Suspected Threat Actors: UNC215 (aka APT27, Iron Tiger)
Researchers have disclosed multiple intrusion activities attributed to UNC215, a Chinese cyber-espionage group that targets Israeli organizations. The threat actors exploited a SharePoint vulnerability (CVE-2019-0604) to gain initial access and then followed a fixed pattern of credential harvesting and internal reconnaissance (via web shells) to identify important systems within the targeted network. In each phase of the attack, the threat actor made notable efforts to hinder detection by removing forensic artifacts from infected machines and by improving the FOCUSFJORD backdoor malware. The activities also involved the installation of a custom implant known as HyperBro, equipped with features such as a keylogger and screen capture. Most notably, around April 2019 the threat actors used the SEASHARPEE web shell, which is linked with Iranian APT groups, to mislead forensic analysis by masquerading as Iranian actors, and succeeded in doing so for almost eight years.
Expert outlook and the suspected motivations behind these Chinese cyber-espionage activities in the Middle East region suggest three possible explanations:
As China’s Belt and Road Initiative (BRI) moves westward, its most important construction projects in Israel come down to the high-speed railway (Red-Med) to Eilat and Ashdod, a private port at Ashdod, and the port of Haifa. China has reportedly conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions. Researchers anticipate that, to further its political, economic, and security objectives, UNC215 may continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East.
According to researchers, the ransomware operators Magniber and Vice Society have been actively exploiting the recently disclosed vulnerabilities in the Windows Print Spooler service known as the PrintNightmare flaws. The ransomware operators aim to compromise victims and move laterally across a victim’s network to deploy file-encrypting payloads on targeted systems. Researchers observed that Magniber ransomware has made a comeback using the same methods, exploiting the unpatched PrintNightmare vulnerability against South Korean victims. A separate report by another set of researchers observed that the threat actor Vice Society is also leveraging this vulnerability to carry out post-compromise discovery and reconnaissance. As per that report, the vulnerability was leveraged to bypass native Windows protections, allowing privilege escalation and credential theft.
Since June 2021, a series of “PrintNightmare” flaws has been reported, comprising multiple vulnerabilities in the Windows Print Spooler service that enable attackers to perform remote code execution. The timeline of the PrintNightmare vulnerabilities is as follows:
The researchers highlighted that multiple threat actors have found the PrintNightmare flaws easy to exploit, which would likely lead to even more attacks.
Ransomware operators are constantly refining their approach as they strive to carry out more effective, efficient, and evasive operations. The abuse of recently disclosed flaws by ransomware operators indicates that adversaries quickly incorporate new tools into their attack chains.
NjRAT, also known as Bladabindi, is a Remote Access Tool (RAT), or Trojan, that allows a threat actor to control the victim’s machine. Built on the .NET framework, NjRAT not only controls victim machines remotely but also allows attackers to steal data and credentials, log keystrokes, and activate webcams. Another notable feature of NjRAT is that it gives attackers access to the command line on the compromised machine.
NjRAT’s other significant features include:
Blacklisted IP: 3.131.147[.]49
Risk Score: 10
Confidence Level: High
Associated Malware: NjRAT
Function: NjRAT C&C
ITW Associations: Multiple
Associated Hash (MD5): a509dfc6d5bc2e23a7ae3751ba073dae
File Name: nitrog.exe
C&C process name: nitrog.exe
DeCYFIR Threat Actor Association: Lazarus group
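A defender can turn the indicator record above into a simple detection. The following is an added example, not code from the report or the DeCYFIR platform: it refangs the published IP, then matches constructed endpoint telemetry (not real data) against the C&C IP, the MD5 hash and the process name, grading a name-only match as weak and a hash or C2 match as strong.

```python
# Indicator record as published in the digest above (IP is defanged with "[.]").
IOC = {
    "ip": "3.131.147[.]49",
    "md5": "a509dfc6d5bc2e23a7ae3751ba073dae",
    "process": "nitrog.exe",
}

def refang(ip: str) -> str:
    """Turn a defanged indicator back into a comparable dotted-quad."""
    return ip.replace("[.]", ".")

# Constructed sample telemetry for the demonstration; not taken from any report.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Users\bob\AppData\Roaming\nitrog.exe",
     "md5": "a509dfc6d5bc2e23a7ae3751ba073dae"},
    {"type": "network", "host": "ws01", "image": r"C:\Users\bob\AppData\Roaming\nitrog.exe",
     "dst_ip": "3.131.147.49"},
    {"type": "network", "host": "ws02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "13.107.4.50"},
    {"type": "process", "host": "ws03", "image": r"C:\Temp\Nitrog.EXE",
     "md5": "00000000000000000000000000000000"},
]

def match_event(event: dict, ioc: dict = IOC) -> list:
    """Return the indicator fields this event hits; an empty list means no match."""
    hits = []
    # Compare only the file name, case-insensitively, whatever the directory.
    name = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name == ioc["process"].lower():
        hits.append("process_name")
    if event.get("md5", "").lower() == ioc["md5"]:
        hits.append("md5")
    if event.get("dst_ip") == refang(ioc["ip"]):
        hits.append("c2_ip")
    return hits

def scan(events: list, ioc: dict = IOC) -> dict:
    """Group hits per host. A file name alone is easy to collide with, so it is
    rated low; a hash or C&C IP match is rated high."""
    report = {}
    for ev in events:
        hits = match_event(ev, ioc)
        if hits:
            severity = "high" if ("md5" in hits or "c2_ip" in hits) else "low"
            report.setdefault(ev["host"], []).append((ev["type"], severity, hits))
    return report

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS).items():
        print(host, findings)
```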
Tracked as CVE-2021-34641, the vulnerability affects the SEOPress WordPress plugin, which is used by approximately 100,000 websites. The flaw allows a potential attacker to inject arbitrary web scripts into a vulnerable site, which then execute whenever a user visits the “All Posts” page. The vulnerability is caused by one of the newly introduced REST-API endpoints being insecurely implemented.
Cross-site scripting vulnerabilities such as this one allow attackers to carry out a variety of attacks. Successful exploitation may let an attacker perform malicious actions such as creating new administrative accounts, injecting web shells, performing arbitrary redirects, and more. The vulnerability could easily be used by an attacker to take over a WordPress site.