Weekly Cyber-Intelligence Report – 16 May 2021

Published On : 2021-05-16

Threat Actor in Focus – Roaming Mantis Evolving and Improvising its Smishing Campaign

  • Attack Type: Smishing, Data Exfiltration
  • Target Industry: Multiple
  • Target Geography: Japan
  • Target Technology: Android
  • Ransomware / Malware: SmsSpy
  • Objective: Espionage, Maintain Persistence
  • Business Impact: Data Loss, Operational Disruption, Data Leak

The Roaming Mantis smishing campaign, known to target Asian Android users, is now leveraging new malware called SmsSpy to target Japanese users. Researchers highlight how the operators lure victims through smishing messages sent from fake domains resembling a logistics company and by impersonating bitcoin operators. The new malware has two variants and infects the device according to the Android OS version in use: on Android 10 or earlier, a fake Google Play app is downloaded; on Android 9 or earlier, a fake Chrome app is downloaded. Apart from stealing phone numbers and SMS messages from the infected devices, the malware sends the Android OS version, phone number, device model, internet connection type, and unique device ID to the command and control (C2) server as part of its handshake.

The threat actors have reportedly used different mobile malware such as MoqHao, SpyAgent, and FakeSpy to target Android users in Asian countries in the past.

The threat actor, which started with a simple DNS hijacking technique for distribution, has since improved its attack methods and is known to have enhanced its anti-researcher tactics to avoid tracking. The group, while largely focused on Asian countries, is also reported to have expanded its operations into the European region. The newly identified malware in the current campaign has been observed using modified infrastructure and payloads.

Major Geopolitical Developments in Cybersecurity

US Intelligence Agencies Warn About 5G Network Weaknesses

The analysis paper released by US law enforcement agencies highlights three threat vectors that could pose major cybersecurity risks for 5G networks, potentially making them a lucrative target for cybercriminals and nation-state adversaries seeking valuable intelligence.

While the transition to 5G presents a wealth of opportunities and capabilities, it also introduces new vulnerabilities and threats. The following threat vectors identified represent an initial list of threats across the various 5G domains:

  1. As new 5G policies and standards are released, there remains the potential for threats that impact the end-user.
  2. Supply chain threat scenario: Compromised counterfeit components could enable a malicious threat actor to impact the confidentiality, integrity, or availability of data that travels through the devices and to move laterally to other more sensitive parts of the network.
  3. Weaknesses in the 5G architecture, which could be used to execute a variety of attacks, chief among them – the need to support 4G legacy communications infrastructure, improper 5G slice management, and many more.

5G is projected to use more components than the previous generation of wireless networks, presenting an increased attack surface to malicious threat actors. As an important technological advancement, 5G is expected to drive a digital and business revolution and thereby introduce new threat vectors. This will attract new cybercriminals because of the exposure of newly connected devices, industries and services, and sensitive assets.

US President Signs an Executive Order on Improving the Nation’s Cybersecurity

The industry has welcomed this EO as a step in the right direction to curb cyber threats. The key pillars of the EO rest on information sharing between the public and private sectors, the need to develop a zero-trust framework, and strengthening software and cloud products, which are increasingly adopted by government and businesses alike. The wide-ranging order includes the following:

  • Threat Information Sharing Between Government and the Private Sector
  • Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
  • Improve Software Supply Chain Security
  • Establish a Cybersecurity Safety Review Board
  • Create a Standard Playbook for Responding to Cyber Incidents
  • Improve Detection of Cybersecurity Incidents on Federal Government Networks
  • Improve Investigative and Remediation Capabilities

Rise in Malware/Ransomware Attacks

New Android Malware “Teabot” Targeting Banks in Italy, Spain, Germany, Belgium, and the Netherlands

Researchers have disclosed a new Android trojan that hijacks users’ credentials and SMS messages to facilitate fraudulent activities against banks across Europe. Once successfully installed, the trojan allows threat actors to obtain a live stream of the device screen and interact with it via Android’s Accessibility Services. According to researchers, when the malicious app ‘TeaTV’ is downloaded on the device, the malware – dubbed “Teabot” – gets installed as an Android Service, an application component that can perform long-running operations in the background. Post-installation, it requests Android permissions to observe users’ actions, retrieve window content, and perform arbitrary gestures. According to researchers, Teabot represents a shift in mobile malware from a sideline issue to a mainstream problem, just like malware on traditional endpoints.
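The three capabilities the paragraph lists (observing user actions, retrieving window content, performing gestures) correspond to declared attributes of an Android accessibility service, so a triage script can flag them before an app is ever run. The following is an added example written for this report, not code from the researchers who analysed Teabot: it parses a constructed AndroidManifest.xml and a constructed accessibility-service config resource (the kind referenced from the service’s `android.accessibilityservice` meta-data) and reports a service as suspicious only when it is bound as an accessibility service and declares the full capability set. The package name, service name and file contents are made up; the attribute and permission names are the real Android ones.

```python
"""Flag Android apps whose manifest declares an accessibility service with the
capability set Teabot-style banking trojans rely on: observe every UI event,
read window content, and inject gestures.

The XML samples below are constructed stand-ins for a decoded APK's
AndroidManifest.xml and its res/xml accessibility-service config."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest: a video-player-looking app that registers a background
# service bound with the accessibility-service permission and intent action.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.teatv">
  <application android:label="TeaTV">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
                 android:resource="@xml/acc_config"/>
    </service>
  </application>
</manifest>"""

# Constructed config: subscribes to all event types, reads window content,
# and can perform gestures (the remote-control combination).
SAMPLE_ACC_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:accessibilityFlags="flagReportViewIds|flagRetrieveInteractiveWindows"/>"""

# Constructed benign config: a screen-reader style service that only listens
# to a couple of event types and cannot read arbitrary content or inject input.
BENIGN_ACC_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewFocused|typeWindowStateChanged"
    android:canRetrieveWindowContent="false"/>"""


def android_attr(name):
    """Qualified attribute name in the android: namespace, as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, name)


def accessibility_services(manifest_xml):
    """Return names of <service> elements declared as accessibility services,
    either via the BIND permission or the AccessibilityService intent action."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        actions = {act.get(android_attr("name")) for act in svc.iter("action")}
        if svc.get(android_attr("permission")) == BIND_PERMISSION or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(android_attr("name")))
    return found


def risky_capabilities(acc_config_xml):
    """Return which of the three Teabot-style capabilities the config declares."""
    root = ET.fromstring(acc_config_xml)
    caps = []
    if "typeAllMask" in (root.get(android_attr("accessibilityEventTypes")) or ""):
        caps.append("observes_all_events")
    if root.get(android_attr("canRetrieveWindowContent")) == "true":
        caps.append("reads_window_content")
    if root.get(android_attr("canPerformGestures")) == "true":
        caps.append("performs_gestures")
    return caps


def triage(manifest_xml, acc_config_xml):
    """Suspicious only when an accessibility service is declared AND its config
    carries the complete observe / read / inject capability set."""
    services = accessibility_services(manifest_xml)
    caps = risky_capabilities(acc_config_xml) if services else []
    return {"services": services, "capabilities": caps, "suspicious": len(caps) == 3}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ACC_CONFIG))   # suspicious: True
    print(triage(SAMPLE_MANIFEST, BENIGN_ACC_CONFIG))   # suspicious: False
```

The check is deliberately conjunctive: legitimate screen readers and automation tools declare one or two of these attributes, so a single capability is a weak signal, whereas all three together in an app whose store listing is a video player is worth a manual look. Real APKs store the manifest in binary XML, so in practice the input comes from a decoder such as apktool or androguard rather than a plain text file.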

Ransomware Gangs Have Leaked Data of 2103 Organizations so Far

  • Attack Type: Ransomware, Data Leak
  • Target Industry: Multiple
  • Target Geography: Global
  • Business Impact: Data Loss, Financial Loss, Reputational Damage

Researchers highlight that since 2019, ransomware operators, 34 different gangs in all, have leaked stolen data from approximately 2103 organizations. The top five currently active operators in terms of the number of leaks are:

  • Conti (338 leaks)
  • Sodinokibi/REvil (222 leaks)
  • DoppelPaymer (200 leaks)
  • Avaddon (123 leaks)
  • Pysa (103 leaks)

Two notable operators that have more leaks than some of those in the top five are Maze (266 leaks) and Egregor (206 leaks). A few of the ransomware gangs listed below are no longer in operation, such as NetWalker, Sekhmet, Egregor, Maze, and Team Snatch, or have rebranded under a new name, such as NEMTY and AKO.

The complete list of tracked 34 ransomware operators includes Team Snatch, MAZE, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, DarkSide, CL0P, Avaddon, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, RansomEXX, Everest, Ragnarok, BABUK LOCKER, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and XING LOCKER.

Ransomware is designed for direct revenue generation. Since the inception of modern ransomware attacks, when operators adopted the simple tactic of encrypting as many victims as possible before demanding a ransom, the extortion model has evolved many times over. Ransomware operators have used cold-calling, threats to the C-level executive in charge of approving the ransom, threats to notify business partners and journalists about the breach, threats to notify regulatory bodies, threats to launch DDoS attacks, leveraging the victim’s clients to apply pressure, and threats to leak the data.

Most recently, the DarkSide ransomware gang added a new tactic by leveraging the negative effect of a publicly disclosed cyber-attack on the stock market to extort ransom from victims.

Vulnerabilities and Exploits

Critical Authentication-Bypass Vulnerability in Pega Infinity

  • Target Geography: Global
  • Target Technology: Pega Infinity 8.2.1 to 8.5.2
  • Vulnerabilities: CVE-2021-27651 (CVSS Base Score: 9.8)
  • Vulnerability Type: Authentication Bypass, Remote Code Execution
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

A team of security researchers has identified a critical authentication bypass vulnerability in the Pega Infinity enterprise software platform, versions 8.2.1 to 8.5.2. The vulnerability, in Pega Infinity’s password reset system, was reported through a bug bounty program. An attacker could leverage it to fully compromise the Pega instance through administrator-only remote code execution, which could include modifying dynamic pages or templating. Pega instances are largely public-facing, and at the time the vulnerability was reported, customers included the FBI, US Air Force, Apple, American Express, and others. A hotfix has been released and users were advised to update their installations.

The incident highlights the importance of running a responsible disclosure program (loosely referred to as a bug bounty) for an organization. Independent security researchers can help businesses identify potentially critical weaknesses in enterprise applications and infrastructure. Such programs are an additional way to detect software and configuration errors that may have been overlooked by the development and security teams.

To take full advantage of a responsible disclosure program, organizations must respond actively to researchers and take timely steps to address the issues they highlight.
