Ransomware/Malware Activity

UNC3524 Observed Targeting Corporate Development, Merger, and Acquisition-Focused Employees

UNC3524, an emerging advanced persistent threat (APT) group tracked by Mandiant, has been observed breaching corporate networks to target "executive teams and employees that work in corporate development, mergers, and acquisitions, or IT security staff." The group's goal is to obtain privileged credentials for these targets' mail environments and use them to issue Exchange Web Services (EWS) API requests to Microsoft Exchange or Microsoft 365 Exchange Online environments in order to exfiltrate emails. The exfiltrated emails are selected by a specified date range rather than by keyword filtering, a tactic also utilized by the Russian-backed threat group Cozy Bear. In addition to tactics linked to Cozy Bear, researchers have noted that UNC3524 has used tools and tactics previously linked to the Russian-backed Fancy Bear (APT28), but there is currently not enough high-confidence evidence for an attribution to be made. Researchers describe UNC3524 as "advanced" and "stealthy," as the group is able to remain undetected in a compromised environment for far longer than the average dwell time (twenty-one days, as reported by Mandiant in 2021); the longest period identified so far is eighteen (18) months. The group achieves this by installing backdoors on "appliances within victim environments that do not support security tools, such as antivirus or endpoint protection." Researchers observed UNC3524 using "QUIETEXIT", a newly identified backdoor, for persistent remote access, as well as a reGeorg web shell on a DMZ web server as an alternative access point. An in-depth technical analysis of UNC3524's recent activity, along with indicators of compromise (IOCs), can be found in Mandiant's report linked below.

Threat Actor Activity

Killnet Threat Actors Target Romania; Shutting Down Infrastructure Websites

Killnet, a pro-Russian threat group, has been targeting government agencies and corporate banks with distributed denial-of-service (DDoS) attacks throughout the United States, Estonia, Poland, the Czech Republic, and other NATO-allied countries since the beginning of the Ukraine-Russia conflict. It is assessed that threat actors old and new are trying to tip the scales with continuous cyber-attacks against industries and countries worldwide. Illustrating how closely threat actors follow geopolitical events and how quickly they respond to them, Killnet targeted websites of the Romanian government, ministry of defense, border security, national railway, and OTP Bank just one day after Romania pledged to provide military assistance and weaponry to Ukraine. Killnet actors exploited vulnerabilities in these systems with little resistance, due to the lack of cybersecurity measures in place at the time, causing the websites to go down for several hours. CTIX analysts continue to monitor threat actors linked to the Ukraine/Russia conflict and will provide additional insight accordingly.

Emerging Threat Organization: Moshen Dragon

The telecommunications industry throughout Central Asia has seen a significant rise in threat activity with indicators linking it to an emerging Chinese threat organization, now being tracked as Moshen Dragon. Moshen Dragon employs some tactics, techniques, and procedures (TTPs) also used by two (2) other threat groups: RedFoxtrot and Nomad Panda. While there are similarities, researchers believe there are enough distinctions to merit tracking Moshen Dragon as a separate entity. Primarily focused on cyberespionage, Moshen Dragon utilizes a variety of actor-created payloads against its targets. However, when a payload is blocked by the target system, Moshen Dragon relies heavily on legitimate, verified software applications to load "ShadowPad" and "PlugX" malware variants onto the system. This is possible because of a long-standing weakness in the Windows operating system that allows DLL search order hijacking: once the trusted application loads the attacker's DLL in place of the expected one, the malicious payload runs with that application's trust. CTIX analysts will continue to monitor the movements of this new threat group, along with threat organizations worldwide, and provide additional updates accordingly.

Vulnerabilities

Pilot Defense Industrial Base Bug Bounty Program Identifies Hundreds of Vulnerabilities

The results from a year-long bug bounty program aimed at the U.S. defense industrial base highlighted more than 400 critical and high-severity vulnerabilities that require patches and/or mitigations. The pilot research project, called the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), had almost 300 participants from cybersecurity research firm HackerOne, which piloted the exercise alongside the Department of Defense Cyber Crime Center's (DC3's) DoD Defense Industrial Base Collaborative Information Sharing Environment (DCISE), the DoD Vulnerability Disclosure Program (DoD VDP), and the Defense Counterintelligence and Security Agency (DCSA). The program examined forty-one (41) networks of participating defense contractors and 348 different systems over the course of the year. This pilot program only investigated a fraction of the DIB sector, and further iterations of the DIB-VDP will be much more expansive. The results give these defense contractors perspective and guidance by which they can mitigate risk and defend against specific attacks. They also identify technical controls with which the companies are not compliant and point them to industry best practices. Threats to supply chains and other critical infrastructure have grown exponentially with the onset of the COVID-19 pandemic, and now the Russia-Ukraine conflict. With the Cybersecurity and Infrastructure Security Agency (CISA) now mandating that government agencies and federal contractors disclose vulnerabilities and breaches within a narrow window of time, the DIB-VDP suggests that a long-term, coordinated army of ethical hackers is the most efficient method to date.

Critical Vulnerability in IoT Devices Could be Exploited Via DNS Poisoning

A critical domain name system (DNS) vulnerability identified in a great many well-known IoT devices and routers could allow threat actors to redirect victims to spoofed malicious web servers and websites in order to conduct a multitude of different attacks and compromises. The flaw, tracked as CVE-2022-05-02, exists in uClibc, a C standard library for embedded systems whose DNS implementation lets the library perform functions such as DNS lookups and translating between domain names and IP addresses. Researchers from Nozomi Networks traced an internal DNS lookup function and found that the transaction ID of each request was predictable. Because the 16-bit transaction ID no longer has to be guessed, an attacker only needs to brute-force the 16-bit source port value, which makes DNS poisoning feasible. Once a victim is redirected, the malicious website can force an authenticated response, execute malware on the victim's device, spy on communications, run scripts to pilfer sensitive information, and much more. At this time there is no available patch or mitigation technique, and due to the scale of affected devices, the brands and models have not been disclosed to the public because of the risk of compromise. The CTIX team urges our readers to keep an eye out for IoT firmware releases, and we will provide an update to this piece as patches become available and specific devices are identified.
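The predictability described above can be checked on a device's own outbound queries. The following is an added example, not code from the Nozomi Networks research or from uClibc: it parses the 12-byte DNS header of captured queries, flags a constant-increment transaction ID sequence or a reused source port, and reports the size of the (ID, port) space an off-path sender would otherwise have to guess. The two sample captures (`WEAK_RESOLVER`, `HARDENED_RESOLVER`) and the `build_query` helper are constructed for the demonstration; the check only recognises constant-increment sequences, not every weak generator.

```python
import struct
from typing import Dict, List, Tuple

DNS_HEADER_LEN = 12  # ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS query (standard header plus one A-record question).
    Used only to construct sample traffic for this demonstration."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(msg: bytes) -> int:
    """Return the 16-bit transaction ID from a raw DNS message."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!H", msg[:2])[0]


def assess_queries(queries: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Judge how guessable a resolver's outgoing queries are.

    queries: (UDP source port, raw DNS message) pairs in sending order.
    A constant difference between consecutive IDs (e.g. +1) means the ID
    sequence is predictable; a single reused source port removes the other
    16 bits an off-path sender would otherwise have to guess.
    """
    txids = [parse_txid(m) for _, m in queries]
    ports = [p for p, _ in queries]
    diffs = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    txid_predictable = len(txids) >= 3 and len(diffs) == 1
    port_fixed = len(set(ports)) == 1
    # Size of the (ID, port) space that would have to be covered blindly
    guess_space = (1 if txid_predictable else 2 ** 16) * (1 if port_fixed else 2 ** 16)
    return {
        "txid_predictable": txid_predictable,
        "port_fixed": port_fixed,
        "guess_space": guess_space,
        "weak": txid_predictable or port_fixed,
    }


# Constructed samples (hypothetical values, not captured traffic)
WEAK_RESOLVER = [(53, build_query(0x1000 + i)) for i in range(5)]
HARDENED_RESOLVER = [
    (50123, build_query(0x3A1F)), (41001, build_query(0x9C02)),
    (60234, build_query(0x1B77)), (33012, build_query(0xE4D0)),
]
```

Feeding `assess_queries` the (port, payload) pairs from a real packet capture of a device's resolver shows whether a firmware update has actually randomised the IDs.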

Honorable Mention

REvil Ransomware Operation Relaunches TOR Websites and Returns with Updated Malware

In October 2021, the infamous REvil ransomware operation was shut down by Russian law enforcement. The Federal Security Service (FSB) of the Russian Federation seized REvil TOR servers and arrested a number of affiliates. Following the takedown, Russian and US representatives negotiated the details and potential extradition of the REvil members, a communication channel that was closed following the conflict with Ukraine. In April 2022, TOR domains belonging to REvil sprang back to life, hosting a ransomware payment site and a data leak site. These domains are protected by a private key, meaning only those with access to the original REvil servers could run websites on them. The leak site lists twenty-six (26) pages of victims, the majority of which come from the old REvil domain; only two (2) pages of the site relate to new operations. This coincides with the discovery of a new REvil sample by Avast researchers. The new sample does not appear to encrypt files and simply adds an extension to them, leading researchers to believe it may have been a test build. The sample does include a ransom note identical to REvil's previous notes. The new operation calls itself "Sodinokibi" on the payment website, an old name used by the REvil ransomware. Threat intelligence researcher FellowSecurity claims that one of the original developers of the old REvil operation, who was not captured by FSB agents, has relaunched the websites and is beginning to update the malware itself. Ransomware operations frequently relaunch and rebrand to evade law enforcement or sanctions that deny them ransom payments. While REvil's reappearance is no surprise given the decline in relations between Russia and the US, its brazen return has stumped many security professionals. Had the group stealthily changed its name, used different TOR domains, and rebuilt its ransomware, the security community might not even have been aware of the return, allowing the group to slip back into the shadows and evade sanctions or other legal action.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.