2023-04-28

Malware Activity

Private Sector Offensive Actor QuaDream Linked to DEV-0196

Microsoft researchers have linked, with high confidence, a threat group tracked as DEV-0196 to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream has been targeting the iOS devices of journalists and political figures across Europe, North America, Southeast Asia, and the Middle East with malicious spyware. QuaDream is known to market a surveillance platform to governments for "law enforcement purposes" known as "REIGN," which is "a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices." The malware, dubbed "KingsPawn," is developed by DEV-0196 and includes a monitor agent responsible for reducing the malware's footprint on the victim device to evade detection. The primary malware agent can collect device data, cellular and Wi-Fi data, location, files, camera access, call logs, and more. Citizen Lab researchers also observed a "zero-click exploit" dubbed "ENDOFDAYS" which they suspect was used to compromise target devices running iOS versions 14.4 and 14.4.1. Researchers explained that the exploit uses two (2) backdated and overlapping iCloud calendar invites (invisible to the account owner) as the initial attack vector; these are processed automatically because of a flaw in iOS 14 that does not notify the account owner of such invites. Once deployed, the spyware attempts to evade detection by covering its tracks. QuaDream has previously been in the media for taking advantage of the FORCEDENTRY zero-click exploit in iMessage to deploy REIGN in early 2022, and approximately 250 of its fraudulent Instagram and Facebook accounts, which were used to "infect Android and iOS devices and exfiltrate personal data," were taken down in late 2022. Additional technical details regarding DEV-0196 and QuaDream, as well as indicators of compromise (IOCs), can be viewed in the two reports linked below.

Threat Actor Activity

Threat Profile: Read The Manual Gang

A new ransomware organization has emerged in the threat landscape and is actively being tracked as the "Read The Manual" (RTM) Locker Gang. Motivated by opportunity rather than specific industries, RTM actors operate under a modus operandi of stealth, avoiding headlines in the news while still making money from ransom demands. What is slightly different about this threat organization is that all mission dossiers and attacks are carried out by individual subgroups of the organization, adhering to strict rules of engagement set by group leaders. RTM actors utilize social engineering and/or vulnerability exploitation to gain access to victim systems. Once a system is compromised, the threat actors use numerous customized scripts to quietly encrypt the victim's data, emptying the recycle bin and deleting any shadow copies present on the device. After the data is communicated back to actor-controlled command-and-control (C2) servers, victims have forty-eight (48) hours to begin negotiations with the threat actors before their data is posted on the RTM public leak site. Ransom demands are often low enough that the group does not attract significant media attention, fulfilling their modus operandi. CTIX continues to monitor threat organizations throughout the landscape and will provide additional details accordingly.

Vulnerabilities

Critical Windows Zero-day Exploited in Nokoyawa Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft Windows zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is being actively exploited by threat actors to conduct Nokoyawa ransomware attacks. The Nokoyawa ransomware group is a financially motivated threat actor first seen in February 2022, and the ransomware is a strain capable of targeting 64-bit Windows systems in double extortion attacks. The flaw, tracked as CVE-2023-28252, is an escalation of privileges (EOP) vulnerability in the Windows Common Log File System (CLFS) that allows attackers to gain SYSTEM privileges on a vulnerable system. The attacks are low complexity, require no user interaction, and, if successfully exploited, allow the threat actors to take full control of the targeted Windows system. The vulnerability affects all supported Windows server and client versions, and its inclusion in the KEV catalog means that all Federal Civilian Executive Branch (FCEB) agencies must secure their systems against it by May 2, 2023, or face regulatory fines. Microsoft patched this zero-day as part of this month's Patch Tuesday release. Researchers from Kaspersky's Global Research and Analysis Team (GReAT) uncovered the vulnerability in February 2023 while investigating multiple attempts to execute similar EOP exploits on Microsoft Windows systems. The researchers identified that the Nokoyawa ransomware group has used at least five (5) other CLFS exploits to target various industries since June 2022. CTIX analysts urge all Windows users to ensure they have installed the most recent patch to prevent future exploitation.

Honorable Mention

Secret U.S. Documents Leaked in Private Discord Server Pose Serious Risk to U.S. National Security

The Pentagon is in the midst of conducting an interagency effort to assess the impact that recently leaked highly classified documents might have on U.S. national security and that of its allies and partners. The 300-plus photos of classified documents were leaked on a Discord server by the group's leader, alleged to be a man in his early twenties referred to as "OG." The chat group began as a close-knit group of twenty (20) to thirty (30) individuals who met online during the pandemic, but things shifted as OG started sharing detailed, annotated posts about classified documents. According to his posts in the Discord group, he believed that the U.S. government, law enforcement, and the intelligence community were sinister forces with overreaching powers that suppressed their citizens. OG's posts did not attract much attention within the group until he stopped sending plain-text renderings of the documents and started sending photographs of the classified material. Members of the group stated that the contents included Ukrainian battlefield charts, Russian-Ukrainian casualty tallies, satellite images of Russian missile strikes, North Korean ballistic nuclear missile trajectories, eye-level pictures of the Chinese spy balloon along with diagrams of the technology attached to it, and more. The documents OG uploaded to the Discord server reportedly covered an extensive breadth of military and intelligence reports. It is still unclear how these secret documents started circulating around the world and whether OG shared them with individuals outside of the private chat room. While the Pentagon is being careful to verify the validity of the contents of the documents, it has stated that the documents "present a very serious risk to national security and have the potential to spread disinformation."

Jack Teixeira, a twenty-one (21)-year-old who works in the intelligence wing of the Massachusetts Air National Guard, was arrested on Thursday by the FBI for his involvement in leaking massive amounts of secret U.S. documents under his Discord alias "OG."

