Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report

(published: October 7, 2021)

Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 were attributed to Russian state-sponsored threat groups, most notably Cozy Bear (APT29, Nobelium), which is associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were their top three targets. Year over year, Russian Advanced Persistent Threat (APT) actors raised their successful-compromise rate from 21% to 32%. They achieved this by opening attacks with supply-chain compromise, using effective tools such as web shells, and improving their ability to target cloud environments. Russian APTs are increasingly targeting government agencies for intelligence gathering: such agencies jumped from 3% of their targets a year ago to 53%, largely agencies involved in foreign policy, national security, or defense. Following Russia by number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As collecting intrusions for potential disruption operations against critical infrastructure became too risky for Russia, it refocused on gaining access and harvesting intelligence. The scale and growing effectiveness of this cyberespionage require a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran

Ransomware in the CIS

(published: October 7, 2021)

Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS), and they avoid targeting this region. Still, businesses in the CIS are at risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021: BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were distributed mainly by cracking Remote Desktop Protocol (RDP) passwords. The majority of the actors behind the ransomware are likely based outside of the CIS; for example, the Fonix ransomware will not run if the host's IP address geolocates to Iran.
Analyst Comment: Create strong passwords for domain accounts and change them regularly. Block RDP access from the internet and use a VPN to connect to the corporate network instead.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: BigBobRoss, TheDMR, Crysis, Dharma, CryLock, Limbozar, Odveta, Ouroboros, Fonix, XINOF, CryptConsole, Cryakl, Phobos, Eking, Thanos, Hakbit, XMRLocker, VoidCrypt, Russia, CIS, Iran, Ransomware, Encryption, Cryptomalware, Ransomware-as-a-Service, Dictionary attack, Brute-force, Telegram

Infosec Experts: Twitch Breach “As Bad as it Gets”

(published: October 7, 2021)

The Amazon-owned gaming and content streaming platform Twitch has confirmed that a breach has taken place, after a hacktivist on the 4chan imageboard started to leak its entire source code, creator information and internal data. Twitch stated that some data was exposed to the internet due to an error in a server configuration change and was subsequently accessed by a malicious third party. The leaked data was allegedly stolen from roughly 6,000 GitHub repositories and includes all of the firm's source code; mobile, desktop and console clients; proprietary software development kits (SDKs) and internal AWS services; and "every other property" it owns, including the gaming database IGDB, the video game mod repository CurseForge, and an unreleased Steam competitor dubbed "Vapor." Also leaked were red-teaming tools used by the firm's security operations and sensitive information on how much it paid its most popular streamers in 2019.
Analyst Comment: The Twitch breach shows the risks to companies that may be exposed to extra hacktivist pressure. It is important to keep your servers secure, with access limited and protected by multi-factor authentication (MFA). Post-breach discussions are still going on: some are concerned about the leaked penetration testing tools, others that the code exposure will enable new attacks on Twitch. For example, potentially dangerous logic was found in the way Twitch code handled user passwords after it migrated from SHA1 to bcrypt hashing.
Tags: Twitch, Amazon, Breach, Data leak, Source code, Red team, Pentesting, Hashing, Bcrypt, SHA1, 4Chan

Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

(published: October 6, 2021)

Cybereason researchers describe Operation GhostShell, a highly targeted cyberespionage campaign against the aerospace and telecommunications industries, mainly in the Middle East, with additional victims in the U.S., Russia, and Europe. During the investigation, the team discovered a previously undocumented remote access trojan (RAT) dubbed ShellClient, which was employed as the primary espionage tool. The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionality, while it evaded antivirus tools and remained undetected and publicly unknown. Assessment of the identity of ShellClient's operators and authors led to the identification of a new Iranian threat actor dubbed MalKamak. In addition, the investigation draws possible connections to other Iran-sponsored APT threat actors such as Remix Kitten (APT39) and Agrius APT.
Analyst Comment: The MalKamak APT group enjoys low detection rates and recently improved its stealth by moving from traditional C2 servers to C2 channels hidden in legitimate cloud services such as Dropbox. A defence-in-depth approach requires detection and identification capabilities (such as Anomali Match) that can quickly search the infrastructure for known IOCs, combined with a threat intelligence platform (TIP, such as Anomali ThreatStream) to ingest IOCs and add context about them and the threat actors behind them.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: ShellClient, MalKamak, Operation GhostShell, Iran, Remix Kitten, APT39, Agrius, ITG07, Chafer, Rana Intelligence Computing, PAExec, PsExec, SafetyKatz, Europe, USA, Russia, Middle East, Aerospace, Telecommunication

Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server

(published: October 6, 2021)

Anomali Threat Research has discovered an open server belonging to the German-speaking threat group TeamTNT. The group has been targeting cloud environments to deploy cryptojacking malware since at least April 2020. The directory appears to have been in use since at least August 2021 and was still in use as of October 5, 2021. The server contains source code, scripts, binaries, cryptominers targeting cloud environments, and Amazon Web Services (AWS) credentials stolen by the TeamTNT AWS Stealer.
Analyst Comment: This insight into TeamTNT's arsenal can help security operations teams improve detection capabilities for related attacks. Ensure that any cloud storage services you use are properly configured to allow access only to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: TeamTNT, Cryptojacking, Diamorphine Rootkit, Mountsploit, TeamTNT Bot, Peirates, Masscan, Chimaera, TNT_GPU, XMRig, AWS, TeamTNT AWS Stealer

Drawing a Dragon: Connecting the Dots to Find APT41

(published: October 5, 2021)

The Chinese Advanced Persistent Threat (APT) group Wicked Panda (APT41) has been identified using Cobalt Strike to target victims in India. The campaign used COVID-19 phishing lures masquerading as communications from Indian government entities. It resembled a previously documented APT41 campaign in its use of domains and subdomains typosquatting Microsoft with an almost identical naming convention. The group has been using a bespoke Malleable command-and-control (C2) profile for its Cobalt Strike beacons. BlackBerry researchers were able to connect several APT41 campaigns by extracting and correlating the HTTP headers used in the GET and POST requests defined in the Cobalt Strike Beacon configurations.
Analyst Comment: Both APT groups and financially motivated threat actors are increasingly using customizable Cobalt Strike tooling, as the framework went from a red-team penetration testing tool to being widely available in paid, leaked, and cracked versions. Proactive research into Cobalt Strike traffic and Cobalt Strike Beacon profiles can help defenders with detection and potential attribution.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: APT41, China, India, Cobalt Strike beacon, Cobalt Strike, Malleable C2 profile, Government, Healthcare, COVID-19, Wicked Panda, Phishing
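The header-correlation technique described above, as an added example that is not from the BlackBerry report or from Anomali: it takes Beacon-config excerpts (constructed samples, with assumed field names), drops per-deployment header values such as Host, and clusters samples whose Malleable C2 User-Agent and GET/POST header sets match, which is how reused profiles surface across otherwise unrelated infrastructure.

```python
import hashlib
from collections import defaultdict

# Headers that vary per deployment rather than per profile are dropped, so the
# fingerprint reflects the operator's Malleable C2 profile, not one C2 host.
VOLATILE = {"host", "cookie", "content-length"}

def normalise(headers):
    """Lower-case header names, drop volatile ones, sort for order independence."""
    kept = []
    for line in headers:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name not in VOLATILE:
            kept.append(f"{name}:{value.strip()}")
    return sorted(kept)

def fingerprint(cfg):
    """Hash the User-Agent plus the normalised http-get/http-post header sets.
    URIs are left out on purpose: they change per campaign more often than headers."""
    parts = [cfg["useragent"]]
    for block in ("http_get", "http_post"):
        parts.append(block + "|" + "|".join(normalise(cfg[block]["headers"])))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]

def cluster(samples):
    """Group sample names by fingerprint; one cluster suggests one reused profile."""
    groups = defaultdict(list)
    for name, cfg in samples.items():
        groups[fingerprint(cfg)].append(name)
    return {fp: sorted(names) for fp, names in groups.items()}

# Constructed Beacon-config excerpts, not real APT41 data. The layout mimics what a
# config extractor exposes for the http-get/http-post blocks; key names are assumed.
SAMPLES = {
    "sample-a": {"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90",
        "http_get": {"uri": "/api/v2/status", "headers": ["Accept: application/json",
            "Host: cdn-a.example.invalid", "X-Requested-With: XMLHttpRequest"]},
        "http_post": {"uri": "/api/v2/submit", "headers": [
            "Content-Type: application/octet-stream", "Host: cdn-a.example.invalid"]}},
    "sample-b": {"useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90",
        "http_get": {"uri": "/portal/health", "headers": ["X-Requested-With: XMLHttpRequest",
            "Host: cdn-b.example.invalid", "Accept: application/json"]},
        "http_post": {"uri": "/portal/upload", "headers": [
            "Content-Type: application/octet-stream", "Host: cdn-b.example.invalid"]}},
    "sample-c": {"useragent": "Mozilla/5.0 (Windows NT 6.1) Trident/7.0",
        "http_get": {"uri": "/api/v2/status", "headers": ["Accept: */*", "Host: cdn-a.example.invalid"]},
        "http_post": {"uri": "/api/v2/submit", "headers": ["Content-Type: text/plain", "Host: cdn-a.example.invalid"]}},
}
```

Running `cluster(SAMPLES)` places sample-a and sample-b in one cluster despite their different C2 hosts and URIs, while sample-c stands alone.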

Python Ransomware Script Targets ESXi Server for Encryption

(published: October 5, 2021)

Sophos investigated one of the quickest ransomware attacks seen on a VMware ESXi server: just over three hours from the initial compromise of the victim's network to encryption of the virtual disks. While administrator configuration errors made the quick attack possible, the researchers also found that a custom 6 KB Python script was used to encrypt the victim's virtual machines. Python is not common in ransomware, but Linux-based ESXi servers have Python installed by default. The attackers were able to log in to a TeamViewer account that did not have multi-factor authentication (MFA) enabled and was running on a Domain Administrator's machine. They ran Advanced IP Scanner to find a VMware ESXi host with the SSH service turned on and used the Bitvise SSH client to log into it. They copied the Python script to the ESXi datastore. The script was run separately for each datastore disk volume; it shuts down the virtual machines, encrypts their files, overwrites the originals, and deletes them, leaving only the encrypted versions behind.
Analyst Comment: VMware ESXi is one of the most popular enterprise virtual machine platforms and is heavily targeted by several ransomware groups. Administrators should follow the best practices published by VMware, secure their remote access with multi-factor authentication (MFA), and disable the ESXi Shell after use.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Remote Services - T1021
Tags: Python, ESXi, VMware, Ransomware, Virtual machine, TeamViewer, ESXi Shell, Bitvise, Advanced IP Scanner

Misconfigured Airflows Leak Thousands of Credentials from Popular Services

(published: October 4, 2021)

Apache Airflow, an extremely popular open source workflow management platform, has been found to be vulnerable to a misconfiguration that allows internet-wide access, according to Intezer researchers. The misconfigured instances expose sensitive information of companies across the biotech, cybersecurity, energy, finance, health, information technology (IT), manufacturing, media, and transportation industries. The exposed credentials belong to popular services including cloud hosting providers, payment processors, and social media platforms, among them Amazon Web Services (AWS), PayPal, and Slack. The main risk comes from the combination of an outdated Airflow instance exposed in the cloud and insecure coding practices. Additionally, the Airflow plugins and Airflow Variables features could allow external editing, resulting in malicious code execution and malware being launched on the exposed production environments and even on Airflow itself. Intezer has notified affected entities to fix their misconfigurations.
Analyst Comment: Many of the discovered security issues can be mitigated by updating Apache Airflow to the current major release, version 2. Limit access to your cloud instances to authorized users only. Implement secure coding practices: passwords should not be hardcoded, put in "Extra" Airflow Connection fields, or added via the command line interface (CLI) in versions prior to 1.10.13 (CVE-2020-17511). Use fully qualified names for images and dependencies to avoid possible dependency confusion attacks.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Unsecured Credentials - T1552
Tags: Apache Airflow, Cloud, Misconfiguration, Data leak, Insecure coding practices, AWS, PayPal, CVE-2020-17511, Media, Finance, Manufacturing, Information technology, Biotech, Health, Energy, Cybersecurity, Transportation
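A defensive check for the "no hardcoded passwords, nothing sensitive in Extra" advice above, as an added example that is not from Intezer or from the Apache Airflow project: it parses DAG source with Python's `ast` module (so Airflow does not need to be installed) and flags string-literal secrets passed to Connection-style calls, including secrets tucked into an `extra` dict; the DAG fragments are constructed.

```python
import ast

# Keyword arguments whose string-literal values almost always mean a secret was
# committed with the DAG. "extra" is included because Airflow's Connection "Extra"
# field is frequently (mis)used to carry passwords and API keys.
SECRET_KWARGS = {"password", "passwd", "secret", "token", "api_key", "extra"}

def _call_name(func):
    """Render call targets such as Connection or BaseHook.get_connection as text."""
    if isinstance(func, ast.Attribute):
        return _call_name(func.value) + "." + func.attr
    return getattr(func, "id", "?")

def _is_literal_secret(kw):
    """A bare string literal is a hardcoded secret. For 'extra', a dict literal like
    {"api_key": "live_..."} counts too, but {"api_key": os.environ[...]} does not."""
    value = kw.value
    if isinstance(value, ast.Constant) and isinstance(value.value, str):
        return True
    if kw.arg == "extra":
        for node in ast.walk(value):
            if isinstance(node, ast.Dict):
                for key, val in zip(node.keys, node.values):
                    if (isinstance(key, ast.Constant) and str(key.value).lower() in SECRET_KWARGS
                            and isinstance(val, ast.Constant) and isinstance(val.value, str)):
                        return True
    return False

def find_hardcoded_secrets(source, filename="<dag>"):
    """Return sorted (line, callee, kwarg) for every call passing a literal secret."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg in SECRET_KWARGS and _is_literal_secret(kw):
                    findings.append((node.lineno, _call_name(node.func), kw.arg))
    return sorted(findings)

# Constructed DAG fragments (not from Intezer's report or any real deployment).
BAD_DAG = '''from airflow.models import Connection
import json
conn = Connection(conn_id="wh", conn_type="postgres", login="etl", password="Sup3rSecret!")
pay = Connection(conn_id="pay", conn_type="http", extra=json.dumps({"api_key": "live_abc123"}))
'''
GOOD_DAG = '''from airflow.hooks.base import BaseHook
from airflow.models import Connection
import json, os
conn = BaseHook.get_connection("wh")  # resolved from the configured secrets backend
pay = Connection(conn_id="pay", conn_type="http", extra=json.dumps({"api_key": os.environ["PAY_API_KEY"]}))
'''
```

`find_hardcoded_secrets(BAD_DAG)` reports the password on line 3 and the `extra` API key on line 4, while the environment-backed version passes clean; the same function can be wired into a pre-commit hook over a DAGs folder.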

