August 29, 2022
Anomali Threat Research

Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware,</b> and <b>Russia</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="" target="_blank">LastPass Hackers Stole Source Code</a></h3> <p>(published: August 26, 2022)</p> <p>In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.<br /> <b>Analyst Comment:</b> This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.<br /> <b>Tags:</b> LastPass, Password manager, Data breach, Source code</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli </a></h3> <p>(published: August 25, 2022)</p> <p>Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).<br /> <b>Analyst Comment:</b> Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&CK] Create Account - T1136</a> | <a href="" target="_blank">[MITRE ATT&CK] Server Software Component - T1505</a> | <a href="" target="_blank">[MITRE ATT&CK] Boot or Logon Autostart Execution - T1547</a> | <a href="" target="_blank">[MITRE ATT&CK] Remote Services - T1021</a><br /> <b>Tags:</b> Static Kitten, Mercury, MuddyWater, NOBELIUM, Iranian Ministry of Intelligence, source-country:IR, Ligolo, Venom, PowerShell, RemCom, Mimikatz, ScreenConnect, eHorus, vpnui.exe, CVE-2021-45046, CVE-2021-44228, Log4j 2, Log4Shell, SysAid, Middle East, Israel, target-country:IL, Spearphishing</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Scammers Create &#39;AI Hologram&#39; of C-Suite Crypto Exec</a></h3> <p>(published: August 25, 2022)</p> <p>Cryptocurrency exchange Binance reported a first instance of video spoofing being used in real-life social engineering attacks. First, the attackers were creating accounts impersonating Binance employees and executives on social networks such as LinkedIn, Telegram, Twitter, etc. Then, they were starting a conversation with another company in the same industry and proceeding with giving a Zoom video call invitation. Finally, during the video call they used the deepfake technology to impersonate the identity of Binance chief communications officer (CCO). Based on old publicly available videos they were able to synthesize a video stream of the Binance CCO making the attackers’ talking points.<br /> <b>Analyst Comment:</b> From spoofing sender email, logo, and voice, to spoofing a person in a video, the attackers can go a long way to confuse and social engineer their target. Companies should have strict protocols regarding critical actions such as fund transfers or downloading unauthorized software. It is important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain. Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations and further protect your digital and corporate assets.<br /> <b>Tags:</b> Deepfake, Video spoofing, Social engineering, Cryptocurrency, Binance</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Kimsuky’s GoldDragon Cluster and Its C2 Operations</a></h3> <p>(published: August 25, 2022)</p> <p>Velvet Chollima (Kimsuky, Thallium) is a North Korea-sponsored cyberespionage group active since at least 2013. In 2022, Kaspersky researchers profiled GoldDragon, a new, complex Velvet Chollima cluster, one of the most frequently used by the group. The GoldDragon infection chain involves malicious Word documents leading to Visual Basic Script (VBS), HTML application (.HTA) files, and, eventually to information-stealing Windows executables. This infection chain is supported by two command-and-control (C2) clusters, as well as compromised and newly-registered, cloud staging infrastructure. Velvet Chollima uses three fingerprinting roadblocks to limit the exposure of their malicious payloads to intended targets only. It checks that victim OS is Windows, verifies that victim email alias and IP matches the targeting list, and checks for predefined, intentionally misspelled user-agent string “Chnome.”<br /> <b>Analyst Comment:</b> Excessive fingerprinting allows Velvet Chollima to deliver benign files to everyone but the intended targets. Researchers can overcome these fingerprinting challenges by utilizing telemetry data and studying server-side scripts related to the infection chain. Velvet Chollima appears to continue targeting entities with connections to the Korean Peninsula. Defenders should concentrate on anti-phishing training and hardening their systems. Network indicators connected to the GoldDragon cluster have been added to the Anomali platform.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&CK] System Owner/User Discovery - T1033</a> | <a href="" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="" target="_blank">[MITRE ATT&CK] Credentials from Password Stores - T1555</a><br /> <b>Tags:</b> Velvet Chollima, Thallium, Black Banshee, Kimsuky, GoldDragon, Government, APT, North Korea, source-country:KP, South Korea, target-country:KR, Education, Think tanks, Spearphishing, Macro, Maldoc, Word, Microsoft, Windows, VBA, HTA, Fingerprinting</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">MagicWeb: NOBELIUM’s Post-Compromise Trick to Authenticate as Anyone</a></h3> <p>(published: August 24, 2022)</p> <p>Microsoft researchers have discovered a post-compromise backdoor dubbed MagicWeb, which is used for persistence by Russia-sponsored APT29 (Cozy Bear, Nobelium). Previously, APT29 was relying on another post-exploitation capability named FoggyWeb which was capable of exfiltrating the configuration database of compromised Active Directory Federated Services (AD FS) servers, decrypting token-signing certificates and token-decryption certificates. MagicWeb goes one step further by facilitating covert access directly. It is a malicious DLL that APT29 places instead of a legitimate DLL once the attackers have admin access to the AD FS system. MagicWeb allows manipulation of the user authentication certificates used for authentication and passed in tokens generated by an AD FS server. MagicWeb will cause the authentication request to bypass the standard AD FS process including multi-factor authentication (MFA) when it encounters a non-standard Enhanced Key Usage Object Identifier (OID) value that is hardcoded in MagicWeb.<br /> <b>Analyst Comment:</b> Since MagicWeb deployment happens once the attackers have admin access to the AD FS server, organizations should concentrate on the defense-in-depth approach to deny APT29 the opportunity for this privilege access. Organizations should ensure they only have the minimum number of AD administration accounts needed for operation, these accounts should be: unique and separated from any other accounts; tied to key, named individuals; and their activities monitored and audited (including to the owner so they can flag any anomalous activity). It is also important to take steps in identifying, updating, and hardening your AD FS server and ensuring it is segmented from other hosts in the environment and not accessible from the internet, if feasible. If an organization is not resourceful enough to take proper care of their on-premise AD FS server, they might consider a cloud deployment option. Detection opportunities include checking the Global Assembly Cache (GAC) or AD FS directories portable for executables that aren’t signed by Microsoft. Ensure logging including enhanced key usage (EKU) attributes for AD FS events and certificate issuance.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Data Manipulation - T1565</a> | <a href="" target="_blank">[MITRE ATT&CK] Modify Authentication Process - T1556</a><br /> <b>Tags:</b> MagicWeb, Nobelium, APT29, mitre-group:APT29, Cozy Bear, FoggyWeb, Government, Russia, source-country:RU, USA, target-country:US, target-region:Europe, target-region:Central Asia, MFA bypass, AD FS server</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">LockBit Ransomware Blames Entrust for DDoS Attacks on Leak Sites</a></h3> <p>(published: August 22, 2022)</p> <p>On June 18, 2022, digital security giant Entrust was breached by a ransomware group leading to data loss. On August 18, 2022, the LockBit ransomware group posted about the Entrust breach on their Tor leak site and started to leak the data (accounting and legal documents and marketing spreadsheets). Soon after the first screenshots were leaked by Lockbit, their data leak site became unavailable. LockBit claims to be a target of a DDoS attack related to the Entrust breach as the user-agent string in the HTTP GET requests specifically says “DELETE_ENTRUSTCOM_[Expletive].” It is hard to independently verify and attribute the reported DDoS attack.<br /> <b>Analyst Comment:</b> In response to this interruption due to the DDoS attack, Lockbit announced mitigation plans: providing each locker build with an unique data leakage site link and creating a clearnet mirror on a “bulletproof” hosting. Additionally, Lockbit announced they decided to add DDoS threat as an addition to their current double-extortion scheme.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Network Denial of Service - T1498</a><br /> <b>Tags:</b> Entrust, LockBitSupp, Tor, LockBit, Ransomware, DDoS, Hack back</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">HavanaCrypt Ransomware Masquerading as Google Update</a></h3> <p>(published: August 22, 2022)</p> <p>HavanaCrypt is new ransomware that was first observed in June 2022. It is an advanced ransomware with extensive defense evasion and command and control capabilities. Cybereason researchers investigated a 7z archive file containing a HavanaCrypt Windows executable masquerading as a Google software update (spoofing the file name and Copyright data in the file version information). HavanaCrypt static anti-analysis techniques include the use of the .NET binary obfuscator Obfuscar, and use of a sophisticated group of internal functions that obfuscate strings. Upon execution, HavanaCrypt implements several runtime anti-analysis techniques: it uses the attribute [DebuggerStepThrough] forcing a debugger to step through the code and it tries multiple ways to detect virtual environment artifacts.<br /> <b>Analyst Comment:</b> If prompted to update their browser, users should only update through official channels. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection. Anomali Match can be used to quickly search your infrastructure for known IOCs.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="" target="_blank">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Service Stop - T1489</a> | <a href="" target="_blank">[MITRE ATT&CK] Inhibit System Recovery - T1490</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a><br /> <b>Tags:</b> detection:HavanaCrypt, Ransomware, Obfuscar, Windows, Tor, Defense evasion</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">BianLian: New Ransomware Variant On The Rise</a></h3> <p>(published: August 18, 2022)</p> <p>BianLian is a new Go-based ransomware with anti-debugging and cross-platform functionalities. Cyble researchers observe BianLian getting more popular with nine victim organizations across various sectors being featured on the BianLian data leak site. This ransomware is notable for its extensive use of multithreading. It starts encrypting files available in the connected drives, drops the ransom notes and proceeds to encrypt certain file types on local disks. It divides the data that is being encrypted into small chunks (10 bytes) as a method to evade detection by antivirus products.<br /> <b>Analyst Comment:</b> When the attackers use a new, previously-untested encryption technique, it adds to the risk that the victim’s files won’t be decrypted even if ransom is paid. Users are advised to disconnect external storage devices when not in use, implement network segmentation where possible. Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&CK] Software Discovery - T1518</a> | <a href="" target="_blank">[MITRE ATT&CK] Peripheral Device Discovery - T1120</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Replication Through Removable Media - T1091</a> | <a href="" target="_blank">[MITRE ATT&CK] Indicator Removal on Host - T1070</a><br /> <b>Tags:</b> detection:BianLian, Ransomware, Filecoder, GoLang, Go, qTox, Defense evasion, Multithreading</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week&#39;s Anomali Cyber Watch can be found below:</p> <p><a href="" target="_blank">Velvet Chollima</a><br /> Velvet Chollima, also known as “Kimsuky”, is a suspected APT group believed to be linked to the Democratic People’s Republic of Korea (DPRK). Active since at least 2013, the primary motive of the group is espionage against South Korea. An increase of activity occurred during the period of the 2018 summit between United States President Donald Trump and DPRK Leader Kim Jong-Un.</p> <p><a href="" target="_blank">APT29</a><br /> The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.</p> <p><a href="" target="_blank">Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users</a><br /> A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.</p> <p><a href="" target="_blank">CVE-2021-45046</a><br /> It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.