Conti Shuts Down
AdvIntel, well known for its tracking of Conti activity, reports that Conti's ransomware operations have shut down, with critical ransom features identified as removed from the infamous Conti News blog.
Red Canary has published details on the Gootloader malware, which it tracks separately from the Gootkit malware. Red Canary lays out the infection chain; the malware appears regularly in the firm's monthly intelligence insights and its 2021 Threat Detection Report, a sign of its popularity among cybercriminals.
Cybereason has analyzed Quantum ransomware, the latest rebrand in a lineage that began with Mount Locker (September 2020) and passed through Astro Locker (March 2021) and Xing Locker (May 2021).
Phishing with Chatbots
In the latest effort to make phishing scams look authentic, attackers are incorporating chatbots to assist with credential theft. As observed by Trustwave and BleepingComputer, DHL shipping-themed phishing emails carry a link to a phishing URL. Once the victim opens the link, a web chat page starts a scripted conversation designed to add legitimacy, posting a photo of the supposed package and claiming that it could not be delivered because of a damaged label. The setup is designed to trick the victim into handing over personal and payment information on the pretext of arranging redelivery: the victim supplies shipping details (name, address and phone number) and then card details to cover the cost of shipping. The payment page even requests a one-time passcode to add a further layer of legitimacy.
Cryware
Microsoft's latest research looks at the rise of cryware, malware that targets hot wallets (non-custodial cryptocurrency wallets whose key material lives on the user's device). Cryware takes advantage of wallet data being stored locally on the device to steal it and to initiate transactions. The attacker's objective is the material tied to the hot wallet: private keys, seed phrases and wallet addresses. With that material an attacker can initiate a transaction without the victim's consent, and because blockchain transactions are irreversible the victim cannot recover the funds. Because each kind of wallet data (private key, seed phrase, wallet address) has a recognizable string format, attackers craft regular expressions (regexes) to locate it, using techniques including memory dumping, keylogging, exfiltrating the wallet application's storage files, and clipping and switching. In clipping and switching, as Microsoft describes it, "a cryware monitors the contents of a user's clipboard and uses string search patterns to look for and identify a string resembling a hot wallet address. If the target user pastes or uses CTRL + V into an application window, the cryware replaces the object in the clipboard with the attacker's address."
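The clipping-and-switching technique above, and the regex-driven hunt through memory dumps and storage files that precedes it, are easiest to reason about in code. The following Python is an added example written for this page; it is not Microsoft's code and not taken from any cryware sample. It carries approximate regexes for three address families and for the shape of a seed phrase, a simulated clipboard hook that swaps a matched address for an attacker-controlled one, the same regexes run over a constructed process-dump string, and a defender-side check that catches the swap. Every address, the sample dump and the regexes themselves are assumptions made for the example; the regexes are shape checks only and would need tightening (and checksum validation) before being used for detection.

```python
import re
from typing import Dict, List, Optional

# Address-shape patterns a cryware uses to spot wallet material. These regexes
# are this example's own approximations (an assumption), not those of any real
# malware family or of the Microsoft report.
WALLET_PATTERNS: Dict[str, re.Pattern] = {
    # Bitcoin legacy P2PKH ("1...") and P2SH ("3...") addresses, base58 alphabet
    "btc_base58": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # Bitcoin bech32 / SegWit addresses ("bc1...")
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    # Ethereum addresses: "0x" followed by 40 hex digits
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}
# A run of 12 to 24 lowercase words: the shape of a BIP39 seed phrase.
SEED_PHRASE = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

# Attacker-controlled destination per address family. Placeholders constructed
# for this example: shaped to pass the regexes above, not real wallets.
ATTACKER_ADDRESSES: Dict[str, str] = {
    "btc_base58": "1AttackerAddrDemoNotRea1Kq7Wm8ZpY3",
    "btc_bech32": "bc1qattackerswapdest" + "x" * 22,
    "eth": "0xbadc0ffeebadc0ffeebadc0ffeebadc0ffeebadc",
}


def classify_address(text: str) -> Optional[str]:
    """Return which wallet family the whole string looks like, or None."""
    candidate = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None


def clip_and_switch(clipboard_text: str) -> str:
    """Simulated attacker clipboard hook: swap a wallet address for the attacker's
    address of the same family, and leave any other clipboard content untouched
    so the victim notices nothing until the funds are gone."""
    family = classify_address(clipboard_text)
    if family is None:
        return clipboard_text
    return ATTACKER_ADDRESSES[family]


def find_wallet_material(blob: str) -> Dict[str, List[str]]:
    """What the same regexes yield when run over a memory dump, keystroke log or
    wallet application storage file instead of the clipboard."""
    found = {family: pattern.findall(blob) for family, pattern in WALLET_PATTERNS.items()}
    found["seed_phrase"] = SEED_PHRASE.findall(blob)
    return found


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defender-side check: the address that lands in the transaction form must be
    byte-for-byte the one the user copied. Any difference means the clipboard was
    rewritten between copy and paste."""
    return copied.strip() != pasted.strip()


# Constructed sample of what a dumped wallet process might contain (not real data;
# the seed words are simply the first twelve BIP39 words, not a valid phrase).
SAMPLE_DUMP = (
    "log=ok user=alice\n"
    "seed: abandon ability able about above absent absorb abstract absurd abuse access accident\n"
    "btc=3VictimAddrDemoNotRea1Kq7Wm8ZpY3xx eth=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\n"
    "segwit=bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4\n"
)

if __name__ == "__main__":
    victim_eth = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
    pasted = clip_and_switch(victim_eth)
    print("pasted:", pasted, "tampered:", paste_is_tampered(victim_eth, pasted))
    print(find_wallet_material(SAMPLE_DUMP))
```

The swap only fires when the whole clipboard content looks like an address, which is why the technique survives so long unnoticed: ordinary copy and paste is never disturbed. The `paste_is_tampered` comparison is the cheap control a wallet front end, or a careful user, can apply before confirming a transaction.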
iPhone Chip Low-Power Mode (LPM) Security Issue
A security issue has been identified in the chips inside Apple's iPhones. When the device is powered off, the iPhone's Bluetooth chip continues to run in Low-Power Mode (LPM), which is distinct from the "Low Power Mode" battery-saving setting of a running device. The risk was discovered by researchers at Germany's Technical University of Darmstadt. As the findings were described: "It turns out that the iPhone's Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs." LPM allows the "[c]hips responsible for near-field communication, ultra-wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off." The exploitation the researchers demonstrated relied on a jailbroken iPhone, which limits its real-world applicability, but the risk remains for an attacker who can already compromise a device and load firmware onto a chip that keeps running after the phone is switched off. The issue is not easily fixed: "Since LPM support is based on the iPhone's hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues." The researchers presented their findings to Apple, which had not commented or followed up at the time of writing.
Chaos Ransomware Aligns with Russia
Among the notable ransomware groups taking Russia's side in the Ukraine conflict, Chaos appears to have joined the list, as identified by Fortinet. The indication is the message Chaos displays once encryption completes, which disparages the Ukrainian government. The arrival vector was not determined but most likely was an email or a forum post the user browsed. The Chaos build appears to be new, with a compile date of May 16th, 2022. Fortinet classifies the variant it investigated as a potential file destroyer: the attackers did not provide any means of recovering the affected files, and the malware deleted shadow copies from impacted workstations.
Twisted Panda Campaign Targets Russian Defense Institutions
Industry: N/A | Level: Tactical | Source: Check Point
An espionage campaign attributed to the Chinese APT groups APT10 (aka Stone Panda) and Mustang Panda has been investigated by Check Point; it has targeted Russian defense entities since June 2021, with recent activity observed in April 2022. The campaign is named Twisted Panda after the attributed threat actors. The targeted Russian entities belong to the state-owned defense conglomerate Rostec Corporation and specialize in radio-electronics along with the research, design and manufacture of warfare systems. The campaign is delivered by phishing emails carrying malicious documents whose themes relate to events in the Russia and Ukraine conflict. The malicious document loads an external template (a .DOTM file) whose macro code downloads two DLL files and an INIT file. The dropped DLLs run shellcode from the INIT file and establish persistence with a scheduled task. The infection culminates in the SPINNER backdoor, started from a remote thread injected into msiexec.exe. The backdoor can collect system information, exfiltrate files, download additional payloads and run OS commands.
Unraveling Wizard Spider's Operations
Industry: N/A | Level: Tactical | Source: The Hacker News
Intelligence collected by PRODAFT reveals the organizational structure and goals of the cybercriminal group Wizard Spider. The group's financial success funds its research and development, and maintaining an effective toolset is a priority. The PRODAFT team discovered a hash-cracking system capable of recovering "LM:NTLM hashes, cached domain credentials, Kerberos 5 TGS-REP/AS-REP tickets, KeePass files, MS Office 2013 files, and other types of common hashes." It also reviewed a cold-calling system used to pressure unresponsive victims into paying the ransom. Wizard Spider's primary method of initial access is spam email delivering Qakbot or proxy malware such as SystemBC; the group has also been seen using an exploit kit that incorporates the Log4Shell vulnerability. Once inside a network, the group performs reconnaissance to identify high-value targets, deploys Cobalt Strike to assist with lateral movement, and prioritizes obtaining domain admin privileges so it can deploy Conti ransomware. Tools observed in use include numerous PowerShell scripts, Rubeus, SecretsDump, AdFind, Mimikatz, FileZilla, and Rclone.
Conti & Its Subsidiary Group BlackByte
Industry: N/A | Level: Tactical | Source: AdvIntel
AdvIntel's extensive research into the Conti ransomware group examines its subsidiary BlackByte, which, along with the data-extortion group Karakurt, supports Conti's operations. The relationship between Conti and BlackByte came under scrutiny after reports of the February 13th, 2022 data breach of the NFL's San Francisco 49ers. Security news outlets pointed to BlackByte as the perpetrator; AdvIntel's investigation found instead that BlackByte was used "as a shell group to process the breach," with Conti the true culprit. The intrusion into the 49ers' network had begun on December 14th, 2021, when AdvIntel identified a set of Cobalt Strike commands targeting the team's network. In AdvIntel's words, "the Conti team who began the operation against 49ers on December 14 were able to compromise the victim's primary domain and get access to the local shares and core network segments for several departments, including the team's finance and accounting sectors." The BlackByte-Conti alliance points to a larger trend in the threat landscape of "sub-divisions": groups created specifically to carry out data exfiltration and extortion without the need for encryption. AdvIntel has also identified Conti alliances with other ransomware groups, including HelloKitty/FiveHands, Babuk, Hive, BlackCat/ALPHV, and AvosLocker. On the future of ransomware groups, AdvIntel theorizes: "As groups grow in size and scope, they will begin to spawn business derivatives to handle some of their smaller operations in return for assistance and resources. This, in turn, will allow those subgroups to grow independently of the larger group, before extenuating circumstances, such as sanctions, struggles for power, or impending dissolution of the parent collective eventually led them to split off and become their own threat entity." The detection techniques AdvIntel highlights for BlackByte center on Rclone, Cobalt Strike, Metasploit, and PowerShell commands.
Cisco Talos & BlackByte Ransomware Group
Industry: N/A | Level: Tactical | Source: Cisco Talos
Cisco Talos reports on activity associated with the BlackByte ransomware group. The group has hit victims worldwide, including in North America, Colombia, the Netherlands, China, Mexico, and Vietnam. Initial access has typically come from exploiting vulnerable public-facing services, such as Microsoft Exchange servers exposed to ProxyShell or SonicWall VPN appliances. Cisco Talos documented an intrusion that took place in March 2022. The infection starts with a BAT script that runs and installs AnyDesk. A few hours later a new account is created for persistence, and after another dormant period of a few hours the attackers tamper with system services, modify the registry, and create firewall rules before finally deploying the BlackByte ransomware. From the first BAT script to encryption, the intrusion took 17 hours. Across BlackByte attacks, Talos notes a consistent preference for AnyDesk along with living-off-the-land binaries (LOLBins).
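The two BlackByte items above (AdvIntel's detection emphasis on Rclone, Cobalt Strike, Metasploit and PowerShell, and the Talos timeline of a BAT script, AnyDesk, account creation, service and registry tampering and firewall rules spread over about 17 hours) describe tradecraft that no single event flags convincingly but that stacks up per host. As an added example, not code from Cisco Talos, AdvIntel or the original page, here is a small Python sequence detector run over constructed process-creation and service-install events: each event is tagged with a stage, and a host raises an alert when it accumulates at least four distinct stages inside a 24-hour window. The log lines, host names, stage regexes and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample telemetry for this example (not real logs). One event per
# line: ISO timestamp | host | event source | command line or message.
SAMPLE_LOG = r"""
2022-03-10T08:02:11|WS-FIN-07|ProcessCreate|cmd.exe /c C:\Users\Public\run.bat
2022-03-10T08:02:15|WS-FIN-07|ServiceInstall|AnyDesk Service
2022-03-10T11:40:02|WS-FIN-07|ProcessCreate|net user svc_backup P@ssw0rd! /add
2022-03-10T11:40:05|WS-FIN-07|ProcessCreate|net localgroup administrators svc_backup /add
2022-03-10T15:12:40|WS-FIN-07|ProcessCreate|sc config WinDefend start= disabled
2022-03-10T15:13:01|WS-FIN-07|ProcessCreate|reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2022-03-10T15:13:20|WS-FIN-07|ProcessCreate|netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389
2022-03-11T01:05:44|WS-FIN-07|ProcessCreate|powershell.exe -nop -w hidden -enc SQBFAFgA
2022-03-10T09:30:00|WS-IT-02|ServiceInstall|AnyDesk Service
2022-03-10T09:31:00|WS-IT-02|ProcessCreate|notepad.exe
"""

# Intrusion stages drawn from the two write-ups; each regex is applied to the
# lower-cased "source|message" text. Patterns are illustrative assumptions.
STAGES: List[Tuple[str, re.Pattern]] = [
    ("script_launch",  re.compile(r"cmd\.exe .*\.bat\b")),
    ("remote_access",  re.compile(r"anydesk")),
    ("account_create", re.compile(r"net user \S+ \S+ /add")),
    ("service_tamper", re.compile(r"\bsc(\.exe)? (config|stop|delete)\b")),
    ("registry_mod",   re.compile(r"\breg(\.exe)? add\b")),
    ("firewall_rule",  re.compile(r"netsh advfirewall firewall add rule")),
    ("encoded_ps",     re.compile(r"powershell(\.exe)? .*(-enc|-encodedcommand)\b")),
    ("exfil_tool",     re.compile(r"\brclone\b")),
]


@dataclass(frozen=True)
class Alert:
    host: str
    first_seen: datetime
    last_seen: datetime
    stages: Tuple[str, ...]  # distinct stages in order of first appearance

    @property
    def span_hours(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds() / 3600


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Split the pipe-delimited sample into (timestamp, host, searchable text)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, f"{source}|{message}".lower()))
    return events


def tag_stages(events: List[Tuple[datetime, str, str]]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Per host, the time-ordered list of (timestamp, stage) hits."""
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, text in events:
        for stage, pattern in STAGES:
            if pattern.search(text):
                hits[host].append((ts, stage))
    for host in hits:
        hits[host].sort()
    return hits


def detect(text: str, window: timedelta = timedelta(hours=24), min_stages: int = 4) -> List[Alert]:
    """Slide a window from each stage hit; alert once a host shows enough
    distinct stages inside it. One alert per host is enough for triage."""
    alerts: List[Alert] = []
    for host, hit_list in tag_stages(parse_log(text)).items():
        for i, (start, _) in enumerate(hit_list):
            in_window = [(t, s) for t, s in hit_list[i:] if t - start <= window]
            distinct = tuple(dict.fromkeys(s for _, s in in_window))
            if len(distinct) >= min_stages:
                alerts.append(Alert(host, start, in_window[-1][0], distinct))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.host}: {len(alert.stages)} stages over {alert.span_hours:.1f} h -> {alert.stages}")
```

The 24-hour window is wide on purpose: the Talos intrusion paused for hours between steps, so a per-event or short-window rule sees only isolated, individually explainable actions (an administrator installing AnyDesk, as the WS-IT-02 host shows, raises nothing). Tune the stage list and the threshold against your own telemetry before relying on it.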
IceApple Post-Exploitation Toolset
An Internet Information Services (IIS) post-exploitation framework named IceApple was discovered by the CrowdStrike Falcon OverWatch team in late 2021. IceApple has mainly been observed on Microsoft Exchange servers, but the threat applies to any IIS web application. The toolset has been deployed across multiple verticals, including academia, government, and technology, at organizations in "geographically distinct locations." The framework runs in memory, with at least 18 modules identified so far, and appears to be under active development. IceApple keeps a low forensic footprint, consistent with long-term espionage, and this style of operation could align with a Chinese state-sponsored actor. How the tool was used varied with the threat actor's progress in a victim's network; as CrowdStrike states, "IceApple was observed being rapidly deployed to multiple hosts to facilitate credential harvesting from local and remote host registries, credential logging on OWA servers, reconnaissance, and data exfiltration. OverWatch then observed adversaries returning to networks daily to continue their activity." Once a reliable foothold was established, attackers would return 10 to 14 days later to confirm access was still available. The recommended defense against IceApple is to keep web applications updated and patched.
Increased Threats to Managed Service Providers
A warning has been issued to managed service providers (MSPs) by the Five Eyes, the intelligence alliance of the United States, United Kingdom, Australia, Canada, and New Zealand. As the advisory states, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP's customer base." The agencies have not named specific targets, only noting reports of increased malicious activity against MSPs. Their recommendations urge hardening defenses: securing public-facing applications, enabling and improving logging, implementing MFA, segmenting networks, applying the principle of least privilege, deprecating obsolete accounts and systems, keeping systems updated, and taking regular backups of data.