Ransomware/Malware Activity

Redeemer 2.0 Ransomware Builder Released on Hacking Forums for Unsophisticated Actors

"Redeemer", a ransomware builder produced by "Cerebrate", who runs Ransomware-as-a-Service (RaaS) operations, has recently been updated to version 2.0. Cerebrate's services are generally promoted to unsophisticated threat actors on hacking forums. Redeemer 2.0 is written in C++ and runs on Windows Vista, 7, 8, 10, and 11. The operation is unlike many others in that the ransomware itself is free of charge; instead, Redeemer's developer receives a 20% cut of ransoms paid from attacks using the ransomware. This is achieved through a new campaign ID tracking system, which lets affiliates track their various campaigns and set a specific ID in the executable to ensure the integrity of the ransom amount set in Monero. Redeemer's operator also "shares the master key to be combined with the private builder key held by the affiliate for decryption." Version 2.0 also features a new graphical user interface and instructions on how to build the ransomware executable and decryption tool in a ZIP folder. Cyble researchers released a report on July 20, 2022, detailing additional Redeemer 2.0 functionality, such as a modified ransom message, support for XMPP chat, Tox chat, or up to two (2) email addresses for communication, a new icon for encrypted files, and various small fixes. Researchers also identified that the ransomware first creates a mutex called "RedeemerMutex" to "ensure that only one instance of malware is running on the victim's machine" and then "creates a folder, copies itself into the Windows directory with legitimate file names, ...and executes itself as a new process by using the ShellExecuteW() API function." Before encrypting victim files, Redeemer 2.0 also launches various Windows Event Utility commands to clear all event logs, deletes "the shadow copies, backup catalog, and system state backups," and kills all actively running processes on the victim machine.
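The pre-encryption chain described above (event log clearing, then deletion of shadow copies, the backup catalog and system state backups) is what a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from Cyble's report or from Ankura; it assumes process-creation events (e.g. Sysmon Event ID 1) have been normalised to dicts with host, time and command line, and the wevtutil/vssadmin/wbadmin command lines it matches are the usual forms of those behaviours, since the report does not quote the exact commands. The sample events are constructed.

```python
from datetime import datetime, timedelta
import re

# One pattern per behaviour in the Redeemer 2.0 chain. Command forms are
# assumed (typical usage), not quoted from the Cyble report.
BEHAVIOURS = {
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "systemstate_backup_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup", re.I),
}
WINDOW = timedelta(minutes=5)  # behaviours must cluster in time to be flagged


def classify(cmdline):
    """Return the behaviour name a command line matches, or None."""
    for name, pat in BEHAVIOURS.items():
        if pat.search(cmdline):
            return name
    return None


def find_redeemer_like_hosts(events, min_distinct=3):
    """Return {host: sorted behaviour names} for every host where at least
    min_distinct distinct behaviours occur within WINDOW of one another.
    A single lone vssadmin or wevtutil call (routine admin work) is not flagged."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev["cmdline"])
        if tag:
            per_host.setdefault(ev["host"], []).append((ev["time"], tag))
    flagged = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            cluster = {tag for t, tag in hits[i:] if t - t0 <= WINDOW}
            if len(cluster) >= min_distinct:
                flagged[host] = sorted(cluster)
                break
    return flagged


# Constructed sample telemetry: WS01 shows the full chain within seconds,
# ADMIN02 shows isolated, hours-apart administrative commands.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": datetime(2022, 7, 20, 9, 0, 1), "cmdline": 'wevtutil.exe cl "Security"'},
    {"host": "WS01", "time": datetime(2022, 7, 20, 9, 0, 2), "cmdline": "wevtutil cl System"},
    {"host": "WS01", "time": datetime(2022, 7, 20, 9, 0, 5), "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "time": datetime(2022, 7, 20, 9, 0, 6), "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS01", "time": datetime(2022, 7, 20, 9, 0, 7), "cmdline": "wbadmin delete systemstatebackup -keepVersions:0"},
    {"host": "ADMIN02", "time": datetime(2022, 7, 20, 8, 0, 0), "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "ADMIN02", "time": datetime(2022, 7, 20, 13, 0, 0), "cmdline": "wevtutil cl Application"},
]
```

Running `find_redeemer_like_hosts(SAMPLE_EVENTS)` flags only WS01; the time window and the minimum number of distinct behaviours are the two knobs to tune against an environment's legitimate backup and log-rotation jobs.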
An in-depth analysis of Redeemer 2.0 as well as indicators of compromise (IOCs) can be viewed in Cyble's report linked below.

Threat Actor Activity

TA4563 Targets European Financial Organizations with "EvilNum" Malware

Over the past few months, TA4563 has been targeting European financial organizations in several campaigns with the end goal of delivering the "EvilNum" malware variant. Since December 2021, TA4563 has conducted three separate campaigns against cryptocurrency, foreign exchange, and decentralized finance (DeFi) institutions throughout the financial sector. The first campaign attempted to deliver malicious documents posing as registration forms for a financial trading platform. Once downloaded, the malicious documents communicate with actor-operated command-and-control (C2) nodes to download additional files that deliver the final EvilNum payload to the compromised system. Similarly, in the second campaign, TA4563 actors attempted to deliver the EvilNum payload via OneDrive, downloading either a Windows shortcut file (.lnk) or a CD/DVD image (.iso). Lastly, in the most recent campaign, TA4563 changed its method of attack once more and attached macro-laden Microsoft Word document templates to its social engineering emails. Once macros were enabled on the victim system, the infected document would communicate with TA4563 C2 nodes to download additional files to install the EvilNum payload. In terms of malware, EvilNum has the capabilities to detect and avoid anti-virus programs, perform device reconnaissance, send device data back to C2 servers, and download additional malware tools from the Golden Chickens malware-as-a-service. While the campaigns are targeted towards European financial institutions, all institutions throughout the industry should be on high alert for similar malicious activity. CTIX continues to urge users to validate the integrity of email communications prior to downloading any attachments or visiting any embedded links to lessen the risk of threat actor compromise.

Vulnerabilities

Hardcoded Credentials, Critical Vulnerabilities Discovered in Atlassian Products

Multiple new critical vulnerabilities have been discovered affecting Atlassian products. The first affected application, Confluence, is a web-based wiki application that allows organizations to share knowledge about internal products; it is often used in software engineering. On July 20, 2022, Atlassian warned that a vulnerability in the "Questions For Confluence" app, tracked as CVE-2022-26138, was "likely to be exploited in the wild" after a Twitter user publicly disclosed a hardcoded password. The app, which acts as an extension to the Confluence product, creates its own account with the permissions of a regular user. The underlying issue is that the app's developers decided not to use a unique password for each instance and instead hardcoded a globally shared username and password combination. An attacker with knowledge of the hardcoded credentials can log in to any Confluence instance with the app installed and access pages visible to the "confluence-users" group, potentially leaking company secrets and internal documents. The "Questions For Confluence" app is currently installed, and was likely vulnerable at the time of disclosure, on over 8,000 instances. Confluence administrators who manage a vulnerable instance must either disable or remove the app's account, "disabledsystemuser". On the same day, Atlassian released another advisory for two (2) other vulnerabilities, tracked as CVE-2022-26136 and CVE-2022-26137, that affect eight (8) Atlassian products. The vulnerabilities allow a remote, unauthenticated attacker to bypass the "Servlet Filter," a function that processes HTTP traffic to and from a client device and often implements security mechanisms for the application. The first vulnerability allows authentication bypass through specially crafted HTTP requests as well as cross-site scripting using a malicious URL.
The second vulnerability allows attackers to invoke additional Servlet Filters, ultimately leading to a Cross-Origin Resource Sharing (CORS) bypass. An attacker exploiting a CORS bypass can trick users into visiting malicious URLs and then access the vulnerable application with the victims' permissions. Atlassian has released patches for both of these vulnerabilities across the affected products. CTIX analysts urge administrators of Atlassian products to ensure their applications are up to date and that the weak app account is not exploitable by attackers.

MiCODUS MV720 GPS Trackers Contain Six Vulnerabilities that Affect 169 Countries

The US Cybersecurity and Infrastructure Security Agency (CISA) and security company BitSight released reports regarding six (6) unpatched security vulnerabilities in the MiCODUS MV720 Global Positioning System (GPS) tracker. This tracker is installed in over 1.5 million vehicles worldwide. Exploitation of these vulnerabilities allows remote threat actors to gain control of the GPS tracker, revealing the exact location of the vehicle. The vulnerabilities also impact "access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed." The six (6) flaws are as follows:

  • CVE-2022-2107: Hardcoded master password on the API server that could allow an unauthorized attacker to gain complete control of the tracker. The severity score is 9.8.
  • CVE-2022-2141: Broken authentication scheme that could allow commands sent to the tracker via SMS to be run with administrator privileges. The severity score is 9.8.
  • CVE-2022-2199: Reflected cross-site scripting (XSS) on the main web server that could allow an attacker to access user accounts and all information accessible to compromised users. The severity score is 7.5.
  • CVE-2022-34150: Insecure direct object reference on the main web server that could allow logged-in users to access the data of any Device ID in the server database. The severity score is 7.1.
  • CVE-2022-33944: Insecure direct object reference on the main web server that could allow unauthorized attackers to obtain Excel reports about GPS tracker activity. The severity score is 6.5.
  • No CVE: Weak default password on all MV720 trackers, with no rule in place requiring users to change the password after initial device setup. The severity score is 8.1.

The MV720 is the basic model produced by MiCODUS and costs $20 retail. Approximately 169 countries currently have MiCODUS trackers deployed in organizations, with the most users located in Chile, Australia, Mexico, Ukraine, Russia, Morocco, Venezuela, Brazil, Poland, Italy, Indonesia, Uzbekistan, and South Africa. BitSight researchers also discovered evidence that these vulnerabilities could be used to track individuals without their knowledge, disable vehicles, and even pose a national security threat, especially considering that militaries and law enforcement agencies use the trackers for real-time monitoring. For example, the Ukrainian military uses MiCODUS GPS trackers, allowing Russian hackers to exploit these flaws and use them to track troop movements, supply routes, or patrol routes. There are currently five (5) Proof-of-Concept exploits developed by BitSight to demonstrate how the flaws could be exploited in the wild, and CTIX analysts will provide updates as more become available.

Be On the Lookout

LockBit Publicly Posts Victim Negotiation Chat Log, Unusual Change in Threat Actor Behavior

Ankura CTIX analysts discovered a new technique being utilized by LockBit. In a leak posted on July 19, 2022, LockBit publicized the chat history of ransomware payment negotiations between the threat actors and a victim. In the negotiations, LockBit initially gave a ransom demand of $5 million, which is twice the initial demand ALPHV recently raised its own to. Negotiations continued from there, eventually dropping to $3.75 million and ending at "3,3kk" (likely meaning $3.3 million). The victim did not pay the ransom demanded by LockBit, causing the data and this documented chat history to be posted on LockBit's leak site. Previously, ransomware groups have been known to harass and attack researchers and journalists who post their negotiations publicly, making this an extremely unusual move for LockBit. It is not yet known why the group decided to leak this negotiation or whether this is a tactic that will be used in the future. It is possible the group will use this technique in the future to put additional pressure on victims, though this chat log leak was not mentioned during the negotiations posted.

A follow-up report regarding this new technique and its potential implications will be posted early next week.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.