United States: Ankura CTIX FLASH Update - September 13, 2022

Ransomware/Malware Activity

Researchers Attribute Recent Critical Mitel VOIP Vulnerability Exploitation to the Lorenz Ransomware Group

UPDATE to June 24, 2022 FLASH UPDATE: Artic Wolf Labs researchers have recently published a report detailing, with medium confidence, that the Lorenz ransomware group has begun utilizing a critical Mitel MiVoice Voice-over-IP (VOIP) vulnerability to gain initial access into victims' phone systems and later breach their networks. The vulnerability, tracked as CVE-2022-29499, is a remote code execution (RCE) flaw that impacts the Mitel Service Application component of MiVoice Connect and was patched in April 2022. The Lorenz group, first observed in February of 2021, has recently been targeting small to medium-sized businesses located across the United States as well as in Mexico and China. Researchers observed recent activity in which Lorenz exploited this flaw to obtain a reverse shell in combination with using the Chisel tunneling tool to gain access into the victim environment. Once initial access was established, the threat group did not proceed with further activity for approximately one (1) month. After this time period, the threat actor utilized the post-exploitation tool "CrackMapExec" for credential access purposes as well as "certutil", "ipconfig", and "findstr" for network and domain enumeration purposes. Finally, Lorenz discovered credentials for two (2) privileged administrator accounts that allowed the group to move laterally throughout the victim environment and conduct exfiltration and encryption activity. What is notable about Lorenz exploiting this specific vulnerability is that "no public proof-of-concept (PoC) exploit code for this vulnerability has ever been released" as well as the fact that "there is very little known about which threat actors possess the exploit." Adrian Korn, the manager of threat intelligence research at Artic Worf Labs, provided two (2) possibilities for this exploitation. The first possibility is that "there is an Initial Access Broker (IAB) that has exclusive access to the exploit for CVE-2022-29499". The second possibility is that "the actors behind Lorenz have exclusive access to an exploit for CVE-2022-29499." Mitel VOIP products are used by governments and organizations within critical industries globally and administrators must ensure that their products remain up to date. A further in-depth analysis of the Lorenz activity as well as indicators of compromise (IOCs) can be viewed in Artic Wolf's report linked below.

• Bleeping Computer: Lorenz Article
• The Record: Mitel Article
• Article Wolf: Lorenz Report

Threat Actor Activity

TA453 Targets Nuclear Employees with Multi-Persona Impersonation Tactics

Iranian-tied threat actors are utilizing multiple personas in a new phishing campaign targeting users and organizations involving Israel, Gulf States, Abraham Accords, and nuclear weapons. These threat actors have been connected to TA453 (Cobalt Illusion, Charming Kitten), which is a threat organization that conducted several long-term cyberespionage operations on behalf of the Islamic Revolutionary Guard Corps. In previous operations, TA453 have targeted government military personnel, journalists, and academics in sophisticated social engineering attacks. The recent social engineering operation carried out by TA453 involves threat actors spoofing legitimate employee email accounts from PEW Research Center, Foreign Policy Research Institute, UK's Chatham House, and Nature scientific journal. These spoofed accounts allow threat actors to create email threads with multiple other spoofed accounts to make communications appear legitimate to users; this technique is classified as "Multi-Persona Impersonation" (MPI). Once the victim is lured, TA453 threat actors will embed a malicious URL for the user to download an infected Microsoft Word file that delivers a customized payload to the victim's device. With MPI becoming a more viable tactic in phishing campaigns, CTIX urges users to validate the integrity of all email communications prior to downloading any attached documents or visiting embedded links to lessen the risk of threat actor compromise.

• The Record: TA453 Article
• Proofpoint: TA453 Article

Vulnerabilities

Apple Patches Eighth Zero-Day Flaw Identified This Year

Apple has just released an emergency security advisory following the patch of five (5) vulnerabilities including a critical zero-day vulnerability that has been actively exploited in the wild. The zero-day flaw, tracked as CVE-2022-32917, is an out-of-bounds write vulnerability in the Kernel component, caused when the operating system writes data past the end, or before the beginning of an intended memory buffer. This causes memory corruption and can crash the affected system or allow for code execution. To exploit this vulnerability, an attacker could craft a malicious application to perform arbitrary code execution against a vulnerable device with kernel privileges. Along with this zero-day vulnerability, and the other four (4) newly patched flaws, Apple has backported patches for a critical zero-day out-of-bounds write vulnerability initially patched on August 31, 2022. This flaw, which is tracked as CVE-2022-32894, also affected the operating system's kernel and was exploited via maliciously crafted applications allowing for arbitrary code execution with kernel privileges. The backport included in this patch was updated to remediate the operating systems of Mac computers running macOS Big Sur. CVE-2022-32917 marks the eighth (8) zero-day flaw patched by Apple since January 2022. Vulnerabilities that allow for arbitrary code execution, especially with elevated privileges, pose a significant threat to Apple users as well as the enterprise organizations implementing Apple infrastructure. CTIX analysts recommend that iOS users and macOS administrators ensure they have downloaded the latest patch and continue to monitor Apple's security updates page to be aware of any other emergency advisories patching critical flaws and zero-day vulnerabilities in the future. CTIX analysts will monitor the exploitation of this flaw and may publish an update to this piece in the near future.

• The Hacker News: CVE-2022-32917 Article
• Bleeping Computer: CVE-2022-32917 Article
• Apple: Security Advisory

Honorable Mention

China's NCVERC Accuses US NSA of Conducting Cyber Attack Against Northwestern Polytechnical University

China's National Computer Virus Emergency Response Centre (NCVERC) released a report accusing the US National Security Agency of conducting cyberattacks against China's Northwestern Polytechnical University. The university is an "aeronautical and military research-oriented" research and training center in the city of Xi'an. According to the US DOJ, the researchers "[work] closely with the People's Liberation Army on the advancement of its military capabilities." NCVERC's report asserts that the Office of Tailored Access Operations (TAO), a "cyber-warfare intelligence-gathering unit" of the NSA, "carried out tens of thousands of malicious cyberattacks on China's domestic network targets... and stole more than 140GB of high-value data" during June 2022. For initial access, TAO allegedly used two zero-day exploits against the SunOS Linux operating system used by the university. NCVERC identified forty (40) different cyber tools that were used in the attacks for backdoor access, information stealing, and persistence. Examples of these tools include "OPEN Trojan," "Fury Spray," "Cunning Heretics," "Stoic Surgeon," and "Acid Fox," some of which have been used in previous attacks. This is not the first time China has accused the US of using cyber weapons to steal information and hack Chinese devices. In February, Chinese security-research laboratory Pangu Lab discovered a previously unknown backdoor "Bvp47" and attributed it to the TAO-linked Equation Group. In April, the NCVERC released a report attributing the malware platform "Hive" to the US Central Intelligence Agency (CIA). While Chinese media has condemned the US for cyber aggression citing these recent reports, security professionals have spoken out against them. Catalin Cimpanu, writer of the Risky Biz security newsletter, writes: "The reports and claims lacked any substantial evidence that there was any actual hacking taking place. No new malware was being discovered, officials always cited old historical events, and the vast majority of reports seemed to have been copied from Wikipedia pages." CTIX analysts are monitoring this situation and will provide updates for any new developments.

• The Hacker News: China's Accusation Article
• Risky Biz: China's Accusation Newsletter Section

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.