Key Intelligence Signals:
Suspected Threat Actors: UNC4191
Summary:
In recent observations revealed a new threat actor named UNC4191 running a cyber espionage campaign against the Philippines’ public and private entities. The target organizations are spread across the US, Europe, and APJ. However, their primary target is Southeast Asia. Most of the specific systems targeted were found to be physically established in the Philippines.
Initially, the threat actor infected via USB devices. The malware self-replicates by infecting new removable drives that are plugged into an infected machine, allowing the malicious payloads to spread to additional systems and with a job to collect data. The overall combination of more than two malware come into play. The first of the three malware files are responsible for side-loading a malicious file that impersonates a legitimate dynamic link library (DLL) and launching an encrypted file. The second phase of the attack involves Darkdew, an encrypted DLL payload that can infect removable drives to enable self-propagation. Finally, Bluehaze executes to achieve system persistence.
A successful breach led to the installation of a renamed NCAT binary and the execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor.
The operation led by UNC4191 reveals China’s interest in maintaining access to public and private entities and gathering intelligence from cyber espionage.
Insights:
The campaign started late in 2021, however, the campaign recently came under the radar of security researchers.
The threat actor leveraged legitimately signed binaries to side-load malware, including three new families: MISTCLOAK, DARKDEW, and BLUEHAZE. Upon Successful compromise, the BLUEHAZE deploys NCAT to create a reverse shell to a hardcoded C2.
According to a new defense strategy released by the US Department of Defense (DoD), this November, Defense agencies have five years to convert their networks to architectures that continually check to make sure no one’s accessing confidential data, the so-called zero trust principle. This shift is the main theme of the Pentagon’s new five-year plan to harden its cyber defenses against potential attacks. In the preface of the document, DoD posts that American adversaries are “in our networks, exfiltrating our data, and exploiting the Department’s users”. The strategy and roadmap expect DoD to start piloting zero trust principles with cloud computing, to begin a long-term journey of trustworthiness. However, some research criticizes the Pentagon’s reliance on private companies in the field of cloud computing, which might be vulnerable to cyber espionage.
At least one key EU port with a LNG terminal crucial for energy imports has recently reported Russian cyber-reconnaissance activity. According to Dutch media, Russian military intelligence-linked groups Xenotime and Kamacite have probably engaged in reconnaissance of liquid natural gas terminals in the Netherlands. Both actors have a history of attacking the energy industry and critical infrastructure. CYFIRMA has been warning about the increasing likelihood of attacks on these two sectors and most researchers are now in consensus that LNG terminals are a prime target and a massive cyber-attack against critical infrastructure in Europe, it’s only a question of time and severity/modus operandi. Dutch media report that signals of preparation activity have been spotted in the systems of Gasunie’s LNG terminal in Rotterdam’s port of Eemshaven. The Netherlands is a major hydrocarbon energy hub in Europe and hosts one of the most important commodities exchanges in the world.
Power Plant Services LLC Impacted by BianLian Ransomware
Summary:
From the External Threat Landscape Management (ETLM) Perspective CYFIRMA observed Power Plant Services LLC – offers customers an extensive range of parts manufacturing, which extends into Pulp & Paper, Refineries, and Steel Mill industries along with core markets of Power Generation, Utilities, and related industrial sectors – being impacted by the BianLian ransomware group. The ransomware group claimed Power Plant Services LLC (www[.]ppsvcs[.]com) as one of their victims by disclosing the update on their dedicated leak site. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. As per the claims, files and documents relating to business and personal data have been exfiltrated.
Insights:
BianLian ransomware operators usually leverage email spam, malicious attachments, fake downloads, and drive-by downloads as initial infection vectors and use double extortion in their attacks to extort the ransom.
This ransomware was written in the “Go” programming language, which has recently been popular among threat actors due to its cross-platform functionalities and the fact that it makes reverse engineering more difficult.
BianLian ransomware separates the file content into 10 bytes chunks for encryption. First, it reads 10 bytes from the original file, then encrypts the bytes and writes the encrypted data into the target file. Dividing the data into small chunks is a method to evade detection by security products.
It has targeted the following industries: professional services, manufacturing, healthcare, energy, media, banks, and education. BianLian ransomware is targeting businesses all over the world. However, 75% of victim organizations are from the United States, the United Kingdom, and Australia.