Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 19 Dec 2021

Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 19 Dec 2021

Log4j Vulnerability – Two Linux Botnets Adopt Log4j Vulnerability

  • Attack Type: Vulnerabilities & Exploits (Log4Shell), Malware Implant, Remote Code Execution (RCE)
  • Objective: Unauthorized Access, Payload Delivery
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Apache Log4j, Linux
  • Business Impact: Data Loss, Financial Loss, Operational Disruption

Summary:

Researchers have recently observed two waves of attacks leveraging the Log4j vulnerability to form botnets. Sample analysis by researchers further revealed that the attacks were related to Muhstik and Mirai botnets, targeting Linux devices. As per researchers:

The Mirai botnet wave propagates a new variant of Mirai with changes to the initial code. A top-level domain was used as its command & control (C2) domain name which is not common.

The Muhstik botnet – disclosed in 2018 and a variant of Tsunami, also based on Mirai code – was observed. The new Muhstik variant adds a backdoor module, ldm, capable of adding an SSH backdoor public key that allows an attacker to log into the remote server without the need for password authentication.

Insights:

The vulnerability tracked as CVE-2021-44228, (aka Log4Shell) is an RCE vulnerability in the Apache Log4j2 Java logging framework that has been under active exploitation after the public release of its exploit. Multiple security researchers and vendors are witnessing active probes by several threat actors and attackers trying to find ways to exploit this vulnerability. As per a researcher, the vast majority of attacks appear to originate from crypto miners and DDoS botnets.

Interestingly, researchers have found evidence of the Log4j exploit dating back to December 1st while the public PoC was released last Thursday. Meaning, the exploit was in wild for at least 9 days before the public release of the exploit.

So far, researchers have identified 10 different families of malware being spread with the help of Log4j RCE vulnerability including:

  1. Muhstik, DDoS+backdoor
  2. Mirai
  3. DDoS family Elknot
  4. mining family m8220
  5. SitesLoader
  6. pe
  7. ELF
  8. attack tool 1
  9. attack tool 2
  10. Unknown PE family

Given the criticality and impact of Log4j vulnerability, the exploitations from attackers involved in crypto-mining and DDoS botnet is expected to increase, and more dangerous attacks such as state-sponsored threat actor groups and ransomware gangs are expected to join the fray at scale. So far, Khonsari ransomware – a new ransomware group, and Nemesis Kitten – an Iranian state-sponsored threat actor group, have been reportedly observed exploiting the Log4j vulnerability.

Refer to CYFIRMA’s Technical Analysis of Log4j 

Threat Actor in Focus

TA575 Starts Holiday Season with Year-end, Festive Lures

Suspected Threat Actors: TA575

  • Attack Type: Malware Implants, Potential Data Exfiltration
  • Objective: Unauthorized Access, Data Theft, Payload Delivery
  • Target Geography: United States
  • Target Industry: Education, Manufacturing, Government, Insurance, Finance
  • Target Technology: Email, Microsoft Excel, Microsoft Word
  • Business Impact: Data Loss, Operational Disruption

Summary:

Researchers have recently observed the threat actor tracked as TA575 with holiday-themed lures in their latest high-volume campaigns. Researchers have observed a range of email subjects including “Black firday and Cyber Monday Survey Scam alert,”  “Christmas tips: Preparing for Holydays,” “Holiday Survey Threats beware,” and even “Winter lifehacks: Cutest Tax Credit.” The motive behind this campaign appears to lure potential victims into downloading the Dridex banking trojan. In November, the emails delivered malicious Excel files attachment that when opened, leveraged XL4 macros to download and execute Dridex malware from URLs including Discord URLs. The campaign observed in December used both Microsoft Excel and Word attachments to deliver the same malware using Discord URLs, HTA files, and remote templates. In some cases, the lures used both holiday theme and US tax filing themes to lure unsuspecting users.

Insights:

As per researchers the threat actor TA575 – like any other sophisticated threat actor – is adept at using current events-based lures to take advantage of the opportunity. During the holiday season when users become desensitized, receiving numerous advertisements, shopping deals, and offers, may not be on their guard or think twice about opening a malicious file or suspicious link.

Dridex is a prolific piece of malware that has been associated and distributed by multiple threat actors. The malware is leveraged to perform data theft and also facilitates the installation of additional malware such as ransomware. Given the widespread nature and high volume of these campaigns, iIt can be suspected that any number of users and/or organizations could be impacted.

 

Major Geopolitical Developments in Cybersecurity

US, Australia Agree to Share Phone, Text Records in Criminal Probes

The United States and Australia signed an agreement this week to ease access by their justice departments to digital phone and email records needed in criminal investigations.

US Attorney General and Australian Minister for Home Affairs said the agreement would allow both the countries to obtain “timely access” to electronic information crucial for serious crime investigations without first going through a lengthy process in the courts.

It means Australian investigators will be able to acquire the communications of a suspect even if they are held on a server located inside the United States and US justice authorities are not part of the investigation.

Until now, Australian agencies depend on complex and time-consuming processes, such as mutual legal assistance agreements, to access crucial evidence from other countries.

Both officials emphasized that rules of privacy and civil rights would be followed, amid concerns that the Cloud Act is opening the door to unwarranted searches of people’s private information not only by their governments but by others as well.

Source

UK’s New Cyber Strategy Designed to Boost Position as “Global Cyber Power”

The UK government has published a new national cyber strategy to boost the nation’s defensive and offensive capabilities amid rising attacks from nation-state actors and criminal gangs.

The government needs its wide-ranging strategy to harden the UK’s “position as a global cyber power.” Plans to enhance the nation’s cyber-defences include implementing the recently announced Product Security and Telecommunications Infrastructure (PSTI) that enforces minimum security standards on smart device manufacturers and increased funding in public sector cybersecurity. Additionally, the government stated that there will be an expansion of the National Cyber Security Centre (NCSC)’s research capabilities.

There is also a strong prominence on promoting offensive measures in the policy to better equip the police and military to take the fight against cyber-threat actors. For this, funds will be increased for the UK’s recently established National Cyber Force and for law enforcement to help disrupt and target cybercrime groups.

An additional aspect of the policy is developing the UK’s cyber talent pool and calling for “all parts of society to play their part in reinforcing the UK’s economic and strategic strengths in cyberspace.” Among the measures outlined in this area, the government declared a new ‘Cyber Explorers’ online training platform to enable young people to learn cyber skills in classrooms and a new scheme to help adults from all backgrounds access jobs in this sector.

The sheer growth of cyber incidents, the increasing geopolitical relevance of cyber, and the country’s growing dependence on technology as a society have further underlined how critical effective cybersecurity is for its future prosperity and national security. This view is reinforced in this strategy, with the government emphasizing how all – be that public, private, big, or small enterprise – must play their part in this important sector.

Source

 

Vulnerabilities and Exploits

SanDisk SecureAccess Vulnerability allows Brute Force Attacks

  • Attack Type: Vulnerabilities & Exploits, Brute Force
  • Target Technology: SanDisk SecureAccess
  • Vulnerability CVE-2021-36750 (CVSS Base Score: NA)
  • Vulnerability Type: Improper Restriction of Excessive Authentication Attempts

Summary:

Western Digital has recently patched a security vulnerability in SanDisk SecureAccess (rebranded as SanDisk PrivateAccess) that allows users to store and protect sensitive files in SanDisk USB flash drives. The vulnerability could enable attackers to brute force a SanDisk SecureAccess password and get access to the users’ protected data. As explained by Western Digital in a security advisory – “SanDisk SecureAccess 3.02 was using a one-way cryptographic hash with a predictable salt making it vulnerable to dictionary attacks by a malicious user.”

Insights:

The researcher who discovered the issue highlights that SanDisk SecureAccess is affected by a couple of key derivation function issues that can allow an attacker to crack user passwords. As explained in the security advisory, the software utility made use of a password hash with an insufficient computational effort which would allow an attacker to crack the password and secure unauthorized access to the user’s data.

With the patch, the derivation function issues have now been addressed with the use of PBKDF2-SHA256 alongside a randomly generated salt. Within cryptography, the PBKDF2 are key derivation functions that are used to reduce vulnerabilities related to brute force attacks.

 

CYFIRMA Research – Karma Leak

“Karma Leak” was first been detected in June 2021 and is a fairly new ransomware. There is another group with the same name in 2016 but may not have any link to the current working threat group “Karma Leaks”. It has been observed that Karma may have linkage to Milihpen and Gangbang in accordance with similarities observed in the coding.

Karma Ransomware is constantly evolving, upgrading and improving on a regular basis. It encrypts all files except some extensions on the compromised system and appends the encrypted files with the extension .KARMA_V2. Earlier it was using the extension .KARMA. Karma ransomware also drops the ransomware note into each folder with the name KARMA_V2-ENCRYPTED.txt.

“Karma Leaks” have the following capabilities or functionality:

  1. Capability to collect system information.
  2. Capability to create mutex, so that only one instance of the malware can run at a particular time.
  3. Dynamic memory allocation and manipulation capability.
  4. Capability to synchronize between various threads, processes and while accessing shared resources.
  5. Have the capability to access native APIs to perform low-level functions like handling/manipulation of hardware, memory, and processes directly.
  6. Capability to create new threads and processes.
  7. Capability to access registry entries and manipulate them.
  8. Capability to load other DLLs, libraries, and processes in memory.
  9. Capability to sleep or deactivate when want to hide itself.
  10. Ability to handle, search, open, close, write, access and manipulate files.
  11. Capability to search Drives, Folders and exclude some specific files/folders from encrypting.
  12. Capability to handle command-line arguments.
  13. Ability to encrypt files.
  14. Ability to check the status of last command execution or error status and execute the code accordingly.
  15. Malware used API CreateIOCompletionPort which indicates the capability of malware to maintain communication between the main thread and its sub-threads and is most probably used to handle encryption process with efficiency.