The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, Bypassing DNS, DDoS, Infostealers, Layoffs, Spearphishing, Supply chain, and Zero-day vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: December 22, 2022)
RisePro is a new commodity infostealer that is sold and supported through Telegram channels. Credential logs harvested by RisePro have been for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed-software credentials, and passwords. RisePro was delivered by PrivateLoader, and the two malware families share significant code similarity. It also resembles the Vidar stealer in that both rely on dropped DLL dependencies.
Analyst Comment: Infostealers are a continually rising threat for organizations, especially with hybrid workers using their own and other non-corporate devices to access cloud-based resources and applications. Information from these sessions that is useful to attackers can be harvested without the knowledge of the worker or the organization. In addition, the growing reliance of threat actors on potent commodity malware is one of the trends Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform).
MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222 - File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012 - Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] T1082 - System Information Discovery | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1033 - System Owner/User Discovery | [MITRE ATT&CK] T1129 - Shared Modules | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Tags: detection:RisePro, malware-type:Stealer, detection:PrivateLoader, malware-type:Loader, actor:RiseProSUPPORT, file-type:EXE, file-type:BMP, Telegram, WordPress, Windows
(published: December 21, 2022)
Zerobot (ZeroStresser) is a Go-based botnet that spreads primarily through Internet of Things (IoT) and web-application vulnerabilities. Microsoft researchers analyzed its newest version, Zerobot 1.1, which added new exploits and new distributed denial of service (DDoS) attack methods. For propagation, Zerobot targets Linux-based IoT devices such as firewalls, routers, and cameras, but a version that runs on Windows was also discovered. Zerobot uses at least two dozen exploits, including recently added ones for vulnerabilities in Apache (CVE-2021-42013), Apache Spark (CVE-2022-33891), MiniDVBLinux (ZSL-2022-5717), and Roxy-WI (CVE-2022-31137).
Analyst Comment: Botnet malware takes advantage of internet-connected devices that are misconfigured or do not have security updates applied. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can help defeat malware that scans for those default ports. Organizations and defenders should be aware of all their internet-facing assets and keep them under strict monitoring. Companies are invited to schedule a demo of Anomali’s Attack Surface Management.
MITRE ATT&CK: [MITRE ATT&CK] T1205.001 - Traffic Signaling: Port Knocking | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1078 - Valid Accounts | [MITRE ATT&CK] T1498 - Network Denial Of Service | [MITRE ATT&CK] T1547 - Boot Or Logon Autostart Execution | [MITRE ATT&CK] T1543.004 - Create or Modify System Process: Launch Daemon
Tags: detection:Zerobot, detection:ZeroStresser, actor:DEV-1061, detection:SparkRat, Internet of Things, IoT, Botnet, Web application, Golang, Malware-as-a-service, DDoS, DDoS-for-hire, Christmas tree attack, SSH, Telnet, Port-knocking, port:23, port:2323, CVE-2016-20017, CVE-2021-46422, CVE-2018-10561, CVE-2022-26186, CVE-2020-7209, CVE-2022-31137, CVE-2014-8361, CVE-2022-26210, CVE-2017-17215, CVE-2022-22965, CVE-2022-25075, CVE-2018-12613, CVE-2018-20057, CVE-2021-42013, CVE-2022-42013, CVE-2021-35395, CVE-2022-33891, CVE-2020-25223, CVE-2020-10987, CVE-2022-30525, CVE-2022-37061, CVE-2021-36260, CVE-2019-10655, CVE-2017-17106, CVE-2017-17105, CVE-2020-25506, CVE-2022-34538, CVE-2022-30023, ARM64, MIPS, x86_64, file-type:SH, file-type:EXE, Windows, Linux
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
(published: December 20, 2022)
Since February 2022, Palo Alto researchers have detected over 500 new domains associated with Gamaredon (Primitive Bear, Trident Ursa), a threat group attributed to Russia’s Federal Security Service. The group primarily targets Ukraine, but a few English-language lures were also detected, as was an unsuccessful attempt to compromise a petroleum refining company within a NATO country. The group constantly refines its malicious phishing attachments and infrastructure. It uses fast-flux DNS to limit the effectiveness of IP blocking. It queries cryptic Telegram posts and the legitimate IP-API service to discover C2 IP information while bypassing DNS. Gamaredon also hides its true IP assignment by pointing the operational subdomain at the real C2 IP while assigning a fake, benign IP to the root domain.
Analyst Comment: All known network indicators associated with this Gamaredon campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure. Conduct anti-phishing training and implement security best practices for attached Microsoft documents. For sensitive networks, consider blocking Telegram Messaging and domain-lookup tools unless there is a specific ongoing use for them in the organization.
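The two DNS patterns described above (fast-flux rotation and a root domain parked on a benign IP while the operational subdomain resolves elsewhere) can be hunted for in passive-DNS data. The following is an added example, not code from Anomali or Unit 42; the passive-DNS records, thresholds and domain names are constructed, and registrable domains are assumed to be two labels long.

```python
"""Added example (not from the Anomali report): flag Gamaredon-style DNS
patterns in passive-DNS data. All records below are constructed."""
from collections import defaultdict

# Constructed passive-DNS observations: (fqdn, resolved_ip, ttl_seconds)
PDNS = [
    ("evil-example.test", "192.0.2.10", 86400),       # root parked on one IP
    ("evil-example.test", "192.0.2.10", 86400),
    ("a1.evil-example.test", "198.51.100.5", 60),     # subdomain rotates fast
    ("a1.evil-example.test", "198.51.100.77", 60),
    ("a1.evil-example.test", "203.0.113.9", 60),
    ("a1.evil-example.test", "203.0.113.44", 60),
    ("benign-example.test", "192.0.2.20", 3600),      # ordinary site
    ("www.benign-example.test", "192.0.2.20", 3600),
]

def root_of(fqdn):
    """Registrable domain; assumes two labels (no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])

def analyse(records, flux_ips=3, flux_ttl=300):
    """Return {root_domain: [reasons]} for domains showing either pattern."""
    ips = defaultdict(set)      # fqdn -> distinct IPs observed
    min_ttl = {}                # fqdn -> lowest TTL observed
    by_root = defaultdict(set)  # root -> fqdns under it
    for fqdn, ip, ttl in records:
        ips[fqdn].add(ip)
        min_ttl[fqdn] = min(ttl, min_ttl.get(fqdn, ttl))
        by_root[root_of(fqdn)].add(fqdn)
    findings = {}
    for root, names in by_root.items():
        reasons = []
        for name in sorted(names):
            # Fast flux: many distinct IPs behind one name, each with a short TTL
            if len(ips[name]) >= flux_ips and min_ttl[name] <= flux_ttl:
                reasons.append(f"fast-flux:{name}")
        sub_ips = set().union(*(ips[n] for n in names if n != root))
        # Split assignment: root resolves to IPs its subdomains never use
        if root in ips and sub_ips and ips[root].isdisjoint(sub_ips):
            reasons.append(f"root-subdomain-split:{root}")
        if reasons:
            findings[root] = reasons
    return findings

if __name__ == "__main__":
    for root, why in analyse(PDNS).items():
        print(root, "->", ", ".join(why))
```

On real passive-DNS exports, tune `flux_ips` and `flux_ttl` against CDN-backed domains, which also rotate addresses, before alerting.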
MITRE ATT&CK: [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1568 - Dynamic Resolution | [MITRE ATT&CK] T1218.005 - Signed Binary Proxy Execution: Mshta | [MITRE ATT&CK] T1221 - Template Injection | [MITRE ATT&CK] T1047 - Windows Management Instrumentation
Tags: mitre-group:Gamaredon Group, actor:UAC-0010, actor:Primitive Bear, actor:Shuckworm, Federal Security Service, FSB, actor:Gamaredon, actor:Trident Ursa, Fast flux DNS, Bypassing DNS, Twitter, Government, Military, Russia, source-country:RU, Ukraine, target-country:UA, NATO, file-type:RTF, file-type:DOC, file-type:LNK, file-type:EXE, HTA, VBS, Windows
(published: December 20, 2022)
In 2023, companies reducing their headcount can potentially face additional cybersecurity risks: growing insider threat, fewer technical experts providing visibility into the security status, and mistakes with account deactivation and access allocation. At the same time, threat groups share increasingly complex malware and tools, and seek to exploit supply-chain relationships to attack high-value, well-protected organizations.
Analyst Comment: Network defenders should have fuller awareness of their assets and supply-chain vectors. Maintain oversight of the security of, and access to, shared development environments. Enforce secure development practices and establish adequate segregation of code bases, data, and documentation.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
Tags: Insider threat, Layoff, Disgruntled employee, Off-boarding, Super user, Commodity malware, Malware-as-a-service, Supply chain, Third-party risk
(published: December 19, 2022)
An attack on critical infrastructure in August 2022 leveraged two 0-day vulnerabilities in Microsoft Exchange Server. The pair of vulnerabilities was dubbed ProxyNotShell. First, a server-side request forgery (CVE-2022-41040) grants access to the privileged endpoint of the Exchange Server API for PowerShell. The attacker initiates the shell, enables its keep-alive option, and then triggers the second vulnerability, a remote code execution flaw (CVE-2022-41082) that uses PowerShell Remoting to open a new process on the target system. The attackers carried out DLL side-loading and other post-exploitation steps similar to those previously reported by Trend Micro for an attack delivering LockBit ransomware.
Analyst Comment: For Microsoft Exchange administrators it is critical to apply the patches Microsoft released in October 2022, since a working proof-of-concept was made public in November 2022. When planning for future 0-day vulnerabilities, focus on detecting lateral movement, malicious outgoing traffic, and data exfiltration.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1055 - Process Injection | [MITRE ATT&CK] T1059.001 - Command and Scripting Interpreter: PowerShell
Tags: ProxyNotShell, CVE-2022-41082, CVE-2022-41040, Microsoft Exchange, PowerShell, PowerShell Remoting, XML SOAP, WSMAN, file-type:DLL, file-type:EXE, Windows
Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:
The Advanced Persistent Threat (APT) group “Gamaredon” is believed to be a Russia-based group that has been active since at least 2013. The group is known for conducting cyber espionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military. According to Palo Alto Networks Unit 42 researchers, the Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in their April 2015 report on a cyberespionage campaign dubbed “Operation Armageddon”. This led Unit 42 researchers, in February 2017, to name the group “Gamaredon Group”, because they believe the group conducted Operation Armageddon. The Gamaredon group has shown an increase in technical capabilities since the 2013 report discussing Operation Armageddon, with the creation and distribution of its own custom malware, dubbed Gamaredon Pteranodon. Prior to this, the group was known for using malicious tools, and legitimate tools repurposed for malicious ends, acquired from both legitimate sources and underground markets. This custom malware was used in targeted attacks against Ukrainian entities and individuals. The Security Service of Ukraine (SBU) attributes this malicious activity conducted against their country to the 16th (formerly the Federal Agency of Government Communications and Information) and 18th Centers of the Russian Federal Security Service (FSB).