Ransomware/Malware Activity
Optus Confirms Data Breach Impacting 9.8 Million Individuals
On October 3, 2022, Optus, a major telecommunications company headquartered in Australia, confirmed that 2.1 million customers had valid or expired government identification numbers compromised and 9.8 million customers total had personal data exposed due to a cyberattack that occurred in September. Of the 2.1 million individuals with government IDs compromised, 1.2 million had their current form of ID exposed and 900,000 had expired forms of ID exposed. All 9.8 million individuals had their names, email address, date of birth, and phone number exposed. The threat actor behind the cyberattack initially attempted to extort Optus with a $1 million ransom demand in order to not publish the exfiltrated data but ended up leaking the data of 10,000 individuals on a hacking forum after not receiving the payment. The leaked data included names, addresses, date of birth, email addresses, and phone numbers. The threat actor claimed to have deleted all of the stolen data days after leaking the small portion and apologized to the victims. Optus has sent SMS messages with next step information to those whose IDs were exposed. Customers who had their driver license details compromised can request a new license number to mitigate the risk of identity theft or fraud. It is currently unknown if the threat actor actually deleted the exfiltrated data, so Optus users should remain vigilant against suspicious communications claiming to be Optus. CTIX analysts will continue to monitor and report on data breaches across the globe.
Threat Actor Activity
The BlackByte Ransomware Group Utilizes New "Bring Your Own Driver" Technique for Disabling Drivers En Masse
The BlackByte ransomware group has begun using a new technique dubbed "Bring Your Own Driver" to disable hundreds of drivers used by various security solutions including Endpoint Detection and Response (EDR) solutions, as well as multiple antivirus solutions. Attributed attacks have been using a version of the "MSI Afterburner RTCore64.sys" driver which is currently vulnerable to a privilege escalation flaw and arbitrary code execution within the kernel memory, a flaw tracked as CVE-2019-16098. To begin the attack, the kernel version is identified in order to select the corresponding kernel offset. Next, the MSI Afterburner RTCore64.sys driver is placed into the "AppData\Roaming" directory before the threat actor creates a new service which removes the Kernel Notification Routines for the various security tools. This prevents those tools from accurately informing users of alerts from the EDR or antivirus solution being used. This is done by checking the various drivers within the system against a list of different antivirus solutions and EDR drivers which then have their callback functions replaced with zeros, preventing that driver from functioning. To prevent exploitation, the driver utilized for this exploit, MSI Afterburner RTCore64.sys, should be added to blocklists in order to prevent the disabling of security drivers and the execution of arbitrary code on the system.
Vulnerabilities
Mitigation Techniques for "ProxyNotShell" Microsoft Exchange Vulnerabilities Still Leaves Hybrid Deployments at Risk for Attack
UPDATE to September 30, 2022 FLASH UPDATE: Security researchers have revealed that updated mitigation techniques recently offered by Microsoft for an actively-exploited critical zero-day exploit-chain named "ProxyNotShell" are too specific and still leave many organizations with partial on-premise Exchange email environments vulnerable to compromise. The first vulnerability, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) which gives authenticated threat actors the ability to escalate their privilege on the server. The second vulnerability, tracked as CVE-2022-41082, is a remote code execution (RCE) vulnerability that allows an attacker to execute arbitrary code within the target infrastructure. In Microsoft's original advisory, the company recommended that Exchange server administrators block remote PowerShell access for non-administrator users in the organization via a rule in the Internet Information Services (IIS) Manager. Due to the mitigations being limited to only blocking the URL patterns of known attacks, it still leaves hybrid Exchange environments vulnerable to attack. This exploit bypass was identified by cybersecurity researcher Jang, and he released a video of the bypass as proof-of-concept (PoC) and offered a broader blocking rule for Exchange administrators to use. Hybrid Exchange setups are "extremely common" in enterprise environments, and over 1,200 organizations expose their hybrid deployments to the public internet. After researchers were able to prove that the original mitigation technique could be bypassed, Microsoft released an update to their advisory, giving administrators three (3) mitigation options to prevent exploitation, based on the conditions of their Exchange environments. This attack-chain has yet to be patched, and the updated mitigation rules can be found in the Microsoft advisory linked below. CTIX analysts recommend that any administrators responsible for on-premise or hybrid deployments of Microsoft Exchange ensure they are implementing one (1) of the three (3) mitigations. Although the patch is still unpublished, the severe nature of the active exploits indicates that Microsoft will likely patch these flaws in the near future. Exchange server vulnerabilities are a massive target for cyber-espionage and extortion schemes, and the CTIX team will continue to provide actionable intelligence to our readers.
- The Record: ProxyNotShell Article
- Bleeping Computer: ProxyNotShell Article
- Microsoft: ProxyNotShell Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.