Suspected Threat Actors: Shuckworm (aka Gamaredon, Armageddon)
Researchers observed that recent Shuckworm activity is delivering info-stealing malware targeting Ukrainian organizations. As of 8 August 2022, the activity is said to be ongoing and consistent with activity revealed by CERT-UA (Computer Emergency Response Team of Ukraine) on July 26.
The suspicious file was downloaded from a domain that has been publicly documented as associated with Shuckworm since May 2022 and is also mentioned in CERT-UA’s July 26 publication on Shuckworm activity.
During the attack chain, a downloaded XML file led to the execution of a PowerShell stealer. Researchers observed three versions of this same stealer being deployed on one system in an attempt to evade detection.
Researchers traced multiple filenames observed in this activity back to well-known Shuckworm tools, including Backdoor.Pterodo and the Giddome backdoor.
The backdoor deployed on the victim’s system was observed to have capabilities including recording audio through the microphone, capturing screenshots and keystrokes, uploading that data to a remote location, and downloading and executing .exe files or downloading and loading DLL files.
The threat actors also leveraged remote access tools Ammyy Admin and AnyDesk.
Approximately 1,900 Signal users’ phone numbers were exposed in the Twilio data breach that took place at the start of this month. Twilio, a cloud communication service provider that allows users to register digital phone numbers for services such as Signal, released an incident report in the first week of this month stating that employee and customer accounts had been compromised.
Signal released an advisory informing users who were affected by the Twilio incident. As per the advisory, private information such as message history, contact lists, profile information, and other personal information is not affected. However, the exposed phone numbers of the 1,900 Signal user accounts are at risk of being re-registered on a different device, with one confirmed instance of this succeeding. An attacker who re-registers the account on a different device would still not be able to access the private information, as it stays only on the original device and no copy is stored on the server. This would, however, allow an attacker to “send and receive messages from that phone number on Signal.” Signal is going to unregister all 1,900 affected users on all devices, including the ones registered by attackers, and require them to register again.
Microsoft has recently patched the high-severity Windows zero-day vulnerability tracked as CVE-2022-34713 and informally known as DogWalk, for which public exploit code is available. The vulnerability exists due to a path traversal issue in the Windows Support Diagnostic Tool (MSDT) that, when exploited, allows attackers to gain RCE on affected systems. According to Microsoft, attempts to exploit this vulnerability have been detected.
As per Microsoft, a specially crafted file delivered either in a phishing email or through a web-based attack is a requirement to exploit this vulnerability.
The vulnerability had to wait almost three years to receive a patch. It was originally reported to Microsoft by a researcher on December 22, 2019; six months later Microsoft did not consider it a vulnerability and declined to fix it, stating that the attacker has “to create what amounts to a virus, convince a user to download the virus, and then run it.” Microsoft further responded to the researcher that “No security boundaries are being bypassed, the PoC does not escalate permissions in any way, or do anything the user could not do already.”
It was only after the discovery of an actively exploited bug known as Follina (CVE-2022-30190), another zero-day bug affecting MSDT, that the issue was again brought to the spotlight and Microsoft re-assessed CVE-2022-34713 and found it eligible for a patch.
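The DogWalk item above describes a path traversal bug in a tool that unpacks files. The following is an added example, not code from this page, from Microsoft, or from MSDT, showing the defensive check that the class of bug lacks: an extraction routine that rejects any archive entry whose path would land outside the chosen extraction directory. The archive contents, the entry names (one benign file and two traversal attempts, one using forward slashes and one using Windows-style backslashes), and the helper names is_safe_member, safe_extract and demo are all constructed for this example.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple


def is_safe_member(name: str) -> bool:
    """Return True if an archive member name cannot escape the extraction root.

    Rejects empty names, absolute paths, drive-letter prefixes, and any name
    that still contains a '..' component after normalisation. Backslashes are
    treated as separators because the archive may have been built on Windows.
    """
    normalised = name.replace("\\", "/")
    if normalised == "" or normalised.startswith("/"):
        return False
    if ":" in normalised.split("/")[0]:  # e.g. "C:/..." on Windows
        return False
    parts = posixpath.normpath(normalised).split("/")
    return ".." not in parts


def safe_extract(archive_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract archive_bytes into dest, returning (extracted, rejected) names.

    Two independent checks are applied to each member: the lexical check in
    is_safe_member, and a filesystem check that the resolved target path is
    still underneath the resolved destination directory.
    """
    extracted: List[str] = []
    rejected: List[str] = []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            inside_root = os.path.commonpath([root, target]) == root
            if not is_safe_member(name) or not inside_root:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if not name.endswith("/"):  # skip directory entries
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.txt", "benign content")
        zf.writestr("../../outside.txt", "would escape the extraction root")
        zf.writestr("..\\..\\outside_win.txt", "same trick with backslashes")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    """Run safe_extract on the sample archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        return safe_extract(build_sample_archive(), workdir)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Both checks are kept on purpose: the lexical check catches traversal before anything touches the filesystem, and the realpath comparison catches cases the lexical check cannot see, such as a destination directory that is itself a symlink. The same pattern applies to any component that unpacks attacker-supplied bundles, whether a diagnostic package, a plugin, or an update.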