2021-11-14

Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 14 Nov 2021


Threat Actor in Focus

Ukraine Discloses Identity of Gamaredon Members, Links it to Russia’s FSB

Suspected Threat Actors: Gamaredon (aka Gamaredon Group, Armageddon)

  • Attack Type: Spearphishing, Malware Implant, Persistence, Defence Evasion, Data Exfiltration, Lateral Movement, Vulnerability & Exploits (CVE-2018-20250, CVE 2017-0199), Misinformation
  • Objective: Unauthorized Access, Data Theft, Espionage
  • Target Geography: Ukraine
  • Target Industry: Government
  • Target Technology: Email, Windows, Microsoft Office, WinRAR
  • Business Impact: Data Loss, Loss of Intellectual Property, Financial Loss, Potential Operational Disruption

The Ukrainian Security Service (SSU) has recently disclosed the real identities of five members of the Gamaredon APT group, allegedly involved in cyberattacks against its government agencies, and linked them to the Crimean branch of the Russian Federal Security Service (FSB). According to the officials, Gamaredon operates from the city of Sevastopol, Crimea, but acts on orders from the FSB Center for Information Security (aka Center 18) in Moscow, a known FSB cyber operations hub. According to the SSU, the threat actor group has carried out approximately 5,000 cyberattacks against Ukrainian entities, targeting critical infrastructure (power plants, water facilities), harvesting classified information from government agencies, conducting misinformation campaigns, and disrupting IT systems. The five individuals have been described as “officers of the ‘Crimean’ FSB, as well as traitors who sided with the enemy during the occupation of the peninsula in 2014.”

Insights

Researchers highlight that, while previous reports from multiple cyber-security researchers have linked Gamaredon to a suspected Russian government entity, the SSU report marks the first time the group has been linked to the FSB.

Reports from earlier this year, containing new evidence, described the Russia-linked threat actor Gamaredon as a hacker-for-hire group that offers its services to other APT groups. The group is considered highly active and has been exposed several times; however, it continues to operate and collaborate with other threat actor groups.

The TTPs employed by Gamaredon are commonly observed in the cyber crimeware world. The SSU report also reveals that the group lacks complexity in terms of architecture and implementation: the tools it leverages are not sophisticated, but they have proven to be quite effective.

 

Latest Cyber-Attacks, Incidents, and Breaches

Indian Central Securities Depository CDSL Exposed Sensitive Data

  • Attack Type: Vulnerabilities & Exploits, Data Leakage
  • Objective: Unauthorized Access, Data Theft
  • Target Industry: Financial Services, Government
  • Target Geography: India
  • Target Technology: API
  • Business Impact: Data Loss, Financial Loss, Regulatory Implications

Researchers once again found CDSL (Central Depository Services Limited) exposing the sensitive personal and financial data of approximately 43.9 million investors, an exposure the same researchers had previously reported. The exposed data belonged to individuals who had completed KYC for market securities. CDSL’s CVL (CDSL Ventures Limited) is one of the top KYC registration agencies. The exposure was due to an authorization vulnerability in one of CDSL’s public KYC APIs. The exposed data is said to have included full name, PAN, gender, marital status, father’s/spouse’s full name, date of birth, nationality, residential address, permanent address, contact number(s), email address, occupation details, and sensitive financial details.

Timeline

  • 19-Oct-2021: Researchers reported initial vulnerability exposing 43.9 million investor details
  • 26-Oct-2021: Vulnerability is patched
  • 28-Oct-2021: Researchers publicly disclosed details about the vulnerability
  • 30-Oct-2021: Researchers reported a new vulnerability exposing the same 43.9 million investor details
  • 01-Nov-2021: Vulnerability is patched

Insights

As per the researchers, the nature of the data exposed is extremely sensitive and therefore valuable to attackers, who can leverage this type of data for a range of malicious activities against individuals and organizations. The exposed data is virtually a treasure trove for cybercriminals and aids phishing, Business Email Compromise (BEC), extortion calls, and a range of online scams such as income tax refund scams.

Researchers also suspect the data may be used to influence the Indian share market by spreading misinformation. Armed with exposed investor details, it would be considerably easier for malicious actors to disrupt and manipulate the share markets.

The incident highlights the importance of securing critical information. Organizations are susceptible to cyber-attacks targeting their critical data and should take appropriate security measures to protect it, as such data is a major gold mine for hackers who gain access to it. The attackers are likely to re-purpose the data, sell it to potential competitors for financial gain, and may utilize the exfiltrated data to perform tailored attacks targeting affected users for further exploitation.
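The CDSL exposure above is attributed to an authorization flaw in a public KYC lookup API: the caller is authenticated, but the API never checks that the record being requested belongs to that caller, so any logged-in user can walk through other investors' records. The following is an added illustration of that bug class and its fix; it is not CDSL's code, and the record store, PAN values, session model and role names are all constructed for the example.

```python
"""Added example (not CDSL's code): object-level authorization in a KYC
lookup API, shown as a vulnerable handler beside a hardened one.
All records, identifiers and the session/role model are constructed."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class KycRecord:
    pan: str
    full_name: str
    dob: str
    address: str


# Constructed sample store keyed by PAN (not real people).
KYC_DB = {
    "ABCDE1234F": KycRecord("ABCDE1234F", "Investor One", "1980-01-01", "Street 1, City A"),
    "PQRST5678K": KycRecord("PQRST5678K", "Investor Two", "1975-05-05", "Street 2, City B"),
}


@dataclass(frozen=True)
class Session:
    subject_pan: str   # PAN the caller has authenticated as
    role: str          # constructed roles: "investor" or "kra_officer"


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to see."""


def lookup_vulnerable(session, pan):
    """Vulnerable: authenticates the caller but never checks that the
    requested PAN belongs to them, so any logged-in user can read, and
    by iterating PANs enumerate, every record in the store."""
    if session is None:
        raise Forbidden("login required")
    rec = KYC_DB.get(pan)
    if rec is None:
        raise KeyError(pan)
    return asdict(rec)


def lookup_hardened(session, pan):
    """Hardened: object-level authorization. An investor may read only
    the record matching the PAN they authenticated as; a privileged role
    is granted explicitly. Missing and forbidden records produce the same
    error so the API does not leak which PANs exist."""
    if session is None:
        raise Forbidden("login required")
    allowed = session.role == "kra_officer" or session.subject_pan == pan
    rec = KYC_DB.get(pan) if allowed else None
    if rec is None:
        raise Forbidden("not found or not permitted")
    return asdict(rec)


def records_readable_by(session, handler):
    """Measure of exposure: how many records in the store the given
    handler lets this one session read when every PAN is tried."""
    count = 0
    for pan in KYC_DB:
        try:
            handler(session, pan)
            count += 1
        except Forbidden:
            pass
    return count


if __name__ == "__main__":
    investor = Session("ABCDE1234F", "investor")
    print("vulnerable handler, one investor session:",
          records_readable_by(investor, lookup_vulnerable), "records")
    print("hardened handler, one investor session:",
          records_readable_by(investor, lookup_hardened), "records")
```

The difference is the single `allowed` check: in the vulnerable handler the authorization decision is implicitly "any authenticated user", which is exactly what turns a per-user lookup endpoint into a bulk export of the whole KYC database. Returning the same error for "does not exist" and "not yours" is deliberate, so that the fixed endpoint cannot be used to confirm which PANs are registered.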

 

Vulnerabilities and Exploits

BrakTooth Bluetooth Vulnerabilities: Exploit Code, PoC Released

  • Attack Type: Vulnerabilities & Exploit, Denial of Service (DoS), Arbitrary Code Execution
  • Target Technology: Bluetooth, System-on-Chip (SoC) Boards
  • Vulnerabilities: Multiple
  • Vulnerability Type: Code Execution

At the start of September, researchers revealed details of a set of 16 vulnerabilities, collectively called BrakTooth, that affect the Bluetooth software stack shipping with SoC boards from several popular vendors. The researchers have since released both the test kit and full exploit code. As per the researchers, the flaws affect approximately 1,400 chipsets used in billions of devices that rely on Bluetooth Classic (BT), such as smartphones, personal computers, toys, internet-of-things (IoT) devices, and industrial equipment. Initially, 16 vulnerabilities were disclosed; the count now stands at 22. The PoC has been made available on GitHub and requires an off-the-shelf ESP32 board, custom Link Manager Protocol (LMP) firmware, and a computer to run the PoC tool.

Insights

Since the disclosure of these vulnerabilities, subsequent research has revealed additional vulnerable devices, for example iPhones, MacBooks, Microsoft Surface laptops, Dell desktop PCs and laptops, Sony and Oppo smartphones, and audio devices from Walmart and Panasonic, among others. While some of the vulnerabilities have been patched, the researchers highlight that it is highly probable that many other products (beyond the 1,400 entries initially observed) are affected by BrakTooth, including BT system-on-chips (SoCs), BT modules, and additional BT end products.

 

CYFIRMA Research

About DC RAT

DC RAT is a new commodity remote access trojan (RAT) seen in the wild since 2019. The RAT is spread via a Word Document that contains a malicious VBA script. The RAT is written in C#. The functionalities of this RAT are:

  • Remote shell
  • Remote desktop
  • Remote camera
  • Registry Editor
  • File management
  • Process management
  • Netstat
  • Remote recording
  • Process notification
  • Send file
  • Inject file
  • Download and Execute
  • Send notification
  • Chat
  • Open website
  • Modify wallpaper
  • Keylogger
  • File lookup
  • DDOS
  • Ransomware
  • Disable Windows Defender
  • Disable UAC
  • Password recovery
  • Open CD
  • Lock screen
  • Client shutdown/restart/upgrade/uninstall
  • System shutdown/restart/logout
  • Bypass UAC
  • Get computer information
  • Thumbnails
  • Auto task
  • Mutex
  • Process protection
  • Block client
  • Install with schtasks

Blacklisted URL: hxxp://79[.]174.13.83/mobileboot/loglogMathsystem/core/recordframehtop/searcherlimitbootphp/antisupportprodprogram/record/gamesql.php

Risk Score: 10

Confidence Level: High

Associated Malware: DCRAT (Dark Crystal RAT)

Function: DCRAT C&C

ITW Associations: Multiple

Associated Hash (MD5): a34646571ad75adc271ad82ed1c7b17f

File Name: DCRatBuild.exe

Associated Hash Analysis

File name: DCRatBuild.exe

MD5: a34646571ad75adc271ad82ed1c7b17f

SHA1: e7a3a315663615467dad88461d400fa948952353

SHA256: eefa40668ca7dbe2ba10f46451549055273d9764b75446360e8a962038b7c014
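The indicators published above (a defanged C&C URL and the MD5/SHA1/SHA256 of DCRatBuild.exe) are only useful once they are turned into something that can be run over telemetry. The block below is an added example of doing that, not CYFIRMA's tooling: it refangs the blacklisted URL, then matches it and the file hashes against constructed proxy-log and file-inventory lines. The indicator values are the ones on this page; the log lines, hostnames and client addresses are constructed.

```python
"""Added example (not CYFIRMA's tooling): refang the published DCRAT
indicators and match them against constructed proxy and file-inventory
log lines. The URL and hashes are the page's IoCs; the logs are made up."""
import re
from typing import Dict, List

# Indicators exactly as published (defanged) in the advisory above.
DEFANGED_C2 = ("hxxp://79[.]174.13.83/mobileboot/loglogMathsystem/core/"
               "recordframehtop/searcherlimitbootphp/antisupportprodprogram/"
               "record/gamesql.php")
HASHES = {
    "md5": "a34646571ad75adc271ad82ed1c7b17f",
    "sha1": "e7a3a315663615467dad88461d400fa948952353",
    "sha256": "eefa40668ca7dbe2ba10f46451549055273d9764b75446360e8a962038b7c014",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.], [:]) so the
    indicator can be compared with real log fields."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("[:]", ":"))


def host_of(url: str) -> str:
    """Extract the host (or host:port) part of an http(s) URL."""
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m else ""


C2_URL = refang(DEFANGED_C2)
C2_HOST = host_of(C2_URL)

# Constructed sample proxy log, one request per line: ts client method url status
PROXY_LOG = """\
2021-11-10T09:12:01Z 10.0.5.21 GET http://79.174.13.83/mobileboot/loglogMathsystem/core/recordframehtop/searcherlimitbootphp/antisupportprodprogram/record/gamesql.php 200
2021-11-10T09:12:05Z 10.0.5.21 GET http://example.invalid/index.html 200
2021-11-10T09:13:44Z 10.0.7.3 POST http://79.174.13.83/other/path.php 404
"""

# Constructed sample file inventory, one file per line: host path sha256
FILE_LOG = """\
WS-0021 C:\\Users\\u1\\Downloads\\DCRatBuild.exe eefa40668ca7dbe2ba10f46451549055273d9764b75446360e8a962038b7c014
WS-0033 C:\\Users\\u2\\Documents\\report.docx 0000000000000000000000000000000000000000000000000000000000000000
"""


def scan_proxy(log: str) -> List[Dict[str, str]]:
    """Exact C2 URL -> malicious; same host on another path -> suspicious
    (the advisory lists the host as C&C, so any contact deserves a look)."""
    hits = []
    for line in log.splitlines():
        ts, client, method, url, status = line.split()
        if url == C2_URL:
            hits.append({"ts": ts, "client": client, "level": "malicious",
                         "reason": "exact DCRAT C2 URL"})
        elif host_of(url) == C2_HOST:
            hits.append({"ts": ts, "client": client, "level": "suspicious",
                         "reason": "DCRAT C2 host, different path"})
    return hits


def scan_files(log: str) -> List[Dict[str, str]]:
    """Flag any inventoried file whose digest is one of the published hashes."""
    known = {h.lower() for h in HASHES.values()}
    hits = []
    for line in log.splitlines():
        host, rest = line.split(maxsplit=1)
        path, digest = rest.rsplit(maxsplit=1)   # paths may contain spaces
        if digest.lower() in known:
            hits.append({"host": host, "path": path, "level": "malicious",
                         "reason": "known DCRatBuild.exe hash"})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_files(FILE_LOG):
        print(hit)
```

Two design points worth keeping in a real deployment: refang at load time rather than storing the live URL in the rule file, so copied indicators cannot be accidentally clicked, and grade host-only matches lower than exact-URL matches, since the same IP can later host unrelated content while the full path is far more specific to this DCRAT campaign.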

Static Analysis Information:

  • EXE:
    • MachineType: Intel 80386, for MS Windows
    • PEType: PE32
    • EntryPoint: 0x41ec40
    • Subsystem: Windows GUI
  • TRiD:
    • .exe | WinRAR Self Extracting archive
    • .exe | Windows Control Panel Item
    • .exe | Win64 Executable
    • .exe | Win32 Executable
  • Imports:
    • Kernel32.dll
    • gdiplus.dll

Behaviour Analysis Information:

DCRatBuild.exe

– Uses Task Scheduler to run other applications (Malicious)

– Connects to CnC server (Malicious)

– DCRAT was detected (Malicious)

– Reads the computer name (Suspicious)

– Checks supported languages (Suspicious)

– Executable content was dropped or overwritten (Suspicious)

– Creates files in the user directory (Suspicious)

– Writes files like Keylogger logs (Suspicious)

Network Analysis Information: 

MITRE ATT&CK Techniques: