Weekly Intelligence Trends and Advisory – 22 Aug 2021

Chinese Espionage Campaign in Israel

Suspected Threat Actors: UNC215 (aka APT27, Iron Tiger)

• Attack Type: Impersonation, Espionage, Vulnerabilities & Exlploits, Credential Harvesting, Reconnaissance, Data Theft
• Objective: Unauthorized Access, Malware Implant
• Target Geography: Israel
• Target Technology: Information Technology & Services, Government, Telecommunications
• Business Impact: Data Loss, Financial Loss, Operational Disruption, Loss of Intellectual Property

Researchers have disclosed multiple intrusion activities attributed to UNC215 – a Chinese cyber-espionage group aimed at Israeli organizations. The threat actors exploited a SharePoint vulnerability (CVE-2019-0604) to gain initial access and carried out a fixed pattern for credential harvesting and internal reconnaissance (via web shells) to identify important systems within the targeted network. In each phase of the attack, the threat actor had made notable efforts to make detection harder by removing any traces of forensic artifacts from infected machines, as well as improving the FOCUSFJORD backdoor malware. The activities also involved the installation of a custom implant known as HyperBro, equipped with multiple features such as a keylogger and screen capture. Most notably around April 2019, the threat actors used the SEASHARPEE web-shell – linked with Iranian APT groups – to mislead forensic analysis by masquerading as Iranian actors and succeeded in doing so for almost eight years.

Expert outlook and suspected motivations behind these Chinese cyberespionage activities in the Middle East region suggest 3 possible explanations:

1. China’s consistent and strategic interest towards the Middle East.
2. The activities are taking place against the backdrop of China’s multi-billion-dollar investments in the Belt and Road Initiative (BRI or B&R). It is suspected that the activities may be the steps to safeguard its huge investments.
3. China’s interest in Israeli’s robust technology sector.

As China’s BRI moves westward, its most important construction projects come down to the high-speed railway (Red-Med) to Eilat and Ashdod, a private port at Ashdod, and the port of Haifa. Reportedly, China has been known to conduct numerous intrusion campaigns along the BRI route to monitor potential obstructions. To further its political, economic, and security objective, researchers anticipate UNC215 may continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the future.

Ransomware Threat Actors Exploiting PrintNightmare Flaws

• Attack Type: Ransomware, Vulnerabilities & Exploits
• Target Industry: Multiple
• Target Geography: Global
• Target Technology: Windows Print Spooler
• Business Impact: Data Loss, Financial Loss, Operational Disruption

According to researchers ransomware operators namely Magniber and Vice Society were seen actively exploiting recently disclosed vulnerabilities in Windows Print Spooler referred to as PrintNightmare flaws. The ransomware operators are looking to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems. Researchers observed using the same methods Magniber ransomware has made a comeback exploiting unpatched PrintNighmare vulnerability targeting South Korean victims. A separate report by another set of researchers also observed threat actor Vice Society is also leveraging this vulnerability to carry out post-compromise discovery and reconnaissance. As per the report, the vulnerability was leveraged to bypass the native Windows protection, allowing privilege escalation, and credential theft.

Since June 2021, a series of “PrintNightmare” flaws have been reported that comprises multiple vulnerabilities affecting Windows Print Spooler service that enable attackers to perform remote code execution. The timeline of the PrintNightmare Vulnerabilities are as follows:

• • June 8, 2021: The PrintNightmare (CVE-2021-1675) vulnerability was initially discovered and reported to Microsoft. The researcher attempted to bypass a previous patch addressing the “PrintDemon” (CVE-2020-1048) vulnerability.
  • June 21, 2021: Despite the availability of a patch for CVE-2021-1675 the vulnerability was elevated to Critical by Microsoft, after determining it allows for RCE.
  • June 29, 2021: While investigating a similar issue the Windows Print Spooler service independent researchers inadvertently published a POC exploiting CVE-2021-1675 While PoC was shortly removed from public access, it had already caught attackers’ attention and potential abuse.
  • July 1, 2021: Although CVE-2021-1675  was now patched, the leaked POC exploited a separate attack vector that triggered the Print Spooler vulnerability. As of July 1, several different PoC exploiting the Printer Spooler vulnerability came to light. As a result, a second vulnerability CVE-2021-34527 was created which Microsoft stated as CVE-2021-1675.
  • July 6, 2021: In an out-of-band (OOB) update Microsoft attempted to mitigate the CVE-2021-34527 vulnerability, but hours later researchers discovered the patch was ineffective and it was again possible to bypass imposed mitigations under certain conditions. Paving the way for attackers to use popular exploit tools, such as Metasploit and Mimikatz to start exploiting the vulnerability.

The researchers highlighted that multiple threat actors have found Printnightmare flaws easy to exploit and this would likely lead to even more attacks.

Ransomware operators are constantly refining their approach as they strive to carry out more effective, efficient, and evasive operations. The abuse of recently disclosed flaws by ransomware operators indicates adversaries would quickly incorporate new tools into their attack chain.

NjRAT Trojan Making its Rounds

NjRAT, also known as Bladabindi, is a Remote Access Tool (RAT) or Trojan which allows a Threat Actor to control the victim’s machine. Built on .NET framework, apart from controlling the victim’s machines remotely, NjRAT also allows hackers to steal data and credentials, log keystrokes, and activate webcams. Another unique feature of NjRAT is that it allows hackers access to the command line on the compromised machine.

NjRAT’s other significant features include:

1. Modifying files
2. Open a process manager to kill processes
3. Modify the system registry
4. Collect System Information and Metadata
5. Steal passwords stored in web browsers or in other applications
6. Maintain Persistence by using .NET obfuscation
7. Target cryptocurrency wallet and steal cryptocurrency from PC’s

Blacklisted IP: 3.131.147[.]49

Risk Score: 10

Confidence Level: High

Associated Malware: NjRAT

Function: NjRAT C&C

ITW Associations: Multiple

Associated Hash (MD5): a509dfc6d5bc2e23a7ae3751ba073dae

File Name: nitrog.exe

C&C process name: nitrog.exe

DeCYFIR Threat Actor Association: Lazarus group

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover 

• Attack Type: Vulnerabilities & Exploits
• Target Geography: Global
• Target Technology: SEOPress
• Vulnerabilities: CVE-2021-34641 (CVSS Score 6.4)
• Vulnerability Type: Stored Cross-site Scripting (XSS)

Tracked CVE-2021-34641, the vulnerability affects the SEOPress WordPress plugin that is used by approximately 100,000 websites. This flaw allows a potential attacker to inject arbitrary web scripts on a vulnerable site which would then execute anytime a user visits the “All Posts” page. The vulnerability is caused by one of the newly introduced REST-API endpoints being insecurely implemented.

Cross-site scripting vulnerabilities such as this one can allow attackers to carry out a variety of attacks. Successful exploitation of this vulnerability may lead to an attacker being able to perform malicious actions such as new administrative account creation, web-shell injection, arbitrary redirects, and others. The vulnerability could easily be used by an attacker to take over a WordPress site.