Weekly Intelligence Report – 23 Sep 2022

Threat Actor in Focus – New Gamaredon Campaign Targets Ukrainian Government Agencies

Suspected Threat Actors: Gamaredon (aka Armageddon, Armagedon, Shuckworm, UAC-0010)

• Attack Type: Phishing, Malware Implants, Data Exfiltration
• Objective: Espionage, Payload Delivery, Unauthorized Access, Data Theft
• Target Technology: Microsoft Office documents, PowerShell, VBScript, Windows
• Targeted Industry: Government
• Target Geography: Ukraine
• Business Impact: Financial Loss, Data Loss, Reputational Damage, Loss of Intellectual Property

Summary:
A new, ongoing campaign attributed to the Russia-linked threat actor group Gamaredon has been identified by researchers that attempts to infect Ukrainian users with info-stealing malware. The phishing emails leveraged in this campaign have Microsoft Office documents laced with remote templates containing malicious VBScript macros as an attachment and lure victims on themes of the Russian invasion of Ukraine. The malicious macros download and open a RAR archive that contains LNK files which subsequently leads to the download and activation of next-stage payload on infected systems. Beyond LNK files, PowerShell, and VBScript enabling initial access, researchers also observed attackers deploying malicious binaries in the post-infection phase. They also used a custom info-stealer implant that, as directed by attackers, exfiltrates victim files of interest and deploys additional malware.

Insights:

• According to researchers, the campaign is a part of an ongoing espionage activity observed as recently as August 2022. The primary objective appears to be the delivery of info-stealing malware to Ukrainian systems. As part of the infection chain attackers heavily used multiple modular PowerShell and VBScript (VBS) scripts.
• The said info-stealing malware has a dual purpose that includes capabilities of exfiltrating specific file types and deployment of additional binary and script-based payloads.
• The researchers’ analysis reveals considerable overlap between the tactics, techniques, and procedures (TTPs), malware artifacts, and leveraged infrastructure in this campaign and those used in a series of attacks attributed to Gamaredon by the Ukraine Computer Emergency Response Team (CERT-UA).

Major Geopolitical Developments in Cybersecurity – EU to Protect Journalists from Spyware

As a result of multiple high-profile incidents, the lawmakers in European Union are aiming to protect journalists against spyware threats from member states.

The proposed European Media Freedom Act (EMFA) will put forth “strong safeguards against the use of spyware against media, journalists and their families” alongside other measures including ownership transparency and editorial independence.

Article 4 of the regulation prohibits member states from attempting to “detain, sanction, intercept, subject to surveillance or search and seizure, or inspect media service providers” and extends to family members, employees or their family members, corporate and private premises.  Unless justified on grounds of national security, the regulation prohibits the installation of spyware on any device used by media service providers.

The European Commission’s Vice-President for values and transparency, highlighting recent incidents and the need for such principles to protect journalists as well as media houses, expects the proposal to be resisted by a few of the member states which may find it contrary to their interests.

On the other hand, media groups welcomed the EMFA, however, they cautioned that the measures including those against the surveillance of journalists should be expanded and strengthened.

Vulnerabilities and Exploits – Crypto-mining Malware Abuse WebLogic Vulnerabilities

• Objective: Resource Hijacking
• Attack Type: Cryptojacking, Vulnerabilities & Exploits, RCE, Defense Evasion, Persistence
• Target Technology: Oracle WebLogic Server
• Target Geography: Global
• Vulnerability: CVE-2020-14882 (CVSS Score:9.8)
• Vulnerability Type: Improper Input Validation
• Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary:
Researchers have recently observed attackers trying to exploit both recently disclosed and older WebLogic vulnerabilities to deploy crypto-mining malware. One of the older vulnerabilities CVE-2020-14882 – still being actively exploited by attackers – is an RCE due to improper input validation in Oracle WebLogic Server. The CVE-2020-14882 affects versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, and can be exploited via remote unauthenticated attacker sending a crafted HTTP request to affected servers leading to RCE. According to the researchers, multiple attackers have been observed deploying various malware families and provided technical details about Kinsing malware activity.

Insights:

• Through analysis, researchers did not find any special characteristics or features in the majority of the exploits they observed. Although, researchers highlight that the downloaded Shell and Python scripts performed a long list of actions including disabling basic OS security features such as Security-Enhanced Linux (SELinux), watchdog timers, and iptables, and disabling cloud service provider’s agents.