Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 28 Nov 2021

Threat Actor in Focus

TA406 Accelerates Attacks

Suspected Threat Actors: TA406 (Suspected Kimsuky Affiliate)

  • Attack Type: Malware Implant, Impersonation, Social Engineering, Credential Harvesting, Phishing, Data Exfiltration
  • Objective: Financial Gains, Unauthorized Access, Data Theft, Espionage
  • Target Geography: North America, Russia, China
  • Target Industry: Research, Education, Government, Media, NGOs, International governmental organizations (IGOs), Cryptocurrency, Finance, Defense, political and foreign policy organizations, and others
  • Target Technology:
  • Business Impact: Data Loss, Financial Loss

Researchers have recently published a detailed report on the malicious activities of an alleged North Korea-based threat group dubbed TA406. The group has run espionage, sextortion, and scam campaigns since at least 2018; however, its campaigns have grown in volume since the beginning of this year. Researchers suspect TA406 is associated with Kimsuky. TA406 phishing campaigns frequently masquerade as Russian diplomats and academics, representatives of the Russian Ministry of Foreign Affairs, human rights officials, or Korean individuals. As per researchers, TA406 uses several different methods and legitimate services for its attacks. Two of its campaigns this year attempted to spread malware (SANNY, KONNI, CARROTBAT, BabyShark, Amadey, and Android Moez) with the intent of gathering information.

Beginning in January 2021, researchers have observed TA406 activity almost on a weekly basis. These campaigns were geared towards stealing sensitive information, such as credentials, from targets in various sectors. As per researchers, the malware the threat actor used in multiple campaigns this year employs similar anti-analysis techniques and periodic, time-based command-and-control calls to exfiltrate data. Researchers suspect TA406 will continue corporate credential theft operations targeting entities of interest to the North Korean government.

Darkweb Database For Sale

Various databases are routinely uploaded on the Dark Web forums to be monetized. Some of the notable ones this week are as follows:

1) Leaked data of the Chinese Elite Armed Police in Tibet is available on underground forums.

2) HARON Ransomware Group Added a New Hack:

Quanfeng Electromechanical International Trade (Shanghai) Co., Ltd. was established on March 21, 2002. It is mainly engaged in the production of industrial electrical automation control systems, high- and low-voltage complete power distribution equipment, various types of power and lighting distribution cabinets, and motor control centers. According to the HARON data leak site, the organization has likely been compromised in a ransomware attack; the attackers have demanded a ransom payment, failing which the exfiltrated files will likely be leaked.

Latest Cyber-Attacks, Incidents, and Breaches

GoDaddy Says Data Breach Exposed Over a Million User Accounts

  • Attack Type: Data Leak, Compromised Credentials
  • Objective: Unauthorized Access, Potential Data Theft
  • Target Industry: Information Technology & Services
  • Target Geography: Global
  • Target Technology: Website
  • Business Impact: Data Loss, Financial Loss, Reputational Damage

Recently the web hosting giant GoDaddy reported a data breach in which data of approximately 1.2 million customers may have been accessed. GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting millions of its WordPress customers. As per the report filed with the SEC (Securities and Exchange Commission), the unknown threat actor initially gained access via a compromised password on September 6, 2021, and the unauthorized access was discovered on November 17, 2021, at which point it was revoked. While immediate corrective actions were taken, the attacker had more than two months to carry out malicious activities. Notably, GoDaddy also stored sFTP credentials in plaintext rather than encrypting them, which gave the attacker direct access to the password credentials. GoDaddy said the attacker gained access to the following information:

  1. Approximately 2 million active and inactive Managed WordPress customers’ email addresses and customer numbers.
  2. Original WordPress Admin password issued at the time when the site was created.
  3. sFTP and database usernames and passwords of active customers.
  4. SSL private key of some active customers.

It has been emphasized that the exposed email addresses and customer numbers may expose customers to phishing attacks. However, the risk posed by this information is minimal compared to the potential impact of the exposed sFTP and database passwords.

Given that the attackers had ample time, it is suspected that they may have tried to establish persistence through malicious actions such as uploading malware or creating a malicious administrative user. In doing so, the attackers would be able to maintain persistence and retain control even after the password had been changed.
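A first-pass check a site owner can run for the persistence scenario described above, added here as an example and not part of the original advisory or of GoDaddy's guidance: list administrator accounts whose registration time falls inside the breach window stated in the text (September 6 to November 17, 2021). The table rows are constructed sample data; the query itself runs unchanged against a real WordPress database once the `wp_` prefix matches the installation.

```python
import sqlite3

# Constructed sample of the two WordPress tables involved (not real data).
# wp_users holds the account and its registration time; wp_usermeta holds the
# role under meta_key '<prefix>capabilities' as a serialized PHP array.
SAMPLE_USERS = [
    (1, "owner",      "2019-03-02 10:00:00"),
    (2, "editor_jo",  "2020-07-14 08:30:00"),
    (3, "wp_support", "2021-10-03 02:17:45"),   # admin created inside the window
    (4, "newwriter",  "2021-10-20 09:00:00"),   # inside the window, but not admin
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
]

# Breach window from the advisory: initial access 2021-09-06, access revoked 2021-11-17.
WINDOW_START = "2021-09-06 00:00:00"
WINDOW_END = "2021-11-17 23:59:59"

def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the minimal WordPress schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn

def admins_created_in_window(conn, start=WINDOW_START, end=WINDOW_END):
    """Return (login, registered) for administrator accounts registered between start and end."""
    return conn.execute(
        """
        SELECT u.user_login, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND u.user_registered BETWEEN ? AND ?
        ORDER BY u.user_registered
        """,
        (start, end),
    ).fetchall()

if __name__ == "__main__":
    for login, registered in admins_created_in_window(build_sample_db()):
        print(f"REVIEW: administrator '{login}' registered {registered}")
```

An attacker with database access can backdate `user_registered`, so this only catches the careless case; compare the full administrator list against a known-good roster as well.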

In addition, the stolen private keys of some of the websites could be used to decrypt the traffic between the affected site and its visitors, should the attackers be able to position themselves for a man-in-the-middle (MITM) attack.

This data breach is likely to have far-reaching consequences, since GoDaddy’s Managed WordPress offerings account for a significant portion of the WordPress ecosystem. As expected, it was confirmed shortly afterwards that multiple brands that resell GoDaddy Managed WordPress offerings were also impacted, including tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.

Vulnerabilities and Exploits

Critical Code Execution Vulnerabilities Affecting OpenVPN-Based Applications

  • Attack Type: Vulnerabilities & Exploits, Local Privilege Escalation, Blind & Classic SSRF, RCE
  • Target Technology: OpenVPN-Based Applications
  • Vulnerability: The following vulnerabilities are included:
    • HMS Industrial Networks AB – eCatcher
      • CVE-2020-14498 (CVSS Base Score: 9.6)
    • PerFact – OpenVPN-Client
      • CVE-2021-27406 (CVSS Base Score: 8.8)
    • Siemens – SINEMA RC Client
      • CVE-2021-31338 (CVSS Base Score: 7.8)
    • MB connect line GmbH – mbConnect Dialup
      • CVE-2021-33526 (CVSS Base Score: 7.8)
      • CVE-2021-33527 (CVSS Base Score: 7.8)

Vulnerability Type: Escalation of Privilege, Stack-based buffer overflow, External Control of Systems or Configuration Setting, Improper Privilege Management

Researchers have raised the alarm over a series of severe code execution vulnerabilities affecting virtual private network (VPN) applications based on OpenVPN. As per the analysis, the flaws in products from various vendors may allow an attacker to achieve code execution by tricking potential victims into visiting a maliciously crafted webpage. According to researchers, the typical VPN client architecture (a front-end GUI application, a back end, and an OpenVPN service) in most cases uses a cleartext protocol over a dedicated socket channel, without any form of authentication. Researchers highlight that anyone with access to the local TCP port the back end listens on could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with that configuration. To exploit this, an attacker can leverage a classic SSRF attack in which victims are tricked into accessing a malicious webpage embedding JavaScript code designed to send a blind POST request to the local port, injecting commands into the VPN client back end. To achieve code execution, attackers need access to an SMB server, which means they must either be on the same domain as the targeted systems or the victim system must be configured to allow SMB access to external servers.

As per researchers, since OpenVPN requires high privileges, VPN vendors install OpenVPN as a service that runs with SYSTEM privileges and use the Management Interface to start a new session. This procedure ensures that even applications that do not require privileges can initiate a VPN connection without elevated permissions. This is a potential risk that could allow privilege escalation and attacks that introduce significant risk to a business.
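The three controls the back-end channel described above lacks (a per-session secret the GUI knows but a web page cannot read, rejection of browser-shaped HTTP traffic, and refusal to load a caller-chosen config path) can be illustrated with a request validator such as the following. This is an added example, not code from any of the affected vendors; the line-based message format `<token> CONNECT <profile>` and the trusted profile directory are assumptions.

```python
import hmm_placeholder_guard  # noqa: F401  (removed below; placeholder never shipped)
```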