Weekly Cyber-Intelligence Trends and Advisory – 02 June 2022

Threat Actor in Focus – Gamaredon Conducts DDoS with Open-source Trojan

  • Attack Type: DDoS
  • Objective: Resource Exhaustion
  • Target Technology: Internet-facing Assets
  • Target Industry: Unknown
  • Target Geography: Global
  • Business Impact: Operational Disruption, Data Loss, Financial Loss

Researchers suspect that the Russian APT group Gamaredon could fuel a new wave of DDoS attacks. They found that the group has adopted the open-source DDoS Trojan program “LOIC” to carry out DDoS attacks. While monitoring Gamaredon’s activity, researchers also found multiple attack chains including phishing emails, remote template injection, malicious scripts delivered in self-extracting programs, wiper payloads, and registry modification for scheduled tasks, among others. The malicious code distributed by the APT group includes hardcoded IP addresses and ports for the targets.

The malware samples observed by researchers seem to have been compiled in early March this year, shortly after the Russian invasion of Ukraine. Since the start of the military conflict, a new trend of disruptive attacks has been gaining momentum, including wiper attacks and DDoS. Ukraine is already facing the brunt of these DDoS attacks; however, it is not the only target. Recently, the Italian Computer Security Incident Response Team also warned of the potential risk of DDoS attacks against its national entities.

Major Geopolitical Developments in Cybersecurity – The Quad to Strengthen Cybersecurity in Software, Supply Chains

The Quad nations Australia, the United States, India, and Japan committed to several cybersecurity initiatives concerning software, supply chains, and user data during their recent meeting in Tokyo.

The countries’ leaders, US President Joe Biden, Australian Prime Minister Anthony Albanese, Indian Prime Minister Narendra Modi, and Japanese Prime Minister Fumio Kishida, declared in a joint statement “their renewed commitment to deepening cooperation in addressing some pressing challenges currently facing the Indo-Pacific region.” This includes issues such as the ongoing COVID-19 pandemic, climate change, infrastructure, peace and stability (due to the Ukraine invasion), and cybersecurity.

The White House said, “In an increasingly digital world with sophisticated cyber threats we recognize an urgent need to take a collective approach to enhance cybersecurity. To achieve the Quad Leaders’ vision of a free and open Indo-Pacific, they committed to bolstering defences of critical infrastructure by sharing threat information, identifying and evaluating risks in digital supply chains, and among other cybersecurity initiatives that will have benefits to all users.”

The Quad also aims to form a Quad Cybersecurity Partnership. The group will also initiate “capacity building programs” for the region and launch a Quad Cybersecurity Day to “help individual internet users across our nations, the Indo-Pacific region, and beyond to better protect themselves from cyber threats.”

Hive Ransomware Group – Recent Observations

  • The Hive ransomware was first observed in June 2021 and is believed to run as an affiliate-based operation, like the majority of ransomware groups today. The group employs a wide array of tactics, techniques, and procedures (TTPs) in its attacks. It leverages multiple methods to compromise an organization’s network, including phishing emails with malicious attachments to gain an initial foothold and exploitation of Remote Desktop Protocol (RDP) for lateral movement.
  • It uses a double-extortion strategy: the attackers threaten to publish the exfiltrated victim data if the victim refuses to pay the ransom.
  • The ransomware operators implemented a new “IPfuscation” obfuscation technique to conceal the Cobalt Strike beacon payload. The payload is disguised as an array of ASCII IPv4 address strings inside the malware executable, with each address encoding four bytes of the real payload. Code obfuscation helps threat actors hide malicious code from security analysts and security software in order to evade detection.
  • The Hive operators rewrote their VMware ESXi Linux encryptor in the Rust programming language and adopted a feature from the BlackCat ransomware operation that makes it more difficult for security researchers to eavesdrop on victims’ ransom negotiations.
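The IPfuscation layout described above can be spotted without executing the sample: a benign binary rarely stores dozens of dotted-quad strings back to back. The following detection routine is an added example written for this advisory, not Hive or Cobalt Strike code; the run threshold and the sample "binary" (whose eight addresses decode to a harmless constructed sentence) are assumptions.

```python
import re
from typing import List, Tuple

# A dotted-quad ASCII string followed by a NUL terminator, as it would sit in a binary's data section.
IPV4_RE = re.compile(rb"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\x00")
MIN_RUN = 8  # assumed threshold: short runs of addresses are normal in benign configuration data


def find_ip_string_runs(blob: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, int, bytes]]:
    """Return (offset, address_count, decoded_bytes) for every run of at least
    min_run back-to-back IPv4 strings; each address yields four raw bytes."""
    runs = []
    pos = 0
    while True:
        m = IPV4_RE.search(blob, pos)
        if m is None:
            break
        start = end = m.start()
        decoded, count = bytearray(), 0
        while m is not None and m.start() == end:
            octets = [int(x) for x in m.groups()]
            if max(octets) > 255:  # "300.1.2.3" is not an address, so the run stops here
                break
            decoded.extend(octets)
            count += 1
            end = m.end()
            m = IPV4_RE.match(blob, end)  # next string must begin exactly where this one ended
        if count >= min_run:
            runs.append((start, count, bytes(decoded)))
        pos = max(end, start + 1)
    return runs


# Constructed sample "binary": a benign two-address config string, then eight
# consecutive addresses that encode the text "constructed sample, not a beacon".
SAMPLE_BLOB = (
    b"\x7fELF\x00config: 10.0.0.1\x00192.168.1.1\x00padding"
    b"99.111.110.115\x00116.114.117.99\x00116.101.100.32\x00115.97.109.112\x00"
    b"108.101.44.32\x00110.111.116.32\x0097.32.98.101\x0097.99.111.110\x00"
    b"trailer bytes"
)

if __name__ == "__main__":
    for offset, count, data in find_ip_string_runs(SAMPLE_BLOB):
        print(f"run of {count} addresses at offset {offset}: {data!r}")
```

Feeding the decoded bytes to a disassembler or a YARA scan is the natural next step once a run is flagged.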

Latest Cyber-Attacks, Incidents, and Breaches – Agency Warns of Widespread Credential Leak on Russian Hacker Forums

  • Attack Type: Credential Abuse, Unauthorized Access, Spear-Phishing, Ransomware
  • Target Technology: VPN, Network Devices
  • Target Industry: Education
  • Target Geography: United States
  • Business Impact: Data Loss

According to a new alert from the FBI, Russian hacker forums are full of network credentials and VPN access for employees of US educational institutions. The agency said these credentials are being advertised widely across hacker forums. In May 2021 alone, the FBI found approximately 36,000 email and password combinations for accounts on domains ending in .edu on public instant messaging platforms used by cybercriminals. The agency suggests most of these credentials were likely acquired through the attacks that have hit US colleges and universities over the past few years, including spear-phishing, ransomware, and other types of cyberattacks. As of January 2022, network credentials for various US-based educational institutions have been offered for sale or public access on Russian hacker forums, at prices ranging from a few US dollars to multiple thousands.

Numerous ransomware incidents targeting educational institutions have been reported this year alone. Educational institutions are often not entirely transparent about ransomware attacks or data exfiltration, nor are they in a position to meet the ransom demand when attacked. Most are still recovering from the COVID-19 pandemic, and a ransomware attack during this time may turn out to be a final blow. CTI has already observed one such incident, in which the 157-year-old Lincoln College in Illinois had to permanently close down after suffering a ransomware attack.

Vulnerabilities and Exploits – Two Bugs In Strapi Allow Data Exposure

  • Attack Type: Vulnerabilities & Exploits, Account Compromise, Potential Privilege Escalations
  • Target Technology: Strapi
  • Vulnerability: CVE-2022-30617 (CVSS score: 8.8), CVE-2022-30618 (CVSS score: 7.5)
  • Vulnerability Type: Improper Removal of Sensitive Information Before Storage or Transfer

In a recent patch update, the popular open-source content management system (CMS) Strapi fixed two vulnerabilities that could allow attackers to access sensitive data such as email addresses and password reset tokens. While not as well-known as competitors such as WordPress or Joomla, Strapi is known for its “headless” design, meaning its front-end and back-end software run separately, and it is used by major organizations including IBM, NASA, and Walmart.

According to researchers, the vulnerabilities expose sensitive information that enables a user to compromise other users’ accounts by invoking the password reset workflow. In a worst-case scenario, a low-privileged user could gain access to a “super admin” account with full control over the Strapi instance, read and modify any data, and block access to both the admin panel and the API by revoking the privileges of all other users.

The latest release of Strapi CMS accounts for approximately 40,000 weekly downloads on NPM, with around 25,000 weekly downloads for its older version. Researchers found the vulnerabilities in the admin panel and state that an account compromise is fairly easy to perform. It is unclear how many instances are currently vulnerable, but given that the patch was made available only in recent weeks, researchers presume it is reasonable to assume that not everyone has upgraded yet.
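The weakness class behind both CVEs (CWE-212, sensitive data not removed before transfer) is easiest to see as a serializer that returns stored records verbatim next to one that projects onto an allow-list. This is an added illustration, not Strapi’s code: the field names, the sample records, and the `find_leaked_fields` regression check are assumptions.

```python
from typing import Any, Dict, List

# Assumed field names (not taken from Strapi's code): values that must never leave the server.
SECRET_FIELDS = {"password", "resetPasswordToken", "registrationToken"}
# Allow-list of what an admin-panel user listing actually needs; everything else is dropped.
PUBLIC_USER_FIELDS = ("id", "username", "roles", "isActive")


def vulnerable_serialize(users: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # The flaw described above: the stored record is returned as-is, reset token included.
    return [dict(u) for u in users]


def hardened_serialize(users: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # Fix pattern: project onto an explicit allow-list. A deny-list would silently
    # miss any secret field added later, which is how such leaks reappear.
    return [{k: u[k] for k in PUBLIC_USER_FIELDS if k in u} for u in users]


def find_leaked_fields(payload: Any, path: str = "$") -> List[str]:
    """Walk a JSON-like API response and return JSONPath-style locations of secret
    fields. Run it over your own endpoints' responses as a regression test."""
    leaks: List[str] = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            if k in SECRET_FIELDS:
                leaks.append(f"{path}.{k}")
            leaks.extend(find_leaked_fields(v, f"{path}.{k}"))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            leaks.extend(find_leaked_fields(v, f"{path}[{i}]"))
    return leaks


# Constructed sample records resembling stored admin users, one with a pending reset.
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "email": "alice@example.com", "roles": ["super-admin"],
     "isActive": True, "password": "<hash placeholder>", "resetPasswordToken": "<token placeholder>"},
    {"id": 2, "username": "bob", "email": "bob@example.com", "roles": ["editor"],
     "isActive": True, "password": "<hash placeholder>", "resetPasswordToken": None},
]

if __name__ == "__main__":
    print("vulnerable:", find_leaked_fields(vulnerable_serialize(SAMPLE_USERS)))
    print("hardened:  ", find_leaked_fields(hardened_serialize(SAMPLE_USERS)))
```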