Weekly Intelligence Trends and Advisory – 11 July 2021

Published On : 2021-07-11
Share :
Weekly Intelligence Trends and Advisory – 11 July 2021

Kubernetes Clusters Exploited to Perform Brute Force Attacks  

  • Suspected Threat Actors: Fancy Bear
  • Attack Type: Brute Force, Password Spray, (IP Address) Obfuscation, Vulnerabilities and Exploits (CVE 2020-0688, CVE 2020-17144)
  • Ransomware / Malware: reGeorg Web Shell
  • Objective: Unauthorized Access, Malware Implant, Defense Evasion, Data Theft
  • Target Industry: Government, Military, Political Consultants & Parties, Defense Contractors, Energy, Logistics, Think Tanks, Higher Education Institutions, Law firms, Media
  • Target Geography: Global
  • Target Technology: Office 365, Cloud Services, Service Providers, On-premises Email Servers
  • Business Impact: Data Loss, Operational Disruption

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications, and has been gaining popularity in recent times.  In a survey in 2019, 84 percent of enterprises surveyed indicated they were running containers in production. The hyperscalers cloud providers have managed Kubernetes offerings for their cloud customers and the adoption rate is expected to increase. The security consideration for Kubernetes needs to be further enhanced as threat actors are exploiting its vulnerabilities to carry out various campaigns.

Joint Cybersecurity Advisory has been released by cybersecurity agencies including the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) warning about an ongoing global campaign using brute force. The campaign has been attributed to the Russian government, in particular, linked to Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165 also tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team by various researchers. As per the advisory, brute-force access attempts have been used against hundreds of organizations around the globe. The campaign appeared to have started in mid-2019 leveraging a Kubernetes cluster to conduct “widespread, distributed and anonymized brute force access attempts”. While a significant portion of this activity is targeted at organizations using Microsoft Office 365 cloud services, 85th GTsSS also targeted other service providers and on-premises email servers using a variety of different protocols.

The advisory highlights the activity is almost certainly still ongoing. The brute force activity allows 85th GTsSS actors to access protected data and identify valid credentials which may be used for a variety of purposes. In addition to identifying account credentials, the brute force attacks were combined with the exploitation of publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE 2020-0688 and CVE 2020-17144 for remote code execution and securing further access to target networks. Once the access is gained, the threat actors moved laterally through the network deploying reGeorg web shell for persistence, harvesting credentials, and stealing files.

The threat actors leveraged different combinations of defense evasion techniques in an attempt to disguise some components of their operations, however, many detection opportunities remain viable to identify the malicious activity. To obfuscate their attacks and achieve some degree of anonymity, the Kubernetes cluster carried out brute force authentication attempts via TOR and commercial VPN services including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. However, between November 2020 and March 2021, authentication attempts were delivered directly to targets from nodes in the Kubernetes cluster.

Last month, researchers disclosed a campaign involving a new malware dubbed SkinnyBoy linked to APT28 targeting foreign ministries, embassies, and military and defense.

It should also be noted that threats to the Olympic events are not without precedent and are still looming on the upcoming Olympic event in Tokyo – with Russia being seen as one of the biggest threat actors. Further, members of GRU were indicted by the Department of Justice in connection with past attacks on Olympic games event including the malicious activity against organizations involved in the 2020 Olympic and Paralympic Games.

Experts also speculate that the move of calling out Russia by the US intelligence may be a good reminder to keep the threat actors on the radar and part of an approach to add friction to their activities.

Malware Masquerades as Privacy Tool

  • Attack Type: Malware Implant, Impersonation
  • Target Industry:
  • Target Geography: Global
  • Target Technology: Privacy Tools
  • Malware: Smoke Loader, Raccoon Stealer, RedLine
  • Business Impact: Data Loss, Operational Disruption

Researchers discovered a new threat enticing users to download malware by masquerading as a “Privacy Tools” promoted as a zip-like utility that can encrypt user data ensuring security. The attacker created a professional-looking fake website that contains detailed descriptions of the alleged service including step-by-step instructions to download and use the privacy tools. Researchers identified the initial payload as Smoke Loader. The malware subsequently installs data-stealing malware including Raccoon Stealer and RedLine. The activity has not yet been attributed to any particular threat actor group. The researcher noted one of the IP addresses in the campaign associated with OpenNIC – that offers a non-national alternative to traditional top-level domain registries such as ICANN. The researcher also identified multiple other privacy-themed domains and command-and-control IP addresses registered with the same email address and registrar as the fake website delivering Smoke Loader in this campaign.

While the tact of using a privacy-themed lure to infect users is ironic, it also showcases the predatory nature of threat actors. It is also suspected that the campaign may be effective as threat actors have taken a considerable amount of time and effort to design the legitimate-looking privacy tool.

Due to the recent regulatory development concerning personal data, fear of surveillance, privacy awareness in public has risen as a result more users are concerned about their privacy and are likely to fall prey.

Based on the indicators, it is also suspected that the threat actor has previously conducted similar campaigns using privacy themes to distribute Smoke Loader and follow-on malware.

It is anticipated that such type activities are likely to continue to distribute malware. Unlike corporate users who may have corporate privacy and security services already installed on their systems, members of the public are at heightened risk.

New Malware and Ransomware

A relatively new data leak “marketplace” was reportedly identified in June. The Marketo operators gained notoriety for promoting their site by contacting security researchers and journalists as well as emailing competitors of breach victims to pressure and extort money. The operators were seen listing new data leaks during the observation period.

A sample of the Mirai variant dubbed as mirai_ptea was observed by researchers propagating through a new vulnerability targeting KGUARD DVR. It was later deduced to be a new DDoS botnet. The vulnerability allows attackers to remotely execute system commands without authentication and had been identified in approximately 3,000 online devices.

Researchers witnessed a new ransomware strain dubbed Diavol. The ransomware is suspected to be linked to the Wizard Spider threat actor group due to similarities with Conti ransomware, though it has some notable differences as well.

Researchers disclosed a new detail on the Indexsinas SMB worm, also dubbed NSABuffMiner, in an attack campaign believed to active since 2019. Targeting SMB servers vulnerable to EternalBlue (MS17-010), the attackers were observed to be leveraging Equation Group exploit kit which includes the DoublePulsar backdoor. The victim organizations are from the healthcare, hospitality, education, and telecommunications sectors.

“PrintNightmare” is New Windows Security Flaw

  • Target Geography: Global
  • Target Technology: Windows Server (Version: 2012 R2, 2012, 2008 R2 Service Pack 1, 2008 Service Pack 2, 2016, version 20H2, version 2004, version 1909, 2019), Windows (Versions: RT 8.1, 8.1, 7, 10 Version 1607, 10, 10 Version 20H2, 10 Version 2004, 10 Version 21H1, 10 Version 1909, 10 Version 1809)
  • Vulnerabilities: CVE-2021-32527 (CVSS Base Score: 8.8)
  • Vulnerability Type: Remote Code Execution (RCE)
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Microsoft has recently confirmed a new vulnerability tracked as CVE-2021-32527 that affects the Windows Print Spooler service in multiple versions of Windows and Windows Server. The vulnerability leading to RCE exists when the Windows Print Spooler service improperly performs privileged file operations. Upon successful exploitation of this vulnerability, an attacker can attain SYSTEM privileges and run arbitrary code. An attacker then will be able to install programs, view, change, or delete data, or create new accounts with full user rights.

This new vulnerability comes days after another vulnerability CVE-2021-1675, which was patched at the start of last month. The latter vulnerability was originally misdiagnosed as a low-risk privilege escalation issue. Multiple security researchers reported that demo exploit code provides a code execution path on patched systems, suggesting the severity of the issue was misdiagnosed. Around the same time, the Black Hat conference also announced the acceptance of a presentation by researchers on the details of the vulnerability who promptly released proof-of-concept (PoC) code including a full technical write-up that showcased remote code execution. However, the demo exploit code was removed by researchers after it was actively shared on public forums.

Microsoft has yet not publicly commented on the PoC or the researcher’s speculation that the fix is ineffective. The company has made it clear that despite the similarity, the new vulnerability is different including a different attack vector.

In addition, given the criticality of the issue, CISA (Cybersecurity and Infrastructure Security Agency) urges administrators to disable the Windows Print Spooler service in Domain Controllers for systems that do not require the print function.