On-Demand Webinar

Forge Charged News: The Most Electrifying News From August 2023

Forge News
On-Demand Webinar

Forge Charged News: The Most Electrifying News From August 2023

Detection Strategies

The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats. 

What’s Surging? Our Picks of The Most Thunderous News From August 2023
(1) Exploring the Latest Tools & Tactics of Cuba Ransomware

Category: Ransomware News | Source: BlackBerry

Throughout 2023, the Cuba ransomware group has exhibited consistent activity, directing their efforts primarily towards Western targets. In a report from BlackBerry's Threat Research and Intelligence team, the gang's latest endeavors have involved targeting a critical infrastructure organization within the United States, as well as an IT service company located in Latin America. The tactics, techniques, and procedures (TTPs) demonstrated in the attack aligned with TTPs previously attributed to Cuba. However, some new tricks seem to have been adopted, such as exploiting vulnerable Veeam servers through CVE-2023-27532. This vulnerability exposes access to encrypted credentials stored in the Veeam Backup & Replication component's configuration database. 

Among overlapped tool sets used, Cuba has incorporated the enumeration tool, netpingall.exe, into their arsenal as well. This particular tool was also observed in action during Hancitor campaigns in 2021. New additions to the toolkit include a customer downloader identified as BUGHATCH, a Metasploit DNS Stager, Wedgecut—an additional enumeration tool, and BURNTCIGAR—a process killer with kernel-level capabilities. Alongside these new tools, the Cuba actors have remained devoted to their established favorites. This entails employing well-known techniques like ZeroLogon CVE-2020-1472 for exploitation, while consistently leveraging tools such as PsExec, Cobalt Strike, and living-off-the-land binaries (LOLBins) like cmd.exe, powershell.exe rundll32.exe, ping.exe, net.exe, and nltest.exe.

In a documented intrusion attributed to Cuba, BlackBerry's findings revealed that the attackers had effectively employed compromised credentials to establish an RDP connection. BlackBerry noted, "This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This suggests that the attacker likely obtained valid credentials through alternative malicious methods prior to launching the attack." Subsequently, the attackers leveraged LOLBin binaries to execute batch scripts and exploited a vulnerable driver through a new Windows service, thereby initiating reconnaissance activities within the network. Furthermore, they exploited vulnerabilities associated with NetLogon and Veeam, all while deploying a range of other malicious tools. While Cuba ransomware activity demonstrated consistency throughout the year, BlackBerry highlighted intermittent periods of downtime on Cuba's data leak site. The pattern involved the gang intermittently posting new victims, only to then go "dark" again for a time. Despite their periods of inactivity, Cuba ransomware activity continues to be a significant concern within the threat landscape, as the attackers have maintained their presence for the past four years.

(2) Nitrogen Malware Bonds to the Trend of Impersonating Popular Software

Category: Malware Campaign | Source: Sophos

Through malvertising and impersonating downloads of popular software, an initial access malware tracked as Nitrogen is being used to deliver Cobalt Strike against technology and non-profit organizations located in North America. According to researchers from Sophos, the Nitrogen infection chain has been identified as a precursor to ransomware deployment, as a previous Nitrogen infection analyzed by Trend Micro, led to the deployment of the BlackCat ransomware. The Nitrogen malware family consists of the following main components: NitrogenStager, MsfPythonStager, and NitroInstaller. Based on these components, Sophos suspects a "relation to the Metasploit Framework (MSF), which is leveraged in the Nitrogen campaign to generate the reverse shell scripts used in NitrogenStager.

Nitrogen infections are initiated through Google or Bing Ads, disguising themselves as commonly used tech utility software like AnyDesk, WinSCP, TreeSize Free, or a setup file for Cisco's AnyConnect VPN. An anti-analysis component is incorporated in the campaign, redirecting researchers to Rick Astley’s 'Never Gonna Give You Up' YouTube video when they directly visit the phishing page instead of accessing it through the advertisement. Upon the initial download, an ISO file is mounted and hosts an executable file named 'install' or 'setup,' which is actually a renamed msiexec executable and a DLL file. Upon execution of the install/setup file, the DLL recognized as NitrogenInstaller is sideloaded. This installer drops a legitimate version of the downloaded application; however it serves as a decoy with two Python packages downloaded to progress the infection.

NitrogenInstaller will also abuse Cmstp to elevate its privileges through UAC bypass and establish persistence through the AutoRun registry key and a scheduled task. From there, the NitrogenStarger can abuse DLL search-order hijacking and connect to their command and control (C2), paving the way for a Meterpreter shell and/or Cobalt Strike activity. During the manual portion of the infection, Sophos observed the threat actors downloading additional payloads, gathering credentials, and enumerating the network.

(2) FIN8 Compromised an EMEA Retailer

Category: Threat Actor Activity | Source: Darktrace

An intrusion attributed to the financially motivated threat group FIN8, also known as Syssphinx, was detected in a retail organization based in the EMEA region. Darktrace researchers responded to the incident, tracing the origins of suspicious beaconing activity on April 30th, 2023. The activity involved an influx of SSL connections to an IP address flagged with a bad reputation. Later during the day, signs of reconnaissance and privilege escalation activity were observed with over 100 DRSGetNCChanges requests to a domain controller, indicating a potential DCSync attack. The threat actors engaged in lateral movement using the WMI process and accessed SMB and admin shares.

Key activity from the intrusion lasted approximately five and a half hours then on May 1st at 03:31:41 UTC the threat actors were able to exfiltrate data using Rclone. "In total, nine separate devices were involved in this pattern of activity. Five of these devices were labeled as ‘administrative’ devices according to their hostnames. Over the course of the entire exfiltration event, the attackers exfiltrated almost 61 GB of data from the organization’s environment," Darktrace cyber analyst, Adam Potter reports. While Darktrace was unable to identify the initial access vector from the attack it is suspected to have been initiated through a phishing email since social engineering and phishing techniques are favored by FIN8 attackers.

Grounding the Storm with Detections from the Forge
(1) Vast Potential of a New Chinese Espionage Group Targeting Taiwanese Organizations

Category: Threat Actor Activity | Source: Microsoft

Taiwanese organizations are discovered to be in the crosshairs of an espionage operation run by a nation-state threat group linked to the Chinese government, tracked as Flax Typhoon. This revelation is revealed by Microsoft's Threat Intelligence team in their latest report tracing Flax Typhoon's activity as far back as mid-2021. While Taiwan appears to be the focus of Flax Typhoon's campaigns, their activities are observed in other regions, including Southeast Asia, North America, and Africa. Based on Microsoft's research, "Flax Typhoon's observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible." However, the actor's ultimate objective has yet to be captured.

Flax Typhoon emphasizes stealth and employs living-off-the-land techniques to evade defense. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks." Microsoft's analysis reveals that Flax Typhoon exploits known vulnerabilities in public-facing servers for initial access and favors tools like China Chopper, Metasploit, the local privilege escalation tool Juicy Potato, Mimikatz, and the SoftEther VPN software.

Notably, "the actor establishes a long-term method of accessing the compromised system using the remote desktop protocol (RDP). To accomplish this, the actor disables network-level authentication (NLA) for RDP, replaces the Sticky Keys binary, and establishes a VPN connection." Despite the persistence of the group's activities, Microsoft has not observed any concrete actions beyond unauthorized access, noting a lack of observed data collection or exfiltration activities. The activity reported by Microsoft for Flax Typhoon is noted to have overlaps with a threat actor CrowdStrike tracks as Ethereal Panda, characterized through the group's "distinctive pattern of malicious activity," aimed at Taiwan. The capabilities showcased by Flax Typhoon's tactics, techniques, and procedures (TTPs), coupled with their potential extensive impact on organizations, motivated Microsoft to publish their report, aiming to enhance detection and awareness within the security community.

Host Tampering Leads to Native Tool Abuse/RDP & Credential Theft
Want more? 

The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.


- Sign-up to receive the Forge weekly threat report or see other reports
- Read more about the Forge’s approach to detections can help create an effective threat detection strategy

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
White Paper

Forge Charged News: The Most Electrifying News From August 2023

Forge News
September 26, 2023

Forge Charged News: The Most Electrifying News From August 2023

Forge News

The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats. 

What’s Surging? Our Picks of The Most Thunderous News From August 2023
(1) Exploring the Latest Tools & Tactics of Cuba Ransomware

Category: Ransomware News | Source: BlackBerry

Throughout 2023, the Cuba ransomware group has exhibited consistent activity, directing their efforts primarily towards Western targets. In a report from BlackBerry's Threat Research and Intelligence team, the gang's latest endeavors have involved targeting a critical infrastructure organization within the United States, as well as an IT service company located in Latin America. The tactics, techniques, and procedures (TTPs) demonstrated in the attack aligned with TTPs previously attributed to Cuba. However, some new tricks seem to have been adopted, such as exploiting vulnerable Veeam servers through CVE-2023-27532. This vulnerability exposes access to encrypted credentials stored in the Veeam Backup & Replication component's configuration database. 

Among overlapped tool sets used, Cuba has incorporated the enumeration tool, netpingall.exe, into their arsenal as well. This particular tool was also observed in action during Hancitor campaigns in 2021. New additions to the toolkit include a customer downloader identified as BUGHATCH, a Metasploit DNS Stager, Wedgecut—an additional enumeration tool, and BURNTCIGAR—a process killer with kernel-level capabilities. Alongside these new tools, the Cuba actors have remained devoted to their established favorites. This entails employing well-known techniques like ZeroLogon CVE-2020-1472 for exploitation, while consistently leveraging tools such as PsExec, Cobalt Strike, and living-off-the-land binaries (LOLBins) like cmd.exe, powershell.exe rundll32.exe, ping.exe, net.exe, and nltest.exe.

In a documented intrusion attributed to Cuba, BlackBerry's findings revealed that the attackers had effectively employed compromised credentials to establish an RDP connection. BlackBerry noted, "This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This suggests that the attacker likely obtained valid credentials through alternative malicious methods prior to launching the attack." Subsequently, the attackers leveraged LOLBin binaries to execute batch scripts and exploited a vulnerable driver through a new Windows service, thereby initiating reconnaissance activities within the network. Furthermore, they exploited vulnerabilities associated with NetLogon and Veeam, all while deploying a range of other malicious tools. While Cuba ransomware activity demonstrated consistency throughout the year, BlackBerry highlighted intermittent periods of downtime on Cuba's data leak site. The pattern involved the gang intermittently posting new victims, only to then go "dark" again for a time. Despite their periods of inactivity, Cuba ransomware activity continues to be a significant concern within the threat landscape, as the attackers have maintained their presence for the past four years.

(2) Nitrogen Malware Bonds to the Trend of Impersonating Popular Software

Category: Malware Campaign | Source: Sophos

Through malvertising and impersonating downloads of popular software, an initial access malware tracked as Nitrogen is being used to deliver Cobalt Strike against technology and non-profit organizations located in North America. According to researchers from Sophos, the Nitrogen infection chain has been identified as a precursor to ransomware deployment, as a previous Nitrogen infection analyzed by Trend Micro, led to the deployment of the BlackCat ransomware. The Nitrogen malware family consists of the following main components: NitrogenStager, MsfPythonStager, and NitroInstaller. Based on these components, Sophos suspects a "relation to the Metasploit Framework (MSF), which is leveraged in the Nitrogen campaign to generate the reverse shell scripts used in NitrogenStager.

Nitrogen infections are initiated through Google or Bing Ads, disguising themselves as commonly used tech utility software like AnyDesk, WinSCP, TreeSize Free, or a setup file for Cisco's AnyConnect VPN. An anti-analysis component is incorporated in the campaign, redirecting researchers to Rick Astley’s 'Never Gonna Give You Up' YouTube video when they directly visit the phishing page instead of accessing it through the advertisement. Upon the initial download, an ISO file is mounted and hosts an executable file named 'install' or 'setup,' which is actually a renamed msiexec executable and a DLL file. Upon execution of the install/setup file, the DLL recognized as NitrogenInstaller is sideloaded. This installer drops a legitimate version of the downloaded application; however it serves as a decoy with two Python packages downloaded to progress the infection.

NitrogenInstaller will also abuse Cmstp to elevate its privileges through UAC bypass and establish persistence through the AutoRun registry key and a scheduled task. From there, the NitrogenStarger can abuse DLL search-order hijacking and connect to their command and control (C2), paving the way for a Meterpreter shell and/or Cobalt Strike activity. During the manual portion of the infection, Sophos observed the threat actors downloading additional payloads, gathering credentials, and enumerating the network.

(2) FIN8 Compromised an EMEA Retailer

Category: Threat Actor Activity | Source: Darktrace

An intrusion attributed to the financially motivated threat group FIN8, also known as Syssphinx, was detected in a retail organization based in the EMEA region. Darktrace researchers responded to the incident, tracing the origins of suspicious beaconing activity on April 30th, 2023. The activity involved an influx of SSL connections to an IP address flagged with a bad reputation. Later during the day, signs of reconnaissance and privilege escalation activity were observed with over 100 DRSGetNCChanges requests to a domain controller, indicating a potential DCSync attack. The threat actors engaged in lateral movement using the WMI process and accessed SMB and admin shares.

Key activity from the intrusion lasted approximately five and a half hours then on May 1st at 03:31:41 UTC the threat actors were able to exfiltrate data using Rclone. "In total, nine separate devices were involved in this pattern of activity. Five of these devices were labeled as ‘administrative’ devices according to their hostnames. Over the course of the entire exfiltration event, the attackers exfiltrated almost 61 GB of data from the organization’s environment," Darktrace cyber analyst, Adam Potter reports. While Darktrace was unable to identify the initial access vector from the attack it is suspected to have been initiated through a phishing email since social engineering and phishing techniques are favored by FIN8 attackers.

Grounding the Storm with Detections from the Forge
(1) Vast Potential of a New Chinese Espionage Group Targeting Taiwanese Organizations

Category: Threat Actor Activity | Source: Microsoft

Taiwanese organizations are discovered to be in the crosshairs of an espionage operation run by a nation-state threat group linked to the Chinese government, tracked as Flax Typhoon. This revelation is revealed by Microsoft's Threat Intelligence team in their latest report tracing Flax Typhoon's activity as far back as mid-2021. While Taiwan appears to be the focus of Flax Typhoon's campaigns, their activities are observed in other regions, including Southeast Asia, North America, and Africa. Based on Microsoft's research, "Flax Typhoon's observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible." However, the actor's ultimate objective has yet to be captured.

Flax Typhoon emphasizes stealth and employs living-off-the-land techniques to evade defense. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks." Microsoft's analysis reveals that Flax Typhoon exploits known vulnerabilities in public-facing servers for initial access and favors tools like China Chopper, Metasploit, the local privilege escalation tool Juicy Potato, Mimikatz, and the SoftEther VPN software.

Notably, "the actor establishes a long-term method of accessing the compromised system using the remote desktop protocol (RDP). To accomplish this, the actor disables network-level authentication (NLA) for RDP, replaces the Sticky Keys binary, and establishes a VPN connection." Despite the persistence of the group's activities, Microsoft has not observed any concrete actions beyond unauthorized access, noting a lack of observed data collection or exfiltration activities. The activity reported by Microsoft for Flax Typhoon is noted to have overlaps with a threat actor CrowdStrike tracks as Ethereal Panda, characterized through the group's "distinctive pattern of malicious activity," aimed at Taiwan. The capabilities showcased by Flax Typhoon's tactics, techniques, and procedures (TTPs), coupled with their potential extensive impact on organizations, motivated Microsoft to publish their report, aiming to enhance detection and awareness within the security community.

Host Tampering Leads to Native Tool Abuse/RDP & Credential Theft
Want more? 

The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.


- Sign-up to receive the Forge weekly threat report or see other reports
- Read more about the Forge’s approach to detections can help create an effective threat detection strategy

Build Detection You Want,
Where You Want

Build Detection You Want,
Where You Want