<h2>Threat Actor in Focus – Andariel Deploys DTrack and Maui Ransomware</h2>
<strong>Suspected Threat Actors:</strong> Andariel (Lazarus Group, Silent Chollima, Stonefly)
<ul>
<li><strong>Attack Type:</strong> Malware Implant, Data Exfiltration, Ransomware, Vulnerabilities & Exploits</li>
<li><strong>Objective:</strong> Financial Gains, Data Theft, Payload Delivery</li>
<li><strong>Target Technology:</strong> Windows, Oracle WebLogic Server</li>
<li><strong>Targeted Industry:</strong> Multiple</li>
<li><strong>Target Geography:</strong> Global</li>
<li><strong>Business Impact:</strong> Data Loss, Financial Loss</li>
</ul>
<strong>Summary:</strong>
CISA’s alert on July 7, 2022, detailed Andrariel, a North Korean state-sponsored threat actor’s use of Maui ransomware to target healthcare organizations. Researchers, in a report, confirmed and attributed findings related to the Maui ransomware incident in 2022. While CISA had not included specific details attributing the ransomware to the North Korean actor, researchers have determined the following:
<ul>
<li>Threat actors deployed a well-known DTrack malware on the target before deploying Maui ransomware; and</li>
<li>they have used the 3proxy tool a couple of months earlier.</li>
</ul>
Based on the above points and other details in their report, researchers have attributed this campaign to the Korean-speaking APT threat actor group – Andariel. Researchers have also found the DTrack malware is being used to collect and send information from the victim’s systems using Windows commands.
<strong>Insights:</strong>
<ul>
<li>The July 2022 CISA alert warned that the US healthcare sector has been targeted by Maui ransomware. Researchers believe that this operation is targeting beyond the US and could be a global threat as incidents have been observed in Japan, India, Vietnam, and Russia.</li>
<li>The researchers suggest that the threat actors behind this operation are financially-motivated and capable of compromising any organization across the globe.</li>
<li>They also suspect that the threat actors prefer attacking vulnerable Internet-exposed web services and deploying the ransomware on selected targets.</li>
</ul>
<h2>Latest Cyber-Attacks, Incidents, and Breaches – Another AiTM phishing campaign now after G-Suite Users</h2>
<ul>
<li><strong>Attack Type:</strong> Phishing, Adversary-in-the-Middle (AiTM), Business Email Compromise (BEC)</li>
<li><strong>Objective:</strong> Data Theft, Unauthorized Access</li>
<li><strong>Target Technology:</strong> G Suite, MFA</li>
<li><strong>Business Impact:</strong> Data Loss, Financial Loss</li>
</ul>
<strong>Summary:</strong>
Researchers have recently discovered another phishing campaign which uses AiTM techniques to target G-Suite users – the business version of Gmail. The report comes as a follow-up on the recently reported large-scale phishing campaign that targets Microsoft email services.
In mid-July 2022, researchers observed the use of the same AiTM phishing attacks capable of bypassing Gmail MFA protection being used against enterprise users of Gmail. After further analysis, they found multiple similarities to previous AiTM phishing campaigns that targeted Microsoft email services. In this campaign, researchers observed that attackers were specifically targeting C-level and senior executives who use the G suite. The compromised email accounts were further used to carry out phishing attacks. Beyond similarities in TTPs, researchers also saw overlapping infrastructure and in several instances, they saw attackers switching from Microsoft AiTM phishing to Gmail AiTM phishing while leveraging the same infrastructure. Although, in comparison, the Gmail AiTM phishing campaign had a much lower number of targets.
<strong>Insights:</strong>
<ul>
<li>To note that this type of attack is not limited to enterprise users of Microsoft or Gmail and other email service providers could also be vulnerable. The attackers leveraging the AiTM proxy-based phishing kits capable of bypassing MFA protection put users of many different service providers at risk.</li>
<li>In addition, phishlets – YAML configuration files that proxies a legitimate website into a phishing website – make up the building block of phishing kits such as evilginx2. Attackers can quickly re-use them to target a new website.</li>
<li>These incidents highlight that Business Email Compromise (BEC) continues to be a threat to the organization. A recent report from the FBI revealed losses from BEC and Email Account Compromise (EAC) have surpassed USD 43 billion globally. The attackers are constantly updating their TTPs to bypass security measures. Further, the use of advanced phishing kits and clever evasion techniques have allowed attackers to circumvent advanced security controls.</li>
</ul>
<h2>Vulnerabilities and Exploits – Kaspersky VPN Bug Allows Privilege Escalation</h2>
<ul>
<li><strong>Attack Type:</strong> Vulnerabilities & Exploits, LPE (Local Privilege Escalation)</li>
<li><strong>Target Technology:</strong> Kaspersky VPN Secure Connection for Windows</li>
<li><strong>Vulnerability:</strong> CVE-2022-27535 (CVSS Base Score: 7.8)</li>
<li><strong>Vulnerability Type:</strong> Privilege Escalation</li>
<li><strong>Impact:</strong> Confidentiality (High), Integrity (High), Availability (High)</li>
</ul>
<strong>Summary:</strong><br>
Researchers have identified an LPE (Local Privilege Escalation) vulnerability in Kaspersky VPN Secure Connection for Microsoft Windows. According to researchers, in the ‘Support Tools’ part of the application, a regular user can use ‘Delete service data and reports’ to remove a privileged folder. Based on this capability, an attacker can leverage ‘Arbitrary Folder Delete to SYSTEM EoP’ to gain system privileges.
Researchers who discovered the bug have rated CVE-2022-27535 a high severity with 7.8 out of 10 under CVSS. However, Kaspersky rates the issue at medium-severity, with a 5.0 CVSS score.
According to Kaspersky, this vulnerability could lead to device malfunction or the removal of important system files required for the system to function properly. Kaspersky further elaborates to execute this attack, an intruder would have to create a specific file and convince users to run ‘Delete all service data and reports’ or ‘Save report on your computer’.
<strong>Insights:</strong>
<ul>
<li>LPE bug may not be as flashy as remote code execution which generally paves the way for attackers to achieve initial access. LPE bugs are usually leveraged by attackers to gain higher privileges which enable them to perform much more advanced tasks on target systems. In an ideal case, an attacker would want to boost his normal user profile to a SYSTEM profile. In this case, the researchers and the vendor appear to be divided on the potential ramification of this bug.</li>
<li>The researchers who found the bug assess that this particular LPE bug allows the elevation of privileges whereas Kaspersky believes that is limited. According to Kaspersky, the bug only allows attackers to delete files that are there for deletion, it does not lead to code execution or full control of the system, and “technically it can be considered LPE but with a very limited scope.”</li>
<li>Researchers, on the other hand, do not agree with Kaspersky and reportedly have demonstrated the ability to gain SYSTEM level privilege through Kaspersky’s product which allowed arbitrary local code execution.</li>
</ul>