The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: July 19, 2021)
On July 19, 2021, the US, the UK, and other allies jointly accused China of a pattern of aggressive, malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously tracked under the group name Hafnium) were responsible for compromising computer networks around the world through Microsoft Exchange servers. The attacks took place in early 2021 and affected over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS), the US Department of Justice (DoJ) indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise from historic APT40 activity.
Analyst Comment: Network defense in depth and adherence to information security best practices help organizations reduce this risk. Pay special attention to patch and vulnerability management, credential protection, and continuous network hygiene and monitoring. Where possible, enforce the principle of least privilege and use segmentation and strict access controls around critical data. Organizations can use Anomali Match to perform real-time forensic analysis to track such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Server Software Component – T1505 | [MITRE ATT&CK] Exploitation of Remote Services – T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
(published: July 18, 2021)
Israeli surveillance company NSO Group purportedly sells its spyware only to vetted government bodies to fight crime and terrorism. New research found NSO's tools being used against non-criminal targets: pro-democracy activists, journalists investigating corruption, political opponents and government critics, diplomats, and others. In some cases, the timeline of the surveillance coincided with journalists' arrests and even murders. NSO's main intrusion tool is the Pegasus malware, which targets both iPhone and Android devices. Pegasus is delivered either by exploiting an application vulnerability (for example, a vulnerability in iMessage) or through a malicious link in a message. Once installed, Pegasus can harvest any data from the device, activate the microphone and camera, and log the target's past and current location in real time.
Analyst Comment: Some individuals whose phone numbers were selected for targeting by Pegasus operators were likely able to avoid infection. In some cases they were already cautious, changing their devices and/or phone numbers on a regular basis. In other cases, a spear-phishing attack that relies on user interaction can be foiled simply by not clicking the malicious link sent by the Pegasus operators.
MITRE ATT&CK: [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Audio Capture – T1123 | [MITRE ATT&CK] Email Collection – T1114 | [MITRE ATT&CK] Video Capture – T1125
Tags: NSO Group, Pegasus, Spyware, Android, iPhone, iMessage, Spear phishing, Private-sector offensive actor, Israel, Mexico, Saudi Arabia, India
(published: July 15, 2021)
Pysa (also known as Mespinoza) is a prolific ransomware group that has attacked education, manufacturing, retail, and other organizations, with ransom demands as high as $470,000. Unit 42 researchers describe Pysa using new tools written in Go. The Gasket backdoor is delivered obfuscated with the open-source Gobfuscate tool; Gasket is an evolving malware family with at least 16 versions documented in the wild. Pysa also uses a version of the open-source Chisel tunneling tool, named MagicSocks, to hide the destination of its outbound traffic. Prior to deploying ransomware, Pysa exfiltrates sensitive files for use in a double-extortion scheme.
Analyst Comment: Organizations should protect their internet-facing Remote Desktop Protocol (RDP) servers. Some Gasket versions reused command-and-control (C2) domain infrastructure, which makes an ongoing intrusion easier to detect.
MITRE ATT&CK: [MITRE ATT&CK] PowerShell – T1086 | [MITRE ATT&CK] Connection Proxy – T1090 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Remote Desktop Protocol – T1076 | [MITRE ATT&CK] File Deletion – T1107 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Credentials in Files – T1081 | [MITRE ATT&CK] Disabling Security Tools – T1089 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071
Tags: Mespinoza, Pysa, Gasket, Gobfuscate, MagicSocks, Socks5, Tunneling, Rsocks, PsExec, Go, EU, UK, USA, Ransomware
Protecting Customers From a Private-Sector Offensive Actor Using 0-day Exploits and DevilsTongue Malware
(published: July 15, 2021)
Microsoft uses the cover name Sourgum to track activity from Candiru, an Israeli company that is a sophisticated private-sector offensive actor (PSOA). Based in Tel Aviv, this mercenary spyware firm markets "untraceable" spyware to government customers. Known Candiru customers include agencies in Uzbekistan, the United Arab Emirates, and Saudi Arabia. Approximately half of the observed victims were in the Palestinian Authority, with most of the remainder located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. Candiru was actively using two Windows zero-day exploits, CVE-2021-31979 and CVE-2021-33771, both of which were fixed only very recently in the July 2021 security updates. Candiru uses the initial access to deploy DevilsTongue, complex modular multi-threaded malware with several novel anti-detection capabilities. For DevilsTongue files on disk, PDB paths and PE timestamps are scrubbed, and strings and configuration are encrypted. DevilsTongue DLLs are also encrypted on disk and decrypted only in memory. Configuration and tasking data are kept separate from the malware itself.
Analyst Comment: To prevent compromise by browser exploits, open links from untrusted parties in an isolated environment, such as a virtual machine. Running a modern version of Windows 10 with virtualization-based protections such as Credential Guard defeats this malware's Local Security Authority Subsystem Service (LSASS) credential-stealing capability. Enabling the attack surface reduction (ASR) rule 'Block abuse of exploited vulnerable signed drivers' in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known Sourgum/Candiru domains.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Component Object Model Hijacking – T1122 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Automated Collection – T1119 | [MITRE ATT&CK] Credential Dumping – T1003
Tags: CVE-2021-33771, CVE-2021-31979, Government, Middle East, DevilsTongue, PSOA, Private-sector offensive actor, Sourgum, Candiru, Israel, Palestine, Hacking-as-a-service, Detection evasion, COM hijacking
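The scrubbed PDB paths and PE timestamps described above are a cheap triage signal to check for on suspicious binaries. The Python script below is an added example, not Microsoft's or Anomali's code and not derived from any DevilsTongue sample: it parses the MZ, COFF and optional headers by hand (no third-party library), reports the COFF TimeDateStamp and the size of the debug data directory (where a PDB path would normally live), and flags an image with a zero timestamp, a timestamp in the future, or no debug directory at all. The `build_minimal_pe` helper and its inputs are constructed test data: headers-only images that are not real executables.

```python
import struct
import sys
import time
from typing import Dict, List, Optional

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_DEBUG = 6  # data directory slot holding the debug (PDB) info


def parse_pe(data: bytes) -> Dict[str, int]:
    """Return the COFF TimeDateStamp and debug data directory size of a PE image.

    Walks MZ header -> e_lfanew -> PE signature -> COFF header -> optional header,
    handling both PE32 and PE32+ layouts. Raises ValueError on non-PE input.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt = coff + 20  # COFF header is 20 bytes; optional header follows
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    debug_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG
        _rva, debug_size = struct.unpack_from("<II", data, entry)
    return {"timestamp": timestamp, "debug_dir_size": debug_size}


def scrubbed_build_metadata(data: bytes, now: Optional[float] = None) -> List[str]:
    """Triage flags mirroring the build-metadata scrubbing described in the article."""
    info = parse_pe(data)
    now = time.time() if now is None else now
    findings: List[str] = []
    if info["timestamp"] == 0:
        findings.append("zero TimeDateStamp")
    elif info["timestamp"] > now + 86400:
        findings.append("TimeDateStamp in the future")
    if info["debug_dir_size"] == 0:
        findings.append("no debug directory (no PDB path)")
    return findings


def build_minimal_pe(timestamp: int, debug_size: int, pe32plus: bool = True) -> bytes:
    """Constructed test input: a headers-only image with no sections, not runnable code."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    opt_size = 240 if pe32plus else 224      # includes all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0,
                       timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    num_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_dirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                     0x3000 if debug_size else 0, debug_size)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flags = scrubbed_build_metadata(fh.read())
        print(path, "->", "; ".join(flags) or "no scrubbing indicators")
```

Treat these as weak signals for prioritizing samples, not as detections: many legitimate release builds ship without a debug directory, and binaries built with MSVC's /Brepro (including Microsoft's own) carry a reproducible hash in TimeDateStamp that can look like a date in the future. Combine the flags with Authenticode signature status and file prevalence before escalating.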
(published: July 14, 2021)
Intezer researchers identified a phishing campaign targeting Georgian government entities. The phishing emails contain a shortened URL that redirects to the command-and-control (C2) server, which drops a malicious file in one of several formats (RTF, DOC, PDF, LNK, EXE, or JS). The file then contacts the C2 to fetch the payload. The payload, written in AutoIt, loads into memory and steals files from the victim's machine. Intezer noted similarities between this campaign and campaigns carried out by Russia's APT28 (Fancy Bear).
Analyst Comment: Social engineering awareness training helps against spear-phishing attacks. Use an email gateway to analyze attachments and links, and conduct proactive threat hunting on all endpoints in your organization.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Command-Line Interface – T1059
Tags: AutoIt, APT28, Fancy Bear, GRU, Government, Russia, Georgia, Ukraine, Eastern Europe, Spear phishing, Infostealer, Espionage, Malicious documents
(published: July 14, 2021)
LuminousMoth is an advanced persistent threat (APT) activity cluster observed by Kaspersky researchers in Southeast Asia, dating back to at least October 2020. Most early sightings were in Myanmar (~100 observed victims), but the attackers are now far more active in the Philippines (~1,400 observed victims). LuminousMoth uses two infection vectors: first, a spear-phishing email containing a Dropbox download link to a malicious archive; second, once on a host, it copies the malware to all connected removable devices, such as USB sticks and external drives. In Myanmar, the attackers used for exfiltration a Zoom video-conferencing application signed with a valid certificate issued to a Peking University subsidiary. LuminousMoth activity is connected, with medium to high confidence, to the Chinese APT Mustang Panda (HoneyMyte).
Analyst Comment: Organizations should train their users to recognize spear-phishing attacks and to exercise caution with USB sticks and external drives that may be infected. Sensitive environments should implement additional measures, ranging from internal sandboxing of downloaded files to disabling USB ports on certain machines.
MITRE ATT&CK: [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] DLL Side-Loading – T1073 | [MITRE ATT&CK] Credentials in Files – T1081 | [MITRE ATT&CK] Hidden Files and Directories – T1158 | [MITRE ATT&CK] Replication Through Removable Media – T1091 | [MITRE ATT&CK] File and Directory Discovery – T1083
Tags: Mustang Panda, HoneyMyte, LuminousMoth, Cobalt Strike, Spear phishing, Removable media, Government, China, Myanmar, Philippines
(published: July 13, 2021)
The government sector, both US and international, is a prime target for threat actors. Symantec analysts provide an overall picture of trending attacks on government institutions from Iran, China, Russia, and North Korea. Two case studies are detailed: the abuse of legitimate executables to side-load malicious DLLs (for example, a campaign targeting Asian countries with the RDoor backdoor), and early exploitation of unpatched Microsoft Exchange Server vulnerabilities (illustrated by the Chinese group Calypso using the ProxyLogon vulnerabilities to compromise email servers of government entities in the Middle East, South America, Africa, Asia, and Europe).
Analyst Comment: Ensure that your servers always run the most current software version. Maintaining strong credentials for Remote Desktop Protocol (RDP) and other remote-access systems is paramount. Intrusion detection and intrusion prevention systems can also help identify and block attacks against your network. Furthermore, always practice defense in depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Modify Registry – T1112
Tags: Government, EU & UK, North America, Asia, Iran, China, Russia, North Korea, DLL side-loading, Microsoft Exchange, DDoS, SolarWinds, Supply chain, APT, Ransomware, RDoorDropper, ProxyLogon, Calypso
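The side-loading case study above works because the Windows loader resolves a DLL that is not on the KnownDLLs list from the application's own directory before it looks in System32. The Python hunting script below is an added example, not Symantec's or Anomali's tooling: it walks a directory tree and reports every EXE that has, in its own folder, a DLL carrying the name of a DLL that normally ships in System32. The name list is a short illustrative assumption rather than anything taken from the article, and the sample directory layout is constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from typing import Dict, List, Set

# Illustrative assumption (not from the article): DLL names that ship in
# System32, are not KnownDLLs, and so are resolved from the application
# directory first. Replace with names from your own baseline.
SYSTEM_DLL_NAMES: Set[str] = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "userenv.dll", "cryptbase.dll", "secur32.dll",
}

# Directories where these DLLs legitimately live; skipped during the walk.
SYSTEM_DIR_MARKERS = ("/windows/system32", "/windows/syswow64")


def find_sideload_candidates(root: str,
                             system_dlls: Set[str] = SYSTEM_DLL_NAMES) -> Dict[str, List[str]]:
    """Map each EXE under root to same-directory DLLs that carry a System32 DLL name."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _subdirs, files in os.walk(root):
        normalized = dirpath.lower().replace("\\", "/")
        if any(marker in normalized for marker in SYSTEM_DIR_MARKERS):
            continue  # the OS copy is expected here
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = sorted(f for f in files if f.lower() in system_dlls)
        if not exes or not dlls:
            continue
        for exe in exes:
            hits[os.path.join(dirpath, exe)] = [os.path.join(dirpath, d) for d in dlls]
    return hits


def demo_on_constructed_tree() -> Dict[str, List[str]]:
    """Build a constructed sample layout in a temp dir and return root-relative hits."""
    layout = {
        "app/legit.exe": b"MZ",                 # vendor binary sitting beside...
        "app/version.dll": b"MZ",               # ...a DLL that belongs in System32
        "clean/tool.exe": b"MZ",
        "clean/tool.dll": b"MZ",                # vendor's own DLL, not a System32 name
        "Windows/System32/cmd.exe": b"MZ",
        "Windows/System32/version.dll": b"MZ",  # the legitimate copy, skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        hits = find_sideload_candidates(root)

        def relpath(p: str) -> str:
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {relpath(exe): [relpath(d) for d in dlls] for exe, dlls in hits.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_sideload_candidates(target) if target else demo_on_constructed_tree()
    for exe, dlls in sorted(results.items()):
        print(exe, "->", ", ".join(dlls))
```

Run it against a real tree (`python sideload_hunt.py "C:\Program Files"`) once the demo output looks right. Legitimate software occasionally ships private copies of these DLLs, so verify each hit by comparing the DLL's Authenticode signature and hash against the System32 copy before treating it as malicious.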
(published: July 12, 2021)
Analyst Comment: Users should be aware that extensive web surfing exposes them to potential drive-by exploits. Pay attention to the legitimacy of warning pop-ups, as they can be a sign of, or the next step in, an infection.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol – T1048 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071
Tags: Biopass, RAT, Cobalt Strike, BPS backdoor, Adobe Flash Player, Microsoft Silverlight, Aliyun, WeChat, QQ Browser, Winnti, APT41, China
(published: July 12, 2021)
Ransomwhe.re is an open, crowdsourced site that tracks ransomware payments, offering a breakdown of victim payments in bitcoin linked to a dozen major ransomware variants. Across all time, Mailto/Netwalker leads the pack, with Locky and Conti in second and third place respectively. In 2021 so far, Conti leads with $12.7 million in payments received, closely followed by REvil/Sodinokibi, which was behind the attacks on meat processor JBS SA and on the Kaseya customer base. Third place so far goes to DarkSide, known for the Colonial Pipeline attack. The tracking site was created by Jack Cable, a security researcher who works with the Krebs Stamos Group cyber consultancy and the US Defense Digital Service.
Analyst Comment: Educate your employees on the risks of opening attachments from unknown senders, and employ anti-spam and antivirus products from trusted vendors. Emails from unknown senders should be treated with caution and their attachments should not be opened. Furthermore, it is important to have a comprehensive, tested backup solution in place, together with a business continuity plan for the unfortunate case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Netwalker, Mailto, Conti, Locky, Sodinokibi, REvil, DarkSide, Kaseya, Ransomware, Bitcoin