July 6, 2022
Anomali Threat Research

Anomali Cyber Watch: Russian KillNet DDoSed Lithuania, Building Automation Systems Targeted to Install ShadowPad, China-Sponsored Group Jumps from Home Routers to Connected Machines, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, China, DDoS, Industrial Control Systems, Phishing, Russia, Toll fraud,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/sP0cVTlxQuGkGYMFVnvO"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/" target="_blank">Toll Fraud Malware: How an Android Application Can Drain Your Wallet</a></h3> <p>(published: June 30, 2022)</p> <p>Toll fraud malware (subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe evolution of the toll fraud malware techniques used to abuse the Wireless Application Protocol (WAP) billing. Toll malware can intercept one-time passwords (OTPs) over multiple protocols (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities.<br/> <b>Analyst Comment:</b> Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/" target="_blank">ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks</a></h3> <p>(published: June 28, 2022)</p> <p>Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers leveraged CVE-2020-26878 and CVE-2020-26879 vulnerabilities. Other exploits are yet to be uncovered with the most targeted devices being from ASUS, Cisco, DrayTek and NETGEAR mostly in Canada, the UK, and the US. The attackers were installing a heavily modified version of Mirai botnet dubbed ZuoRAT. ZuoRAT collects information on target networks, collects traffic (credentials passed in the clear, browsing activity) and hijacks network communication. Then the attackers move laterally targeting Windows and other machines on the same network and installing one of the three agents: Cobalt Strike, CBeacon, or GoBeacon.<br/> <b>Analyst Comment:</b> SOHO router users should regularly reboot routers and install security updates. Businesses should ensure robust detection on network-based communications.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947214" target="_blank">[MITRE ATT&amp;CK] Component Object Model Hijacking - T1122</a><br/> <b>Tags:</b> ZuoRAT, SOHO routers, Cobalt Strike, CBeacon, GoBeacon, COM hijacking, APT, China, source-country:CN, USA, target-country:US, Canada, target-country:CA, United Kingdom, target-country:UK, Hong Kong, target-region:HK, Linux, MacOS, Windows, CVE-2020-26878, CVE-2020-26879</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.helpnetsecurity.com/2022/06/27/azure-front-door-phishing-attacks/" target="_blank">Cybercriminals Use Azure Front Door in Phishing Attacks</a></h3> <p>(published: June 27, 2022)</p> <p>Researchers from Resecurity have identified an increase of phishing attacks abusing Azure Front Door (AFD), a cloud content delivery network (CDN) service provided by Microsoft. These phishing pages on the AFD domain were targeting credentials for Adobe, Amazon, Docusign, Office365, and SendGrid. This campaign started in March 2022, with typosquatting/phishing attacks against large online-service providers and corporations in Japan, Middle East, and other countries.<br/> <b>Analyst Comment:</b> As many organizations whitelist major cloud and CDN providers, a defense-in-depth approach is needed to address abuse of these services. Organizations should educate their users to recognize phishing attacks, as well as consider implementing automated phishing recognition through stolen imagery (logo) analysis.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Azure Front Door, Cloud CDN, Phishing, Typosquatting, IT, Japan, target-country:JP, Microsoft, Office365, Adobe, Amazon, Docusign, SendGrid, target-region:Middle East</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.infosecurity-magazine.com/news/killnet-hacks-lithuania-government/" target="_blank">Pro-Russian Hacker Group Killnet Hits Critical Government Websites in Lithuania</a></h3> <p>(published: June 27, 2022)</p> <p>Killnet, a Russia-affiliated hacktivist group, attacked several Lithuanian government websites including Lithuania’s State Tax Inspectorate (STI), and one of the country’s largest accounting service providers. The tensions between the two countries increased after Lithuania limited the transport of Russian goods through its territory in response to the military conflict in Ukraine. The Killnet group uses the Killnet DDoS tool and rented several botnets for $1350 per month, which had a reported capacity of 500GB per second. Flashpoint researchers observed Killnet DDoS attacks on Lithuania prepared since June 18, 2022, starting on June 22, with the major wave coming on June 28, 2022.<br/> <b>Analyst Comment:</b> Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. In addition, the availability for threat actors to compromise vulnerable devices, and purchase DDoS-for-hire is a continually evolving threat. Mitigation techniques can vary depending on the specifics of the attack. Furthermore, a business continuity plan should be in place in the unfortunate case that your company is the target of a significant DDoS attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> Killnet, Russia, source-country:RU, Lithuania, target-country:LT, Anonymous, Ukraine, Government, Accounting, DDoS</p> </div> <div class="trending-threat-article"> <h3><a href="https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/" target="_blank">Attacks on Industrial Control Systems Using ShadowPad</a></h3> <p>(published: June 27, 2022)</p> <p>A China-sponsored threat group (possibly, Hafnium) was targeting Industrial Control Systems (ICS) in telecom companies in Afghanistan, Malaysia, and Pakistan. Specific targeting included engineering computers in building automation systems. Kaspersky ICS researchers detected that this campaign was getting foothold through exploiting Microsoft Exchange Server remote code execution vulnerability CVE-2021-26855 since March 2021 when this vulnerability was disclosed, despite the patch release. The attackers were using DLL hijacking to install the ShadowPad backdoor and additional tools for propagation (Nextnet), access (CobaltStrike, PlugX, Web shells), and credential stealing (BAT files).<br/> <b>Analyst Comment:</b> Organizations should use licensed and regularly updated server software. If a security patch could not be installed, use additional mitigation measures utilizing firewalls and limiting the connectivity of the vulnerable system.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947257" target="_blank">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947257" target="_blank">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3297570" target="_blank">[MITRE ATT&amp;CK] File and Directory Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947252" target="_blank">[MITRE ATT&amp;CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/3905097" target="_blank">[MITRE ATT&amp;CK] Archive Collected Data - T1560</a> | <a href="https://ui.threatstream.com/ttp/3905097" target="_blank">[MITRE ATT&amp;CK] Archive Collected Data - T1560</a> | <a href="https://ui.threatstream.com/ttp/947117" target="_blank">[MITRE ATT&amp;CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947098" target="_blank">[MITRE ATT&amp;CK] Email Collection - T1114</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947193" target="_blank">[MITRE ATT&amp;CK] Automated Exfiltration - T1020</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Web Service - T1567</a><br/> <b>Tags:</b> Suspected-Hafnium, ICS, PlugX, ShadowPad, CobaltStrike, Nextnet, OleView, CVE-2021-26855, Microsoft Exchange, Windows, APT, China, source-country:CN, Telecommunications, Manufacturing, Logistics, Pakistan, target-country:PK, Malaysia, target-country:MY, Afghanistan, target-country:AF</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan" target="_blank">Revive: from Spyware to Android Banking Trojan</a></h3> <p>(published: June 27, 2022)</p> <p>Revive, a new Android banking trojan, was discovered by Cleafy researchers in phishing campaigns targeting customers of a specific large Spanish bank. The malware tricks the user to enable the Accessibility Services feature to perform keylogging activities and to intercept SMS messages. Revive source code was built on the base of the open source Teardroid spyware.<br/> <b>Analyst Comment:</b> Observed samples of Revive had originally no or very low antivirus detection ratio. It is important for users to stick to official app stores and applications with good established ratings, especially for devices that are used for banking.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Revive, Teardroid, Android, Mobile, Banking and finance, Banking trojan, Spyware, Keylogging, SMS theft, 2FA/OTP bypass, Account takeover, Accessibility Services, Spain, target-country:ES</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/pypi-python-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/" target="_blank">PyPi Python Packages Caught Sending Stolen AWS Keys to Unsecured Sites</a></h3> <p>(published: June 25, 2022)</p> <p>PyPi is an open-source repository available to a large group of developers to complement their python based projects. Packages named ‘log lib-modules' and ‘pygrata-tools' were used to steal AWS credentials and sensitive data such as network infrastructure. Sonatype analysts J. Cardona and C. Fernandez detected that the stolen data was uploaded to the pygrata[.]com domain controlled by the attackers.<br/> <b>Analyst Comment:</b> Open-source python packages could possess a potential threat to users if downloaded from unverified sources. Unexperienced developers are the potential targets. Developers should check the legitimacy of the package and download package descriptions, release-history and download numbers to determine if the package is fake.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Web Service - T1567</a><br/> <b>Tags:</b> sonatype-2022-3475, sonatype-2022-3256, Open-source, Python, PyPi, Credentials, Sensitive data, Supply chain, AWS, Malicious package</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/vulnerability/531563" target="_blank">CVE-2020-26878</a><br/> Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.</p> <p><a href="https://ui.threatstream.com/vulnerability/531564" target="_blank">CVE-2020-26879</a><br/> Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.</p> <p><a href="https://ui.threatstream.com/vulnerability/780324" target="_blank">CVE-2021-26855</a><br/> Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.