Conti Shuts Down
AdvIntel, the intelligence firm well known for tracking Conti activity, has observed the shutdown of Conti's ransomware operations: critical ransom features have been removed from the infamous Conti News blog.
Red Canary has published details of Gootloader, which it tracks separately from the Gootkit malware. Red Canary lays out the infection chain; the malware appears regularly in the firm's monthly intelligence insights and its 2021 Threat Detection Report, indicating its popularity among cybercriminals.
Cybereason has analyzed Quantum ransomware, the latest rebrand of a lineage that began with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021).
Operation CuckooBees
Cybereason conducted a 12-month investigation, named Operation CuckooBees, into a sophisticated global cyber espionage campaign stealing intellectual property. The campaign is attributed to the Chinese state-sponsored APT group Winnti. Industries impacted include aerospace, biotechnology, defense, energy, and pharmaceuticals, with victims in North America, Europe, and Asia. Cybereason notes that many of the affected companies never disclosed a breach, and evidence points to a longer campaign reaching back to at least 2019. The business impact of intellectual property theft is not as immediate as that of ransomware, DDoS, and similar threats; the market and financial damage plays out over years. Investment in research and development (R&D) cannot be recouped, and competing becomes harder when a company is effectively competing against its own product. The compromises are traced to common weaknesses: "unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts, and a lack of multi-factor authentication." A representative of the Chinese Embassy denied Chinese involvement in cyberattacks, a denial that carries little weight coming from a nation-state actor.
After 157 years of academic service in Illinois, the liberal-arts school Lincoln College will cease operations and close after the spring semester, on May 13th, 2022.
German Automotive Sector Targeted with Info-Stealer Campaign
Industry: Automotive | Level: Tactical | Source: Check Point
A threat operation discovered by Check Point used information-stealing malware against 14 German organizations, primarily in the automotive industry, including dealerships and manufacturers. The campaign was traced back to at least July 2021. The attackers disguised themselves as German automotive businesses, registering look-alike domains to send emails and host malware. The phishing email carries an ISO file containing an HTA; the ISO is used because files extracted from a mounted image do not carry the NTFS Mark-of-the-Web (MOTW) zone identifier, so the usual download warnings and trust controls are bypassed. Opening the HTA launches mshta.exe, which runs embedded VBScript or PowerShell to download additional payloads or modify the registry. Delivered payloads include Raccoon, AZORult, and BitRAT, which steal personal and credit card information. Attribution remains unclear: hosting infrastructure was identified in Iran, but that alone is not definitive evidence. The attackers' exact motives are also undetermined; despite the theft of personal and financial information, a larger espionage or business fraud play is possible.
Bitter APT Targets Bangladesh
Industry: N/A | Level: Tactical | Source: Cisco Talos
Cisco Talos found activity from the Bitter APT group targeting the Bangladesh government dating back to August 2021. Historically the group has targeted Asian entities in China, Pakistan, and Saudi Arabia, so the shift to Bangladesh is new. The campaign begins with spear-phishing emails, sent through Zimbra and JavaMail, that masquerade as "regular operational tasks" and carry a malicious Office document: Word documents abuse Microsoft vulnerabilities such as Equation Editor (CVE-2017-11882), while weaponized Excel documents contain an embedded object that configures a scheduled task. Once initial access is obtained, the actor deploys a trojan named "ZxxZ" by Cisco Talos, which disguises itself as a Windows Security update and provides capabilities such as remote code execution. It performs system information discovery and checks for defensive tools such as Windows Defender and other known antivirus software. The group's main objective is cyber espionage.
Phishing with World Health Organization Themes
Industry: N/A | Level: Tactical | Source: Proofpoint
Research from Proofpoint has identified distribution of the Nerbian remote access trojan (RAT) through phishing emails using COVID-19 and World Health Organization themes. The campaign started on April 26th, 2022, with emails targeting entities in Italy, Spain, and the United Kingdom. The emails carry either a malicious document or a compressed archive containing one. When the embedded macro executes, cmd.exe calls PowerShell to download a BAT file; the BAT file launches PowerShell again to download additional payloads, including the RAT. The RAT establishes persistence and can download further payloads as needed. There is currently no attribution for Nerbian RAT.
Ursnif Phishing Campaigns
Industry: Financial, Government | Level: Tactical | Source: Qualys
Qualys has published an analysis of the Ursnif banking malware. The information stealer, which can steal credentials, log keystrokes, and download additional payloads, has been a prevalent threat since 2020. Ursnif is predominantly distributed through phishing emails targeting verticals in banking, financial services, and government. In the latest wave of phishing campaigns, attackers leverage current events and impersonate government authorities to lure victims. The email attachment is either an Excel document or a zip archive; the two infection chains differ slightly but end in the same place. In the Excel scenario, execution of the macro downloads a binary that spoofs its parent process ID to appear as a child of explorer.exe, evading parent-child process detections. In the zip scenario, the archive contains an HTA file that, when opened, launches PowerShell to download a DLL that is then executed with rundll32.
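The campaigns above (the German automotive ISO/HTA lure, Bitter's Excel-to-scheduled-task object, the Nerbian macro chain, and the Ursnif HTA-to-rundll32 chain) all leave a distinctive parent/child process lineage. The following is an added example, not code from any of the cited vendors: a small lineage-based detector run over constructed Sysmon-style process-creation events. The rule names, the event field layout and the sample events are this example's own assumptions.

```python
"""Parent/child process-chain detection over constructed Sysmon-style process
creation events. The rules encode the infection chains described above (ISO/HTA
-> mshta -> PowerShell, Office macro -> cmd -> PowerShell, Office -> schtasks,
HTA -> PowerShell -> rundll32). Rule names, fields and sample events are this
example's own assumptions, not a vendor rule set."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path or bare name, any case; normalised by basename()
    cmdline: str


# Each rule is an ordered chain of "allowed image names", oldest ancestor first.
# A rule fires on the event whose lineage ends with that chain.
RULES: Dict[str, Tuple[Tuple[str, ...], ...]] = {
    "mshta_powershell":          (("mshta.exe",), ("powershell.exe",)),
    "office_cmd_powershell":     (("winword.exe", "excel.exe"), ("cmd.exe",), ("powershell.exe",)),
    "office_schtasks":           (("winword.exe", "excel.exe"), ("schtasks.exe",)),
    "mshta_powershell_rundll32": (("mshta.exe",), ("powershell.exe",), ("rundll32.exe",)),
}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('C:\\x\\MSHTA.EXE' -> 'mshta.exe')."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 16) -> List[str]:
    """Image names from the oldest resolvable ancestor down to ev itself.
    Walking stops at a PPID with no recorded event (log gap, parent already gone)
    or on a PID cycle, so a broken tree never loops."""
    names = [basename(ev.image)]
    seen = {ev.pid}
    cur = ev
    while len(names) < max_depth:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        names.append(basename(parent.image))
        seen.add(parent.pid)
        cur = parent
    names.reverse()
    return names


def ends_with_chain(names: List[str], chain: Tuple[Tuple[str, ...], ...]) -> bool:
    if len(names) < len(chain):
        return False
    tail = names[-len(chain):]
    return all(name in allowed for name, allowed in zip(tail, chain))


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, 'a -> b -> c') for every event whose lineage ends with a rule chain."""
    by_pid = {e.pid: e for e in events}   # last writer wins on PID reuse; fine for a demo
    hits = []
    for ev in events:
        names = lineage(ev, by_pid)
        for rule, chain in RULES.items():
            if ends_with_chain(names, chain):
                hits.append((rule, ev.pid, " -> ".join(names)))
    return hits


# Constructed sample telemetry (not real logs): one tree per campaign plus two decoys.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # German automotive campaign: HTA inside a mounted ISO -> mshta -> PowerShell
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "E:\Rechnung.hta"'),
    ProcEvent(201, 200, PS, "powershell -w hidden -enc ..."),
    # Nerbian RAT: Word macro -> cmd -> PowerShell (fetches BAT) -> cmd -> PowerShell
    ProcEvent(300, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n notice.doc"),
    ProcEvent(301, 300, r"C:\Windows\System32\cmd.exe", "cmd /c powershell ..."),
    ProcEvent(302, 301, PS, "powershell -c iwr ..."),
    ProcEvent(303, 302, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\Public\update.bat"),
    ProcEvent(304, 303, PS, "powershell ..."),
    # Bitter APT: weaponised Excel embedded object -> scheduled task (assumed direct spawn)
    ProcEvent(340, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE tasks.xlsx"),
    ProcEvent(341, 340, r"C:\Windows\System32\schtasks.exe", "schtasks /create /sc minute ..."),
    # Ursnif zip attachment: HTA -> PowerShell -> rundll32 <dll>
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\u\Downloads\invoice.hta"'),
    ProcEvent(401, 400, PS, "powershell ..."),
    ProcEvent(402, 401, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\x.dll,DllRegisterServer"),
    # Decoys: an admin console, and the Ursnif Excel-path binary with a spoofed parent (explorer.exe)
    ProcEvent(500, 100, PS, "powershell.exe"),
    ProcEvent(600, 100, r"C:\Users\u\AppData\Local\Temp\svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:28} pid={pid:<4} {chain}")
```

Note the decoy at pid 600: because the Ursnif Excel-path binary spoofs its parent to explorer.exe, no lineage rule can see the Excel macro that really launched it. That is the caveat these chains carry in practice; pair parent-child rules with the events the spoofing cannot hide (the macro's network fetch, the dropped binary in a user-writable path).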
Linux Backdoor, BPFDoor
Industry: Education, Government, Logistics, Telecommunications | Level: Tactical | Source: Sandfly Security
BPFDoor, an evasive Linux backdoor attributed to the Chinese threat actor Red Menshen, has been researched by Kevin Beaumont, PricewaterhouseCoopers (PwC), and the Sandfly Security team. Its stealth makes it well suited to espionage and long-term persistent access. BPFDoor attaches a Berkeley Packet Filter (BPF) to a raw socket, sniffing network traffic and sending packets of its own. Because the filter sees packets at the packet layer, before the host firewall processes them, the backdoor is unhindered by firewall rules and needs no open listening port. Once on the host, the malware requires root to execute and runs as an in-memory implant; persistence is set up with scripts or a crontab entry. Control is established when a crafted packet arrives: "Upon receiving a special packet, it will modify the local firewall to allow the attacker IP address to access resources such as a spawned shell or connect back bindshell." The trigger packet is authenticated with a "magic" password, as identified by Kevin Beaumont. Red Menshen's targets are organizations in the education, government, logistics, and telecommunications verticals, located in Asia and the Middle East.
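A backdoor that sniffs with a BPF filter has to hold an AF_PACKET raw socket, and a root, memory-resident implant tends to leave its executable unlinked from disk. The following is an added example, not code from Sandfly, PwC or Kevin Beaumont: a hunt that joins the kernel's packet-socket table (/proc/net/packet) against each process's open file descriptors and flags raw-socket holders that are unlinked, outside an allowlist, or whose argv[0] disguises the real executable. The /proc text, process list, allowlist and the disguised daemon name are constructed for this example.

```python
"""Offline hunt for processes holding AF_PACKET raw sockets, the socket type a
BPF-filter sniffer needs, by joining /proc/net/packet against /proc/<pid>/fd.
The sample table and process list are constructed; collect_live() reads the
same inputs from a real host (run as root, or other users' fd tables are unreadable)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SOCK_RAW, SOCK_DGRAM = 3, 2            # 'Type' column of /proc/net/packet
ETH_P_ALL, ETH_P_IP = 0x0003, 0x0800   # typical 'Proto' values bound by sniffers

# Binaries expected to hold raw packet sockets on these hosts (assumed allowlist; tune per fleet).
KNOWN_SNIFFERS = {"/usr/sbin/tcpdump", "/usr/sbin/dhclient", "/usr/sbin/dhcpcd"}


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    uid: int


@dataclass
class Proc:
    pid: int
    exe: str                  # readlink(/proc/<pid>/exe); ends with ' (deleted)' if the file is gone
    cmdline: str              # /proc/<pid>/cmdline, NUL-separated argv
    socket_inodes: List[int]  # inodes from socket:[N] links in /proc/<pid>/fd


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the kernel's packet-socket table: header row, then one socket per line
    (sk RefCnt Type Proto Iface R Rmem User Inode)."""
    out = []
    for line in text.splitlines()[1:]:
        c = line.split()
        if len(c) < 9:
            continue
        out.append(PacketSocket(inode=int(c[8]), sock_type=int(c[2]), proto=int(c[3], 16), uid=int(c[7])))
    return out


def hunt(socks: List[PacketSocket], procs: List[Proc]) -> List[Dict]:
    """One finding per process that owns a SOCK_RAW packet socket and looks wrong."""
    raw_by_inode = {s.inode: s for s in socks if s.sock_type == SOCK_RAW}
    findings = []
    for p in procs:
        held = [raw_by_inode[i] for i in p.socket_inodes if i in raw_by_inode]
        if not held:
            continue
        deleted = p.exe.endswith(" (deleted)")
        exe_path = p.exe[: -len(" (deleted)")] if deleted else p.exe
        argv0 = p.cmdline.split("\0", 1)[0]
        reasons = []
        if exe_path not in KNOWN_SNIFFERS:
            reasons.append("raw packet socket held by a binary outside the allowlist")
        if deleted:
            reasons.append("executable unlinked from disk (memory-resident implant)")
        if os.path.basename(argv0) != os.path.basename(exe_path):
            reasons.append(f"argv[0] {argv0!r} disguises exe {exe_path!r}")
        if reasons:
            findings.append({"pid": p.pid, "exe": p.exe,
                             "protos": [hex(s.proto) for s in held], "reasons": reasons})
    return findings


def collect_live() -> Tuple[List[PacketSocket], List[Proc]]:
    """Gather the same inputs from the running Linux host."""
    with open("/proc/net/packet") as f:
        socks = parse_proc_net_packet(f.read())
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")   # OSError for kernel threads or no permission
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            inodes = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.append(int(m.group(1)))
        except OSError:
            continue
        procs.append(Proc(int(pid), exe, cmdline, inodes))
    return socks, procs


# Constructed sample: a legitimate tcpdump, a DHCP-style SOCK_DGRAM user (ignored), and a
# memory-only raw-socket holder whose argv[0] claims to be a system daemon.
SAMPLE_PACKET_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0000000001 3      3    0003   2     1 0      0      31001
ffff9a0000000002 3      3    0800   0     1 0      0      31002
ffff9a0000000003 3      2    0003   2     1 0      0      31003
"""
SAMPLE_PROCS = [
    Proc(1234, "/usr/sbin/tcpdump", "tcpdump\0-i\0eth0\0", [31001, 5]),
    Proc(777, "/usr/sbin/dhclient", "/usr/sbin/dhclient\0eth0\0", [31003]),
    Proc(4321, "/dev/shm/.x (deleted)", "/usr/sbin/sshd: [accepted]\0", [31002, 9]),
]

if __name__ == "__main__":
    for finding in hunt(parse_proc_net_packet(SAMPLE_PACKET_TABLE), SAMPLE_PROCS):
        print(finding)
```

On a live host, `hunt(*collect_live())` runs the same logic for real; `ss -0pb` (packet sockets with their BPF filter bytecode, root only) is a useful cross-check on any process this flags. The allowlist is the weak point: a capable implant can name itself after a permitted sniffer, so the unlinked-executable and argv[0]-mismatch checks are the ones to trust first.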
AGCO, Farming and Equipment Maker Hit by Ransomware
A ransomware attack impacted AGCO, an agricultural equipment manufacturer and distributor, on May 5th, 2022. AGCO stated that it expects operations to be impacted for "several days and potentially longer to fully resume all services depending upon how quickly the Company is able to repair its systems." No details were given regarding the ransomware strain involved.
National Emergency Declared in Costa Rica
Following cyber-attacks by the Conti ransomware group on multiple Costa Rican government agencies, Costa Rican President Rodrigo Chaves declared a national emergency on May 8th, 2022. News outlet Amelia Rueda quoted the president: "The attack that Costa Rica is suffering from cybercriminals, cyberterrorists is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts." BleepingComputer sized the impact at a 672 GB data dump associated with Costa Rican government agencies; according to the group's leak site, 97% of the stolen data has been published. An initial review of the posted data indicates source code and SQL database content. A message from Conti on the leak site names "UNC1756" as the actor responsible. The actor's objective is financial gain, and it has warned of more attacks: "I will definitely carry out attacks of a more serious form."
New REvil Malware
Following reports of a potential return via a new Tor site on April 20th, 2022, by security researchers and BleepingComputer, and a sighting of new malware, REvil's return now appears confirmed. The new REvil encryptor was identified by Avast researcher Jakub Kroustek, and a review of its code shows it was compiled from the original source code with new modifications. Advanced Intel CEO Vitali Kremez found that the sample was compiled on April 26th, 2022, and that its version value has been incremented to 2.08, continuing the numbering in use when REvil supposedly shut down.