Weekly Cyber-Intelligence Trends and Advisory – 20 Mar 2022

Ghostwriter Activity Against Ukraine and Other Countries

  • Attack Type: Phishing, Malware Implant, Persistence
  • Objective: Unauthorized Access, Payload Delivery, Data Theft
  • Target Technology: Email
  • Target Industry: Defence
  • Target Geography: Ukraine, Lithuania, and other countries
  • Business Impact: Data Loss, Financial Loss

In February, the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Agency for Special Communications and Information Protection of Ukraine (SSSCIP Ukraine) issued a phishing alert about an extensive Ghostwriter campaign targeting the private email accounts of members of the Ukrainian armed forces. On March 1, researchers revealed that the attackers had used suspected stolen mailboxes of Ukrainian army personnel to launch a phishing attack on European government personnel involved in managing the logistics of refugees fleeing Ukraine. An in-depth analysis revealed that such attack samples have appeared since at least September 2021 and resemble Ghostwriter's historical attack activity.

The sample “довідка.zip” (translates to certificate.zip) contains “dovidka.chm”, a Compiled Help Manual that is stored in a database-like form and saved in a compressed HTML format. The HTML contains two pieces of code: JavaScript, which displays the bait content, and obfuscated VBScript. The main function of the VBScript is to release ignit.vbs and call WScript.exe. The released ignit.vbs performs three main actions: it releases core.dll, desktop.ini (used to load core.dll), and Windows Prefetch.lnk (used for persistence). The code loaded in memory is divided into two parts: the first is a DLL loader, which loads the DLL in the second part, and that DLL is the open-source backdoor Micro-backdoor. The backdoor first obtains the C2 address xbeta[.]online and port (8443) from the conf section and establishes a connection. After successfully connecting to the server, it obtains and executes the instructions issued by the server. The instructions include conventional remote-control functions such as obtaining local information, executing programs, reverse shells, and uploading and downloading files.
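The chain described above can be hunted as three correlated stages per host: the CHM viewer starting a script host, the named files being written by that script host, and a connection to the C2 address and port. The following is an added example, not code from the advisory or the researchers; the event schema, host names and file paths are constructed for illustration, and hh.exe is assumed as the process that opens the .chm file.

```python
import json
from collections import defaultdict

def refang(s):
    """Normalise a defanged indicator such as xbeta[.]online for matching."""
    return s.replace("[.]", ".").lower().rstrip(".")

# Indicators from the advisory text: dropped file names, C2 host and port.
DROPPED = {"ignit.vbs", "core.dll", "desktop.ini", "windows prefetch.lnk"}
C2_HOST, C2_PORT = refang("xbeta[.]online"), 8443
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry (hypothetical schema, hosts and paths), one JSON event per line.
SAMPLE = r'''
{"host":"ws-01","type":"process","parent":"C:\\Windows\\hh.exe","image":"C:\\Windows\\System32\\WScript.exe"}
{"host":"ws-01","type":"file","image":"C:\\Windows\\System32\\WScript.exe","path":"C:\\Sample\\core.dll"}
{"host":"ws-01","type":"file","image":"C:\\Windows\\System32\\WScript.exe","path":"C:\\Sample\\Windows Prefetch.lnk"}
{"host":"ws-01","type":"network","dest":"xbeta[.]online","port":8443}
{"host":"ws-02","type":"file","image":"C:\\Windows\\explorer.exe","path":"C:\\Sample\\desktop.ini"}
{"host":"ws-02","type":"network","dest":"notxbeta[.]online","port":8443}
'''

def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to a finding label, or None when it is not of interest."""
    if ev["type"] == "process":
        # A help viewer starting a script host is the first step of the chain.
        if leaf(ev["parent"]) == "hh.exe" and leaf(ev["image"]) in SCRIPT_HOSTS:
            return "chm-script-host"
    elif ev["type"] == "file":
        # desktop.ini is also written legitimately, so require a script-host writer.
        if leaf(ev["path"]) in DROPPED and leaf(ev["image"]) in SCRIPT_HOSTS:
            return "drop:" + leaf(ev["path"])
    elif ev["type"] == "network":
        dest = refang(ev["dest"])
        if ev["port"] == C2_PORT and (dest == C2_HOST or dest.endswith("." + C2_HOST)):
            return "c2"
    return None

def triage(lines):
    """Group findings per host; full_chain means all three stages were seen."""
    found = defaultdict(set)
    for line in filter(None, map(str.strip, lines.splitlines())):
        ev = json.loads(line)
        label = classify(ev)
        if label:
            found[ev["host"]].add(label)
    return {h: {"findings": sorted(f), "full_chain": {"chm-script-host", "c2"} <= f
                and any(x.startswith("drop:") for x in f)} for h, f in found.items()}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Matching on file names alone is noisy, which is why the file stage is tied to the writing process and the verdict to all three stages on one host.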

The researchers spotted three other homologous samples with the same chm file type. As in the attack sample against Ukraine, the code in the chm file loads and displays the decoy content, and the vbs code in the chm releases the subsequent vbs script and executes it.

In one of the samples analysed by researchers, the attackers were not limited to Micro-backdoor: the backdoor used is the Beacon Trojan from Cobalt Strike, which means that the attacker has a mature code framework adapted to different backdoor programs to generate the final attack sample.

 

Latest Cyber-Attacks, Incidents, and Breaches – Phishing Attempts Against Smartphones Are Rising

  • Attack Type: Phishing, Data Exfiltration
  • Objective: Data Theft
  • Target Technology: Mobile Devices
  • Target Industry: Unknown
  • Target Geography: Global
  • Business Impact: Data Loss

According to a recent Mobile Threat report, phishing attacks specifically designed to target smartphones have increased. Researchers who analysed hundreds of thousands of phishing websites found that up to three-quarters of all phishing sites were designed specifically for mobile devices. According to the researchers, the smaller screen of smartphones and other mobile devices makes it harder to spot phishing emails or malicious websites. The report reveals that it is far less intuitive for a mobile user to run checks such as inspecting the sender’s email address or hyperlinks. While email remains the primary vehicle for phishing attacks, mobile devices offer the attacker an expanded variety of attack vectors, including SMS, messaging applications, in-app chat links, and much more.

Phishing attacks have largely remained device agnostic and usually do not take into consideration whether the target user is going to click on the malicious link from a computer or a mobile device. Now, people's increased reliance on their ever-connected mobile devices, organizations allowing remote and distributed workflows, high-speed connectivity, and remote access to critical data have led attackers to target mobile users on mobile devices.

 

Vulnerabilities and Exploits – New Linux Bug in Netfilter Firewall Module

  • Attack Type: Vulnerabilities & Exploits, Local Privilege Escalation (LPE), Code Execution, DoS
  • Target Technology: Linux
  • Vulnerability: CVE-2022-25636 (CVSS score: 7.8)
  • Vulnerability Type: Out-of-bounds Write, Improper Privilege Management

Researchers have recently disclosed details of a newly identified security flaw in the Linux kernel. The bug is exploitable to achieve kernel code execution (via ROP), giving full local privilege escalation, container escape, or the ability to perform any action on the vulnerable system. The vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is the result of a heap out-of-bounds write in the netfilter subcomponent of the kernel. The flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or privilege escalation.

CVE-2022-25636 relates to incorrect handling of the framework’s hardware offload feature (nf_tables_offload), which could be weaponized by a local attacker to cause a DoS or possibly execute arbitrary code.