Malware Activity

Iranian Threat Group APT35 Observed Conducting Password Spray Attacks Since February 2023

Microsoft researchers have published a new report on the Iran-backed threat group APT35 (otherwise known as HOLMIUM, Refined Kitten, and Peach Sandstorm) targeting organizations across the globe with password spray attacks since February 2023. Password spraying is a technique where actors utilize a single password or a short list of commonly used passwords against many accounts, rather than many passwords against one account. Researchers emphasized that this type of attack allows actors to "maximize their chances for success and minimize the likelihood of automatic account lockouts." In this campaign, APT35 "demonstrated interest in US and other countries' organizations in the satellite, defense, and to a lesser extent, pharmaceutical sectors" to attempt to access various environments and exfiltrate sensitive information for suspected intelligence collection in support of Iranian state interests. To do this, APT35 utilized publicly available and custom tools as well as different combinations of tactics, techniques, and procedures (TTPs) between the earlier and later attacks in the campaign. The threat group was observed utilizing "AzureHound", a Go binary that gathers data from Microsoft Entra ID and Azure Resource Manager, as well as "Roadtools", a framework used to access Microsoft Entra ID, to collect cloud environment data and dump the data of interest into a database. APT35 also attempted to exploit the following vulnerabilities using public proofs of concept: CVE-2022-47966 (a remote code execution flaw impacting Zoho ManageEngine products) and CVE-2022-26134 (a remote code execution flaw in Confluence Server and Data Center). APT35 commonly targets organizations in the United States, Saudi Arabia, and South Korea within the government, defense, research, engineering, and finance industries. CTIX analysts will continue to monitor APT35's latest campaign and provide updates accordingly.
Indicators of compromise (IOCs) as well as additional technical details can be viewed in the report linked below.

Threat Actor Activity

UNC3944 (Scattered Spider) is Shifting Focus Towards Ransomware Attacks

UNC3944, aka Scattered Spider or 0ktapus, is evolving its attack methodology and expanding its target scope. The group has been notorious for phone-based social engineering and SMS phishing campaigns to obtain initial credentials that can be used to escalate access within a victim's organization. The threat actor has often leveraged victims' credentials to call the organization's service desk while impersonating the employee in order to obtain multi-factor authentication (MFA) codes and/or initiate password resets. Researchers have directly observed the group expanding its targeting from primarily telecommunications and business process outsourcers (BPOs) to include a far wider range of industries including hospitality, retail, media and entertainment, and financial services. More notably, the financially motivated threat actors are pivoting to ransomware deployment as part of an expanding monetization strategy that began in mid-2023. They have showcased a greater ability and interest in stealing large amounts of sensitive data for extortion purposes, as opposed to their previous focus on collecting credentials and accessing systems used to enable SIM swapping attacks. UNC3944 was likely supporting secondary criminal operations throughout 2022 and has since transformed its end goals to become a threat actor with an expanded target scope and the capability to operate at an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data in just a few days. Ransomware deployments by UNC3944 have involved heavy targeting of victims' business-critical virtual machines and other systems, likely as a means to maximize impact, relying on a combination of publicly available tools, legitimate software, and malware available on underground forums to carry out their attacks.

New Fortinet XSS Vulnerabilities Patched

Fortinet has released patches for two (2) high-severity vulnerabilities impacting the FortiOS, FortiProxy, and FortiWeb products that could be exploited by threat actors to conduct cross-site scripting (XSS) attacks. The first flaw, tracked as CVE-2023-29183, is an improper neutralization of input during web page generation. If successfully exploited, an authenticated attacker could trigger the execution of arbitrary JavaScript code via maliciously crafted guest management settings. The second vulnerability, tracked as CVE-2023-34984, is a protection mechanism failure in Fortinet's FortiWeb product. This flaw could be exploited by sending maliciously crafted HTTP requests that bypass the existing XSS and cross-site request forgery (CSRF) protections to execute unauthorized code or commands. Although at this time there is no evidence that these vulnerabilities are under active exploitation, Fortinet bugs are a very popular target for threat actors seeking to compromise organizations. CTIX analysts recommend that all network administrators responsible for Fortinet devices ensure their infrastructure is running the patched versions of these products to prevent exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.