Weekly Intelligence Trends and Advisory – 26 Sep 2021

CYFIRMA Research

A critical Remote Code Execution (RCE) Vulnerability tracked as CVE-2021-40444 in Microsoft Windows MSHTML has been found to be exploited actively in the wild.

Multiple threat actors have been seen abusing the vulnerability to carry out malicious activities. The threat actors observed are as follows:

  • Mustang Panda
  • FIN11
  • OceanLotus
  • TA551

Upon analyzing the associated Indicators of Compromise (IOCs), we observed indicators predominantly linked to several malware families such as Donoff downloader, Cobalt Strike and a number of others.

The primary motives behind abusing the vulnerability appear to be the theft of sensitive information and financial gain.

Threat Actor in Focus – Turla Deploys New Malware

Suspected Threat Actors: Turla Group

  • Attack Type: Data Exfiltration, Malware Implant, Persistence, Defence Evasion
  • Objective: Unauthorized Access, Payload Delivery, Data Theft
  • Target Geography: USA, Germany, Afghanistan
  • Target Industry: Unknown
  • Target Technology: Windows
  • Business Impact: Data Loss, Financial Loss, Loss of Intellectual Property

Summary

Researchers have spotted a previously undiscovered backdoor, dubbed TinyTurla and attributed to the Turla group, in the wild. According to researchers, the backdoor is likely used as a second-chance backdoor to maintain access if the primary malware is removed from the infected system. The backdoor can also be leveraged as a second-stage dropper to install additional malware on the system. To hide its presence on a system, the malware is installed as a service named Windows Time Service, and it allows the attacker to upload, execute, and exfiltrate files from the infected system. Researchers highlight that the malware contacts the command & control (C2) server every five seconds over an encrypted channel to receive new commands. They were able to identify command and control codes for different backdoor functions, which include authentication, execute process, execute with output collection, download file, upload file, create a subprocess, close subprocess, subprocess pipe in/out, set timelong, set timeshort, set new security password, and set host(s).

Insights

As per researchers, the backdoor was potentially used to target the Afghan government before the Taliban took over power in the country following the pullout of military forces backed by the West.

The backdoor’s code is simple yet efficient enough to fly under the radar. This activity is also a good example of how defenders may easily overlook malicious services that are clouded by the myriad of legitimate services. It is essential to have automated solutions detecting unknown running services in addition to a team of skilled professionals to overcome such shortcomings.
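The automated check for unknown services described above can be as simple as a baseline diff. The following is an added example, not code from the researchers: the baseline, the inventory and every service name and path in it except the "Windows Time Service" display name are constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed baseline for one host image: service name -> (display name, binary path).
BASELINE = {
    "W32Time": ("Windows Time", r"C:\Windows\System32\w32time.dll"),
    "Dnscache": ("DNS Client", r"C:\Windows\System32\dnsrslvr.dll"),
    "Spooler": ("Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
}

# Constructed inventory, shaped like an export of a host's installed services.
OBSERVED = [
    {"name": "W32Time", "display": "Windows Time", "path": r"C:\Windows\System32\w32time.dll"},
    {"name": "Spooler", "display": "Print Spooler", "path": r"C:\Users\Public\spoolsv.exe"},
    {"name": "AcmeBackup", "display": "Acme Backup Agent", "path": r"C:\Program Files\Acme\agent.exe"},
    {"name": "TimeSvcX", "display": "Windows Time Service", "path": r"C:\ProgramData\x\timesvc.dll"},
]

def resembles(display, threshold=0.7):
    """Return the baseline service whose display name is closest, if close enough."""
    scored = [(SequenceMatcher(None, display.lower(), known.lower()).ratio(), name)
              for name, (known, _) in BASELINE.items()]
    score, name = max(scored)
    return name if score >= threshold else None

def triage(observed):
    """Flag services absent from the baseline or running from a different binary."""
    findings = []
    for svc in observed:
        known = BASELINE.get(svc["name"])
        if known is None:
            twin = resembles(svc["display"])
            reason = f"lookalike of {twin}" if twin else "unknown service"
        elif known[1].lower() != svc["path"].lower():
            reason = "binary path changed"
        else:
            continue
        findings.append((svc["name"], reason, svc["path"]))
    # Lookalikes first: a near-copy of a trusted name is the strongest signal.
    return sorted(findings, key=lambda f: not f[1].startswith("lookalike"))

if __name__ == "__main__":
    for name, reason, path in triage(OBSERVED):
        print(f"{name:12} {reason:24} {path}")
```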

The Turla group is known to use and re-use compromised servers during its campaigns. In this instance as well, the researchers observed the TinyTurla backdoor being pushed from the same infrastructure that has been attributed to the Turla group in previous attacks.

Latest Cyber-Attacks, Incidents, and Breaches

Large-Scale Phishing-as-a-Service (PhaaS) Operation

  • Attack Type: Phishing, Defence Evasion, Data Exfiltration, Impersonation
  • Objective: Data Theft
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Email, Website
  • Business Impact: Data Loss, Financial Loss

Summary

Microsoft’s security team has unearthed a large-scale phishing-as-a-service operation called BulletProofLink (aka BulletProftLink or Anthrax), offering phishing kits, email templates, hosting, and automated services at a relatively low cost. The BulletProofLink PhaaS group has been active since 2018 and maintains multiple sites under the aliases BulletProftLink, BulletProofLink, and Anthrax, including instructional advertisements on YouTube and Vimeo and promotional material on other forums and sites. The operators offer over 100 phishing templates that impersonate well-known brands and services and are designed to evade detection while successfully phishing for credentials. The service is said to be an evolution of “phishing kits”, and BulletProofLink operators have taken this to a whole new level by providing built-in hosting and email sending. For a fee of USD 800, BulletProofLink operators offer a service that includes setting up a web page to host the phishing site, installing the phishing template itself, configuring domains (URLs) for the phishing sites, sending the actual phishing emails to desired victims, collecting credentials from attacks, and then delivering the stolen logins to paying customers. Other services cost about USD 50 for a one-time hosting link.

Insights

As per researchers, the campaign used an interesting technique dubbed “infinite subdomain abuse”, where attackers either compromise a website’s DNS or leverage a compromised site that is configured to allow wildcard subdomains. This essentially allows attackers to use infinite subdomains, delivering a unique URL to each recipient at the cost of purchasing or compromising only one domain. Researchers highlight that the tactic is gaining popularity among attackers.
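Because each recipient gets a unique hostname under a single domain, the pattern stands out once URLs are grouped by parent domain. The following is an added example, not part of the original research: the log format, addresses, domains and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed (recipient, URL) pairs, as a mail gateway's URL log might record them.
EVENTS = [
    ("ana@corp.example", "https://k3f9a.site-one.example/auth"),
    ("bo@corp.example", "https://p0x2m.site-one.example/auth"),
    ("cy@corp.example", "https://zz81q.site-one.example/auth"),
    ("di@corp.example", "https://m7c4e.site-one.example/auth"),
    ("ed@corp.example", "https://t5n6b.site-one.example/auth"),
    ("ana@corp.example", "https://news.vendor.example/offer"),
    ("bo@corp.example", "https://news.vendor.example/offer"),
    ("cy@corp.example", "https://www.vendor.example/"),
    ("di@corp.example", "not a url"),
]

def registered_domain(host):
    # Simplification: last two labels. Use the Public Suffix List in production
    # so that suffixes such as co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def wildcard_suspects(events, min_hosts=4, min_single_use=0.9):
    """Flag domains seen under many hostnames that each reached one recipient."""
    seen = defaultdict(lambda: defaultdict(set))  # domain -> hostname -> recipients
    for recipient, url in events:
        host = urlsplit(url).hostname
        if host:
            seen[registered_domain(host)][host.lower()].add(recipient.lower())
    suspects = {}
    for domain, hosts in seen.items():
        single_use = sum(1 for rcpts in hosts.values() if len(rcpts) == 1)
        ratio = single_use / len(hosts)
        if len(hosts) >= min_hosts and ratio >= min_single_use:
            suspects[domain] = {"hostnames": len(hosts), "single_use_ratio": ratio}
    return suspects

if __name__ == "__main__":
    for domain, stats in wildcard_suspects(EVENTS).items():
        print(domain, stats)
```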

To evade detection, the messages used a technique called zero-point font, in which characters that are rendered invisible to the user are inserted into the HTML body of the messages.
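A content filter that matches keywords on the raw text of such a message misses what the recipient actually reads. The following is an added example, not code from the original research: the sample message is constructed, and the scanner only considers inline `style` attributes, not stylesheets or CSS classes.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([^;]+)", re.I)
ZERO = re.compile(r"0*\.?0+\s*(px|pt|em|rem|%)?")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

# Constructed sample: hidden filler splits the words a filter would look for.
SAMPLE = ('<p>Your p<span style="font-size:0">x9</span>ass'
          '<span style="FONT-SIZE: 0px">q</span>word expi'
          '<b style="font-size:0pt !important">zz</b>res today.</p>')

class ZeroFontScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hidden_stack = []  # one flag per open element: is its text zero-size?
        self.visible, self.hidden, self.raw = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        inherited = self.hidden_stack[-1] if self.hidden_stack else False
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        if m:  # an explicit font-size overrides the inherited one
            value = m.group(1).lower().replace("!important", "").strip()
            inherited = bool(ZERO.fullmatch(value))
        self.hidden_stack.append(inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        hidden = self.hidden_stack[-1] if self.hidden_stack else False
        (self.hidden if hidden else self.visible).append(data)

def scan(html):
    """Split a message body into raw text, rendered text and hidden character count."""
    p = ZeroFontScanner()
    p.feed(html)
    p.close()
    return {"raw": "".join(p.raw), "visible": "".join(p.visible),
            "hidden_chars": len("".join(p.hidden))}

def keyword_hits(html, keywords=("password",)):
    """Per keyword: (found in raw text, found in the text the user sees)."""
    r = scan(html)
    return {k: (k in r["raw"].lower(), k in r["visible"].lower()) for k in keywords}
```

A non-zero `hidden_chars` count is itself a useful signal, since legitimate mail rarely carries zero-size text inside words.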

It is also noted that the PhaaS model is reminiscent of the ransomware-as-a-service (RaaS) model in one more aspect which involves a similar workflow of double extortion. It was observed that operators kept copies of all the collected credentials which are believed to be monetized at a later stage in underground forums.

Vulnerabilities and Exploits

Zero-click RCE Vulnerability in Hikvision Security Cameras Could Lead to Network Compromise

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Hikvision cameras (Multiple Products)
  • Vulnerabilities: CVE-2021-36260 (CVSS Score: 9.8)
  • Vulnerability Type: Command Injection, RCE
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary

The critical bug tracked as CVE-2021-36260, affecting the majority of the recent Hikvision camera product ranges, allows for critical remote unauthenticated code execution even with the latest firmware (as of 21 June 2021), including some older models. Researchers highlight that given the deployment of such devices, critical infrastructure may also be at risk. According to the advisory, due to insufficient input validation, attackers can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands. Updated firmware to guard against the vulnerability has been made available by the vendor.

Insights

Researchers assessed that this is definitely not a Chinese Government-mandated backdoor; however, it poses a greater risk around the globe since Hikvision is the most widely used video surveillance manufacturer. In addition, there are growing security concerns given that Hikvision was one of the entities blacklisted by the 2019 NDAA and the US government is planning to ban FCC authorizations.

Firmware from as long ago as 2016 has been found to be vulnerable. It should also be noted that cybercriminals only need access to a web server over port 80/433 without the need for any actions to be initiated by the camera owner or credentials in order to exploit these devices. While a PoC exists – it has not been made public due to the severity of the issue.