Weekly Cyber-Intelligence Trends and Advisory – 25 Feb 2022

Weekly Cyber-Intelligence Trends and Advisory – 25 Feb 2022

Stone Panda Linked to Months-Long Attack against Taiwan’s Financial Sector

  • Suspected Threat Actors: Stone Panda (aka APT10, Cicada, POTASSIUM, Red Apollo, CVNX, HOGFISH)
  • Attack Type: Vulnerability Exploitation, Malware Implant, Credential Stuffing
  • Objective: Espionage, Data Exfiltration, Unauthorized Access, Data Theft
  • Target Technology: Microsoft Windows
  • Target Industry: Financials
  • Target Geography: Taiwan
  • Business Impact: Data Loss

Researchers have observed an attack that has been active since November 2021 and tracked this campaign under the code name “Operation Cache Panda” and attributed it to the Chinese government affiliate cyber espionage group “Stone Panda.” The attack was undetected until November 2021 as researchers initially saw it as only a credential stuffing attack to get access to some trading accounts. Further investigations showed hackers were using the stolen credentials to execute large transactions in the Hong Kong stock market.

This credential stuffing attack, actually, was used by the threat actors to cover the main attack wherein they exploited a vulnerability of a security tool web interface. Earlier, the researchers considered these two attacks as separate but later on they found it to be a part of one prolonged attack campaign using advanced obfuscation techniques not observed previously.

The threat actors exploited vulnerability used to plant “ASPXCSharp” web shell and leveraged “Impacket” tool to scan the internal network of the target company. Post this, the attackers used “Reflective Code Loading” technique to execute malicious code over the victim machine and install a version of “Quasar RAT” to get persistent remote access of compromised systems using reverse RDP tunnels.

The vulnerability exploited by the attackers is part of a software solution roughly used by 80% of the financial organization in Taiwan. The researchers have not shared the name of the software exploited in the attack due to ongoing efforts in releasing patches and installation across the local financial organizations.

The main motive behind the attack is not financial gain but rather the exfiltration of data which includes brokerage information, PII data, and to disrupt the economic growth of Taiwan.

 

Cybercriminals Seek to Profit From Russia-Ukraine Conflict

Dark web threat actors are looking to take advantage of the tensions between Russia and Ukraine, offering network access and databases that could be relevant to those involved in the conflict.

Since mid-January, cybercriminals have started to advertise compromised assets relevant to the Russia-Ukraine conflict, and they are expected to increase their offering of databases and network access, with potentially crippling effects for the targeted organizations.

Some of these threat actors appear to have high reliability, being backed by other users on the same underground forums, which indicates that some of these claims might be legitimate. Others, however, do not have the same level of feedback, making it difficult for security researchers to assess the credibility of their claims.

Nation-state actors could acquire and force network access to critical infrastructure organizations, such as telecommunications or energy organizations, as well as banks. They could utilize the accesses with asymmetrical tactics to cause disruptions, including depriving users of interconnectivity, energy, or financial transactions.

 

Newer Version of CryptBot Malware with Enhanced Capabilities Distributed through Pirated Software Sites

  • Attack Type: Data Exfiltration, Exploit Kit
  • Objective: Data Theft
  • Target Industry: Multiple
  • Target Technology: Microsoft Windows
  • Target Geography: Multiple
  • Business Impact: Data Loss, Financial Loss

As per the researchers, a revamped version of CryptBot malware was detected that distributed through malicious websites pretending to offer cracked software versions for games, key generators, and other commercial software. The CryptBot malware is an information stealer used to steal confidential information by accessing cookies, browser history, stored browser and credit-card credentials, cryptocurrency wallets, and files. The detected enhanced version removes some of the older functionality to make the malware light and more efficient, several new capabilities and optimizations are also added.

The researchers observed that to promote and to gain wider visibility among prospective victims, the attackers are using SEO techniques to rank these malicious distribution sites on top during Google searches. As per the screenshots shared by researchers of these malicious sites, the attackers are using both custom domains or websites hosted on Amazon AWS and the websites are constantly being refreshed. The attackers constantly upgrade the malware, its dropper sites, and C2. Threat actors also used a series of redirections before the victim ended up on the delivery page and the landing page could be part of some compromised legitimate website.

The previous version of CryptBot code was structured in a way that if at least one piece of data did not exist out of the list of target data for stealing, the info stealing behavior would fail. So, info stealing was successful only when the infected system used Chrome browser v81 – v95. The recently improved code searches on all file paths and has the ability to steal if the target data exists regardless of the version.

 

Critical Vulnerabilities Patched in WordPress Plugin

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: WordPress plugin (UpdraftPlus)
  • Vulnerability: CVE-2022-0633(CVSS Score: 8.5)
  • Vulnerability Type: Arbitrary Backup Downloads

Researchers have disclosed a severe security vulnerability in WordPress Backup Plugin, which is used by more than three million WordPress websites. This vulnerability could allow low-privileged users like subscribers to download a site’s latest backups. This flaw impacts UpdraftPlus versions from 1.16.7 to 1.22.2 and is fixed in versions 1.22.3 (free version) and 2.22.3 (paid version).

The zero-day vulnerability allowed any logged-in user on a WordPress installation with UpdraftPlus active to practice the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only.

One of the features that the plugin developer implemented was the ability to send backup download links to an email of the site owners’ choice. This functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files.

The attack begins with the WordPress heartbeat The threat actor sent a specially crafted heartbeat request containing a data[updraftplus] parameter, by supplying the appropriate subparameters. An attacker is able to acquire a backup log containing a backup nonce and timestamp which they can then use to download a backup.