Weekly Intelligence Report – 14 Oct 2022

Threat Actor in Focus – Mustang Panda Target Myanmarese Users by Abusing Legitimate Apps

Suspected Threat Actors: Mustang Panda

  • Attack Type: Malware Implants, Impersonations, Potential Phishing, DLL-side Loading
  • Objective: Unauthorized Access, Payload Delivery, Potential Data Theft
  • Target Technology: Email
  • Targeted Industry: Media
  • Target Geography: Myanmar
  • Business Impact: Data Loss, Potential Financial Loss

Summary:
Researchers have recently found a campaign by the China-based APT group Mustang Panda that leverages the PlugX malware family to target Myanmar-based users. While analyzing the samples, the researchers found, within the embedded configuration, C2 domains that impersonated Myanmar news outlets. This is not the first time a campaign targeting Myanmar has impersonated its news outlets or used the PlugX malware. Based on TTPs and other supporting evidence, including previous activities, the researchers assess that the China-based threat group known as Mustang Panda is behind this campaign.

In late May this year, researchers identified unusual network traffic to the domain www[.]myanmarnewsonline[.]org which appeared similar to a Myanmar news website.

The files communicating with the domain had a low detection ratio on VirusTotal and followed a naming convention that made them look like legitimate utilities relating to Hewlett-Packard (HP) printers. The files contained a legitimate signed utility from HP, alongside a DLL loader and a DAT file holding an encrypted PlugX payload. This is the classic DLL side-loading triad: the signed executable loads the attacker's DLL from its own directory in place of the library it expects, and that loader then decrypts and runs the payload from the DAT file, so the malicious code executes under the identity of a trusted, signed binary.
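The following hunt illustrates how the triad described above can be surfaced from endpoint image-load telemetry. It is an added example and not code from the original report or from the researchers it cites; the event fields are modelled loosely on Sysmon Event ID 7 (ImageLoaded, with signature status), and the directory listings, file names and paths are constructed placeholders, not indicators from this campaign.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Install roots where a signed vendor utility normally lives; a copy of the same
# utility running from anywhere else (user profile, temp, public share) is suspect.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (fields modelled loosely on Sysmon Event ID 7)."""
    process_image: str    # full path of the running executable
    process_signed: bool  # executable carries a valid Authenticode signature
    image_loaded: str     # full path of the DLL mapped into the process
    dll_signed: bool      # DLL carries a valid Authenticode signature


def in_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_triad(ev: ImageLoad, listing: dict[str, set[str]]) -> bool:
    """True when a signed executable running outside a trusted install root loads
    an unsigned DLL from its own directory, and that directory also contains a
    .dat file (the encrypted payload in the triad described above)."""
    if not ev.process_signed or ev.dll_signed:
        return False
    if in_trusted_root(ev.process_image):
        return False
    exe_dir = str(PureWindowsPath(ev.process_image).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
    if exe_dir != dll_dir:
        return False
    siblings = listing.get(exe_dir, set())
    return any(name.lower().endswith(".dat") for name in siblings)


def hunt(events: list[ImageLoad], listing: dict[str, set[str]]) -> list[ImageLoad]:
    return [ev for ev in events if is_sideload_triad(ev, listing)]


# Constructed sample data: directory listings keyed by lower-cased directory path.
# File names are illustrative placeholders, not indicators from the report.
SAMPLE_LISTING = {
    r"c:\users\public\hpprint": {"printutil.exe", "printhelper.dll", "printutil.dat"},
    r"c:\program files\vendor\printutil": {"printutil.exe", "printhelper.dll"},
    r"c:\users\alice\appdata\local\temp": {"dropper.exe", "stage.dll", "stage.dat"},
}

SAMPLE_EVENTS = [
    # 1. signed utility copied to a public folder loads an unsigned DLL next to a .dat -> hit
    ImageLoad(r"C:\Users\Public\hpprint\printutil.exe", True,
              r"C:\Users\Public\hpprint\printhelper.dll", False),
    # 2. same utility in its vendor install directory -> treated as benign
    ImageLoad(r"C:\Program Files\Vendor\printutil\printutil.exe", True,
              r"C:\Program Files\Vendor\printutil\printhelper.dll", False),
    # 3. the suspicious copy also loads a signed system DLL -> not a side-load
    ImageLoad(r"C:\Users\Public\hpprint\printutil.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # 4. unsigned dropper with unsigned DLL and .dat -> not this pattern (no abused signed binary)
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\dropper.exe", False,
              r"C:\Users\alice\AppData\Local\Temp\stage.dll", False),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, SAMPLE_LISTING):
        print(f"possible side-loading triad: {hit.process_image} -> {hit.image_loaded}")
```

Two caveats when turning this into a production rule: the signature flags are only as good as the telemetry's own Authenticode verification, and the trusted-root exclusion is a tuning knob rather than a guarantee, since an intruder with write access to a vendor directory can drop the triad there. The `.dat` suffix matches the artifacts in this campaign; other PlugX deployments have used different extensions for the encrypted payload.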

In June, a separate researcher shared on Twitter another such file, linked to images[.]myanmarnewsonline[.]org, a sub-domain of the above-mentioned domain, which was found to be associated with PlugX and the Mustang Panda APT group.

Insights:
The Mustang Panda APT group has a long history of using the PlugX malware, and its targets include nations throughout the South-East Asian region. The same group has previously carried out a campaign targeting Myanmar government entities using custom lures, and compromised the website of the office of Myanmar’s President.

Major Geopolitical Developments in Cybersecurity

Russian Group Attacks US State Governments

Killnet, a Russian hacktivist group suspected by researchers of acting at the behest of the Kremlin, has brought down some US state government services. The states targeted in this campaign include Kentucky, Colorado, and Mississippi. One of the services disrupted in the attack was Kentucky’s Board of Elections. However, according to preliminary reports the attacks do not seem to have risen above nuisance level, and no sensitive data appear to have been compromised.

While some services were rendered unavailable by a DDoS attack, other websites were defaced in low-grade vandalism attacks, with pictures of the Statue of Liberty in front of a scene of an atomic bombing, embellished with vulgar threats towards NATO.

Killnet, the group that took responsibility for the attack, has also recently attacked the websites of several major US airports, including Atlanta, Chicago, Los Angeles, New York, Phoenix, and St Louis. These attacks took the form of simple DDoS attacks, knocking the websites temporarily offline and causing inconvenience. They affected only the public-facing websites of the airports, which supply flight and services information, and did not hinder core airport functions.

Since the start of the war waged by Russia in Ukraine, Killnet has also claimed responsibility for similar cyberattacks against government and corporate websites in the Baltic countries (mainly Lithuania and Estonia), Romania, and Japan.

The World’s Largest Insurance Marketplace Investigates Suspected Cyberattack

Lloyd’s of London, the biggest insurance marketplace in the world, believes its networks may have been targeted by a cyberattack after unusual activity was detected. Researchers have not been able to provide any attribution yet, but the company is among the prominent supporters of sanctions against Russia during the present war. It is also a major hub for maritime shipping insurance, which Ukraine needs for its grain exports. From a geopolitical point of view, this would make Lloyd’s a prime target for Russian APTs. As of October 10, no leakage of sensitive data has been confirmed.

NSA, FBI & CISA Warn about Chinese State Actors Leveraging Common Vulnerabilities and Exposures

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. According to the advisory, Chinese state-backed hackers have been actively targeting U.S. and allied networks, as well as companies across a large set of industries, mainly in information technology (including telecommunications providers), the defense industry, energy, and other critical infrastructure organizations, to steal intellectual property and develop access into sensitive networks. The list of CVEs includes vulnerabilities in Apache Log4j, Microsoft Exchange, the Hikvision web server, and Apache HTTP Server. CYFIRMA has provided early warning on these vulnerabilities to its clients in the past.

Rise in Malware/Ransomware and Phishing

Matrix Networks Impacted by LockBit Ransomware

  • Attack Type: Ransomware, Data Exfiltration
  • Target Industry: IT Services
  • Target Geography: India
  • Ransomware: LockBit
  • Objective: Financial Gains, Data Theft, Data Encryption
  • Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Matrix Networks (mtrx.com), a company dealing in business technology support solutions, being impacted by the LockBit ransomware group. The ransomware group claimed Matrix Networks as one of its victims by posting the update on its dedicated leak site on 12 October 2022 at 04:09 UTC. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. At the time of CTI’s observation, the ransomware group had set a deadline of 19 October 2022 04:09:41 UTC and demanded a ransom of USD 35,000.

Insights:

  • The LockBit ransomware group has recently released its LockBit 3.0 variant, and the operation also introduced a few tweaks to its dedicated leak site, including a bug bounty program. The dedicated leak site now also shows what appears to be the ransom amount demanded from the victim alongside the familiar countdown timer. As the timer approaches zero, the ransom amount decreases for some of the victims, and if no ransom is paid the exfiltrated data is leaked. The group has also added support for the Zcash cryptocurrency as a payment option. Researchers indicate that LockBit 3.0 appears to be inspired by another ransomware known as BlackMatter (a rebrand of DarkSide), stating that “large portions of the code are ripped straight from BlackMatter/Darkside.”
  • Recently a LockBit public-facing figure announced that the ransomware group is exploring DDoS as a triple extortion tactic on top of encrypting and leaking exfiltrated data. The move came shortly after the group’s DLS went offline due to a DDoS attack, for which LockBit blamed its latest victim at that time, a prominent software company. While this is not new for ransomware gangs, as DDoS has already been used by other groups as a triple extortion tactic to make victims meet their demands, a troublesome factor is the recent hype around the politically motivated DDoS attacks of a couple of months ago spearheaded by groups like Killnet. Although the tangible outcomes and effects of Killnet’s activity have remained negligible, DDoS has gained popularity as a means of holding organizations hostage or coercing them to comply by threatening an attack. LockBit, as one of the prominent players in the ransomware ecosystem, would not only open a new business avenue for DDoS providers within the cybercriminal underground but may also incite other ransomware gangs to follow suit.