Weekly Intelligence Report – 6 Jun 2021

Weekly Attack Type and Trends

Key intelligence signals:

Attack Type: Phishing, Malware Implants, Ransomware, Vulnerabilities & Exploits, Social Engineering, Execution, Credential Dumping, Data Encryption

Objective: Data Theft, Payload Delivery, Cyber Espionage, Data Encryption, Financial Gains

Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption

Ransomware – Avaddon Ransomware | Malware – Agent Tesla, BazaLoader, Facefish

Avaddon Ransomware – Offered as ransomware-as-a-service (RaaS) model

Agent Tesla – A popular malware-as-a-service (MaaS) remote access trojan (RAT)

BazaLoader – A backdoor

Facefish – A new backdoor consisting of dropper and rootkit

Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, and defense evasion tactics are being observed.

Insights:

1. After the launch of a massive spam campaign targeting victims globally utilizing Avaddon ransomware, the operators started recruitment of affiliates which molded it into Ransomware-as-a-Service (RaaS) operations. Along with data encryption and the threat to leak the data, in January 2021, the operators started using distributed denial-of-service (DDoS) attacks as an extortion tactic to pressure victims into paying the ransom. Despite the recent Colonial Pipeline ransomware attack and response action taken by law enforcement agencies which reportedly affected some of the ransomware operators, the Avaddon ransomware operators seem to have remained undeterred.
2. Malicious spam remains to be the most common delivery method for Agent Tesla. The malware continues to be a consistent threat for many months and has managed to remain among the top families of malware. It is suspected that the malware authors will continue to update and modify the code to evade endpoint detection and protection.
3. Researchers disclose the threat actors behind BazaLoader campaign require a significant amount of human interaction to execute and install the BazaLoader backdoor. The threat actor directs unsuspecting users to download and install the malware by leveraging phone-based customer service. The malware is currently suspected to be used by multiple threat actors and server a loader for Ryuk and Conti ransomware. It is apparent that by including human interaction in the infection chain the threat actors are attempting to bypass some of the automated threat detection.
4. Rootkits are particularly dangerous because they allow attackers to gain elevated privileges in the system, allowing them to interfere with core operations performed by the underlying operating system. This rootkit’s ability to disguise itself into the fabric of the operating system gives attackers a high degree of stealth and avoidance.
5. Multistage malware has an extended dwell time between when a hack occurs and when it is detected. Between the first and final stages of the attack, the malware has time to move across systems and networks, communicate with the entity behind the attack, and better prepare for an eventual incident involving data theft, espionage, or infrastructure damage.

Threat Actor in Focus

Russian Hackers Used Four New Malware Families in Recent Phishing Attacks

Suspected Threat Actors: Cozy Bear

1. Attack Type: Phishing, Unauthorized Access, Malware Implant, Persistence, Credential Dumping
2. Target Industry: Government, Humanitarian, and Human Rights Entities
3. Target Geography: The United States & Others
4. Target Technology: Microsoft Windows
5. Ransomware / Malware: EnvyScout, BoomBox, NativeZone, and VaporRage
6. Objective: Impersonation, Data Theft, Unauthorized Access
7. Business Impact: Data Loss, Financial Loss, Reputational Damage

Summary: Last week, researchers disclosed that threat actor Cozy Bear (aka APT29, Nobelium) used four new malware families in recent phishing attacks that impersonated the United States Agency for International Development (USAID). The Russian threat actors compromised the Constant Contact account of USAID and sent phishing emails that contained a link that eventually distributes a backdoor called NativeZone. The phishing emails are believed to be sent to approximately 3,000 email accounts impacting more than 150 different government, international development, humanitarian, and human rights organizations.

In an update to this attack campaign, researchers further disclosed the below given four new families utilized by Cozy Bear:

1. EnvyScout: NV.html (malicious HTML file)
2. BoomBox: BOOM.exe (malicious downloader)
3. NativeZone: NativeCacheSvc.dll (malicious loader)
4. VaporRage: CertPKIProvider.dll (malicious downloader)

In addition, Cozy Bear is known to have used multiple custom Cobalt Strike Beacon loaders. In this campaign, the researcher also identified additional variants of custom Cobalt Strike loaders.

Insights:

1. The threat actor group behind these attacks is believed to be the same group that was behind the SolarWinds supply-chain attack. Taking SolarWinds attacks into consideration, it is evident that part of the threat actor’s playbook includes compromising trusted entities to exponentially increase the probability of collateral damage in espionage-like operations and widened the attack surface.
2. A glance at the activities of Cozy Bear and similar actors shows their tendency to sync with issues concerning the nation-state from their suspected location of origin.
3. By focusing these attacks on one particular type of organization, this attack campaign showcases how cyberattacks are emerging as a tool of choice for nation-states to achieve their wide variety of political objectives.

Major Geopolitical Developments in Cybersecurity

Phishing Campaign Impersonating USAID

Microsoft last week has warned that Nobelium was conducting a phishing campaign after the Russian-backed group managed to take control of the account used by USAID on the email marketing platform. The two domains part of the phishing campaign impersonating the U.S. Agency for International Development (USAID) to distribute malware was seized by the US authorities, the domains are listed below:

• theyardservice[.]com
• worldhomeoutlet[.]com

The nation-state hackers used the account to send out 3,000 phishing messages to more than 150 organizations across 24 countries.

The emails had a hyperlink that downloaded malware from a sub-domain of theyardservice[.]com, and from there the threat actors behind the attack could download the Cobalt Strike tool to maintain persistence presence and possibly deploy additional tools or malware to the victim’s network.

This instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com.

Since attackers often reuse components of previous malware or even naming tactics in their campaigns, a large enough dataset will be able to identify and protect against both known and unknown threats before they reach any sort of sizable scale.

Chinese Cyberspies are Targeting the US, EU Orgs with New Malware

Summary: Chinese threat groups continue to deploy new malware strains on the compromised network of dozens of US and EU organizations after exploiting vulnerable Pulse Secure VPN appliances. After compromising the targeted devices, they deployed malware to maintain long-term access to networks, collect credentials, and steal proprietary data. Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan.

According to researchers, the malware used by the Chinese cyberspies is SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, HARDPULSE, QUIETPULSE, PULSEJUMP, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE.

Researchers still collecting evidence and responding to more incidents linked to Pulse Secure VPN compromises at US and European organizations across several verticals, including defense, government, high tech, transportation, and financial sectors.

Targets of Chinese cyber-espionage operations are often selected for their alignment with national strategic goals, and there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber espionage activity.

Latest Cyberattacks, Incidents and Breaches

New COVID-19 Phishing Tactics Impersonating CIO

1. Attack Type: Impersonation, Phishing, Social Engineering
2. Target Industry: Multiple
3. Target Geography: Global
4. Target Technology: Email
5. Business Impact: Data Loss, Reputational Damage

Summary: The ease in COVID-19 grip and ongoing vaccination efforts around the globe allowing employees to resume work from office has forced cybercriminals to change their tactics. A new phishing campaign identified by researchers is attempting to exploit those who have started to resume work at the physical workplace. By impersonating as Chief Information Officer (CIO) the email-based phishing campaign attempts to gather login credentials from employees. The email body appears to be sourced from within the company using the logo in the header and spoofed CIO sign. The false newsletter from the executive  explains new precautions and changes in business operations due to the pandemic. Upon interacting with the email, users are redirected to a Microsoft SharePoint-like hosting with two documents which produces a login panel prompting them to provide login credentials to access the two files.

Insights:

1. The tactic of not simply redirecting users to the phish landing page, but including an additional step where users are presented with documents mentioned in the mail, adds depth to elaborate attack scenario. It is also suspected that cybercriminals are preying on the fact that many organizations are making changes to their operations and providing appropriate guidelines to employees.
2. The attack involves misrepresentation – a form of social engineering where attackers pose as a trusted source – in this case, the executive of the organization, to convince people to give in their login credentials. Recent research suggests that the frequency of misrepresentation attacks has increased 15 folds since last year.

Vulnerabilities and Exploits

New Bug in Siemens PLCs Allows Attackers to Run Malicious Code Remotely

1. Target Geography: Global
2. Target Technology: SIMATIC S7-1200 and S7-1500 CPU products
3. Vulnerability Type: Memory Protection Bypass
4. Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary: The security flaw tracked as CVE-2020-15782 is a memory protection bypass vulnerability, that may allow an attacker to write arbitrary data and code to protected areas of memory or read sensitive data to launch further attacks. The vulnerability was discovered by an operational technology security researcher while reverse-engineering the MC7 / MC7+ bytecode language used to execute PLC (programmable logic controller) programs in the microprocessor.

Insights:

1. Being able to perform native code execution on an ICS (industrial control system) such as a PLC is the ultimate end-goal, however, only relatively few advanced attackers have achieved such a feat. Researchers highlight that the complex ICS systems have numerous in-memory protections which would have to be bypassed to successfully run the code of attacker’s choice, and at the same timeremain undetected as well.
2. In this case, not only does the flaw allow for native code execution, but a sophisticated remote attacker may also evade detection by the underlying operating system or any other diagnostic tool.

Reach us at [email protected]