2024-01-16

Ransomware/Malware Activity

Python Malware Fbot Targets Cloud Services

A new malware family targeting web servers and cloud services has been revealed by researchers at Sentinel Labs. This new malware, dubbed Fbot, is written in Python and has been seen targeting a variety of cloud services and other software as a service (SaaS) providers, including Amazon Web Services, Office365, Sendgrid, and Twilio. Although Fbot's primary purpose appears to be hijacking these services, it also maintains secondary capabilities to gather account credentials for any number of purposes. The control panel for the malware comes with twenty-three (23) pre-installed functions for the user to choose from. These include options to try to brute force AWS access keys, add new accounts to AWS Simple Email Service with elevated privileges, and check an AWS EC2 service's configuration and allotted resources. Fbot can also determine any emails associated with PayPal accounts, run reverse IP scans while in its environment, capture credential information from Laravel files on websites, and find a list of phone numbers associated with a Twilio account. With samples dating back to July 2022 and the newest samples from January 2024, Fbot has managed to stay under the radar for quite some time, possibly because it appears to be a more personalized tool than other similar pieces of malware like AlienFox or Greenbot and it is not being distributed on known crimeware channels or forums. CTIX analysts will continue to monitor the evolution of custom-tailored cloud targeting malware.

Threat Actor Activity

Turkish Hackers Using Mimic Ransomware to Target Microsoft SQL Servers

A group of financially motivated Turkish hackers is targeting Microsoft SQL (MSSQL) servers across the globe. The ongoing campaign, coined RE#TURGENCE, is prominently focused on targets in the United States, the European Union, and Latin America. The threat actors have been encrypting victims' files with Mimic (N3ww4v3) ransomware, using far more targeted and customized approaches for obtaining initial access. After gaining initial access, the threat actors will typically spend about a month in a victim's system before deploying Mimic ransomware. During that period, the threat actor will spend time mapping the victim's system, disabling cyber defenses, and establishing persistence. The campaign has been analyzed to progress in one (1) of two (2) ways: the threat actor will either sell access to the compromised host they've obtained or will deploy the ultimate Mimic ransomware payload. The threat actors gain initial access by brute forcing exposed MSSQL databases. They've also been observed deploying heavily obfuscated Cobalt Strike payloads for injection tactics and downloading the AnyDesk remote desktop application to collect credentials extracted using Mimikatz. The hackers have also been able to compromise other devices on the network and the domain controller using previously stolen credentials and the Advanced Port Scanner utility to scan the local network and Windows domain. The Mimic ransomware is the final payload, deployed to search for files and ultimately encrypt them if the threat actor chooses not to sell access to the compromised host. The email used in the ransom note (datenklauseo@gmail[.]com) has been used to link the threat actors to the Phobos ransomware group, and other indicators of compromise include the 'red.exe' process along with a '—IMPORTANT—NOTICE—.txt' ransom text file.
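As an added example (not code from the original bulletin or from the researchers who analyzed RE#TURGENCE), the following Python triage script applies two of the points above to constructed sample data: it flags a source that repeatedly fails MSSQL logins and then succeeds, which is the brute-force initial access described, and it matches the named host indicators ('red.exe', the ransom note file name, and the ransom note email). The SQL Server errorlog line layout and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in SQL Server errorlog style (layout assumed; not from the bulletin).
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:11.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:11.35 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:11.61 Logon  Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-01-15 10:02:12.02 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-15 10:05:40.00 Logon  Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2024-01-15 10:06:01.00 Logon  Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

# Constructed file paths standing in for a host's process/file inventory.
SAMPLE_HOST_ARTIFACTS = [
    r"C:\Users\Public\red.exe",
    r"C:\Users\alice\Desktop\—IMPORTANT—NOTICE—.txt",
    r"C:\Windows\System32\svchost.exe",
]

LOGIN_FAILED = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
LOGIN_OK = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")

# Indicators named in the bulletin; the email pattern accepts both the defanged and plain forms.
IOC_PATTERNS = [r"(?i)\bred\.exe\b", r"—IMPORTANT—NOTICE—\.txt", r"datenklauseo@gmail\[?\.\]?com"]


def brute_force_sources(errorlog: str, threshold: int = 3) -> dict:
    """Return {client: {"failures": n, "then_succeeded": bool}} for clients with >= threshold failures.

    A success that arrives after the threshold is crossed is the case most worth escalating,
    since it suggests the brute force worked rather than merely being attempted.
    """
    failures = Counter()
    succeeded_after = set()
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            failures[m.group("client")] += 1
            continue
        m = LOGIN_OK.search(line)
        if m and failures[m.group("client")] >= threshold:
            succeeded_after.add(m.group("client"))
    return {ip: {"failures": n, "then_succeeded": ip in succeeded_after}
            for ip, n in failures.items() if n >= threshold}


def find_iocs(lines) -> list:
    """Return (pattern, line) pairs for every line matching one of the bulletin's indicators."""
    return [(pat, line.strip()) for line in lines for pat in IOC_PATTERNS if re.search(pat, line)]
```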

Vulnerabilities

Chinese Threat Actors Exploit Zero-day Vulnerabilities in Ivanti Products

Two (2) zero-day vulnerabilities impacting Ivanti Connect Secure (ICS) and Policy Secure (IPS) have been exploited as an attack chain to conduct remote code execution (RCE) by threat actors suspected to be affiliated with China. ICS is remote access VPN software/hardware, and IPS is a network access control (NAC) solution which only provides network access to authorized users and devices. The first flaw, tracked as CVE-2023-46805, is an authentication bypass vulnerability allowing remote unauthorized access to restricted resources. The second flaw, tracked as CVE-2023-21887, is a command injection vulnerability allowing authenticated administrator users to execute arbitrary commands. The vulnerabilities can be combined to gain unauthenticated command execution and full control over vulnerable instances of ICS and IPS over the internet, enabling attackers to craft malicious requests and execute commands without authentication. According to researchers, the observed attackers attempted to tamper with Ivanti's system monitoring tool to "steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance." This is a highly sophisticated compromise, and the threat actors were observed conducting reconnaissance, moving laterally across the network, and deploying a custom web shell named GLASSTOKEN for persistent access. Researchers have attributed this compromise to a threat actor tracked as UTA0178 and stated that the VPN appliances may have been compromised since December 3, 2023. At this time, the implemented patches are not sufficient to prevent exploitation, and Ivanti has provided mitigations in the interim to help harden their customers' defensive posture while Ivanti releases staggered patches throughout January 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the patches no later than January 31, 2024. CTIX analysts recommend that any administrators or security personnel responsible for maintaining instances of ICS/IPS investigate their network for any evidence of exploitation and apply the mitigation protocols immediately to prevent future exploitation.

