Weekly Intelligence Report – 19 Aug 2022

Published On : 2022-08-19
Threat Actor in Focus – Russian Linked Shuckworm Continues to Maintain Focus on Ukraine

Suspected Threat Actors: Shuckworm (aka Gamaredon, Armageddon)

  • Attack Type: Malware Implant, Data Exfiltration, Potential Espionage, Spoofing, Potential Impersonation
  • Objective: Data Theft, Payload Delivery
  • Target Technology: Email, Windows
  • Target Geography: Ukraine
  • Business Impact: Data Loss, Financial Loss

Summary:
Researchers observed that recent Shuckworm activity is delivering info-stealing malware targeting Ukrainian organizations. As of 8 August 2022, the activity is said to be ongoing and consistent with activity revealed by CERT-UA (the Computer Emergency Response Team of Ukraine) on July 26.

The suspicious file was downloaded from a domain that has been publicly documented since May 2022, is associated with Shuckworm, and is also mentioned in CERT-UA’s July 26 publication on Shuckworm activity.

During the attack chain, a downloaded XML file led to the execution of a PowerShell stealer. Researchers observed three versions of this same stealer being deployed on one system in an attempt to evade detection.

Multiple filenames observed in this activity were traced back by researchers to known Shuckworm malware, including Backdoor.Pterodo and the Giddome backdoor, both well-known Shuckworm tools.

The backdoor deployed on the victim’s system was observed to have capabilities including recording audio through the microphone, capturing screenshots and keystrokes and uploading them to a remote location, downloading and executing .exe files, and downloading and loading DLL files.

The threat actors also leveraged remote access tools Ammyy Admin and AnyDesk.

Insights:

  • The Shuckworm threat actor group is considered to be a Russian-linked state-sponsored group that often carries out espionage operations. The activity of this threat actor group has almost exclusively been focused on Ukrainian targets since its appearance in 2014.
  • The current activity and previously reported public activities draw a pattern in its operations, especially the filename nomenclature they follow for files leveraged in its attacks.
  • Researchers assess that Shuckworm is not a tactically sophisticated threat actor group, but it overcomes this limitation by being focused and relentlessly persistent. In addition, despite being publicly documented, the group remains undeterred and continues to carry out its activities.
  • As the Russian invasion of Ukraine reaches the half-year mark, and given Shuckworm’s traits and long-standing focus on Ukraine, its activities are unlikely to come to a halt.

Latest Cyber-Attacks, Incidents, and Breaches – Signal Users’ Phone Numbers Exposed in Twilio Breach

  • Attack Type: Data Breach, Social Engineering, Smishing, Impersonation
  • Objective: Data Theft, Unauthorized Access
  • Target Technology: Instant Messaging
  • Target Industry: IT Services
  • Target Geography: Global
  • Business Impact: Data Loss, Financial Loss

Summary:
Approximately 1,900 Signal users’ phone numbers have been exposed in the Twilio data breach that took place at the start of this month. Twilio, a cloud communication service provider that allows users to register digital phone numbers for services such as Signal, released an incident report in the first week of this month stating that employee and customer accounts had been compromised.

Signal released an advisory informing its users who were affected by the Twilio incident. As per the advisory, private information such as message history, contact lists, profile information, and other personal information is not affected. However, the exposed phone numbers of 1,900 Signal user accounts are at risk of being re-registered on a different device, with one confirmed instance of this being done successfully. An attacker re-registering the account on a different device would still not be able to access the private information, as it stays only on the device with no copy being stored on the server. It would, however, allow an attacker to “send and receive messages from that phone number on Signal.” Signal is going to unregister all 1,900 affected users on all devices, including the ones registered by attackers, and require them to register again.

Insights:

  • Last week in its incident report, Twilio revealed that its employees were targeted in a text-based phishing attack. Purporting to be from Twilio’s IT department, these messages were themed around the “password expiry” and contained an attacker-controlled URL.
  • Twilio also points out that other (undisclosed) companies have been subject to similar attacks.
  • While no specific threat actor group(s) have been linked to the attack, Twilio’s investigation leads it to believe that the threat actor(s) behind this attack are “well-organized, sophisticated and methodical in their actions.”

Vulnerabilities and Exploits – DogWalk Has been Exploited – Microsoft

  • Attack Type: Vulnerabilities & Exploits, RCE, Phishing, Web-based Attack, Path Traversal, Potential Insider Threat
  • Target Technology: Windows 10, Windows 11, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server version 20H2 (Server Core Installation)
  • Vulnerability: CVE-2022-34713 (CVSS Base Score: 7.8)
  • Vulnerability Type: Path Traversal
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary:
Microsoft has recently patched the high-severity Windows zero-day vulnerability tracked as CVE-2022-34713 and informally known as DogWalk, for which public exploit code is available. The vulnerability exists due to a path traversal issue in the Microsoft Windows Support Diagnostic Tool (MSDT) that, when exploited, allows attackers to gain RCE on affected systems. According to Microsoft, attempts to exploit this vulnerability have been detected.

As per Microsoft, a specially crafted file delivered either in a phishing email or through a web-based attack is a requirement to exploit this vulnerability.

The vulnerability had to wait almost three years to receive a patch. It was originally reported to Microsoft by a researcher on December 22, 2019; six months later, Microsoft did not consider it a vulnerability and declined a fix, stating that the attacker has “to create what amounts to a virus, convince a user to download the virus, and then run it.” Microsoft further responded to the researcher that “No security boundaries are being bypassed, the PoC does not escalate permissions in any way, or do anything the user could not do already.”

It was only after the discovery of an actively exploited bug known as Follina (CVE-2022-30190), another zero-day bug affecting MSDT, that Microsoft re-assessed CVE-2022-34713 and found it eligible for a patch, after the issue was again brought to the spotlight.