Weekly Cyber-Intelligence Trends and Advisory – 6 Mar 2022

Belarusian APT Group UNC1151 Targets Military Personnel with Spear-Phishing

  • Attack Type: Phishing, Malware Implant, Credential Stuffing
  • Objective: Espionage, Data Exfiltration, Unauthorized Access, Data Theft, Lateral Movement
  • Target Technology: Microsoft Windows
  • Target Industry: Defence
  • Target Geography: Ukraine
  • Business Impact: Data Loss

The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel. The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151. In mid-January, the government in Kyiv attributed the defacement of tens of Ukrainian government websites to the Belarusian APT group UNC1151. Researchers have linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. Unlike other disinformation campaigns, Ghostwriter does not spread through social networks; instead, the threat actors behind it abuse compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The nation-state group is using compromised accounts to target contacts in the victims’ address books. Their spear-phishing messages have been sent from email accounts using the domains i[.]ua-passport[.]space and id[.]bigmir[.]space.

The phishing messages used a classic social engineering technique in the attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts. The phishing attacks are also targeting Ukrainian citizens, as reported by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

Social Media Hijacking Malware Spreading Through Gaming Apps on Microsoft Store

  • Attack Type: SEO Poisoning, Click Fraud, Malware Implant
  • Objective: Bot Activity, Payload Delivery
  • Target Industry: Multiple
  • Target Technology: Microsoft Windows
  • Target Geography: Sweden, Bulgaria, Russia, Bermuda, and Spain
  • Business Impact: Data Loss

A new malware capable of controlling social media accounts is being distributed through Microsoft’s official app store in the form of trojanized gaming apps, infecting more than 5,000 Windows machines. Cybersecurity researchers dubbed the malware “Electron Bot,” in reference to a command-and-control (C2) domain used in recent campaigns. The identity of the attackers is not known, but evidence suggests that they could be based out of Bulgaria.

Electron Bot is a modular SEO poisoning malware, which is used for social media promotion and click fraud. It is mainly distributed via the Microsoft store platform and dropped from dozens of infected applications, mostly games, which are constantly uploaded by attackers.

The malware is said to have undergone numerous iterations that equip it with new features and evasive capabilities. In addition to using the cross-platform Electron framework, the bot is designed to load payloads fetched from the C2 server at run time, making it difficult to detect. This enables the attackers to modify the malware’s payload and change the bots’ behavior at any given time.

Electron Bot’s core functionality is to open a hidden browser window in order to carry out SEO poisoning, generate clicks for ads, direct traffic to content hosted on YouTube and SoundCloud, and promote specific products to generate profits with ad clicking or increase store rating for higher sales.

As the bot’s payload is loaded dynamically at every run, the attackers can modify the code and change its behavior to something far more dangerous. For example, they can initiate a second stage and drop new malware such as ransomware or a RAT. All of this can happen without the victim’s knowledge.

Actively Exploited Flaws in Zabbix Network Monitoring Platform

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Network Monitoring Platform (Zabbix)
  • Vulnerability: CVE-2022-23131 (CVSS score: 9.8) and CVE-2022-23134 (CVSS score: 5.3)
  • Vulnerability Type: Privilege Escalation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of two security flaws impacting the Zabbix open-source enterprise monitoring platform, adding them to its Known Exploited Vulnerabilities Catalog. The flaws could lead to the compromise of complete networks, enabling an unauthenticated malicious actor to escalate privileges, gain admin access to the Zabbix Frontend, and make configuration changes. Zabbix Web Frontend versions up to and including 5.4.8, 5.0.18, and 4.0.36 are affected. The issues have since been addressed in versions 5.4.9, 5.0.9, and 4.0.37.

Both flaws stem from what the company calls “unsafe session storage,” which allows attackers to bypass authentication and execute arbitrary code. It is worth pointing out, however, that the flaws only affect instances where Security Assertion Markup Language (SAML) single sign-on (SSO) authentication is enabled.
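A triage helper written for this advisory (an added example, not Zabbix’s own tooling): it encodes the affected Web Frontend version ranges and the SAML-SSO precondition stated above, so an inventory of frontend versions can be sorted into patched, vulnerable, and affected-but-not-exposed hosts. The assessment labels and the handling of branches the advisory does not list (reported as unknown) are this example’s own choices.

```python
import re
from typing import Optional, Tuple

# Highest affected release per branch, exactly as the advisory lists them
# ("up to and including 5.4.8, 5.0.18, and 4.0.36").
AFFECTED_UP_TO = {
    (4, 0): (4, 0, 36),
    (5, 0): (5, 0, 18),
    (5, 4): (5, 4, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a MAJOR.MINOR.PATCH string; a trailing suffix such as 'rc1' is ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True/False for the 4.0, 5.0 and 5.4 branches named in the advisory.

    Returns None for any other branch, which the advisory does not cover,
    so the caller cannot mistake 'not listed' for 'not affected'.
    """
    major, minor, patch = parse_version(version)
    ceiling = AFFECTED_UP_TO.get((major, minor))
    if ceiling is None:
        return None
    return (major, minor, patch) <= ceiling


def assess(version: str, saml_sso_enabled: bool) -> str:
    """Classify one frontend for patch prioritisation.

    'vulnerable' means an affected version with SAML SSO enabled, the only
    configuration the advisory says the flaws impact. An affected version
    with SAML SSO disabled is still flagged, since enabling SSO later would
    expose it.
    """
    affected = is_affected(version)
    if affected is None:
        return "unknown-branch"
    if not affected:
        return "patched"
    return "vulnerable" if saml_sso_enabled else "affected-but-saml-disabled"
```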