2023-07-17

Malware Activity

Cloaked Ursa Targets Diplomats in New Malware Campaign

Threat actors from the Cloaked Ursa (APT29) threat group have been targeting and exploiting high-level diplomatic figures across the globe in their latest campaign. The group is well known for consistently targeting diplomats over the years, using a variety of social lures such as semiformal government communications, embassy operations, scheduling, and invitations to embassy events. A new tactic, however, targets the diplomat as an individual rather than the country they represent, using personal items such as a new vehicle as the lure. The threat actors repurposed a stolen "BMW For Sale" posting and disseminated it to diplomats around the world. When recipients clicked on "more high-quality pictures", they were sent to a Cloaked Ursa-controlled website, where the malicious payload was delivered to the user's device via HTML smuggling. Opening the downloaded files, which masquerade as PNG images, executes malicious LNK and EXE files that compromise the user's system. These in turn load malicious DLLs that inject final-stage shellcode into Windows processes. Once injected, the malicious code beacons to Cloaked Ursa command-and-control (C2) servers through the Dropbox and Microsoft Graph APIs. CTIX continues to urge users to validate the integrity of all digital communications prior to downloading any documents or visiting embedded URLs to lessen the risk of threat actor compromise.
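The chain described above (a file posing as a picture, LNK/EXE execution, DLL loading, then beacons through Dropbox and Microsoft Graph) is what a detection engineer would want to triage in endpoint telemetry. The following is an added example, not code from the article or from any vendor: it scores constructed process and network events for a masqueraded launch and for non-client processes that reach the named cloud APIs; the event shapes, the allow-list of known clients and the sample events are all assumptions.

```python
import re
# Services the article names as beacon channels (real hostnames; this list is an assumption),
# and clients that legitimately talk to them (allow-list assumed for the example).
CLOUD_BEACON_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com"}
KNOWN_CLIENTS = {"dropbox.exe", "outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}
# A "picture" that is really a shortcut or executable, e.g. front.png.lnk or front.png.exe.
MASQUERADE = re.compile(r"\.(?:png|jpe?g|pdf|docx?)\.(?:lnk|exe|scr)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_masqueraded(proc):
    return bool(MASQUERADE.search(proc["image"] + " " + proc.get("cmdline", "")))

def lineage(pid, procs):  # pid and its ancestors, stopping at unknown pids or cycles
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain

def triage(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process" and looks_masqueraded(e):
            findings.append({"rule": "masquerade-launch", "severity": "high", "pid": e["pid"], "detail": e["image"]})
        elif e["type"] == "network" and e["dest"].lower() in CLOUD_BEACON_HOSTS:
            proc = procs.get(e["pid"])
            if proc is None or basename(proc["image"]) in KNOWN_CLIENTS:
                continue  # unknown process, or a known client of that service
            from_masq = any(looks_masqueraded(procs[p]) for p in lineage(e["pid"], procs))
            findings.append({"rule": "cloud-beacon-from-masquerade" if from_masq else "cloud-beacon",
                             "severity": "high" if from_masq else "medium", "pid": e["pid"],
                             "detail": f'{basename(proc["image"])} -> {e["dest"]}'})
    return findings

# Constructed sample telemetry (not real logs): explorer launches a fake photo, which runs a DLL via
# rundll32 that beacons to Dropbox; Outlook (known client) and an admin PowerShell also reach Graph.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\BMW_photos\front.png.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Start"},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "process", "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "pid": 300, "dest": "api.dropboxapi.com"},
    {"type": "network", "pid": 500, "dest": "graph.microsoft.com"},
    {"type": "network", "pid": 600, "dest": "graph.microsoft.com"},
]
```

Running `triage(SAMPLE_EVENTS)` yields a high-severity masquerade finding for the fake photo, a high-severity beacon finding for the rundll32 descendant, and only a medium one for the PowerShell process, while Outlook is not reported.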

Threat Actor Activity

Microsoft and CISA Disclose Details of Chinese State-Sponsored Activity Impacting U.S. Government

A currently unnamed United States Federal Civilian Executive Branch (FCEB) agency detected anomalous activity in its Microsoft 365 audit logs in mid-June 2023, and on July 12, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (AA23-193A) sharing details of the incident. The details were also shared with Microsoft and deemed to be advanced persistent threat (APT) activity in which the actors "accessed and exfiltrated unclassified Exchange Online Outlook data" from a small number of accounts within the agency. CISA detailed that the actors gained access to the data by using a Microsoft account consumer key to "forge tokens to impersonate consumer and enterprise users." Prior to CISA's advisory, Microsoft published a blog post detailing an observed attack by the new China-based threat actor Storm-0558, which exploited a vulnerability in Microsoft's cloud email service to "spy on two-dozen organizations, including some government agencies," and target customer emails. Storm-0558 is known to primarily target government agencies in Western Europe and focuses on credential access, data theft, and espionage. It should be noted that Microsoft began investigating the incidents after one (1) organization reported the bug, and a White House National Security Council spokesperson shared that the flaw was first detected by the U.S. government. Microsoft did not disclose the organizations impacted by this activity in its report, but the details of the attack in CISA's advisory are identical to those in Microsoft's report. As more details of the attack and its victims are released, CTIX analysts will continue to monitor this incident and release updates as necessary.
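The core of the advisory is a token-validation failure: a token signed with a consumer signing key was accepted for enterprise users. The following added example (not Microsoft's code, and a simplified model rather than the platform's actual logic) contrasts a validator that only checks the signature against a trusted key set with one that also binds each key to the issuer class it may vouch for; HMAC stands in for RSA, and the key names, issuer labels and claims are assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Key store: every signing key is bound to the issuer class it may vouch for. That binding is the
# control under test; the secrets are constructed sample values, not real key material.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-signing-key", "issuer": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-signing-key", "issuer": "enterprise"},
}

def sign(claims: dict, kid: str) -> str:
    """Mint an HMAC-signed token; a stand-in for the RSA-signed JWTs real identity platforms issue."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def _verify_signature(token: str):
    """Return (key_record, claims) if the signature verifies under a trusted key, else (None, None)."""
    header, body, sig = token.split(".")
    key = KEYS.get(json.loads(b64url_decode(header)).get("kid"))
    if key is None:
        return None, None
    expected = hmac.new(key["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None, None
    return key, json.loads(b64url_decode(body))

def validate_weak(token: str):
    """Accepts any token whose signature checks out under any trusted key, whatever it claims."""
    _, claims = _verify_signature(token)
    return claims

def validate_strict(token: str):
    """Also requires the signing key's issuer class to match the issuer the token asserts."""
    key, claims = _verify_signature(token)
    if claims is None or claims.get("iss") != key["issuer"]:
        return None
    return claims

# Constructed forgery: an enterprise-user token signed with the consumer key. The signature is
# cryptographically valid, so only the key-to-issuer binding can reject it.
FORGED = sign({"iss": "enterprise", "sub": "user@agency.example", "aud": "exchange"}, "consumer-key-1")
```

`validate_weak(FORGED)` returns the forged claims, while `validate_strict(FORGED)` returns `None`; a genuine token minted with the enterprise key passes both.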

Vulnerabilities

Critical Bug in FortiOS and FortiProxy Products Vulnerable to RCE

Fortinet has disclosed an actively exploited critical vulnerability impacting their FortiOS and FortiProxy SSL-VPN firewall solutions. The flaw, tracked as CVE-2023-33308, is described as a stack-based buffer overflow vulnerability, which occurs when a program writes more data into a fixed-length buffer on the stack than was allocated for it. The excess data spills into and corrupts adjacent data on the stack, causing the program to behave incorrectly or crash. Attackers could exploit this vulnerability by sending maliciously crafted input designed to exceed the buffer and overwrite instructions and parameters, achieving arbitrary remote code execution (RCE). This flaw received a CVSS score of 9.8/10, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an alert urging organizations utilizing affected Fortinet products to ensure they are running a secure version of the software. This vulnerability was already patched in the recent release of FortiOS 7.4, but if the products cannot be immediately patched due to the negative impact it would have on critical operations, Fortinet has provided documentation on how to mitigate the flaw by disabling HTTP/2 support on proxy mode SSL inspection profiles. The disclosure of this flaw comes less than one (1) month after another critical buffer overflow RCE vulnerability in Fortinet products, known as XORtigate, was disclosed, which affected hundreds of thousands of devices and was still being actively exploited by threat actors one (1) month after the bug was patched. Depending on how many instances of FortiOS and FortiProxy are exploited in the near future, CISA may consider adding this flaw to their Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies become compliant by patching before a deadline.
CTIX analysts recommend that all Fortinet customers ensure that they are always up to date with the latest security patch, and an update to this summary may be published in future FLASH updates if needed.

Honorable Mention

HCA Healthcare Data Breach Affects 11 Million Patients

HCA Healthcare has one hundred eighty-two (182) hospitals and 2,200 care centers spanning the United States and the United Kingdom, effectively making them one of the largest healthcare facility owners and operators. On July 5th, 2023, a threat actor began posting samples of alleged stolen HCA Healthcare data on a leaked and stolen data forum. The post claimed that the stolen database consisted of seventeen (17) files and 27.7 million records, containing patient records spanning 2021 to 2023. The threat actor did not initially put the database up for sale, posting it instead to establish credibility and as a way to financially pressure HCA. After the database and samples were posted, the threat actor stated that HCA had until July 10th, 2023, to meet their demands. After not hearing back, the threat actor posted the full database for sale. The same day, HCA confirmed that they had indeed been compromised, disclosing the data breach and estimating that it had impacted 11 million patients. HCA stated that "there has been no disruption to the care and services HCA Healthcare provides." The data was allegedly stolen from an "external storage location" used to format patient email messages, which gave the hacker access to data including patients' full name, city, state, and ZIP code, email address, telephone number, date of birth, gender, service date and location, as well as next appointment date. It is not believed that the stolen data included any clinical information such as patients' conditions, diagnosis, or treatment, nor credit card or bank account numbers and other sensitive information. While the stolen data is on the less sensitive side, it could still be valuable to threat actors for phishing attacks, scams, and social engineering attacks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.