The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats. 

‍What’s Surging? Our Picks of The Most Thunderous News From July 2023

‍(1) FIN8 Bolsters its Arsenal with BlackCat and Updated Backdoor

Category: Threat Actor Activity | Source: Symantec

In a recent cyber incident tied to the FIN8 (aka Syssphinx) threat group, researchers from Symantec's Threat Hunter Team unveiled a sophisticated toolkit, showcasing an upgraded Sardonic backdoor and incorporating the BlackCat/AlphV (aka Noberus) ransomware encryptor. Previously, FIN8 had utilized the Ragnar Locker ransomware in their campaigns. Symantec highlights FIN8's ability to evolve and expand its capabilities, as they "initially specialized in point-of-sale (POS) attacks" before transitioning to ransomware attacks in recent years. This strategic shift reflects their pursuit of more lucrative profit-gaining opportunities. FIN8 has a history of targeting verticals associated with chemicals, entertainment, financial services, healthcare, hospitality, insurance, retail, and technology.

FIN8's latest capabilities came to light following an intrusion attributed to FIN8 dating back to December 2022, resulting in the attempted deployment of the BlackCat ransomware encryptor. Symantec first observed "the attackers connected with PsExec to execute the command "quser" to display the session details" and followed up with PowerShell invoke-expression utility to download and run their backdoor. The threat actors connected to their backdoor the following day and appear to have utilized the Impacket script, wmiexec.py. "One of the interesting features of the backdoor is related to interactive sessions, where the attacker runs cmd.exe or other interactive processes on the affected computer. Interestingly, the sample allows up to 10 such sessions to run simultaneously. In addition, when starting each individual process, the attacker may use a process token stolen from a specified process ID that is different for each session." The operators prefer the use of native tools and living-off-the-land binaries including PowerShell and WMI to ensure stealth. FIN8's intrusion has also typically been initiated by social engineering and phishing messages.

(2) TeamTNT Scans Relentlessly to Compromise Targets

Category: Threat Actor Activity | Source: AquaSec

Through successfully infiltrating TeamTNT's command and control (C2) server, AquaSec researchers Ofek Itach and Assaf Morag have uncovered a highly "aggressive cloud campaign" driven by the relentless scanning capabilities of the threat actor's botnet. Unlike previous TeamTNT campaigns that primarily focused on cryptocurrency mining, the objective of this campaign is to expand its botnet. AquaSec's investigation of the infrastructure revealed that the botnet persistently scans for misconfigurations and exposed services in various platforms, including Kubernetes, Docker, Weave Scope, JupyterLab, Jupyter Notebook, Redis, Hadoop, Tomcat, Nginx, and SSH. According to AquaSec, their research indicates "this botnet perpetually scans the entirety of the internet. Consequently, every IP address undergoes a scan at least once every hour. We discovered that the rate of infection is fairly rapid, with a minimum of two new victims emerging every hour." 

To get an idea of the scope of TeamTNT's botnet efficiency, AquaSec conducted a seven-day scan, identifying "196 unique infected hosts. This equates to ~1.3 new victims every hour." TeamTNT's scanning mechanisms are documented with three key stages involving (1) scanning for new targets, (2) dropping their malware and worm to infect the target, and (3) notifying their C2 when the compromised host has been infected. An extensive toolbox of scripts was observed on AquaSec's honeypots displaying TeamTNT's arsenal capable of scanning for additional hosts, changing host configurations, downloading other tools, establishing persistence, stealing credentials, their Tsunami malware which uses the Internet Relay Chat (IRC) protocol for its C2 and much more.

To expand their infection, TeamTNT focuses on gathering credentials "across multiple cloud environments, including AWS, Azure, and GCP. They are not only looking for general credentials but also specific applications such as Grafana, Kubernetes, Docker Compose, Git access, and NPM. Additionally, they are searching for databases and storage systems such as Postgres, AWS S3, Filezilla, and SQLite." Despite a supposed hiatus, TeamTNT appears to have fully emerged back into the threat landscape, albeit being less vocal in their exploits on social media. The proficiency in their infrastructure and attack is a warning for organizations to properly configure and secure their cloud instances.

(3) A Sophisticated But Thwarted Intrusion from Volt Typhoon

Category: Threat Actor Activity | Source: CrowdStrike

Threat activity from Chinese threat group Volt Typhoon, also tracked as Bronze Silhouette or Vanguard Panda, was recently discovered and prevented by CrowdStrike. In the reported incident, Volt Typhoon "employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," said CrowdStrike. The threat actors' activities were consistent with the initial reports from CISA and Microsoft on May 24th, 2023, where operators stressed the importance of operating covertly. They heavily relied on using living-off-the-land binaries (LOLBins), deploying them in "short bursts" and removing traces of their activity in logs. 

The compromised ManageEngine ADSelfService Plus application ran on an Apache Tomcat web server. It is surmised that the threat actors exploited an RCE vulnerability in ManageEngine, CVE-2021-40539; however, log activity to support the exploitation was absent. The threat actors likely removed traces of their activity in the necessary access logs. Although not all of Volt Typhoon's activity was covered up by the threat actors as the presence of Java and Class files were found, leading to the discovery of "numerous web shells and backdoors all connected to this same attack." 

Further investigation into the web shells used in the attack revealed that the web shell had been deployed almost six months prior to the hands-on-keyboard activity. This extended dwell time indicates that Volt Typhoon had dedicated significant effort to conducting thorough reconnaissance on the targeted network. Their familiarity with the environment facilitated the "rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI."

Grounding the Storm with Detections from the Forge

BlackCat Abuses Search Ads with Malicious WinSCP Downloads

Category: Ransomware News | Source: Trend Micro

The incident response team at Trend Micro investigated a network intrusion linked to the BlackCat/ALPHV ransomware gang, which originated from fictitious search advertisements promoting the download of the WinSCP file transfer application. Disguised as a WinSCP tutorial, the deceptive website would land on a compromised WordPress site when the victim attempts to download the application. Then the final stage payload would be downloaded from the file-sharing site named 4shared. "The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor," said Trend Micro. 

Before Trend Micro’s engagement, the hackers gained top-level administrator privileges, leveraging them to carry out unauthorized activities, including establishing persistence, creating backdoor access using remote management tools like AnyDesk, engaging in password theft, and attempting to access backup servers. During the intrusion, the threat actors utilized tools such as Python scripts, batch scripts, AdFind, Cobalt Strike, PowerShell, PowerView, PsExec, BitsAdmin, and AnyDesk. Following Trend Micro's response to the incident, the "attacker was successfully evicted from the network before they could reach their goal or execute their final payload." The tactics, techniques, and procedures (TTPs) from BlackCat enabled Trend Micro to attribute the group to a separate intrusion, in which a specialized EDR and security monitoring disabling tool named SpyBoy terminator was deployed.

Want more? 

The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.

- Sign-up to receive the Forge weekly threat report or see other reports
- Read more about the Forge’s approach to detections can help create an effective threat detection strategy