Weekly Intelligence Report – 30 Sep 2022

Threat Actor in Focus – APT41 Cyberattack on Healthcare and Pharmaceuticals Continues

  • Attack Type: Malware Implants, Data Exfiltration, Vulnerabilities & Exploits
  • Objective: Espionage, Payload Delivery, Unauthorized Access, Data Theft
  • Target Technology: Unified Extensible Firmware Interface (UEFI), Web Application, Log4j
  • Targeted Industry: Healthcare, Pharmaceuticals
  • Target Geography: US, Asia
  • Business Impact: Financial Loss, Data Loss, Reputational Damage, Loss of Intellectual Property

A recent report from the Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) highlights that the Chinese state-sponsored threat group APT41 continues to pose a danger to the healthcare sector. The report disclosed the following:

  • Use of MoonBounce, a Unified Extensible Firmware Interface (UEFI) firmware implant, in 2021.
  • Two zero-day attacks were used to exploit the web-based Animal Health Reporting Diagnostic System (USAHERDS) application between May 2021 and February 2022, compromising at least six US state governments. The full list of victims is unknown and investigations are still ongoing. The attackers used the zero-day CVE-2021-44207 and Log4j exploits.
  • Ongoing espionage operations targeting government organizations in Asia, with additional targets in the aerospace, defense, telecom, and IT industries. As per the report, the operations are ongoing and involve the use of info-stealing implants.
  • The long-running threat actor group APT41 has been active since 2012 and targets organizations in healthcare, high-tech, media, pharmaceuticals, retail, software, telecoms, travel services, education, video games, and virtual currencies. The group frequently uses attack methods such as spear phishing, watering holes, supply chain attacks, and malware implants. In particular, malware including BLACK COFFEE, China Chopper, Gh0st RAT, PlugX, and ShadowPad, and tools such as Cobalt Strike and Mimikatz, have been leveraged by APT41 in their attacks.

Major Geopolitical Developments in Cybersecurity

Explosions Hit Two Russia-EU Gas Pipelines

European countries are on high alert after gas leaks started to break out of both branches of the Nord Stream natural gas pipelines in the Baltic Sea. Nord Stream 1 (NS1), which runs 1,200 km under the Baltic from Russia to Germany, previously provided around a quarter of total EU yearly imports of Russian natural gas. The NS1 pipeline has been defunct since summer, when Russia cited technical difficulties in maintenance as the reason for stopping gas deliveries, which experts dismissed as a thinly veiled excuse for using energy flows to Europe as a political weapon to exert pressure on the EU. The Nord Stream 2 (NS2) pipeline was scheduled to become operational earlier this year, but the process was halted by the German government due to Russian aggression in Ukraine. While neither pipeline was delivering gas at the moment the leaks were discovered, both were still full of gas for operational reasons.

Western authorities blamed the leaks on Russian sabotage, and the internet was rife with speculation about cyber-attacks causing them, comparing the situation to a 1982 Soviet gas pipeline explosion reportedly caused by a CIA-planted trojan in pipeline-control software the Soviets had stolen in Canada. However, Danish and Swedish authorities revealed that, according to seismological readings, a series of explosions off the Danish island of Bornholm preceded the leaks. The pipeline is 40 mm of steel enveloped in a thick concrete mantle, and experts are ruling out natural leaks or accidents in the freshly laid pipeline, especially given the undersea explosions in the vicinity and the timing, just days before the scheduled inauguration of the Baltic Pipe. The Baltic Pipe now links Norway and Poland (and by extension countries in Central Europe), and experts read the explosions as a potential warning to EU energy infrastructure.

Russia has followed the gas leaks with information operations campaigns on social media blaming the sabotage on the USA and then Ukraine, the latter hardly possible, not least because Russia seized the last seaworthy Ukrainian submarine in 2014. The campaign has suffered from the recent dismantling by Meta of a large Russian network that was spoofing Western media on its platforms in precisely this kind of operation; CYFIRMA reported on the news earlier this week.

The experts are now warning of the possibility of further Russian attacks on European infrastructure, be it other pipelines and gas terminals and installations, undersea internet cables, or the power grid and energy industry as prime targets. Russian cyberattacks on Western critical national infrastructure have not reached anywhere near their maximum potential and the aforementioned industries should be at maximum vigilance in the coming months.

Cyber Fallout of Iran Unrest

The largest anti-government protests in Iran since 2009 continue and are gathering momentum, having spread to as many as 80 municipalities. The protests began after the death of Mahsa Amini, a 22-year-old woman who died in the custody of the morality police, who had detained her on charges of violating Islamic headwear regulations. Many of the protests have been led by women, and some smaller cities in Kurdish provinces are allegedly outside of effective government control, with the military on the way to crack down on the protesters.

The Iranian government is escalating its crackdown on the protests, and police are using live fire to contain the crowds, reportedly resulting in the deaths of dozens of people. The government has also arrested numerous prominent activists and journalists while imposing severe restrictions on internet connectivity. The authorities orchestrated outages of mobile networks in entire regions and disrupted social media apps like WhatsApp and Instagram, two Western communication tools that were not banned in Iran before the protests erupted.

The Anonymous hacktivist collective has been targeting Iranian government websites, mainly with DDoS attacks that have made some sites unavailable. In a gesture intended to support Iran's dissidents, the US Treasury Department relaxed sanctions in ways intended to ease Iranian citizens' access to the internet and Western media. Based on previous behavior, analysts predict that this is likely to lead to a surge in Iranian cyber-attacks on the US and American allies in the region, mainly on the media, financial, and energy industries, but not limited to those.

Latest Cyber-Attacks, Incidents, and Breaches – Mobile Adware Installed 13 Million Times

  • Attack Type: Malware Implants, Rogue Mobile Apps, Impersonation
  • Objective: Unauthorized Access, Data Theft
  • Target Technology: Android, iOS
  • Target Industry: Multiple
  • Target Geography: Global
  • Business Impact: Data Loss, Financial Loss, Reputational Damage

Researchers have recently discovered 75 mobile apps on Google Play and an additional 10 on the Apple App Store used to carry out ad fraud. Collectively reaching 13 million installations, these apps presented users with both visible and hidden advertisements, in addition to impersonating other legitimate apps to generate more revenue.
The researchers have dubbed this fraud campaign “Scylla” and believe that this is the third wave of an operation first observed in August 2019 and dubbed “Poseidon”. The second wave was called “Charybdis” and was observed at the end of 2020.
The findings have been communicated to Google and Apple and the apps have been removed from their respective app stores. Some of the most downloaded apps are listed below:

  • iOS apps:
    • Loot the Castle – com.loot.rcastle.fight.battle (id1602634568)
    • Run Bridge – com.run.bridge.race (id1584737005)
    • Shinning Gun – com.shinning.gun.ios (id1588037078)
    • Racing Legend 3D – com.racing.legend.like (id1589579456)
    • Rope Runner – com.rope.runner.family (id1614987707)
    • Wood Sculptor – com.wood.sculptor.cutter (id1603211466)
    • Fire-Wall – com.fire.wall.poptit (id1540542924)
    • Ninja Critical Hit – wger.ninjacriticalhit.ios (id1514055403)
    • Tony Runs – com.TonyRuns.game
  • Android apps (1+ million downloads)
    • Super Hero-Save the world! – com.asuper.man.playmilk
    • Spot 10 Differences – com.different.ten.spotgames
    • Find 5 Differences – com.find.five.subtle.differences.spot.new
    • Dinosaur Legend – com.huluwagames.dinosaur.legend.play
    • One Line Drawing – com.one.line.drawing.stroke.yuxi
    • Shoot Master – com.shooter.master.bullet.puzzle.huahong
    • Talent Trap – NEW – com.talent.trap.stop.all

Insights:

  • These types of malicious apps are not considered a severe threat; however, their operators may use them for more dangerous activities, such as inciting users to install additional malware that can exfiltrate various types of information from victims’ devices.
  • Since adware of this kind is not particularly sophisticated, Android users are protected from such threats unless Google Play Protect has been disabled by the user. The feature examines apps and devices for harmful behavior by running safety checks before an app is downloaded from the Play Store.

Vulnerabilities and Exploits – Command Injection Bug in Java Template Framework Pebble

  • Attack Type: Command Injection
  • Target Technology: Pebble Templates
  • Vulnerability: CVE-2022-37767 (CVSS Score: 9.8)
  • Vulnerability Type: Incorrect Authorization
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Pebble Templates was found vulnerable to a critical severity bug that could allow attackers to bypass its security mechanisms and conduct command injection attacks against host servers. Similar to the Python Jinja template engine, Pebble Templates is a Java templating engine inspired by Twig. It offers ease of use, internationalization capabilities, and security features including auto-escaping and a block-list method access validator intended to prevent command execution attacks.

However, researchers have found that by using carefully crafted code and template files Pebble’s command execution defense can be bypassed. In a proof of concept (PoC), the researcher using a Pebble template loaded an XML file from the web and instantiated a Java class that supports running system commands on the server.

Insights:

  • Disclosure of the bug has revved up discussion on GitHub among developers. Since a CVE has been assigned, security alerts are being triggered in corporate environments that use the affected version of Pebble.
  • Since it is a community-driven project, a fix may not be easy. The developers are working on one, but it remains unclear when it will be available; in the meantime, the maintainers have provided some workarounds.
  • To successfully exploit the bug, the attacker must be able to get a malicious Pebble template onto the server. Hardening security checks on user-provided content and restricting template uploads are therefore effective defensive measures against exploitation of this bug.
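The defensive measure in the last point, an allowlist of template names plus a refusal to let uploaded content ever reach the engine as template source, as an added illustration in Python. This is example code written for this report, not Pebble's own API or the maintainers' workaround; the directory paths, template names and the toy renderer are assumptions constructed for the demonstration.

```python
import html
import re
from pathlib import Path

# Assumed layout (constructed for this example): application templates live under
# one fixed directory and only the names registered here may ever be rendered.
TEMPLATE_ROOT = Path("/srv/app/templates")
UPLOAD_ROOT = Path("/srv/app/uploads")
ALLOWED_TEMPLATES = frozenset({"invoice.html", "welcome.html"})

# Delimiters of Pebble/Twig/Jinja-style engines. Their presence in content that is
# about to be written to disk is the signal that someone is trying to plant
# template logic rather than data.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Toy stand-in for the real engine: only ``{{ name }}`` lookups, HTML-escaped.
VAR_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class TemplatePolicyError(ValueError):
    """Raised when a render or upload request violates the template policy."""


def _confine(root: Path, name: str) -> Path:
    """Resolve ``name`` under ``root`` and refuse anything that escapes it
    (``../`` segments and absolute paths included)."""
    root = root.resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise TemplatePolicyError(f"path escapes {root}: {name!r}")
    return candidate


def resolve_template(name: str) -> Path:
    """Allowlist first, path confinement second: both checks must pass."""
    if name not in ALLOWED_TEMPLATES:
        raise TemplatePolicyError(f"template not registered: {name!r}")
    return _confine(TEMPLATE_ROOT, name)


def render(source: str, context: dict) -> str:
    """Substitute registered variables, escaping each value. User data enters
    only through ``context`` and is never spliced into ``source``, so delimiters
    inside a value stay inert text."""
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in context:
            raise KeyError(f"unknown template variable {key!r}")
        return html.escape(str(context[key]))
    return VAR_REF.sub(substitute, source)


def render_named(name: str, context: dict, read=lambda p: p.read_text()) -> str:
    """Render an allowlisted template with user-supplied context. ``read`` is
    injectable so the example runs without the assumed directory present."""
    return render(read(resolve_template(name)), context)


def check_upload(filename: str, content: str) -> Path:
    """Policy for user uploads that land on disk: the file must stay inside
    UPLOAD_ROOT (so it can never sit where the template loader looks) and must
    not carry template delimiters. Returns the confined destination path."""
    target = _confine(UPLOAD_ROOT, filename)
    if TEMPLATE_DELIMITERS.search(content):
        raise TemplatePolicyError(f"upload {filename!r} contains template syntax")
    return target


def violates_policy(fn, *args) -> bool:
    """True if ``fn(*args)`` is rejected by the policy; used by the demo below."""
    try:
        fn(*args)
    except TemplatePolicyError:
        return True
    return False


if __name__ == "__main__":
    hostile = {"name": "<b>{{ 7*7 }}</b>"}  # constructed hostile value
    print(render("Hello {{ name }}", hostile))  # delimiters come out as text
    print(render_named("welcome.html", {"name": "Ada"}, read=lambda p: "Hi {{ name }}"))
    for name in ("../etc/passwd", "evil.html", "invoice.html"):
        print(name, "rejected:", violates_policy(resolve_template, name))
    print("upload with syntax rejected:", violates_policy(check_upload, "note.txt", "{% x %}"))
    print("traversal rejected:", violates_policy(check_upload, "../templates/x.html", "plain"))
```

The two checks are deliberately independent: the allowlist decides which templates exist at all, and path confinement guards the file system even if the allowlist is later widened to patterns. Keeping uploads in a directory the template loader never reads is what removes the attacker's precondition described above.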