The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Iran, Ransomware, Stealers, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil who had been infected with the Racoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
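One way to implement the MFA fatigue alerting recommended in the analyst comment above, as an added example that is not part of the original digest. The log format, field names, and the threshold of five push requests within a five-minute window are assumptions; the log lines are constructed.

```python
"""Sliding-window detector for MFA push-fatigue bursts (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result (assumed format).
SAMPLE_LOG = """\
2022-09-15T21:02:11Z alice mfa_push denied
2022-09-15T21:02:40Z alice mfa_push denied
2022-09-15T21:03:05Z alice mfa_push denied
2022-09-15T21:03:21Z alice mfa_push denied
2022-09-15T21:03:50Z alice mfa_push denied
2022-09-15T21:04:02Z alice mfa_push approved
2022-09-15T21:10:00Z bob mfa_push approved
2022-09-15T22:15:00Z bob mfa_push denied
"""


def parse_line(line):
    """Split one log line into (datetime, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per user whose MFA push count reaches `threshold`
    inside any `window`-long span. The alert also records whether the user
    eventually approved a push during the burst, which is the outcome a
    fatigue attack is trying to force and deserves the highest priority."""
    recent = defaultdict(deque)  # user -> (ts, result) entries inside the window
    alerts = {}                  # user -> alert dict
    for line in log_text.splitlines():
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append((ts, result))
        while ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(user, {"user": user, "start": q[0][0], "end": ts,
                                         "count": 0, "approved_after_burst": False})
        alert["count"] = max(alert["count"], len(q))
        alert["end"] = ts
        if result == "approved":
            alert["approved_after_burst"] = True
    return list(alerts.values())
```

On the constructed log, alice triggers a single alert that is escalated because the sixth push was approved, while bob's two widely spaced pushes stay below the threshold.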
(published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim’s YouTube channel. These videos target gamers with promises of “cheats” and “cracks.”
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtube, target-industry:Games NAICS 513210
(published: September 14, 2022)
Secureworks researchers discovered multiple identities connected to the Iran-sponsored group Cobalt Mirage (Dev-0270, Nemesis Kitten). The information was derived from the group’s infrastructure connections, leaked materials, and the metadata of a June 2022 ransom note PDF file. The group acts as a contractor for the Iranian government, so it is able to combine cyberespionage with for-profit ransomware operations.
Analyst Comment: All known Cobalt Mirage indicators are available in the Anomali platform and customers are advised to block these on their infrastructure. Keep your Microsoft Exchange Server updated to avoid exploitation including the ProxyShell exploits that Cobalt Mirage was seen using.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:COBALT MIRAGE, actor:DEV-0270, ProxyShell, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, Iran, source-country:IR, detection:TunnelFish, Cyberespionage, Ransomware
(published: September 13, 2022)
Palo Alto researchers analyzed OriginLogger (AgentTeslav3) and two of its leaked builders. OriginLogger is a commodity keylogger that is based on Agent Tesla code and is typically detected as Agent Tesla. It has been available since 2018 and became more prevalent in 2020. Out of all studied samples, 1,909 OriginLogger samples exfiltrated stolen data over email (SMTP protocol), 1,888 samples used file sharing servers (FTP), 1,866 samples used web uploads utilizing a PHP file, and 1,732 samples exfiltrated to Telegram channels.
Analyst Comment: Signatures developed for Agent Tesla still mostly work for OriginLogger. Different actors using this keylogger can use additional obfuscation and different delivery methods. Keeping macros disabled in Microsoft Office documents downloaded from the Internet can block one of the observed delivery vectors.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: detection:OriginLogger, mitre-software:Agent Tesla, detection:AgentTeslav3, malware-type:Keylogger, Crypter, VBA macro, SMTP, FTP, Telegram
(published: September 13, 2022)
Several Fishpig extensions for eCommerce Magento-WordPress integrations were compromised and served the Rekoobe remote access trojan. The file backdoored by the attackers was normally used to validate a Fishpig license, so the free Fishpig extensions that are hosted on GitHub were not affected. Once installed, Rekoobe removes all malware files and remains in memory only. It mimics a legitimate background process on the targeted Linux server.
Analyst Comment: Fishpig users are advised to re-install all Fishpig extensions and restart the server. No attacker actions were observed past the installation of Rekoobe, but it is a good practice to audit the server for unauthorized files and accounts.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: Magento, Fishpig, Supply chain, detection:Rekoobe, malware-type:RAT, Linux, eCommerce
(published: September 13, 2022)
Symantec researchers discovered a new intelligence gathering campaign targeting government and state-owned entities in Asia. The attackers are likely associated with China-sponsored APT41 (Wicked Panda). They were observed switching from delivering the ShadowPad remote access trojan to delivering multiple payloads including previously unseen Infostealer.Logdatter. This new information stealer has additional capabilities to download files, inject processes, and query SQL databases.
Analyst Comment: Defense-in-depth is an effective way to help mitigate potential APT activity. The layering of defense mechanisms can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities. All known APT41 indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Injection - T1055
Tags: mitre-group:APT41, actor:Wicked Panda, CVE-2020-1472, CVE-2021-26855, target-sector:Government NAICS 92, China, source-country:CN, Cyberespionage, mitre-software:PlugX, detection:QuasarRAT, detection:Infostealer.Logdatter, detection:Trochilus RAT, detection:ShadowPad
(published: September 12, 2022)
The Lorenz ransomware group has been active since at least February 2021. The group uses the double extortion tactic by exfiltrating data and encrypting systems using its custom Lorenz ransomware or Microsoft’s BitLocker Drive Encryption. Arctic Wolf researchers analyzed recent attacks by Lorenz that started with a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) exploitation. Almost a month after the initial access, Lorenz proceeded with post-exploitation activity that relied heavily on open source and living off the land binaries (LOLBins): it downloaded TCP tunneling tool Chisel, used CrackMapExec for a full Local Security Authority Subsystem Service (LSASS) memory dump, and installed FileZilla to exfiltrate data.
Analyst Comment: When attackers abuse legitimate tools, it is important to detect anomalies by establishing a baseline for the normal and expected activities inside your organization. Upgrade to MiVoice Connect Version R19.3 or older, if you have the vulnerable devices.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lorenz, Ransomware, CVE-2022-29499, Mitel MiVoice Connect, FileZilla, BitLocker, ESXi, LOLBins, 0day, PowerShell, Microsoft, Double extortion, Chisel, CrackMapExec, RDP