Malware Activity

New Phishing-as-a-Service Platform Targeting Microsoft 365 Users

Researchers have released a new report on a previously undocumented phishing-as-a-service (PaaS) platform called "Greatness" that was first seen in various phishing campaigns in mid-2022, with spikes in activity occurring in December 2022 and March 2023. The observed campaigns have been targeting organizations utilizing Microsoft 365 (commonly within the manufacturing, healthcare, and technology sectors) throughout the United States, Canada, the United Kingdom, South Africa, and Australia. Researchers emphasized that, as of May 10, 2023, Greatness is focused solely on Microsoft 365 phishing pages and is a platform particularly well-suited for phishing business users. Actors utilizing the platform receive a phishing kit (including an admin panel), the service API, and a Telegram bot or email address. The service has various features, including "having the victim's email address pre-filled and displaying their appropriate company logo and background image." The images utilized are captured from the organization's legitimate Microsoft 365 login page. If a victim enters their password into the fraudulent login page and their account is protected by MFA, Greatness prompts the victim for the one-time code while triggering the real Microsoft service request, which sends the code to the user's device. Once the code is entered, the platform forwards the authenticated session cookie to an actor-controlled Telegram channel or the service's web panel. This session cookie can be utilized to quickly access the victim's email account, files, and other data in Microsoft 365 services. Researchers noted that the platform can be used by threat actors of all skill levels. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
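Because the victim completes the real MFA challenge, the sign-in itself looks legitimate; the artifact defenders can look for is the stolen session being used from a client other than the one that signed in. The following is an added example, not code from the report or from Microsoft, that runs a simple session-reuse check over constructed, simplified sign-in and activity events (the field names are assumptions, not a real Microsoft 365 log schema):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """Simplified auth event. Field names are assumptions, not a vendor schema."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    action: str  # "signin" when the session is issued, "activity" when it is used

def detect_session_reuse(events, window=timedelta(hours=24)):
    """Flag sessions that are used from a client differing from the one that signed in.

    A relayed-MFA phish produces a valid sign-in from the victim's browser, after
    which the forwarded cookie is replayed from the actor's machine: same
    session_id, different ip and/or user_agent shortly afterwards.
    """
    origin = {}   # session_id -> the sign-in Event that issued it
    alerts = []   # (user, session_id, reason)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "signin":
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            alerts.append((ev.user, ev.session_id, "activity on session with no observed sign-in"))
            continue
        if ev.ts - first.ts > window:
            continue  # outside the window we care about
        changed = []
        if ev.ip != first.ip:
            changed.append("ip")
        if ev.user_agent != first.user_agent:
            changed.append("user_agent")
        if changed:
            alerts.append((ev.user, ev.session_id, "session used from different " + "+".join(changed)))
    return alerts

# Constructed sample events (documentation-range IPs, invented session ids).
T0 = datetime(2023, 5, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    # alice signs in from her laptop, then the same session appears from another host 12 min later
    Event(T0, "alice", "sess-a1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Edge/113", "signin"),
    Event(T0 + timedelta(minutes=12), "alice", "sess-a1", "198.51.100.7", "python-requests/2.28", "activity"),
    # bob signs in and keeps using the session from the same client: benign
    Event(T0 + timedelta(minutes=3), "bob", "sess-b1", "203.0.113.20", "Mozilla/5.0 (Macintosh) Safari/605", "signin"),
    Event(T0 + timedelta(minutes=30), "bob", "sess-b1", "203.0.113.20", "Mozilla/5.0 (Macintosh) Safari/605", "activity"),
]

def run_sample():
    return detect_session_reuse(SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A rule like this is only a starting point: legitimate clients change IP when users roam, so it is best paired with ASN or geolocation context. The structural mitigation is phishing-resistant MFA (FIDO2/WebAuthn), whose credential is bound to the origin the browser actually visited and therefore cannot be relayed by a lookalike page the way a one-time code can.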

Threat Actor Activity

Threat Profile: Red Stinger

Security researchers have uncovered a new threat organization targeting users in the Eastern Ukraine region throughout the Russia/Ukraine conflict. The group is known by the monikers 'Red Stinger' and 'Bad Magic' and is believed to have been operational since 2020. Since its operations began, the group launched a cyber campaign in April 2021, another campaign in February 2022 after the Russia/Ukraine conflict began, and a recent campaign affecting those throughout Eastern Ukraine. Each of these operations used different delivery methods, payloads, and scripts, all of which deployed a variant of the "DBoxShell" ("PowerMagic") malware. Threat actors conducting these operations have succeeded in exfiltrating documents from government entities. In one such case, Red Stinger actors targeted an individual in Ukraine and were able to detonate malware on their systems. In the short time before its detection, the malware was able to gather system screenshots, microphone audio recordings, and internal documentation, and relay the data back to threat actor endpoints. Additional victims were also observed in Vinnitsya and Zhytomyr in the same operation, while Russian-aligned entities were targeted in the most recent Red Stinger campaign. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Vulnerabilities

AndoryuBot Malware Botnet Exploits Critical Vulnerability to Conduct DDoS Attacks

A critical remote code execution (RCE) vulnerability is under active exploitation via a new malware botnet used to take over Wi-Fi access points to conduct distributed denial-of-service (DDoS) attacks. The botnet is named "AndoryuBot", and the flaw it is exploiting exists in the Ruckus Wireless Admin panel within Ruckus wireless devices. The vulnerability, tracked as CVE-2023-25717, has a CVSS score of 9.8/10 and allows the threat actor to conduct RCE by sending maliciously crafted HTTP GET requests to vulnerable Ruckus Wireless devices. After the malware successfully infects a vulnerable wireless device, it downloads an additional script that establishes communication with actor-controlled command and control (C2) servers. This is covertly executed by utilizing the Socket Secure (SOCKS) proxy protocol, a network protocol that facilitates server communication through a firewall by routing any type of network traffic to the target server on behalf of the client. This allows the threat actor to bypass firewalls and then wait for instructions from the C2. AndoryuBot malware supports twelve (12) DDoS attack modes, and once communication is established, AndoryuBot is able to receive commands from the C2 server that dictate the target IP address, the DDoS type, and the service or port number to attack. AndoryuBot is a commercial product, and the operators/developers of the botnet advertise that they rent the service out to other threat actors, accepting cryptocurrency as a secure and anonymous form of payment. AndoryuBot poses a threat to individuals, organizations, and governments, as it could be leveraged by financially motivated and state-sponsored threat actors alike. To prevent exploitation, CTIX analysts urge all Ruckus Wireless customers to ensure their product has the most up-to-date software.
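An access point has no business acting as a SOCKS client, so an infected device opening outbound SOCKS tunnels is a usable network signal regardless of which port the C2 listens on. The following is an added example, not code from the report or from any vendor, that parses the SOCKS5 client greeting and request exactly as RFC 1928 defines them and flags flows in which a monitored infrastructure address sends them; the device list, flow records, and payloads are all constructed for the example:

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def parse_socks5_greeting(data: bytes):
    """RFC 1928 section 3 client greeting: VER | NMETHODS | METHODS[NMETHODS].
    Returns the offered auth methods, or None if the bytes are not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])

def parse_socks5_request(data: bytes):
    """RFC 1928 section 4 request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT.
    Returns {"cmd", "dst", "port"} or None on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMDS:
        return None
    if atyp == 0x01:                       # IPv4, 4 bytes
        if len(data) < 10:
            return None
        dst, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03:                     # domain name, length-prefixed
        ln = data[4]
        if len(data) < 5 + ln + 2:
            return None
        dst, end = data[5:5 + ln].decode("ascii", errors="replace"), 5 + ln
    elif atyp == 0x04:                     # IPv6, 16 bytes
        if len(data) < 22:
            return None
        dst, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"cmd": CMDS[cmd], "dst": dst, "port": port}

def find_socks_clients(flows, monitored_devices):
    """flows: iterable of (src_ip, dst_ip, dst_port, [client payloads in order]).
    Returns alerts for monitored devices (e.g. access points) that speak SOCKS5 outbound."""
    alerts = []
    for src, dst, dport, payloads in flows:
        if src not in monitored_devices or not payloads:
            continue
        methods = parse_socks5_greeting(payloads[0])
        if methods is None:
            continue
        request = parse_socks5_request(payloads[1]) if len(payloads) > 1 else None
        alerts.append({"src": src, "dst": dst, "dst_port": dport,
                       "auth_methods": methods, "request": request})
    return alerts

# Constructed sample data: documentation-range addresses, invented device roles.
MONITORED_APS = {"192.0.2.15", "192.0.2.16"}
SAMPLE_FLOWS = [
    # AP tunnelling through a SOCKS5 proxy: no-auth greeting, then CONNECT example.com:8080
    ("192.0.2.15", "198.51.100.9", 1080,
     [b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.com\x1f\x90"]),
    # Same AP doing ordinary TLS (record header), not SOCKS
    ("192.0.2.15", "198.51.100.10", 443, [b"\x16\x03\x01\x02\x00"]),
    # A workstation sending HTTP; not a monitored device anyway
    ("192.0.2.50", "198.51.100.11", 80, [b"GET / HTTP/1.1\r\n"]),
]

def run_sample():
    return find_socks_clients(SAMPLE_FLOWS, MONITORED_APS)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Matching on the protocol bytes rather than on TCP port 1080 matters because nothing forces a C2 proxy to use the well-known port; in practice this logic would sit behind a packet capture or NetFlow-with-payload feed, and the monitored set would be the management addresses of the access points themselves.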


Honorable Mention

Google's New Privacy, Safety, and Security Update will Include Dark Web Monitoring Services

At its annual developer conference, Google unveiled new features related to privacy, safety, and security. This new initiative is aimed at protecting users from cybersecurity threats such as phishing attacks and harms related to malicious websites, while additionally looking to grant users greater control and transparency over their personal data. Included in these new features is a dark web report tool that United States-based users will soon have access to. Gmail users will be able to monitor whether their profile data is present on the dark web, such as whether they were linked to data breaches or mentioned on dark web forums, to further protect their accounts and data. If their Gmail address is found, Google will take further action by offering guidance on how to best protect their account, such as enabling multi-factor authentication. The Google dark web reporting tool makes services available that have not been feasible for everyday working-class users to implement due to pricing. The tool would grant these users a starting point to identify whether their personal data is available on the dark web, which would help them identify what organization or tool to go to for help moving forward. That being said, knowing is only half the battle; once a user identifies their data on the dark web, they must take highly technical measures to safely access the marketplaces where this data is sold and analyze the datasets themselves. Ankura CTIX offers comprehensive dark web monitoring services, with a presence on the most popular dark web marketplaces and forums on the internet.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.