Weekly Intelligence Report – 31 Jul 2022

Threat Actor in Focus – A Potential APT37 Campaign

Suspected Threat Actors: Group123 (Konni APT37), Potential Correlation to Fancy Bear (APT28)

• Attack Type: Phishing, Malware Implant, Persistence, Potential Data Exfiltration
• Objective: Data Theft
• Target Technology: Email, Microsoft Windows
• Target Geography: Czech Republic, Poland, and Others
• Business Impact: Data Loss, Financial Loss

Summary:

Researchers have recently disclosed details on a new attack campaign attacking high-value targets in the Czech Republic, Poland, and other countries. The ongoing campaign tracked as STIFF#BIZON by researchers has been linked to North Korea APT group Konni aka APT37 based on some of the artifacts and tradecraft. According to researchers, the trivial initial infection starts with phishing emails that entice victims to open a malicious document that has the Konni-based malware embedded into a document as a compressed file attachment. The archive contains files “missile.docx” and “_weapons.doc.lnk” that when opened start the infection chain and lead to a modified version of Konni malware being used.

Insights:

• The current activity has been attributed to APT37, however, researchers state they are “not 100% certain” due to the dynamic nature of the artifacts and the shared opsec, tradecraft, and malware variants observed. In addition, researchers also found a direct correlation between IP addresses, hosting providers, and hostnames between this activity and historical data previously observed attributed to Fancy Bear aka APT28.
• While the TTPs are leaning towards APT37, Russia and APT28, have a lot more geo-political motivation to target Central European countries like the Czech Republic and Poland.
• As the STIFF#BIZON is ongoing and researchers continue to track this activity, it is important to make note of a common practice observed among nation-state-sponsored attacks where an APT group may try to mimic the TTPs of another group to mislead researchers. Hence there remains a possibility of false positive attribution.

Major Geopolitical Developments in Cybersecurity – Cyberwar Between Iran And Israel Intensified

The cyber conflict between Iran and Israel has grown increasingly in the past couple of years. Israel has traditionally been sticking to ambiguous responses, which might change as Iran also broke the silence and discussed some of the incidents publicly.

Experts suggest the following reasons for the cyber conflict between the two countries going public:

Cyber-actions are becoming less covert

Both nations have been engaged in offensive covert cyber-operations, although neither took credit publicly. The discovery of Stuxnet malware was the first public evidence to be used as a cyberweapon against Iran. There have been multiple other alleged cyberattacks and incidents between the two countries giving it global attention.

A recent comment about Israel’s strategy toward Iran from Israeli Prime Minister Naftali Bennett landed the long-running conflict in the spotlight.

The reason for going public

Experts argue that giving up on the advantages of covertness and choosing to disclose the detail to the public allows victims of a cyberattack to respond in a variety of ways. This includes complete silence, attribution, and assigning blame. For example, Israel chooses to publicize the cyberattack on its “water command and control systems.”

This strategy not only allowed them to set the public narrative but also avoid any further humiliation in case Iran or any third party claimed credit for the attack. It also helped Israel minimize the risk of escalation by not directly blaming Iran, despite media reports doing so.

Cybercriminals Leverage Messaging Apps in Their Malware Campaigns

• Attack Type: Data Exfiltration, Malware Implants
• Objective: Data Theft, Payload Delivery
• Target Industry: Unknown
• Target Technology: Instant Messaging Platforms (Telegram, Discord)
• Target Geography: Global
• Business Impact: Data Loss, Financial Loss,

Summary:

Researchers have recently observed several different methods that cybercriminals are leveraging to spread malware by utilizing messaging platforms like Telegram and Discord. They have figured out ways to use these platforms to host, distribute, or execute various functions that eventually lead to data from unsuspecting users. There are several info stealers freely available in the wild that rely on Discord or Telegram for their functionality.

One such Info stealer malware known as Blitzed Grabber leverages Discord’s webhooks feature to store data exfiltrated through the malware. This malware is capable of pillaging a host of information including autofill data, bookmarks, browser cookies, credentials from virtual private network (VPN) clients, payment card information, cryptocurrency wallets, OS information, passwords, and Windows products keys. Several of this malware including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials of gaming platforms Minecraft and Roblox.

Another Telegram-focused malware known as X-files – whose functionally are accessible via bot commands inside Telegram – can siphon various user details and direct them to the Telegram Channel of their choosing.

Researchers observed that attackers are abusing the cloud infrastructure of these apps to facilitate their malware campaign. Many of these attackers are hosting the malware payload on Discord’s content delivery network (CDN) and seemingly remain unrestricted when hosting such malicious payloads. Below are the malware families observed by researchers whose payloads were hosted by Discord CDN:

• PrivateLoader
• Discoloader
• Colibri
• Warzone RAT
• Modi stealer
• Raccoon stealer
• Smokeloader
• Amadey
• Agent Tesla stealer
• GuLoader
• Autohotkey
• njRAT

Insights:

• Beyond just sending messages to recipients these messaging applications are feature-rich which has yielded immense popularity for apps like Telegram and Discord in recent times, including among cyber criminals. Its underlying elements allow its users to create and share programs that can be used inside the platform. Commonly referred to as ‘Bots’, these programs allow users to perform automated tasks among other various actions. Such a type of automation offering provides a low barrier to entry for attackers.
• While these apps are geared toward the general public as a whole and are not used in business operations, their increasing popularity and current remote work culture together provide an opportunity to attackers and a wider attack surface.

Vulnerabilities and Exploits – SonicWall critical SQL injection Bug

• Attack Type: Vulnerabilities & Exploits, SQL Injection
• Target Technology: SonicWall Global Management System (GMS) and SonicWall Analytics On-Prem
• Vulnerability: CVE-2022-22280 (CVSS Base Score: 9.4)
• Vulnerability Type: SQL Injection

Summary:

SonicWall has recently issued a public security notice about a critical SQL injection vulnerability that affects SonicWall GMS and Analytics On-Prem. SonicWall is urging customers to update to patched versions. Specifically, customers using Analytics 2.5.0.3-2520 or earlier and/or GMS 9.3.1-SP2-Hotfix1 or earlier are advised to apply patches Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2, respectively. Both the affected products do not have any workarounds.

Insights:

• Researchers assess that the vulnerability can cause high damage and has low attack complexity. Meaning, that any amateur malicious actor with a little know-how of SQL injection bugs, cloud be able to successfully exploit this vulnerability. The vulnerability also does not require any user interaction or authentication.
• As per the security notice issued by SonicWall, they are unaware of the exploitation of this in the wild. There have been no reports of public proof of concept (POC) exploits as well.