UK: Ankura CTIX FLASH Update - August 5, 2022

Ransomware/Malware Activity

Ukraine Takes Down 1,000,000 Bots Used to Conduct a Russian Disinformation Campaign

The Ukrainian cyber police (SSU) have shut down a massive bot farm used to spread disinformation on social networks. The goal of the 1,000,000 bots was to discredit information coming from official Ukrainian state sources, destabilize the social and political situation in the country, and create internal strife. The bot farm is believed to have been part of a disinformation campaign run by Russian Special Services. SSU's investigation led to the identification of the criminal group's leader, a Russian "political expert" who has lived in Kyiv in the past. The farm that was dismantled by the SSU had nodes in Kyiv, Kharkiv, and Vinnytsiaarm. To amass the army of 1,000,000 bots, the threat actors used 5,000 SIM cards to register new social media accounts. Additionally, the operators used 200 proxy servers that masked their IP addresses and helped to evade detection by social media platforms. According the SSU, the threat actors developed and deployed custom software to remotely manage the pseudonymous social media accounts. This has been a common occurrence in that region since the beginning of the Ukrainian conflict. In February 2022, Meta removed multiple clusters of fake Facebook accounts that were spreading false information. In March 2022, the SSU announced the discovery and shut down of five (5) smaller bot farms, which operated approximately 100,000 fake social media accounts that were spreading misinformation. Ukraine's President Volodymyr Zelenskyy has been the main target of these disinformation campaigns, many of which claiming the president was in critical medical condition. Fighting these misinformation campaigns has been the goal of the SSU, who have identified and neutralized over 1,200 cyberattacks against the state and other critical entities and reported 500 YouTube channels comprising 15 million subscribers.

• Bleeping Computer: Ukraine Article

QuestionPro Investigating Potential Data Breach After Actor Attempts Extortion

QuestionPro, a leading online survey solutions company that allows businesses to create and conduct surveys for market research purposes, has suffered an extortion attempt when a threat actor demanded a ransom after allegedly exfiltrating data. QuestionPro has stated that an investigation is underway to determine whether a data breach occurred, and that customers will be informed if so. The threat actor, known as "pompompurin", claims to have stolen the QuestionPro database and allegedly alerted the company of the unsecured database in late May 2022. BleepingComputer explained, however, that an additional threat actor is involved who attempted to extort the company. Have I Been Pwnd (HIBP) owner Troy Hunt explained that the database contains records for roughly 22 million unique email addresses as well as IP addresses, geographic locations, and additional survey data. Due to "hundreds of thousands of entries using the @questionpro.com email addresses," Hunt has added the currently unverified breach to HIBP's database and QuestionPro users are recommended to review the HIBP site to ensure their email address is not present. CTIX analysts will provide an update once additional information is released.

• Bleeping Computer: QuestionPro Article

Threat Actor Activity

Association of German Chamber of Industry and Commerce Experiences National Shutdowns due to Cyber Attack

On August 4th, 2022, the Association of German Chamber of Industry and Commerce (DIHK) confirmed that they shut down all of their IT systems, digital services, telephones, and email servers in response to a cyber-attack. The attack and subsequent shutdown were confirmed on LinkedIn by the General Manager of the IHK Mittleres Ruhrgebiet (IHK in central Ruhr), Michael Bergman, stating that the attack was detected late in the afternoon on August 3rd and affected multiple locations across Germany. There appears to be no regional focus of the attack, since IHK locations in North Rhine-Westphalia, Lower Saxony, Mecklenburg-Western Pomerania, and Bavaria have all been affected. In addition, the Twitter accounts of the Köln, Würzburg, and Lüneburg-Wolfsburg locations all have Tweeted that their offices are currently unable to answer phones or emails since the cyber-attack. A spokesperson for IHK Gesellschaft for Informationsverarbeitung (information processing) in Dortmund confirmed that all IHK systems in Germany have been affected by the attack. All services are to undergo an investigation before being restarted. The DIHK website states that they are currently working on a "solution and defense," and that their homepage will be updated as systems return to functionality. At the time of writing, researchers from around the world suspect that ransomware was the source of the attack, but no confirmation has been made public and no ransomware groups have claimed responsibility. CTIX will continue to monitor the situation as more information is released.

• Köln Twitter
• Würzburg Twitter
• Lüneburg-Wolfsburg Twitter
• Bleeping Computer: DIHK Article

Vulnerabilities

CISA Warns of Critical Vulnerabilities in Popular VMware Products

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a security advisory released by VMware on August 2, 2022. VMSA-2022-0021 addresses multiple critical vulnerabilities affecting VMware's Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation products. The identification was a result of an effort by multiple security researchers and companies. The most severe vulnerability, tracked as CVE-2022-31656, has a CVSS score of 9.8/10 and is described as a critical authentication bypass. If exploited, remote attackers could use this vulnerability to elevate their privileges to administrator, giving themselves full reign to create and deploy catastrophic exploit chains at will. While on their own less severe, three (3) other vulnerabilities were found able to be paired with CVE-2022-31656 to achieve unauthenticated remote code execution (RCE). Although there is no evidence to suggest that this vulnerability has been exploited in the wild, a proof-of-concept (PoC) and technical writeup will soon be published by VNG Security researcher Petrus Viet. Due to the reluctance of many customers to update their VMware products, VMware vulnerabilities remain very popular attack vectors despite timely patches provided by the company. CTIX analysts recommend that administrators responsible for the above products update to the latest version immediately. If the patch cannot be applied immediately, VMware has provided a temporary manual workaround that will prevent exploitation, and administrators should immediately apply this technique while planning for the best time to officially update their products and infrastructure. Technical details on the other vulnerabilities, as well as the workaround instructions, can be found linked in the below advisories.

• CISA: Advisory
• The Record: VMware Vulnerabilities Article
• VMware: Security Advisory (VMSA-2022-0021)

DHS Warns of Severe Vulnerabilities to Critical Infrastructure Affecting the Emergency Alert System

The Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA) has issued an Integrated Public Alert and Warning System (IPAWS) advisory concerning critical vulnerabilities in unpatched Emergency Alert System (EAS) encoder/decoder devices that could be exploited by state-sponsored threat actors to conduct nationwide disinformation campaigns. The exploit has been demonstrated in a proof-of-concept (PoC) by CYBIR.com's Ken Pyle. If exploited, attackers could issue fraudulent EAS alerts over AM, FM, and satellite radio, as well as broadcast, cable, and satellite TV infrastructure. Following successful exploitation, Pyle stated that he could "...easily obtain access to the credentials, certs, devices, exploit the web server, send fake alerts via crafts message". Pyle further stated that this exploit could enable an attacker to prevent legitimate users from accessing the system, "neutralizing or disabling a response" by emergency personnel. In his PoC writeup, Pyle discovered multiple vulnerabilities in the Monroe Electronics R189 One-Net DASDEC EAS device, which was confirmed by other researchers. Many of these unpatched flaws are several years old, and Pyle states that these less severe vulnerabilities have now, "snowballed into a huge flaw." The EAS is critical to national security, and administrators responsible for these systems must ensure that they are up-to-date with the most recent secure version. To add defense-in-depth, FEMA strongly encourages that all EAS devices are protected behind a firewall and that audit logs are regularly reviewed to identify malicious behavior in EAS devices and the systems supporting them. With the uptick in state sponsored malicious campaigns following Russia's invasion of Ukraine, mitigating threats to critical infrastructure should be given the utmost priority. The specific details of the vulnerabilities have been withheld to prevent active exploitation by malicious actors, although FEMA reports that it may be publicly demonstrated at the 2022 DEF CON hacking conference in Las Vegas in August. If the PoC isn't shown during DEFCON, then it will be publicly released in the coming weeks according to FEMA.

• Bleeping Computer: EAS Vulnerability Article
• FEMA: IPAWS Advisory

Honorable Mention

Propaganda Campaign "HaiEnergy" Pushes Pro-China Narrative

Researchers from security firm Mandiant discovered dozens of news websites across the US, Europe, and Asia used in a pro-China propaganda campaign. In a report released on August 4th, 2022, the researchers claim they detected at least 72 fake websites and multiple bogus social media accounts related to the campaign. Mandiant attributes these sites to the Chinese public relations firm Shanghai Haixun Technology Co. and have named the campaign "HaiEnergy." The sites and accounts publish biased stories on various current events, such as the recent trip of US House Speaker Nancy Pelosi to Taiwan. Other stories pushed by the campaign use fabricated content. For example, social media accounts connected to the campaign have posted forged documents connecting Senator Marco Rubio and former White House Chief Strategist Steve Bannon to a prominent critic of China. Following the posting of these illegitimate documents, multiple pro-China news sites picked up the story, citing the original post. This allowed Mandiant to link the news sites and social media accounts together, creating a web of propaganda sources across the world. While the operation "appears to be large and sophisticated," the researchers doubt it was successful in advancing China's agenda. The researchers stated that "despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement." It is important to note that this is not the only propaganda campaign being run by pro-China organizations. Another campaign, known as "Dragonbridge," is distinct from HaiEnergy and uses accounts on authentic platforms to further their narrative, while HaiEnergy has crafted inauthentic websites and accounts. This campaign does pose a threat, but the lack of outside amplification essentially creates an echo-chamber with little chance of propaganda escaping to mainstream sources.

• The Record: HaiEnergy Campaign Article
• Mandiant: HaiEnergy Campaign Report

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.