Microsoft Investigates Iranian Attacks Against the Albanian Government

(published: September 8, 2022)

Background:

Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers began with an initial intrusion in May 2021, proceeded with mailbox exfiltration between October 2021 and January 2022, and organized controlled leaks; the campaign culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to Predatory Sparrow’s June 2021 anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.

Takeaway:

The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as a form of direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country’s embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity.

BRONZE PRESIDENT Targets Government Officials

(published: September 8, 2022)

Background:

Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.

Takeaway:

Many advanced attacks start with basic techniques, such as an unwarranted email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.

Ransomware Developers Turn to Intermittent Encryption to Evade Detection

(published: September 8, 2022)

Background:

SentinelOne researchers describe a new technique used by multiple ransomware operators: intermittent encryption. Starting from a certain file size, their ransomware performs partial encryption: it encrypts the start of the file and then alternates between skipping a portion of the file and encrypting a portion. Intermittent encryption allows for faster disk encryption and helps evade detection that relies on spotting a high intensity of file I/O operations. Several ransomware groups use it, including Agenda, Black Basta, BlackCat, PLAY, and Qyick ransomware.

Takeaway:

Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
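A defender-side sketch of what the intermittent pattern described above looks like in a file, added here as an example and not taken from the SentinelOne report: per-chunk Shannon entropy exposes the alternation between encrypted and skipped regions. The chunk size, thresholds and function names are assumptions, and the sample buffers are constructed, with random bytes standing in for ciphertext.

```python
import itertools
import math
import os
from collections import Counter

CHUNK = 4096  # analysis window in bytes (assumed value)
HIGH = 7.5    # bits/byte: at or above this a chunk looks encrypted or compressed
LOW = 6.0     # bits/byte: at or below this a chunk looks like ordinary content


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_chunks(data: bytes, chunk: int = CHUNK) -> str:
    """One mark per full chunk: 'H' high entropy, 'L' low, '-' in between."""
    marks = []
    for off in range(0, len(data) - chunk + 1, chunk):
        e = entropy(data[off:off + chunk])
        marks.append("H" if e >= HIGH else "L" if e <= LOW else "-")
    return "".join(marks)


def looks_intermittent(data: bytes, min_runs: int = 3) -> bool:
    """True if the file opens with a high-entropy run and contains at least
    min_runs high-entropy runs separated by low-entropy runs."""
    runs = [mark for mark, _ in itertools.groupby(classify_chunks(data))]
    return (bool(runs) and runs[0] == "H"
            and runs.count("H") >= min_runs
            and runs.count("L") >= min_runs - 1)


def build_sample(pattern: str, chunk: int = CHUNK) -> bytes:
    """Constructed test data: 'E' = random bytes standing in for ciphertext,
    'P' = repetitive log text standing in for untouched plaintext."""
    plain = (b"2022-09-08 12:00:00 INFO backup job finished ok\n" * chunk)[:chunk]
    return b"".join(os.urandom(chunk) if p == "E" else plain for p in pattern)


if __name__ == "__main__":
    for name, pattern in [("intermittent", "EPPEPPEPP"),
                          ("fully encrypted", "EEEEEE"), ("untouched", "PPPPPP")]:
        data = build_sample(pattern)
        print(f"{name:16} {classify_chunks(data):10} {looks_intermittent(data)}")
```

Treat a hit as a triage signal only: legitimate formats that interleave compressed streams with plain metadata can show a similar profile.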

PlugX RAT Loader Evolution

(published: September 8, 2022)

Background:

Cybereason researchers analyzed the evolution of the PlugX malware family, a modular Remote Access Trojan (RAT) with backdoor, exfiltration, and keystroke grabbing functionality. Since 2008, PlugX has been used for high-profile targeting by several China-sponsored groups such as Emissary Panda (APT27). One typical PlugX infection chain includes an archived spearphishing attachment containing two malicious files and one legitimate executable used for DLL side-loading. From 2012 through 2022, PlugX was updated regularly, with new versions varying in their defense evasion and obfuscation implementations.

Takeaway:

The DLL side-loading technique provides the malware developer with various combinations, allowing the PlugX developers to avoid major changes in the malware and its deployment methods. PlugX remains a well-maintained malware project for China-sponsored APTs. Many advanced attacks start with basic techniques, such as an unwarranted email with a malicious attachment that requires the user to open and execute it. It is important to teach your users basic online hygiene and phishing awareness. Organizations should implement defense-in-depth and patch management approaches.


Alert (AA22-249A) #StopRansomware: Vice Society

(published: September 6, 2022)

Background:

Following a number of ransomware attacks on US colleges and especially K-12 institutions, the Cybersecurity and Infrastructure Security Agency issued a warning regarding the Vice Society ransomware group. This double-extortion ransomware group has been active since May 2021. It relied on ransomware-as-a-service offerings: in 2021, HelloKitty ransomware for Linux, and in 2022, Zeppelin ransomware for Windows. Once inside, the group was using tools including Cobalt Strike, PowerShell Empire, and SystemBC to move laterally, and it was observed exploiting the PrintNightmare vulnerability to escalate privileges. Specifically, two of the three PrintNightmare variants were abused: CVE-2021-1675 and CVE-2021-34527.

Takeaway:

Threat actors will often attempt to exploit old vulnerabilities that already have patches because there is a lot of open source information on said vulnerabilities. This makes it easier to use an exploit for the vulnerability because proof-of-concept code is likely available and ready to be weaponized. Therefore, having patch policies and business continuity plans in place is crucial to maintaining a good security posture. Additionally, organizations should schedule vulnerability scanning and pentesting services and close unused remote capabilities.

DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa

(published: September 6, 2022)

Background:

Check Point researchers described DangerousSavanna, a spearphishing campaign targeting financial institutions in Cameroon, Ivory Coast, Morocco, Senegal, and Togo. Since the end of 2020, DangerousSavanna has been employing various tools and methods, trying different file types and infection chains. Most recently, DangerousSavanna spearphishing lures written in French had ZIP or ISO attachments containing maldocs. User execution leads to PowerShell script downloading and executing beacons and payloads belonging to the PoshC2 post-exploitation C2 framework. DangerousSavanna employs various evasion techniques including waiting for a mouse click and employing AMSI bypass measures.

Takeaway:

Despite heavy reliance on open-source tools and penetration testing software, DangerousSavanna’s persistent attempts at infiltration allowed them to breach some of the targets. It is important to keep in mind that even a single employee who can be confused by social engineering puts the whole organization at risk.

Mirai Variant MooBot Targeting D-Link Devices

(published: September 6, 2022)

Background:

Palo Alto Networks researchers analyzed a new Mirai botnet variant dubbed MooBot. It spreads by exploiting four known vulnerabilities in D-Link network and connectivity devices (CVE-2015-2051, CVE-2018-6530, CVE-2022-28958, and CVE-2022-26258). The main objective for the botnet handlers is the ability to launch distributed denial-of-service (DDoS) attacks.

Takeaway:

D-Link users should apply security upgrades and patches where possible. Otherwise, your organization should have specific DDoS protection tools deployed across its internet-facing assets and a solid business resilience and DDoS recovery plan.

Observed Threats

Vice Society

Vice Society is a double-extortion ransomware group active since May 2021. It relies on commodity crypters (ransomware). In 2021, Vice Society was using HelloKitty ransomware for Linux, and in 2022, it switched to the Zeppelin Ransomware-as-a-Service targeting Windows. Vice Society has been starting its intrusions by exploiting internet-facing applications. Once inside, the group was using tools including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally, and it was observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges. “Vice Society” is a self-identification name; the group also has a preferred extension “.v-society.” for the encrypted files.
