Threat Actor in Focus

APT35 Attacks with PowerShell-based Malware

Suspected Threat Actors: APT35 (aka Charming Kitten, TA453, or Phosphorus)

• Attack Type: Malware Implant, Vulnerabilities & Exploits, Data Exfiltration
• Objective: Unauthorized Access, Payload Delivery, Potential Data Theft
• Target Technology: Product Using Vulnerable Log4j, Windows, Linux
• Target Industry: Government, Transport, Communications, Education & Research, Others
• Target Geography: Israel
• Business Impact: Data Loss, Financial Loss

Summary:

According to researchers, the Iranian nation-state actor groups have started widespread scanning and attempts to leverage Log4j flaw in the publicly exposed vulnerable systems in merely four days after public disclosure of the vulnerability. With rushed infrastructure, the threat actor group used open-source tools for exploitation and utilized infrastructure that was used in many of their previous attacks to carry out this operation. It allowed researchers to easily detect and attribute the activity. However, shortly after these attacks started, researchers observed a subgroup of APT35 engaged in a large-scale campaign that employed their own implementation of the exploit. The exploitation attempts were observed on approximately 150 organizations, though it is not clear how many of those were successful. Upon successfully exploiting the system vulnerable to Log4j vulnerability (CVE-2021-44228), the threat actor group deployed CharmPower – a PowerShell-based modular backdoor.

Insights:

As per researchers, the threat actor group is known in the cybersecurity community for making several OpSec mistakes. Once exposed, the group tends not to put too much effort into changing their infrastructure to make attribution harder for defenders. It comes as no surprise there is significant overlaps in the code and infrastructure with previous APT35 activities.

Further, while analyzing the infrastructure used in this attack, researchers made the following observation:

1. All the servers are hosted by OVH SAS and Hetzner Online GmbH as used previously in their campaign. As well as the specific pattern that the command-and-control (C2) domains share(0<word><letter><word>0.xyz) are named.
2. One of the C2 servers responded with modules that use 127.0.0.1 as a C2 server. Most likely it is a development server and researchers did not observe it in a known infection chain. The number of mistakes made in the code of modules also suggests that the PowerShell-based malware is still under active development.
3. The time it takes the C2 server to respond with a module, and the module type it responds with differs significantly between victims. It could be evidence for a manual operation of the C2, with the operator deciding which targets are interesting and which ones are not.

Latest Cyber-Attacks, Incidents, and Breaches

Edge Users Targeted by Ransomware

• Attack Type: Ransomware, Social Engineering, Impersonation
• Objective: Financial Gains, Data Theft
• Target Industry: Multiple
• Target Geography: South Korea
• Business Impact: Data Loss, Financial Loss, Operational Disruption

Summary:

Researchers have recently disclosed that attackers behind the Magnitude Exploit Kit(EK) have updated it to target Microsoft Edge users with a fake browser update. The EK uses a range of social engineering techniques and exploits users and installs ransomware. While the Magnitude EK has been known to target multiple geographies and deliver different kinds of ransomware in the past, currently they seem to target South Korean users with Magniber ransomware. A typical attack chain involves the following steps:

1. User visits an ad-heavy website and encounters the malicious ad
2. The malicious ad redirects users to a “gate”, known as Magnigate
3. Magnigate checks IP address and browser to determine if the user is the intended target
4. Users filling the attackers’ criteria are redirected to the Magnitude exploit kit landing page
5. Based on information from Magnigate, the EK chooses an attack from its collection
6. In this case, the EK determines the best attack is a fake Microsoft Edge update
7. The “update” is actually a malicious Windows Application package (.appx) file
8. The .appx file downloads Magniber ransomware
9. Magniber encrypts the user’s files and demands a ransom

Insights:

Historically, fake software updates have proven to be a prominent tactic employed by attackers in their campaigns for getting users into downloading malware. Often these tactics involve impersonation of a popular and well-known brand. The attackers who are also efficient social engineers, tune the messages with the right mixture of implied threat and urgency.

For years, fake Flash updates have been used by attackers to carry out web-based malware campaigns. Its popularity among attackers can be attributed to the fact that Flash was widely used, famously riddled with security flaws, and used to go undergo updates almost on a monthly basis. With the retirement of Flash, attackers had to look for other options. As such web browser is an ideal candidate for attackers since it maintains a frenetic update schedule and is widely used.

In the past, Flash and Internet Explorer vulnerabilities have been extensively targeted by Magnitude. However, changes in the software landscape force attackers to adapt. For example, the exploitation of sandbox escapes vulnerability in the Chromium-based browsers in late 2021.

The attacker behind the Magnitude regularly updated the EK with fresh attacks. Researchers highlight that the fake Edge browser update seems to be added in the last few weeks.

Vulnerabilities and Exploits

“powerdir” New macOS vulnerability

• Attack Type: Vulnerabilities & Exploits
• Target Technology: macOS
• Vulnerability: CVE-2021-30970
• Vulnerability Type: Persistent DoS

Summary:

Microsoft has recently disclosed details on a new macOS vulnerability dubbed “powerdir,” and identified as CVE-2021-30970. The vulnerability could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology resulting in unauthorized access to a user’s protected data. Introduced in 2012 on macOS Mountain Lion, the TCC essentially helps users to configure the privacy settings of their apps. To protect TCC, Apple implanted controls that prevented unauthorized code execution and enforced a policy that restricted access to TCC to only apps that had full disk access. Microsoft uncovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests.

Insights:

If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.

There have been the following previously reported vulnerabilities that allowed bypassing TCC technology:

1. Time Machine mounts (CVE-2020-9771)
2. Environment variable poisoning (CVE-2020-9934)
3. Bundle conclusion issue (CVE-2021-30713)

A similar exploit to the “first POC exploit” from Microsoft to plant a fake TCC database file and change the user’s home directory using the Directory Services command-line utility was presented at BlackHat USA 2021 in August. However, after the Monterey release, Microsoft used a “second POC exploit” to demonstrate the vulnerability.