Threat Actor in Focus

Researchers Detail Post Exploitation Framework Used by The Equation Group

Suspected Threat Actors: The Equation Group

• Attack Type: Malware Implant, Data Exfiltration, Persistence, Reconnaissance, Lateral Movement, Defence Evasion, Privilege Escalation
• Objective: Unauthorized Access, Data Theft
• Target Technology: Microsoft Windows, Linux
• Business Impact: Data Loss, Operational Disruption

Summary:

Researchers have recently disclosed a detailed analysis of a system called DoubleFeature logging component of DanderSpritz – a full-featured malware framework used by the Equation Group. The DanderSpritz was leaked by The Shadow Brokers in the past, has a modular structure, and contains a wide variety of tools. As per researchers, the framework relies on dozens of various plugins for post-exploitation activities on Windows and Linux hosts. The DoubleFeature is one such plug-in that functions as a “diagnostic tool for victim machines carrying DanderSpritz.” It is designed to maintain logs of the type of tools that could be deployed on a target machine. DoubleFeature is a Python-based dashboard that also acts as a reporting utility to exfiltrate the logging data from the infected machine. Some of the plugins and components used by DoubleFeature include:

• UnitedRake (UR) – remote access tool that can be used to target Windows machines.
• StraitBizarre (SBZ) – an implant used for stealthy data exfiltration.
• KillSuit (KiSu) – aka GrayFish is an unusual plugin whose miss is to run other plugins, providing a framework for persistence and evasion.
• DiveBar – Part of KillSuit responsible for persistence methods such as “KSLA” (KillSuit loader), “SolarTie”, “JustVisiting”, and “DoctorOcopus”.
• FlewAvenue(FlAv) – is an IPv4 driver that provides covert network access for other tools.
• DuneMessiah
• CritterFrenzy
• MistyVeal (MV) – A “validator” implant that is used to verify that the targeted machine is indeed an authentic victim and not a research environment.
• DiceDealer (DD) – Parsing tool for the logging data produced by all installations and uninstallations performed by DiveBar
• PeddleCheap ****(PC) – Among the first tools that run on a victim machine and are used to bootstrap a complete DanderSpritz installation.

 Insights:

Earlier this year, the researchers detailed an exploit dubbed Jian used by Chinese threat actor group APT31 which appeared to take heavy inspiration from an exploit used by the Equation Group – code-named “EpMe”. As per researchers, APT31 had access to EpMe’s files almost 2 years before the Shadow Brokers leak took place. According to researchers the APT group replicated the exploit around 2014, leveraged the exploit in their operations since at least 2015 before it was patched by Microsoft in 2017. The framework which homes the EpMe exploits dates back to 2013 and includes 4 privilege escalation exploits and two of them were zero-day during the framework’s development.

Vulnerabilities and Exploits

‘NotLegit’ Azure Flaw

• Attack Type: Vulnerabilities & Exploits
• Target Technology: Azure App Service (aka Azure Web Apps)
• Vulnerability: (Unassigned CVE)
• Vulnerability Type: Sensitive Information Disclosure

Summary:

The researchers, back in October had detected an insecure default behavior in the Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node, that were deployed using “Local Git”. According to researchers, the vulnerability dubbed as “NotLegit” has existed since September 2017. Microsoft clarified in their response that the vulnerability affected App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory. They also note that not all users of Local Git were impacted by the vulnerability and that the Azure App Service Windows was not affected.

Insights:

The exposed .git folder is a critical security issue and may put the organization at risk. Attackers are continuously looking for exposed Git repository for sensitive information which either aids them to perform more sophisticated attacks or steal secrets and intellectual property. Apart from the possibility that such source code may include credentials to critical systems such as passwords and access tokens, the exposed source code itself can be leveraged to recon the organizations, its infrastructure, and identify vulnerabilities – saving the trouble for an attacker looking to launch an attack.

While Microsoft has not clarified the exploitation of this bug in the wild, researchers deployed a vulnerable Azure App Service application to assess the possibility of its exploitation. The researcher observed multiple attempts from unknown actors trying to access the .git folder. Researchers highlight such exploitation methods are extremely easy, common, and under active exploitation.

Latest Cyber-Attacks, Incidents, and Breaches

Shutterfly Hit by Ransomware

• Attack Type: Ransomware, Data Leak
• Objective: Financial Gains
• Target Industry: Media
• Target Geography: United States
• Business Impact: Data Loss, Financial Loss

Summary:

Shutterfly Inc – American photography, photography products, and image sharing company – has recently suffered a ransomware attack which allegedly encrypted devices and stole corporate data. Reportedly, the incident took place approximately two weeks ago and was perpetrated by the Conti ransomware group who claimed to have “encrypted over 4,000 devices and 120 VMware ESXi servers” demanding millions of dollars as a ransom. Researchers report that the ransomware gang has created a private data leak page for Shutterfly to carry out negotiation as part of its double extortion tactic. The ransomware group is threatening to make this page public if the ransom is not paid. On December 26^th, Shutterfly released a statement stating that incident has not impacted their Shutterfly.com, Snapfish, TinyPrints, or Spoonflower websites, however, Lifetouch and BorrowLenses business, Groovebook, manufacturing, and some corporate systems have been experiencing interruptions.

Insights:

It is unclear as to why the Conti ransomware group is taking an unusual approach to demand ransom by creating a private data leak page one victim organization. It is suspected that the group is expecting a huge payout from this attack at the same time, less media attention which has often backfired for ransomware groups resulting in action from enforcement agencies.

A day after the report of this incident became public, CYFIRMA Researchers observed an advertisement for the sale of Shutterfly data on one of the underground forums.

The unknown threat actor has created the account in mid-December and appears to be of Russian origin as the Conti ransomware group. The threat actor largely invested in looking for “locker affiliates” and “network access” within the forum which indicates a link to ransomware group. The unknown threat actor is looking for affiliates likely to carry out their ransomware operations into various industries including healthcare across the United States, Ukraine, and Switzerland.