Ransomware/Malware Activity

"Brute Ratel C4" Stepping in as the New Cobalt Strike for Threat Actors

Cobalt Strike, an attack simulation tool used by legitimate red teams and ethical hackers, has been used by malicious threat actors for years. Cracked versions of the software are often distributed on hacker forums to be used as a malicious command-and-control (C2) server for malware and ransomware operations. While Cobalt Strike has long been one of the most popular post-exploitation tools among attackers, a new penetration testing tool named "Brute Ratel C4" has recently been used by multiple threat actors. Brute Ratel started as a simple C2 server developed part-time by security engineer Chetan Nayak, an ex-penetration tester for both Mandiant and CrowdStrike. In January of 2022, Nayak began working full-time on the project. The first major update introduced techniques that allowed Brute Ratel to evade most endpoint detection and antivirus software, a capability that is extremely valuable to malicious threat actors. When first spotted in the wild, none of the antivirus solutions on the platform VirusTotal detected the Brute Ratel executable as malicious. Threat actors looking to gain access to Brute Ratel had to first pass a manual verification process by submitting an email address with a valid business domain. Researchers from Unit 42 discovered that several threat groups gained access to a license that Nayak claims was leaked by a disgruntled employee and was revoked shortly after. According to the CEO of AdvIntel, former members of the ransomware group Conti have begun acquiring licenses through the verification process by creating fake United States-based companies, indicating that the verification process may not be as strict as it needs to be. This shift away from Cobalt Strike is a reminder to endpoint detection and antivirus vendors that new tooling is constantly being developed specifically to evade the best anti-malware solutions. With the rise of Brute Ratel being used by threat actors, endpoint detection and antivirus solutions have begun to detect the payload.

Threat Actor Activity

TrickBot Sides with Russia, Targets Ukraine Assets with Six New Campaigns

Since the start of the Russia/Ukraine conflict, threat actors globally have chosen sides defending their respective countries. Recently, financially motivated TrickBot threat actors have started targeting Ukrainian assets, unleashing six campaigns since mid-April. These campaigns encompassed several new tactics, tools, and procedures including the deployment of infected Microsoft Excel documents to install payloads, and self-extracting archives designed to deliver AnchorMail, CobaltStrike, and IcedID. Statistics captured by X-Force analysts show that Excel downloaders were utilized in three (3) of the campaigns, and five (5) of the campaigns deployed CobaltStrike, Meterpreter, or AnchorMail to the target system. These campaigns targeted several audiences including general citizens of Ukraine, state departments, state authorities of Ukraine, critical infrastructure entities, and individual corporations or organizations throughout the region. To lure in their victims, TrickBot deployed several themed phishing emails with subjects such as "List of mobilized citizens", "Urgent! Unblocking Azovstal", "Decree of the Press Office of the European Union No. 576/22 on uninterrupted security measures", and "State Tax Service of Ukraine". With the recent takeover of TrickBot by pro-Russian Conti threat actors, it comes as no surprise that they have sided with Russia in the conflict. CTIX will continue to monitor threat actor movements throughout this conflict and provide additional updates as needed.

Chinese Threat Organizations Target Russian Entities

Russian organizations and government entities have been the targets of Chinese threat actors in a new targeting campaign. While the activity is not directly attributed to a single group, indicators from previous campaigns against Russia point to several threat groups, including Mustang Panda, Scarab, and Space Pirates. A recent campaign against Russia's cybersecurity incident response center (RU-CERT) and telecommunication sectors revealed the use of social engineering attacks leveraging malicious Microsoft Office documents laced with the decade-old Bisonal remote-access trojan (RAT). The malicious payload exploits CVE-2018-0798, a memory corruption flaw in the Equation Editor component of Microsoft Office 2007 through 2016 that allows threat actors to execute arbitrary code remotely on the system. This same vulnerability was utilized by Chinese nation-state hackers when targeting a Russian defense contractor involved with nuclear submarine designs. Security researchers from Ukraine stated that these phishing emails were built with a tool called "Royal Road", which themes its payloads around Russian government interests. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Microsoft Fixes "ShadowCoerce" NTLM Relay Attack Vulnerability

UPDATE to 6/21/2022 FLASH UPDATE: As part of their June 2022 updates, Microsoft has quietly patched a critical vulnerability known as "ShadowCoerce," which allows attackers to coerce authentication from vulnerable Windows servers and abuse it in New Technology LAN Manager (NTLM) relay attacks. If properly exploited, the ShadowCoerce vulnerability could lead to a full takeover of the Windows domain by the attacker. Specifically, this flaw affects the remote procedure call (RPC)-based protocol known as File Server Remote VSS Protocol (MS-FSRVP), which is used to create volume shadow copies of file shares on remote computers. By exploiting this flaw, threat actors coerce domain controllers (DC) into authenticating against attacker-owned, malicious NTLM relay nodes. Once the authentication is captured, the actor-controlled server forwards the authentication request to the target domain's Active Directory Certificate Services (AD CS) to acquire a Kerberos ticket-granting ticket (TGT). At this point, the threat actors can impersonate any authenticated device on the target network, including the DC, which is what allows the escalation to administrative privileges and the full domain takeover. Interestingly, there is no official CVE for ShadowCoerce at this time. CTIX analysts recommend that all Windows network administrators install the latest patch immediately to prevent future exploitation. That being said, there is another actively exploited NTLM relay attack known as "DFSCoerce," which has yet to be patched. These relay attacks are preventable even without a software patch, and CTIX analysts recommend administrators apply hardening techniques to their infrastructure such as disabling the NTLM suite of protocols on domain controllers and disabling web services on AD CS servers.
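The two hardening measures recommended above (restricting NTLM on domain controllers and removing the AD CS web front ends that relayed authentication is forwarded to) can be audited from a PowerShell session on the affected servers. The script below is an added example written for this page, not code from the CTIX alert or from Microsoft. The registry value names under `MSV1_0` are the real backing values of the "Network security: Restrict NTLM" group policies and the role-service names are real Windows Server feature names; the pass/fail thresholds, the `Get-LsaValue` helper and the output format are this example's own choices. It only reads state; the remediation commands are left as comments so that the change is made deliberately through policy.

```powershell
# Added example: read-only audit of the NTLM / AD CS hardening recommended in the
# ShadowCoerce alert. Run in an elevated session on a domain controller or AD CS
# host (Get-WindowsFeature needs the ServerManager module, present on Windows Server).

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LsaValue {
    param([string]$Name)
    # A missing value means the policy is "Not Defined", i.e. NTLM is fully allowed.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. "Restrict NTLM: NTLM authentication in this domain" (only meaningful on a DC).
#    7 = Deny all; lower values still let some NTLM flow between domain members.
$inDomain = Get-LsaValue 'RestrictNTLMInDomain'
if ($inDomain -ne 7) {
    $findings += "RestrictNTLMInDomain is '$inDomain' (expected 7 = Deny all)"
}

# 2. "Restrict NTLM: Incoming NTLM traffic" on this host. 2 = Deny all accounts.
$incoming = Get-LsaValue 'RestrictReceivingNTLMTraffic'
if ($incoming -ne 2) {
    $findings += "RestrictReceivingNTLMTraffic is '$incoming' (expected 2 = Deny all accounts)"
}

# 3. If NTLM cannot be blocked yet, auditing makes relayed logons visible in
#    Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
$audit = Get-LsaValue 'AuditReceivingNTLMTraffic'
if ($incoming -ne 2 -and $audit -ne 2) {
    $findings += "NTLM still accepted and AuditReceivingNTLMTraffic is '$audit' (expected 2 = audit all accounts)"
}

# 4. The AD CS web role services are the HTTP endpoints a relay forwards to.
#    Both accept NTLM by default, so the alert recommends removing them.
foreach ($role in 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc') {
    $f = Get-WindowsFeature -Name $role -ErrorAction SilentlyContinue
    if ($f -and $f.Installed) {
        $findings += "AD CS role service $role is installed; remove with: Uninstall-WindowsFeature $role"
    }
}

# 5. MS-FSRVP, the protocol ShadowCoerce abuses, is served by the File Server VSS
#    Agent Service. A domain controller rarely needs it; flag it if present.
$vss = Get-WindowsFeature -Name 'FS-VSS-Agent' -ErrorAction SilentlyContinue
if ($vss -and $vss.Installed) {
    $findings += "FS-VSS-Agent (File Server VSS Agent Service, MS-FSRVP) is installed; if unused, remove with: Uninstall-WindowsFeature FS-VSS-Agent"
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: host matches the NTLM / AD CS hardening baseline assumed by this script'
} else {
    Write-Output "REVIEW: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation belongs in Group Policy rather than direct registry edits:
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Local Policies > Security Options > "Network security: Restrict NTLM: ..."
# Registry equivalents, if a GPO is not available (effective after policy refresh / reboot):
#   Set-ItemProperty -Path $lsa -Name RestrictNTLMInDomain -Value 7 -Type DWord
#   Set-ItemProperty -Path $lsa -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord
```

Moving a domain straight to "Deny all" breaks any legacy service that still authenticates with NTLM, so the usual sequence is to set the audit value first, review the NTLM Operational log for a few weeks to find the remaining NTLM clients, and only then switch the restrict values to deny. Step 5 is a hygiene check rather than a substitute for the June 2022 patch: removing the VSS agent from a DC closes the MS-FSRVP coercion path, but the other coercion vectors mentioned in the alert (such as DFSCoerce) are only mitigated by the NTLM restrictions in steps 1 and 2.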

Honorable Mention

Human Error Blamed for Leak of 1 billion Records of Chinese Citizens

Zhao Changpeng, CEO of the cryptocurrency exchange Binance, announced Monday that human error is likely the cause of a twenty-three (23) terabyte leak from a Shanghai police database which stored the personal information of Chinese citizens. The Binance CEO stated that a government developer wrote a blog post on the China Software Developer Network (CSDN) that accidentally included credentials to the system where the data was being stored. Previously, Changpeng had stated that his threat intelligence team had detected 1 billion Chinese residents' records for sale on the dark web. The initial thought was that the leak was caused by "a bug in an Elastic Search deployment by a gov agency." On Tuesday, numerous groups reported that an anonymous hacker or hacking group under the username "ChinaDan" had posted the data for sale on the dark web. The data includes names, addresses, birthplaces, national IDs, phone numbers, and criminal case information of Chinese citizens. The actors are demanding a ten (10) bitcoin ransom in exchange for the data. The silver lining to this incident is that the leak is now known to have been caused by credential oversight and not by a vulnerability exploit or malware strain. In fact, the 2022 Data Breach Investigations Report (DBIR) cited the "human element" as responsible for eighty-two (82) percent of the breaches analyzed by researchers. Since the human factor remains the greatest weakness in security systems, researchers are urging companies to continue to add defense-in-depth measures to their systems rather than relying on simple password protection. At this time, Shanghai authorities have not publicly responded to the latest data breach, nor are they responding to requests for comment. CTIX analysts will continue to monitor the fallout of this leak, and relevant updates may be posted in future issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.