Weekly Intelligence Report – 21 Oct 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonation, DLL Side-Loading, ACE (Arbitrary Code Execution), OS Command Injection, Data Encryption, Code Execution, DoS (Denial-of-Service)
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – LockBit (LockBit 2.0, LockBit 3.0) | Malware – GamePlayerFramework
    • LockBit – one of the prominent ransomware-as-a-service groups; see the LockBit section below.
    • Please refer to the trending malware advisory for details on the following:
    • Malware – GamePlayerFramework
  • Behavior: Most of these malware families use phishing and social engineering as their initial attack vector. Beyond that, exploitation of vulnerabilities, defence evasion, and persistence tactics are also being observed.

Threat Actor in Focus

Budworm Targets U.S. Organizations

Suspected Threat Actors: Budworm (APT27, LuckyMouse, Bronze Union, TG-3390, Emissary Panda, Group 35, ATK 15, Iron Tiger, Earth Smilodon, Zip Toke)

  • Attack Type: Malware Implants, DLL Side-Loading, Vulnerabilities & Exploits, Potential Data Exfiltration
  • Objective: Espionage, Unauthorized Access, Payload Delivery, Data Theft
  • Target Technology: Log4j, Windows
  • Targeted Industry: Government, Manufacturing, Healthcare
  • Target Geography: US, Middle East, Southeast Asia
  • Business Impact: Data Loss, Loss of Intellectual Property, Potential Financial Loss

Summary:
After a break of roughly six years, the China-linked Budworm APT group has recently been spotted targeting a US-based entity alongside other international targets. Over the past six months, the group has launched strategic attacks on targets that include the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. state legislature.

The toolset used in these attacks includes exploitation of the Log4j vulnerabilities CVE-2021-44228 (Log4Shell) and CVE-2021-45105 to install web shells, with virtual private servers (VPS) from the providers Vultr and Telstra used for command-and-control infrastructure. The group's main payload was the HyperBro malware, typically deployed via DLL side-loading. The attackers also abused the endpoint privilege management software CyberArk Viewfinity, renaming its executable to securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe and v.exe so that it would pass as an innocuous system file.

Other tools used by the attackers in this campaign include:

  • Cobalt Strike
  • LaZagne: a credential-dumping tool
  • IOX: a proxy and port-forwarding tool
  • Fast Reverse Proxy (FRP): a reverse proxy tool
  • Fscan: a publicly available intranet scanning tool
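The renamed Viewfinity binaries described above are a textbook case of masquerading (renaming a legitimate signed tool to look like a Windows component), and the cheapest place to catch it is process-creation telemetry. Sysmon Event ID 1 records both the on-disk Image path and the OriginalFileName taken from the PE version resource, so a plain rename shows up as a mismatch between the two. The following is an added detection sketch, not code from the report or from Symantec/CYFIRMA: the flat "Key=Value|Key=Value" record format, the sample events, the OriginalFileName value "ViewfinityAgent.exe", and the expected System32 location for SecurityHealthService.exe are all assumptions made for the demo.

```python
"""Flag masqueraded executables in Sysmon-style process-creation (Event ID 1) records.

Added example for the Budworm write-up, not the report's own tooling. Sysmon logs
both the on-disk Image path and the OriginalFileName read from the PE version
resource, so a binary that was simply renamed shows a mismatch between the two.
The record layout and the OriginalFileName value "ViewfinityAgent.exe" are
assumptions for the demo, not real CyberArk Viewfinity metadata.
"""
import re
from pathlib import PureWindowsPath

# File names the report says the renamed Viewfinity binary was given.
BUDWORM_RENAMES = {
    "securityhealthservice.exe", "secu.exe", "vfhost.exe",
    "vxhost.exe", "vx.exe", "v.exe",
}

# Where the genuine Windows binary of the same name is expected to live
# (assumption: SecurityHealthService.exe is a System32 component).
EXPECTED_PATHS = {
    "securityhealthservice.exe": r"c:\windows\system32\securityhealthservice.exe",
}

# Constructed sample records in a flat "Key=Value|Key=Value" form. Real Sysmon
# events are XML/EVTX; adapt parse_event() to whatever your pipeline emits.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\SecurityHealthService.exe|OriginalFileName=SecurityHealthService.exe|ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1|Image=C:\ProgramData\secu.exe|OriginalFileName=ViewfinityAgent.exe|ParentImage=C:\Windows\explorer.exe",
    r"EventID=1|Image=C:\Users\Public\SecurityHealthService.exe|OriginalFileName=ViewfinityAgent.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|OriginalFileName=NOTEPAD.EXE|ParentImage=C:\Windows\explorer.exe",
]

FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line):
    """Turn one flat record into a dict of field name -> value."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def classify(event):
    """Return the reasons an event looks like a renamed binary (empty list if clean)."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    reasons = []

    # 1. PE version metadata disagrees with the file name on disk.
    #    Sysmon writes "-" when the resource is missing, so skip that case.
    if original and original not in ("-", "?") and original != name:
        reasons.append(f"OriginalFileName {original!r} != on-disk name {name!r}")

    # A name borrowed from a Windows component is only benign at its real location.
    legit_home = EXPECTED_PATHS.get(name)
    at_legit_home = legit_home is not None and image.lower() == legit_home

    # 2. Name is on the list of lures Budworm used for Viewfinity.
    if name in BUDWORM_RENAMES and not at_legit_home:
        reasons.append("file name matches Budworm Viewfinity rename list")

    # 3. Windows component name, but running from the wrong directory.
    if legit_home and not at_legit_home:
        reasons.append(f"{name} running outside expected path {legit_home}")
    return reasons


def scan(lines):
    """Map each suspicious Image path to its list of reasons."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits[event["Image"]] = reasons
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Two caveats a practitioner should keep in mind: OriginalFileName is attacker-controllable (a rebuilt version resource removes the mismatch), so treat this as a triage signal to pair with Authenticode and hash checks rather than a verdict, and Viewfinity itself is a legitimate CyberArk product, so its presence alone is not an indicator; the rename and the unusual path are.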

Insights:
According to researchers, US organizations were a frequent Budworm target six to eight years ago, but in recent years the group appeared to be focused largely on targets in Asia, the Middle East, and Europe.
The group is known for going after high-value targets and for ambitious operations. This is also not the first time its tooling has been linked to attacks on US organizations: a Cybersecurity and Infrastructure Security Agency (CISA) advisory detailed activity by multiple APT groups that compromised a Defense Industrial Base (DIB) sector organization, and according to that advisory the HyperBro malware was used against the DIB organization in late March 2021.

Major Geopolitical Developments in Cybersecurity

UK Top Cyber Security Official Warns of Chinese Threat

Jeremy Fleming, Director of the Government Communications Headquarters (GCHQ), the main signals intelligence agency in the United Kingdom, gave a rare public talk in which he warned about the threat posed by China's use of information technologies. Mr. Fleming focused on Chinese cyber espionage and noted that British intelligence agencies have observed a great deal of activity from their Chinese counterparts. The relationship between the two countries has grown increasingly rocky, especially over the past two years, and Chinese behavior in cyberspace has contributed to an increasingly hawkish stance in the UK government. While Mr. Fleming downplayed the role of Chinese support in Russia's war in Ukraine despite the proclaimed limitless partnership between Moscow and Beijing, China's formal position has won Beijing few new friends in Europe, and relations between the EU, the UK and China are likely to deteriorate further in the coming months, with potential fallout in cyberspace.

Russia’s Killnet Group Attacks Bulgaria, Russian Military Targets Communication Networks in Ukraine

Killnet, a privateering group that attacks governments and organizations in line with the Kremlin's wishes, has claimed responsibility on its Telegram channel for a recent wave of cyber-attacks on the government of Bulgaria. The group accused Bulgaria of betraying Russia by supporting the Ukrainian government in its struggle to defend the country from Russian aggression. The attacks paralyzed the websites of the Defense Ministry, the Interior Ministry, the Justice Ministry, the Presidential Office, and the Constitutional Court.

In its ongoing campaign against governments perceived as hostile to Russia's interests, Killnet has so far not moved into more sophisticated territory and has mostly relied on distributed denial-of-service (DDoS) operations and website defacements. The criminal enterprise, formerly known mainly for its botnet-for-hire operations, has only recently adopted a more nationalist stance, probably as a result of domestic government coercion. However, the group's criminal background and its newfound Kremlin support suggest that it could soon adapt, receiving funds, personnel and knowledge transfers from government agencies, and pose a more serious threat in the coming months.

Despite ongoing efforts by Russian hackers, the Ukrainian government has been able to keep its internet connectivity and electrical grid running. In response, the Russian military has recently begun a campaign of indiscriminate bombing of civilian infrastructure, causing large-scale blackouts along with internet and mobile communications disruptions. Internet connectivity dropped 35% below normal levels and large areas were left without power before the Ukrainian government was able to restore the grid and telecommunication networks to normal operation.

FBI Warned the US States and Political Parties of Chinese Activities

The FBI has been alerting state election officials as well as Democratic and Republican Party organizations that they are the subject of increasing malicious activity by Chinese intelligence services. According to the agency, Chinese APTs have been extensively scanning networks belonging to the political parties and to the state-level organizations that administer elections. The FBI has not commented publicly in detail, given the potential impact on international relations; researchers assume the activity is reconnaissance and potential target development.

Rise in Malware/Ransomware and Phishing

Ohmiya Corporation Impacted by LockBit Ransomware

  • Attack Type: RaaS, Data Exfiltration
  • Target Industry: Materials
  • Target Geography: Japan
  • Ransomware: LockBit
  • Objective: Financial Gains, Data Theft
  • Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Ohmiya Corporation (oomiya.co.jp), which deals in chemical materials for surface treatment, sewerage, semiconductor and display use and also sells industrial machinery and electronic parts, being impacted by the LockBit ransomware group. The group claimed Ohmiya as one of its victims by posting an update on its dedicated leak site. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. A screenshot of the leak-site post was observed on the dark web.

Insights:

  • The LockBit ransomware group recently released its LockBit 3.0 variant, and the operation also introduced a few tweaks to its dedicated leak site, including a bug bounty program. The leak site now shows what appears to be the ransom amount demanded from the victim alongside the familiar countdown timer. As the timer approaches zero, the ransom amount decreases for some victims, and if no ransom is paid the exfiltrated data is leaked. The group has also added support for Zcash as a payment option. Researchers indicate that LockBit 3.0 appears to be inspired by the BlackMatter ransomware (a rebrand of DarkSide), stating that "large portions of the code are ripped straight from BlackMatter/Darkside."
  • A LockBit public-facing figure recently announced that the group is exploring DDoS as a triple-extortion tactic on top of encrypting and leaking exfiltrated data. The move came shortly after the group's dedicated leak site (DLS) went offline due to a DDoS attack, which LockBit blamed on its latest victim at the time, a prominent software company. DDoS as a triple-extortion tactic is not new; other ransomware gangs have used it to pressure victims into meeting their demands. A troubling factor, however, is the recent hype around politically motivated DDoS attacks carried out a couple of months ago by groups such as Killnet. Although the tangible effects of Killnet's attacks have been negligible, DDoS has grown in popularity as a means of holding organizations hostage or coercing them into compliance by threatening an attack. LockBit, as one of the prominent players in the ransomware ecosystem, would not only open a new business avenue for DDoS providers in the cybercriminal underground but may also prompt other ransomware gangs to follow suit.