Weekly Intelligence Report – 05 Aug 2022

<h3>Threat Actor in Focus – Charming Kitten APT Adds New TTPs</h3>
<ul>
<li><strong>Attack Type:</strong> Malware Implant, Data Exfiltration, Remote Template Injection</li>
<li><strong>Objective:</strong> Data Theft, Payload Delivery</li>
<li><strong>Target Technology:</strong> Email, Telegram Accounts, Microsoft Word, Windows</li>
<li><strong>Target Geography:</strong> Iran</li>
<li><strong>Business Impact:</strong> Data Loss, Financial Loss</li>
</ul>

Operational security (OPSEC) mistakes by the Iran-based threat actor group Charming Kitten led researchers to discover multiple new tools. These tools were used by Charming Kitten in late 2021, and one of them was used to exfiltrate data from targeted Telegram accounts. By analyzing an open directory exposed on the group's server, the researchers found seven sets of victim data: six were the output of the Telegram ‘grabber’ tool and one is suspected to be PINEFLOWER malware, also attributed to Yellow Garuda. From the filenames of the archives found on the server, the researchers deduced that the activity took place between 7 September and 11 October 2021 and that some of the targets were associates of each other.

Based on a previously leaked organizational chart related to Iran’s Islamic Revolutionary Guard Corps (IRGC), researchers assess that the threat actor group is likely an associate of the IRGC.

In addition, from March 2022 the threat actor group was also found leveraging macro-enabled Word document templates to propagate malware, a tactic not previously associated with Charming Kitten. A variety of lures were observed in these documents, with themes ranging from nuclear energy and weapons related to Turkey, to U.S. shipping ports, to Iran’s relationship with the Taliban. When enabled, the malicious macros dropped the PowerShell backdoor known as CharmPower.

According to researchers, Charming Kitten has continued to improve its arsenal over the past year. With macro-enabled template files, the group stages various parts of the infection chain remotely, which disrupts defenders' analysis attempts because the malicious content is not present in the document itself. At the same time, the group continued to make OPSEC mistakes, exposed its tools, and leveraged open servers for its attacks.

<h3>Latest Cyber-Attacks, Incidents, and Breaches – Microsoft Email Services Targeted in Large-Scale AiTM Attack</h3>
<ul>
<li><strong>Attack Type:</strong> Phishing, Adversary-in-the-Middle (AiTM), Business Email Compromise (BEC)</li>
<li><strong>Objective:</strong> Data Theft, Unauthorized Access</li>
<li><strong>Target Industry:</strong> FinTech, Lending, Finance, Insurance, Accounting, Energy, and Federal Credit Union</li>
<li><strong>Target Technology:</strong> Microsoft’s Email Services</li>
<li><strong>Target Geography:</strong> United States, United Kingdom, New Zealand, and Australia.</li>
<li><strong>Business Impact:</strong> Data Loss, Financial Loss</li>
</ul>

Researchers have recently discovered a new strain of large-scale phishing campaign that uses AiTM techniques alongside various evasion tactics. In June 2022, researchers observed increased use of advanced phishing kits and identified several newly registered domains used in a credential-stealing phishing campaign. According to researchers, enterprise users of Microsoft’s email services are the primary targets of this campaign.

The attack starts by sending a phishing email to potential victims containing a malicious link. The campaign is said to be active and attackers are registering new phishing domains almost every day.

In some of the cases observed by researchers, attackers compromised the business email accounts of executives and used those accounts to send further phishing emails as part of the same campaign.

Attackers used custom proxy-based phishing kits that are capable of bypassing multi-factor authentication (MFA): the kit relays the victim's credentials and MFA response to the real login service and captures the resulting session cookie. Various cloaking and browser fingerprinting techniques, as well as numerous URL redirection methods, were also leveraged to bypass URL analysis by security solutions. The attackers also abused legitimate online code editing services such as CodeSandbox and Glitch.

As per researchers, this campaign stands out from commonly observed phishing attacks. Attackers used the AiTM attack technique that can bypass MFA security controls. The attacker also employed multiple evasion techniques during various phases of the attack to overcome conventional email security and network security solutions.

Microsoft reported a similar large-scale phishing campaign last month that also used a similar AiTM attack technique.

These incidents highlight that BEC continues to be a top threat to organizations. A recent FBI report revealed that losses from BEC and Email Account Compromise (EAC) surpassed USD 43 billion globally for incidents between June 2016 and December 2021. Attackers are constantly updating their TTPs to bypass security measures, and the use of advanced phishing kits and clever evasion techniques allows them to fool not only traditional but also advanced security solutions.
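Because an AiTM kit satisfies MFA on the victim's behalf and then replays the captured session, the defender's signal is the session being used from an address other than the one that completed MFA. The following added example (not code from the report or from the researchers it cites) runs that rule over a handful of constructed sign-in records; the field names and addresses are assumptions, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records (not real logs): session S1 completes MFA interactively
# from one address and is then used non-interactively from another; S2 is benign.
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T09:00:00Z", "user": "cfo@corp.example", "session": "S1",
     "ip": "203.0.113.10", "mfa": True, "interactive": True},
    {"ts": "2022-08-01T09:02:00Z", "user": "cfo@corp.example", "session": "S1",
     "ip": "198.51.100.7", "mfa": False, "interactive": False},
    {"ts": "2022-08-01T09:03:00Z", "user": "cfo@corp.example", "session": "S1",
     "ip": "198.51.100.7", "mfa": False, "interactive": False},
    {"ts": "2022-08-01T10:00:00Z", "user": "clerk@corp.example", "session": "S2",
     "ip": "203.0.113.22", "mfa": True, "interactive": True},
    {"ts": "2022-08-01T10:30:00Z", "user": "clerk@corp.example", "session": "S2",
     "ip": "203.0.113.22", "mfa": False, "interactive": False},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_session_reuse(events, window_minutes: int = 60):
    """Flag sessions reused from an IP other than the one that passed MFA, within the window."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        # The interactive MFA sign-in is the anchor; with AiTM this is the proxy's address.
        mfa_ev = next((e for e in evs if e["mfa"] and e["interactive"]), None)
        if mfa_ev is None:
            continue
        t0 = _parse_ts(mfa_ev["ts"])
        foreign = set()
        for e in evs:
            age = (_parse_ts(e["ts"]) - t0).total_seconds()
            if e["ip"] != mfa_ev["ip"] and 0 <= age <= window_minutes * 60:
                foreign.add(e["ip"])
        if foreign:
            alerts.append({"user": mfa_ev["user"], "session": sid,
                           "mfa_ip": mfa_ev["ip"], "reuse_ips": sorted(foreign)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

In production, compare autonomous systems rather than raw IPs to tolerate mobile clients, and pair the alert with a session-revocation playbook, since the password alone is not what the attacker holds.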

<h3>Vulnerabilities and Exploits – VMware Critical Authentication Bypass Bug</h3>
<ul>
<li><strong>Attack Type:</strong> Vulnerabilities &amp; Exploits, Authentication Bypass, RCE, Privilege Escalation</li>
<li><strong>Target Technology:</strong> VMware Workspace ONE Access, Identity Manager, and vRealize Automation</li>
<li><strong>Vulnerability:</strong> CVE-2022-31656 (CVSS Base Score: 9.8)</li>
<li><strong>Vulnerability Type:</strong> Authentication Bypass</li>
<li><strong>Impact:</strong> Confidentiality (High), Integrity (High), Availability (High)</li>
</ul>

VMware is warning administrators to patch a critical authentication bypass flaw that affects domain users in several of its products. The flaw enables an attacker to bypass authentication and gain admin privileges. The bug was reported by a researcher who also found that it impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation. VMware urges defenders to patch or mitigate these issues in on-premises deployments and to implement emergency changes under ITIL change-management methodologies.

Every organization's environment is different, and tolerance to risk, security controls, and approaches to mitigating risk also differ from one organization to another. However, given the critical severity of this vulnerability, the advisory strongly recommends immediate action.

A temporary workaround has also been made available for customers who cannot immediately patch their systems against CVE-2022-31656. However, VMware does not recommend the workaround and states that applying patches to the vulnerable products is the only way to fully address the vulnerability.