2023-10-16
Malware Activity
BianLian Threat Group Claims to have Exfiltrated Data During September Air Canada Cyberattack
BianLian, a ransomware group that has been active since June 2022 and commonly targets critical infrastructure organizations throughout the United States and Australia, has claimed to have exfiltrated 210 gigabytes (GB) of data following the recent Air Canada cyberattack. Air Canada, Canada's largest airline, disclosed a data breach in mid-September 2023 and stated that "an unauthorized group briefly obtained limited access to the internal Air Canada system related to limited personal information of some employees and certain records." The airline also confirmed in its statement that no customer information was accessed during the cyberattack. BianLian, however, alleges that it exfiltrated the following information from Air Canada: personal information of employees, data regarding vendors and suppliers, confidential documents, SQL backups, archives from company databases, and technical and operational information spanning 2008 to 2023, including details about the company's technical and security challenges. The threat group has also shared screenshots of the allegedly stolen data on its dark web data leak website. Air Canada has responded to these claims by stating that it is aware of the extortion threats, but the airline did not confirm that BianLian was behind the September cyberattack. Air Canada has yet to release details of when the attack was detected, when its network was breached, and how many individuals were impacted by the incident. CTIX analysts will continue to monitor the cyber incident surrounding Air Canada and provide updates when available.
Threat Actor Activity
ToddyCat Hackers Using "Disposable" Malware to Target Asian Governments and Telecom Giants
A new campaign dubbed "Stayin' Alive" has been discovered, appearing to originate from the Chinese espionage actor known as ToddyCat. The campaign has been ongoing since 2021, and its targets include government and telecom organizations located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan; the main objective is deploying basic backdoors and loaders for the delivery of next-stage malware. Researchers have tied the threat actor to a wide variety of custom tools believed to be disposable, which helps the actor evade detection and prevents individual attacks from being linked together. While there is no clear code overlap with any other known toolsets used by other actors, the use of the same set of infrastructure is what researchers rely on to link this campaign to ToddyCat, which has been running cyber assaults against government and military agencies in Europe and Asia dating back to at least December 2020. Stayin' Alive attacks begin with spear-phishing emails that urge recipients to open a malicious ZIP attachment. The archive contains a legitimate executable that is abused through CVE-2022-23748, a vulnerability in Audinate's Dante Discovery software, to perform DLL side-loading and download the "CurKeep" malware. CurKeep is a backdoor designed to send information about the compromised host to a remote server, execute commands sent by the server, and write server responses to files on the system. The threat actor has also been observed using a passive implant named "StylerServ" that listens on five (5) different ports (60810, 60811, 60812, 60813, and 60814) to accept a remote connection and receive an encrypted configuration file.
The key takeaway is that the use of disposable loaders and downloaders has become more common even among sophisticated actors, making detection and attribution more difficult. So even though the Stayin' Alive campaign and ToddyCat share the same infrastructure and pursue similar sets of targets, conclusively linking them together remains difficult. Indicators of compromise (IOCs) can be viewed in the report linked below.
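One concrete hunt a defender can run from the passive-implant detail above is to look for a single process holding listeners on the five StylerServ ports. The following is an added illustration, not code from the report or from the researchers who published it: it parses Linux `ss -ltnp`-style listener output and groups suspicious ports by owning process. The sample output, the process name "svchlpr" and the PIDs are constructed placeholders, not real indicators; only the port numbers come from the report.

```python
"""Added hunt helper (constructed example): flag processes listening on the
ports attributed to the StylerServ passive implant (60810-60814)."""
import re
from collections import defaultdict

# Ports named in the Stayin' Alive report for the StylerServ implant.
STYLERSERV_PORTS = {60810, 60811, 60812, 60813, 60814}

# Matches one listening-socket line as printed by `ss -ltnp` on Linux:
# State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+:\S+\s*'
    r'(?:users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)


def parse_listeners(ss_output):
    """Return (port, local_addr, process_name, pid) for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a non-LISTEN socket
        found.append((int(m['port']), m['addr'], m['proc'] or '?', m['pid'] or '?'))
    return found


def find_stylerserv_candidates(ss_output):
    """Group listeners on the implant ports by (process, pid).

    A process holding all five ports matches the report's description most
    closely; a partial match on one port is far more likely to be benign and
    only deserves a second look."""
    by_proc = defaultdict(set)
    for port, _addr, proc, pid in parse_listeners(ss_output):
        if port in STYLERSERV_PORTS:
            by_proc[(proc, pid)].add(port)
    return {
        key: {'ports': sorted(ports), 'full_match': ports == STYLERSERV_PORTS}
        for key, ports in by_proc.items()
    }


# Constructed sample output; "svchlpr" and "devtool" are invented names.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:60810       0.0.0.0:*         users:(("svchlpr",pid=4412,fd=5))
LISTEN 0      128    0.0.0.0:60811       0.0.0.0:*         users:(("svchlpr",pid=4412,fd=6))
LISTEN 0      128    0.0.0.0:60812       0.0.0.0:*         users:(("svchlpr",pid=4412,fd=7))
LISTEN 0      128    0.0.0.0:60813       0.0.0.0:*         users:(("svchlpr",pid=4412,fd=8))
LISTEN 0      128    0.0.0.0:60814       0.0.0.0:*         users:(("svchlpr",pid=4412,fd=9))
LISTEN 0      128    127.0.0.1:60812     0.0.0.0:*         users:(("devtool",pid=3001,fd=4))
"""

if __name__ == '__main__':
    for (proc, pid), info in find_stylerserv_candidates(SAMPLE_SS_OUTPUT).items():
        verdict = 'ALL FIVE PORTS' if info['full_match'] else 'partial'
        print(f"{proc} (pid {pid}): {info['ports']} -> {verdict}")
```

The grouping step is the useful part: a single unrelated service bound to one port in that range is noise, whereas one process holding the whole contiguous block is the pattern worth escalating. The same grouping logic applies unchanged to `netstat -ano` output on Windows hosts once the line parser is swapped.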
Vulnerabilities
Threat Actors Exploit HTTP/2 Protocol to Deliver Largest DDoS Attack in History
A critical zero-day vulnerability in the HTTP/2 protocol was exploited by threat actors in August 2023 to deliver the largest distributed denial-of-service (DDoS) attack in history. According to the service providers Amazon Web Services, Google Cloud, and Cloudflare, this attack was approximately eight (8) times larger than the previous record for DDoS attacks. The vulnerability, tracked as CVE-2023-44487, is the result of an HTTP/2 Rapid Reset, which allows a client, whether an analyst or an attacker, to send and cancel HTTP requests in rapid succession, "thereby circumventing the server's concurrent stream maximum and overloading the server without reaching its configured threshold." The threat actors sent hundreds of thousands of HTTP/2 streams and rapidly canceled them at scale, ultimately overwhelming websites and taking them offline. Multiple companies have released software updates to mitigate the exploitation of this feature. The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations that provide HTTP/2 services apply patches when available and consider the configuration changes and other mitigations discussed in the CISA advisory linked below. CTIX analysts will continue to monitor the outcome of this exploitation as more companies mitigate the threat and will provide an update if applicable.
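The quoted sentence is the whole mechanism: a cancelled stream frees its concurrency slot immediately, so the advertised `SETTINGS_MAX_CONCURRENT_STREAMS` limit never triggers even though the server has already begun work on every request. The following is an added model written for this digest, not code from CISA, the named providers or any HTTP/2 implementation: a toy server-side stream accountant that shows why the concurrency cap misses the pattern, alongside the per-connection reset-rate guard that shipped patches added in various forms. The frame sequences are constructed, and the limit values (100 concurrent streams, 50 resets per second) are illustrative rather than any vendor's defaults.

```python
"""Added example (constructed): HTTP/2 stream accounting under Rapid Reset,
with and without a per-connection RST_STREAM rate guard."""
from collections import deque


class Http2ConnectionGuard:
    """Minimal model of one server-side HTTP/2 connection.

    Real servers refuse a stream by answering RST_STREAM(REFUSED_STREAM) and
    drop a connection with GOAWAY; here those outcomes are returned as strings.
    """

    def __init__(self, max_concurrent=100, reset_limit=50, window_s=1.0):
        self.max_concurrent = max_concurrent  # advertised SETTINGS_MAX_CONCURRENT_STREAMS
        self.reset_limit = reset_limit        # RST_STREAM frames tolerated per window
        self.window_s = window_s              # sliding window for the reset counter
        self.open_streams = set()
        self.peak_concurrent = 0
        self.requests_dispatched = 0          # work already handed to the backend
        self.reset_times = deque()
        self.closed = False

    def on_frame(self, frame_type, stream_id, now):
        """Process one client frame and return the server's reaction."""
        if self.closed:
            return 'GOAWAY'
        if frame_type == 'HEADERS':
            if len(self.open_streams) >= self.max_concurrent:
                return 'REFUSED_STREAM'       # the check Rapid Reset never trips
            self.open_streams.add(stream_id)
            self.requests_dispatched += 1     # backend work starts at once
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
        elif frame_type == 'RST_STREAM':
            self.open_streams.discard(stream_id)   # slot freed immediately
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.reset_limit:
                self.closed = True            # mitigation: drop the abusive connection
                return 'GOAWAY'
        return 'OK'


def rapid_reset_frames(n, spacing=0.0001):
    """Constructed client behaviour: open a stream and cancel it at once, n times."""
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        yield ('HEADERS', sid, t)
        yield ('RST_STREAM', sid, t)


def simulate_rapid_reset(n_requests, reset_limit):
    """Return what the server observed; reset_limit=10**9 models an unpatched server."""
    guard = Http2ConnectionGuard(max_concurrent=100, reset_limit=reset_limit)
    goaway_at = None
    for i, frame in enumerate(rapid_reset_frames(n_requests)):
        if guard.on_frame(*frame) == 'GOAWAY':
            goaway_at = i
            break
    return {'peak_concurrent': guard.peak_concurrent,
            'dispatched': guard.requests_dispatched,
            'goaway_at_frame': goaway_at}


def simulate_plain_burst(n_streams):
    """A client that opens streams without cancelling is stopped by the concurrency cap."""
    guard = Http2ConnectionGuard(max_concurrent=100, reset_limit=50)
    outcomes = [guard.on_frame('HEADERS', 2 * i + 1, i * 0.0001) for i in range(n_streams)]
    return outcomes.count('REFUSED_STREAM')


if __name__ == '__main__':
    print('plain burst of 150 streams, refused:', simulate_plain_burst(150))
    print('unpatched, rapid reset:', simulate_rapid_reset(10_000, reset_limit=10**9))
    print('patched,   rapid reset:', simulate_rapid_reset(10_000, reset_limit=50))
```

The unpatched run dispatches all 10,000 requests to the backend while the concurrency counter never exceeds 1, which is exactly the "without reaching its configured threshold" condition in the quote; the guarded run closes the connection after the 51st reset in the window, having dispatched only 51. The plain burst shows the concurrency cap doing its intended job against a client that simply floods streams, which is why the cap alone was considered adequate before this technique.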
