Weekly Cyber-Intelligence Trends and Advisory – 20 May 2022

Threat Actor in Focus – Sidewinder APT Two-year Attack Spree Across Asia

  • Suspected Threat Actors: SideWinder
  • Attack Type: Cyber Espionage, Spear-phishing, Data Exfiltration, Vulnerabilities & Exploits, Persistence, Malware Implant
  • Objective: Espionage, Unauthorized Access, Potential Data Theft
  • Target Technology: Email, Windows, Android
  • Target Industry: Military, Law enforcement, Foreign Affairs, Defense, Aviation, IT, and Legal Institutions, Government
  • Target Geography: South Asia, Central Asia
  • Business Impact: Data Loss

Summary:

During the Black Hat Asia conference, a security researcher detailed a two-year-long campaign by an advanced persistent threat group known as SideWinder, which they have been tracking since 2017. The group has conducted approximately 1,000 attacks and leveraged complex and increasingly sophisticated methods, including multiple layers of malware, additional obfuscation, and memory-resident malware that leaves researchers little evidence to work with.

The group's main initial access vector is spear-phishing email with malware-laced attachments aimed at a curated list of targets. The group does not use zero-day exploits but instead relies on known Windows and Android vulnerabilities.

While initial research linked SideWinder to India, attribution of this threat actor has become more difficult over the years.

Insights:

The researcher highlighted that SideWinder APT stands apart from other APT groups due to its large toolset that includes many different malware families, various new spear-phishing documents, and a very large infrastructure. In addition, SideWinder showcases dogged persistence and a high volume of activity.

The group has also been observed changing tactics when a first attempt fails to compromise the victim. They remain careful and inventive in approaching targets and make sure they gain a foothold. In one such instance, the group sent a spear-phishing email carrying a malicious payload but no email body. Shortly afterwards, a second spear-phishing email apologising for the previous one was sent, this time with a different malicious payload inside the document. All of this was done to ensure a foothold in the victim’s environment.

Major Geopolitical Developments in Cybersecurity – Killnet Hackers Announce Cyberattacks on Countries Opposing Putin’s War

A group of pro-Russian hackers going by the name “Killnet” has announced that it “declares war” and intends to launch global cyberattacks against 10 countries, including the UK, for standing up to Vladimir Putin’s war in Ukraine.

The other countries named as targets by the Russian-linked group are the US, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine.

The development follows Killnet’s failed cyberattack on the online voting system of the Eurovision Song Contest, which the Italian police claimed to have disrupted. In its announcement on Monday, however, Killnet called that claim false and referred to the “deceitful police of Italy”. The same announcement added the Italian police to the target list alongside the 10 countries mentioned above.

Killnet also claimed responsibility for the apparent outage of the website of the Italian police’s cyber division.

Latest Cyber-Attacks, Incidents, and Breaches – Bugs Chained to Takeover Facebook Accounts That Used Gmail

  • Attack Type: Account Takeover, XSS, CSRF
  • Objective: Unauthorized Access
  • Target Technology: Facebook Accounts
  • Target Industry: Social Media
  • Target Geography: Global
  • Business Impact: Data Loss, Reputational Damage

Summary:

A security researcher recently disclosed multiple bugs that he chained together to take over Facebook accounts linked to a Gmail account. In his report to Facebook, the researcher detailed each issue and the steps to take over an account, which include:

  • Sandboxed CAPTCHA – The first issue was found in Facebook’s additional security mechanism, called “Checkpoint”, which presents a Google CAPTCHA in an iFrame hosted on a sandboxed domain (fbsbx.com). An attacker can replace the “referrer” part of the iFrame URL with the “next” parameter, causing the URL, including the login parameters, to be sent to the sandbox domain.
  • XSS – For testing purposes, Facebook allows custom HTML files to be uploaded to its sandbox domain, fbsbx.com.
  • SOP (Same Origin Policy) – Because the same domain hosts both the Google CAPTCHA iFrame and the uploaded HTML in which XSS is possible, the target page and the attacker’s custom script share an origin, so the same origin policy provides no separation between them.
  • CSRF – In the report, the researcher used undisclosed CSRF attacks to log the target user out and later log them back in through the Checkpoint.
  • Next, an OAuth access token string is intercepted by targeting a third-party OAuth provider such as Gmail.

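An added example, not code from the advisory or from Facebook, showing the two checks the chain above hinges on: a same-origin comparison (a CAPTCHA frame and user-uploaded HTML served from one sandbox domain share an origin, so the browser’s same origin policy does not separate them), and a server-side validator for a “next”/“referrer”-style redirect parameter that refuses to hand login parameters to any origin outside an allow-list. It goes beyond the specific case by also rejecting scheme-relative, userinfo and backslash variants. All hostnames (app.example, sandbox.example) and the function names are constructed for illustration.

```python
"""Same-origin and redirect-target checks (added example; hostnames constructed)."""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed trust boundary: the application origin is the only place a
# login flow may redirect to. The sandbox that hosts uploaded HTML is a
# different origin on purpose and is never in this set.
APP_ORIGIN = "https://app.example"
ALLOWED_REDIRECT_ORIGINS = {APP_ORIGIN}


def origin_of(url: str) -> Optional[str]:
    """Return the browser-style origin scheme://host[:port] of an absolute
    http(s) URL, or None if the URL has no usable origin."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def same_origin(a: str, b: str) -> bool:
    """The same origin policy compares scheme, host and port only: two pages
    on one sandbox domain are same-origin however different their paths are."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob


def is_safe_next(next_param: str) -> bool:
    """Accept a redirect target only if it is a same-site relative path or an
    absolute URL whose origin is allow-listed. Everything ambiguous is rejected
    rather than normalised."""
    if not next_param or len(next_param) > 2048:
        return False
    # Backslashes and whitespace/control characters are parsed differently by
    # browsers and URL libraries; refuse them outright.
    if "\\" in next_param or any(c in next_param for c in "\r\n\t "):
        return False
    # A relative path stays on the current origin; "//host" is scheme-relative
    # and would leave it.
    if next_param.startswith("/"):
        return not next_param.startswith("//")
    parts = urlsplit(next_param)
    # "https://app.example@sandbox.example/" has userinfo, not a trusted host.
    if parts.username or parts.password:
        return False
    return origin_of(next_param) in ALLOWED_REDIRECT_ORIGINS


def redirect_decisions(candidates: List[str]) -> List[bool]:
    """Evaluate a batch of constructed candidate values."""
    return [is_safe_next(c) for c in candidates]


if __name__ == "__main__":
    # Constructed sample values
    print(same_origin("https://sandbox.example/captcha-frame",
                      "https://sandbox.example/uploads/x.html"))  # True: one origin
    for value in ["/account/settings", "https://app.example/account",
                  "//sandbox.example/", "https://sandbox.example/uploads/x.html",
                  "https://app.example@sandbox.example/", "http://app.example/"]:
        print(f"{value!r}: {'allow' if is_safe_next(value) else 'reject'}")
```

The design choice worth noting is that `is_safe_next` never rewrites a bad value into a good one; a value that fails validation is dropped and the flow falls back to a fixed default, which removes the whole class of parser-differential bypasses.
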
Insights:

The issue was reported to Facebook and was reportedly fixed in February. Although the takeover relies on multiple bugs, the major ones in the researcher’s report are behaviours that exist by design: the XSS on the Facebook sandbox domain and another bug that enables sharing of sensitive information with this sandbox domain.

According to the researcher, exploitation was carried out only against Facebook users who signed up with a Gmail account, which uses an OAuth mechanism to authenticate users to Facebook. However, the researcher notes that it was possible to target all Facebook users.

Vulnerabilities and Exploits – Researchers Warn of Hackers Targeting Zyxel Vulnerability

  • Attack Type: Vulnerabilities & Exploits, RCE, OS Command Injection
  • Target Technology: Zyxel Firewalls
  • Vulnerability: CVE-2022-30525 (CVSS base score: 9.8)
  • Vulnerability Type: Command Injection

Summary:

Several researchers, including the NSA, are warning about a widespread critical vulnerability in Zyxel’s firewall product line that is being exploited by attackers. Starting on May 13, one of the researchers reported seeing exploitation attempts. The vulnerability is an OS command injection flaw affecting Zyxel firewalls that support Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and USG FLEX series. An attacker who successfully exploits it could modify specific files and then execute OS commands on the vulnerable device.

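An added example, not Zyxel’s code and not from the advisory, showing the shape of the bug class described above (untrusted provisioning input spliced into a shell command line) next to a hardened handler that validates the value against a strict allow-list and passes it as a single argv element without a shell. The handler, the “ntp_server” parameter and the stand-in utility are all constructed for illustration and are not the real Zyxel ZTP interface.

```python
"""OS command injection: vulnerable handler beside its hardened form (added example)."""
import re
import shlex
import subprocess
import sys

# Constructed stand-in for a system utility that prints its first argument.
# Using the Python interpreter keeps the demo self-contained.
_UTILITY = [sys.executable, "-c", "import sys; print('server=' + sys.argv[1])"]

# Strict allow-list for a hostname-like value: letters, digits, dots, hyphens.
# Anything a shell could interpret (; | & $ ` quotes, whitespace) cannot match.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def render_vulnerable_command(ntp_server: str) -> str:
    """Builds the command the way the bug class does: the untrusted value is
    concatenated into a string that /bin/sh will parse."""
    return " ".join(shlex.quote(p) for p in _UTILITY) + " " + ntp_server


def run_vulnerable(ntp_server: str) -> str:
    """shell=True hands the string to /bin/sh, so a ';' in the value starts a
    second command. Returns captured stdout."""
    result = subprocess.run(render_vulnerable_command(ntp_server),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def is_valid_hostname(value: str) -> bool:
    return _HOSTNAME_RE.fullmatch(value) is not None


def validate_hostname(value: str) -> str:
    """Reject rather than sanitise: a value that fails the allow-list is an error."""
    if not is_valid_hostname(value):
        raise ValueError(f"invalid hostname value: {value!r}")
    return value


def build_safe_argv(ntp_server: str) -> list:
    """The validated value becomes one argv element; no shell ever sees it."""
    return _UTILITY + [validate_hostname(ntp_server)]


def run_safe(ntp_server: str) -> str:
    result = subprocess.run(build_safe_argv(ntp_server),
                            shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    benign = "ntp.example.net"
    # Constructed injection sample: a second command appended after ';'.
    hostile = "ntp.example.net; echo INJECTED"
    print(run_vulnerable(benign), end="")   # server=ntp.example.net
    print(run_vulnerable(hostile), end="")  # server=ntp.example.net, then INJECTED
    print(run_safe(benign), end="")         # server=ntp.example.net
    try:
        run_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Two points generalise beyond this toy: validation is an allow-list on the expected shape of the value, not a deny-list of shell metacharacters, and the fix is structural (argv without a shell), so a future change to the allow-list cannot reintroduce the injection.
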
Insights:

Zyxel patched the vulnerability in April after the disclosure; however, various researchers have since reported it being exploited in the wild. Researchers have observed approximately 20,800 Zyxel firewall models exposed to the internet that may be affected by this vulnerability. The majority of these reside in Europe, in France (4.5K) and Italy (4.4K).

The researcher who originally discovered the issue and notified Zyxel was fairly critical of how the vendor handled it. Zyxel patched the issue without publishing an associated CVE, despite the researcher proposing coordinated disclosure. Releasing the patch is more or less equivalent to releasing details of the vulnerability, since it is fairly trivial for attackers to reverse the patch and learn the precise exploitation details.