Weekly Intelligence Trends and Advisory – 25 July 2021

Weekly Attack Type and Trends

Key Intelligence Signals

  • Attack Type: Phishing, Malware Implants, Ransomware, Vulnerabilities & Exploits, Social Engineering, Data Exfiltration, DDoS, Impersonation
  • Objective: Data Theft, Payload Delivery, Data Encryption, Financial Gains, Operational Disruption
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption
  • Conti Ransomware: One of the more prominent ransomware groups
  • Bazar Loader: A new variant of Bazar Loader Backdoor
  • MosaicLoader: A new malware dropper
  • TeaBot: A new variant of mobile banking trojan
  • Behavior: Most of these malware use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, and defense evasion tactics have been observed

Insights

Being called one of the most ruthless and unreliable ransomware gangs by researchers, the Conti ransomware has now completed more than a year of attacking organizations. Unlike other successful ransomware operators who are particular about their reputation, Conti is known to be unreliable after receiving the ransom. The ransomware group continues to remain the top ransomware, affecting multiple businesses in the past week.

Bazar Backdoor, a highly sophisticated backdoor trojan alleged to be operated by UNC1878, has been observed deploying Cobalt Strike beacons after the initial stages of infection. Bazar Loader has recently been detected using DNS channels as an indirect way for the malware to communicate with the attackers.
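Malware that tunnels command-and-control traffic over DNS leaves a characteristic trace in resolver logs: many distinct, high-entropy subdomains under one registered domain, often with TXT or NULL record types. The detector below is an added example written for this advisory, not code from the report or from any vendor; the log format (timestamp, client, query type, query name), the domain names and the thresholds are all constructed for illustration, and "registered domain" is approximated as the last two labels rather than by a public suffix list.

```python
"""Heuristic detection of DNS-based command-and-control from resolver query logs (constructed example)."""
import math
from collections import defaultdict

# Constructed sample resolver log. Hypothetical format: "<time> <client> <qtype> <qname>".
# The first four lines model ordinary traffic; the last four model beaconing over TXT queries.
SAMPLE_LOG = """\
2021-07-20T10:00:01 10.0.0.5 A www.example.com
2021-07-20T10:00:02 10.0.0.5 A mail.example.com
2021-07-20T10:00:03 10.0.0.5 A www.example.com
2021-07-20T10:00:04 10.0.0.5 A a1b2c3d4e5f6a7b8.cdn-assets.example
2021-07-20T10:00:05 10.0.0.7 TXT 3f9a1c7e2b.d41d8cd98f00b204e9800998ecf8427e.evil-c2.test
2021-07-20T10:00:06 10.0.0.7 TXT 7ab2d9e0f1.a3c65c2974270fd093ee8a9bf8ae7d0b.evil-c2.test
2021-07-20T10:00:07 10.0.0.7 TXT c0ffee1234.9e107d9d372bb6826bd81d3542a419d6.evil-c2.test
2021-07-20T10:00:08 10.0.0.7 TXT deadbeef55.e4d909c290d0fb1ca068ffaddf22cbd0.evil-c2.test
"""

# Record types commonly abused to carry arbitrary data; treated as a secondary signal only.
DATA_CARRYING_QTYPES = ("TXT", "NULL", "CNAME")


def shannon_entropy(text):
    """Bits of entropy per character; encoded/encrypted payload labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, registered_labels=2):
    """Return (registered_domain, subdomain_labels_joined). Assumes the last two labels
    form the registered domain, a simplification that ignores suffixes such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= registered_labels:
        return ".".join(labels), ""
    return ".".join(labels[-registered_labels:]), "".join(labels[:-registered_labels])


def profile_domains(log_text):
    """Aggregate per-registered-domain statistics from the log text."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "entropy_sum": 0.0, "data_qtype_queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines rather than crashing on them
            continue
        _, client, qtype, qname = parts
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["clients"].add(client)
        s["entropy_sum"] += shannon_entropy(sub)
        if qtype.upper() in DATA_CARRYING_QTYPES:
            s["data_qtype_queries"] += 1
    return stats


def flag_suspicious(stats, min_unique=3, entropy_threshold=3.0):
    """Flag domains with at least min_unique distinct subdomains whose average label
    entropy is high. The count gate keeps a single hash-like CDN label from alerting."""
    flagged = []
    for domain, s in stats.items():
        avg_entropy = s["entropy_sum"] / s["queries"]
        if len(s["subdomains"]) >= min_unique and avg_entropy >= entropy_threshold:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    profile = profile_domains(SAMPLE_LOG)
    for domain in flag_suspicious(profile):
        s = profile[domain]
        print(f"{domain}: {len(s['subdomains'])} unique subdomains, "
              f"avg entropy {s['entropy_sum'] / s['queries']:.2f}, "
              f"data-carrying qtypes {s['data_qtype_queries']}/{s['queries']}, "
              f"clients {sorted(s['clients'])}")
```

Run against the constructed log, only evil-c2.test is flagged: example.com has short dictionary labels, and the single hash-like label under cdn-assets.example stays below the unique-subdomain gate. In production the thresholds need tuning against a baseline of the environment's own resolver traffic, since some CDNs and telemetry services legitimately emit many encoded labels.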

An ongoing worldwide campaign is pushing new malware dubbed MosaicLoader through advertising camouflaged as cracked software in search engine results, infecting the systems of would-be software pirates.

TeaBot is a run-of-the-mill trojan in multiple ways. It contains the usual functions that any info-stealing trojan could have: the ability to steal data, including banking details, keylogging, taking screenshots, intercepting two-factor authentication (2FA) codes, SMS interception, and connecting to a C2 to transfer information, accept commands, and link the infected device to a botnet.

Dark Web Observations

Various databases have been uploaded into the Dark Web forums. Here’s a snapshot:

1) +83.5M phone numbers from Japan Clubhouse

Clubhouse imports the contacts and phone numbers of all its users into a secret database, which allows Clubhouse to map over 3 billion phone numbers. Phone numbers starting with the Japan area code were extracted from the directories of all Clubhouse users.

2) Saudi Arabia Ministry of Energy, Industry, and Mineral Resources

Employee records with fields including EMPLOYEE_NUMBER, NATIONAL_NO, EMPLOYEE_FIRST_NAME_AR, EMPLOYEE_FATHER_NAME_AR, EMPLOYEE_GRAND_NAME_AR, EMPLOYEE_FAMILY_NAME_AR, EMPLOYEE_FIRST_NAME_EN, EMPLOYEE_FATHER_NAME_EN, EMPLOYEE_GRAND_NAME_EN, etc. have been dumped online.

3) Documents of the Russian defense contractor Kronshtadt have been hacked

4) Loan data related to Chinese citizens has been compromised. The following data is now available on a dark web marketplace: Name, Loan Amount, Gender, Hometown, ID Card, Expiry Date, ID Card Issuing Authority, Registration Address, Home Address, WeChat ID, Phone Number, Education Level, Marital Status, Number of Dependent, Children, Residence, Type Name of Spouse, Spouse’s Mobile Number, Spouse Unit Name of Immediate Family, Members of Immediate Relations, Phone Number of Immediate Subordinates Address, unit name, department, position, current unit’s work start time, monthly payment new day, total monthly expenditure, total monthly income, working time, nature of the company.

Threat Actor in Focus

CISA and FBI: Links Leviathan with China’s MSS Hainan State Security Department

Suspected Threat Actors: Leviathan (aka APT40)

  • Attack Type: Data Exfiltration, Espionage
  • Objective: Unauthorized Access, Data Theft
  • Target Industry: Academia, Aerospace/Aviation, Biomedical, Defense Industrial Base, Education, Government, Healthcare, Manufacturing, Maritime, Research Institutes, and Transportation (Rail and Shipping)
  • Target Geography: United States and Others
  • Target Technology: Office 365, Cloud Services, Service Providers, On-premises Email Servers
  • Business Impact: Data Loss, Loss of Intellectual Property

Summary

A joint cybersecurity advisory was released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) providing information including TTPs and IOCs on the Chinese APT “Leviathan” to help cybersecurity practitioners. In a recent development, the U.S. Department of Justice unsealed an indictment against four APT40 threat actors for their computer network exploitation (CNE) via front company Hainan Xiandun Technology Development Company (Hainan Xiandun). The latter’s employees cooperated and carried out orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD) intelligence officers. The CNE activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments.

Insights

Leviathan has used a variety of tactics and techniques, including a large library of custom and open-source malware – the majority of which is shared with multiple other suspected Chinese threat actor groups. The threat actor used this malware to establish initial access via user and administrator credentials, enable lateral movement once inside the network, and locate high-value assets for data exfiltration.

While this advisory focused on APT40, U.S. government agencies have released several advisories describing malicious Chinese state-sponsored activity targeting U.S. and allied entities, including critical infrastructure organizations.

Rise in Malware/Ransomware and Phishing

Actiontec Impacted by Conti Ransomware

  • Attack Type: Ransomware, Data Leak
  • Target Industry: Technology Hardware
  • Target Geography: United States
  • Ransomware: Conti Ransomware
  • Objective: Data Exfiltration, Financial Gains
  • Business Impact: Data Leak, Erosion of Intellectual Property, Financial Loss, Reputational Damage

Summary

CTI observed Actiontec Electronics, Inc. – a major wireless and broadband solutions provider – impacted by the Conti ransomware. It is suspected that the operators have exfiltrated a large amount of business-critical and sensitive data. The threat actor has published approximately 33 gigabytes of suspected stolen data on its data leak portal on the dark web.

Screenshots of the listing were observed published on the dark web.

Insights

The data is first made available for sale to potential buyers. As the ransom payment is delayed, the ransomware operators resort to publishing parts of the data over time. Ultimately, if no ransom is paid and the data is not purchased, the data is released to the public for free for anyone to download.

While most ransomware operators put a lot of effort into establishing their reputation and attempt to maintain some level of integrity, likely to encourage and facilitate ransom payments, Conti has shown atypical behavior. In recent cases, Conti did not keep its promises after ransom payments were received from victims.

Latest Cyber-Attacks, Incidents, and Breaches

Growing Number of Attackers Using Virtual Machines

  • Attack Type: Ransomware
  • Target Industry: Multiple
  • Target Geography: Global
  • Target Technology: Virtualization
  • Business Impact: Data Loss, Operational Disruption, Financial Loss

Summary

Researchers highlight that an increasing number of ransomware groups are using virtual machines in a bid to evade detection. While encrypting files on the host computer, the ransomware payload “hides” within a VM to avoid raising suspicion or triggering antivirus software.

Insights

Ransomware operators continue to refine their tactics to stay one step ahead of detection. Many ransomware groups are now heavily relying on legitimate tools to stage attacks on targeted networks. By hiding the ransomware payload in a VM, the attackers expect the attack to go undiscovered, since the ransomware payload itself is often the stage of the attack most likely to raise red flags.

The tactic also widens the scope of VM-based attacks to Linux systems. Recently, researchers have spotted numerous Linux ELF64 versions of HelloKitty ransomware targeting ESXi servers running on Linux. The list also includes the ransomware operators RansomExx/Defray, Babuk, GoGoogle, DarkSide, REvil, and Mespinoza, who have developed Linux encryptors targeting ESXi virtual machines.

Vulnerabilities and Exploits

Critical Juniper Bug Allows DoS, RCE Against Carrier Networks

  • Target Geography: Global
  • Target Technology: SBR (Steel-Belted Radius) Carrier 8.4.1, 8.5.0, 8.6.0
  • Vulnerabilities: CVE-2021-0276 (CVSS Base Score: 9.8)
  • Vulnerability Type: Stack-Based Buffer Overflow
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary

The vulnerability in Juniper Networks SBR Carrier, with EAP (Extensible Authentication Protocol) authentication configured, allows an attacker to send specific packets that cause the RADIUS daemon to crash, resulting in denial of service (DoS) or leading to remote code execution (RCE). Juniper has not reported any malicious exploitation of this vulnerability. The vulnerability has no viable workaround; however, a patch has been issued by the vendor.

Insights

The bug is just one of many that the networking giant patched this week across its carrier and enterprise product lines, including several high-severity bugs that could be exploited to carry out DoS attacks. Another security flaw leading to RCE or DoS was an out-of-bounds read vulnerability.

CVE-2021-0276 can be exploited by attackers continuously sending specific packets, repeatedly crashing the RADIUS daemon, which may result in a sustained DoS.
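Until the vendor patch is applied, the observable side effect of the attack pattern described above is a daemon that crashes and is restarted over and over within a short window. The crash-burst detector below is an added example written for this advisory, not code from Juniper or from the report; the syslog excerpt, the process name, the message wording and the burst thresholds are all constructed for illustration and do not reproduce SBR Carrier's actual log format.

```python
"""Detect crash-restart bursts of a daemon from syslog lines (constructed example)."""
from collections import deque
from datetime import datetime, timedelta

# Constructed syslog excerpt (hypothetical message formats). The first three crashes fall
# within a few seconds of each other; the last one two hours later is an isolated event.
SAMPLE_SYSLOG = """\
2021-07-20T11:00:00 sbr1 radiusd[2211]: started
2021-07-20T11:02:10 sbr1 radiusd[2211]: EAP authentication request accepted
2021-07-20T11:02:11 sbr1 kernel: radiusd[2211]: segfault at 00000000 ip 00007f1c error 6
2021-07-20T11:02:15 sbr1 init: radiusd respawned (pid 2230)
2021-07-20T11:02:19 sbr1 kernel: radiusd[2230]: segfault at 00000000 ip 00007f1c error 6
2021-07-20T11:02:23 sbr1 init: radiusd respawned (pid 2244)
2021-07-20T11:02:27 sbr1 kernel: radiusd[2244]: segfault at 00000000 ip 00007f1c error 6
2021-07-20T11:02:31 sbr1 init: radiusd respawned (pid 2251)
2021-07-20T13:30:00 sbr1 kernel: radiusd[2251]: segfault at 00000000 ip 00007f1c error 6
2021-07-20T13:30:04 sbr1 init: radiusd respawned (pid 2260)
"""

# Substrings that mark an abnormal termination; respawn lines are deliberately not counted,
# so each crash is recorded once rather than twice.
CRASH_MARKERS = ("segfault", "core dumped")


def parse_crash_events(log_text, process="radiusd"):
    """Return the timestamps of lines that record a crash of the named process."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)  # timestamp, host, source, message
        if len(parts) < 4:
            continue
        message = parts[2] + " " + parts[3]
        if process in message and any(marker in message for marker in CRASH_MARKERS):
            events.append(datetime.fromisoformat(parts[0]))
    return events


def find_crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count: emit (first_ts, last_ts, count) whenever `threshold` crashes
    occur within `window`. The window is reset after an alert so one burst yields one alert."""
    alerts = []
    recent = deque()
    for ts in sorted(events):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    crashes = parse_crash_events(SAMPLE_SYSLOG)
    for first, last, count in find_crash_bursts(crashes):
        print(f"crash burst: {count} radiusd crashes between {first} and {last}")
```

On the constructed excerpt the detector reports one burst of three crashes between 11:02:11 and 11:02:27 and ignores the isolated crash at 13:30. Two design points carry over to a real deployment: count the crash line, not the supervisor's restart line, or every event is double-counted; and reset the window after alerting, or a sustained attack produces an alert on every subsequent crash.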