040) grants access to the privileged PowerShell endpoint of the Exchange Server API. The attacker initiates the shell, enables its keep-alive option, and then triggers the second vulnerability, a remote code execution flaw (CVE-2022-41082) that uses PowerShell Remoting to open a new process on the target system. The attackers performed DLL side-loading and other post-exploitation steps similar to those previously reported by Trend Micro for an attack delivering LockBit ransomware.

Takeaway:

For Microsoft Exchange administrators it is critical to apply the patches Microsoft released in October 2022, since a working proof of concept was made public in November 2022. When planning for future 0-day vulnerabilities, focus on detecting lateral movement, malicious outgoing traffic, and data exfiltration.

Observed Threats

Gamaredon Group

The Advanced Persistent Threat (APT) group “Gamaredon” is believed to be a Russia-based group that has been active since at least 2013. The group is known for conducting cyber espionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military.

The Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in their report on a cyberespionage campaign dubbed “Operation Armageddon” in April 2015, according to Palo Alto Networks Unit 42 researchers. This led Unit 42 researchers, in February 2017, to name the group “Gamaredon Group” because they believe the group conducted Operation Armageddon.

The Gamaredon group has shown an increase in technical capabilities since the 2013 report discussing Operation Armageddon, with the creation and distribution of its own custom malware, dubbed Gamaredon Pteranodon. Prior to this, the group was known for using malicious tools, and legitimate tools repurposed for malicious ends, that could be purchased through legitimate vendors and underground markets. This custom malware was used in targeted attacks against Ukrainian entities and individuals. The Security Service of Ukraine (SBU) attributes this malicious activity against the country to the 16th (for Federal Agency of Government Communications and Information) and 18th Centers of the Russian Federal Security Service (FSB).
