Weekly Cyber-Intelligence Trends and Advisory – 15 July 2022


Threat Actor in Focus – North Korean Threat Actor Used Maui Ransomware to Target US Healthcare Organizations

  • Attack Type: Ransomware, Malware Implant
  • Objective: Financial Gains
  • Target Technology:
  • Target Industry: Healthcare
  • Target Geography: United States
  • Business Impact: Data Loss, Financial Loss, Regulatory Implications

A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) provided information on the Maui ransomware, used by North Korean state-sponsored threat actor groups as early as May 2021 to target healthcare organizations in the US. The FBI has observed and responded to multiple Maui ransomware incidents in which attempts were made to encrypt systems responsible for electronic health records services, diagnostics services, imaging services, and intranet services. The initial access vector for these incidents remains unknown, and in some cases services were disrupted for a prolonged period.

The Maui ransomware is a lesser-known ransomware family and stands out from the prominent RaaS groups because it lacks several key features. According to researchers who performed technical analysis on the Maui sample, the ransomware seems to be designed for manual execution by a remote attacker, who uses a command-line interface to interact with the malware and identify files to be encrypted. It also lacks the usual embedded ransom note that RaaS groups use to provide recovery instructions, payment information, etc. The researchers also suspect that Maui has been developed privately, as no public offering has been observed so far.


Rise in Malware/Ransomware and Phishing – Lorenz Ransomware

In comparison to other prominent ransomware gangs of current times, the victim count of the Lorenz ransomware group appears relatively low, but the attacks are highly targeted, with ransom demands ranging from USD 500,000 to USD 700,000. The Lorenz ransomware attacks were first observed in the spring of 2021, and as per the analysis from security researchers, the Lorenz ransomware code appears to resemble the old ThunderCrypt and SZ40 families.

Similar to the extortion strategy of other ransomware groups such as Conti, the Lorenz ransomware operators also first make the exfiltrated data available on their dedicated leak site (DLS) for sale to potential buyers. As the ransom payment gets delayed, the ransomware operators resort to publishing parts of the data as time goes on. Ultimately, if no ransom is paid and the data is not purchased, the data is released to the public for free for anyone to download.

At the end of June 2021, researchers released a free decryptor tool as part of the No More Ransom Project initiative that is capable of decrypting (non-corrupted) affected files in some cases and supports Microsoft Office documents, PDF files, and certain media types.

In early March 2022, researchers came across a new variant of the Lorenz ransomware which dates back to March 2, 2022. The files encrypted by this variant differ from those of previous versions of Lorenz, and researchers observed other noticeable differences. The new variant has a simple text file ‘HELP.TXT’ as the ransom note, whereas the previous one used an HTML document called ‘HELP_SECURITY_EVENT.html.’ Another difference is the string encryption: the strings were embedded in the binary as plain text, whereas the variant spotted by researchers used a simpler algorithm in which XOR encryption is performed using the single-byte key 0x6B and the result is then Base64-encoded.
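For analysts triaging a suspected sample of this variant, the string obfuscation described above can be reversed by Base64-decoding each candidate run and XORing the result with 0x6B. The Python sketch below is an added example, not code from the researchers' analysis; the function names and the sample blob are constructed for illustration, and it assumes the strings are stored as standalone Base64 runs.

```python
import base64
import re

XOR_KEY = 0x6B  # single-byte key reported for the March 2022 variant
# Runs of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_candidate(token: bytes):
    """Base64-decode, then XOR; return text only if it is printable ASCII."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    plain = xor_bytes(raw)
    if plain and all(0x20 <= c < 0x7F for c in plain):
        return plain.decode("ascii")
    return None


def extract_strings(blob: bytes):
    """Return (offset, decoded string) for each run that decodes cleanly."""
    hits = []
    for match in B64_RUN.finditer(blob):
        text = decode_candidate(match.group())
        if text is not None:
            hits.append((match.start(), text))
    return hits


def make_sample() -> bytes:
    """Constructed input: two obfuscated strings and one unrelated Base64 run."""
    def enc(s):
        return base64.b64encode(xor_bytes(s.encode("ascii")))
    decoy = base64.b64encode(bytes(range(200, 212)))  # decodes to non-text
    return (b"\x00\x01MZ\x90\x00" + enc("HELP.TXT") + b"\x00"
            + decoy + b"\x00" + enc("constructed example") + b"\x00")


if __name__ == "__main__":
    for offset, text in extract_strings(make_sample()):
        print(f"0x{offset:04x}  {text}")
```

The printable-ASCII filter is what separates obfuscated strings from unrelated Base64 data; short runs can still produce false positives, so treat hits as leads to confirm in a disassembler.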


Latest Cyber-Attacks, Incidents, and Breaches – Poor Password Management Leads to Data Breach at Mangatoon

  • Attack Type: Data Exfiltration, Credential Compromise
  • Objective: Data Theft
  • Target Industry: IT Services, Media
  • Target Technology: Elasticsearch Database
  • Target Geography: China
  • Business Impact: Data Loss, Financial Loss, Reputation Damage

Mangatoon, a platform for popular manga comics, has recently fallen victim to a data breach. A poorly secured database led to the exposure of information related to more than 23 million user accounts. As per reports, Mangatoon does not seem to be responding to messages about the breach from researchers.

Source: Surface Web

According to researchers, the breach resulted from an Elasticsearch server with a weak password being exploited by a well-known threat actor who goes by the alias ‘pompompurin.’ While speaking to researchers, the threat actor revealed, “it was ES, they had credentials on it but it was just “password”, they changed the credentials after I emailed telling them but they never notified their customers and never replied.”

Source: Surface Web

The database has also been added to the popular data breach checking service “Have I Been Pwned?” where Mangatoon users can check if their email addresses have been compromised in this breach.

Source: Surface Web


  • The threat actor ‘pompompurin’ is a familiar name within the underground cybercriminal community. He is a former member of the popular RaidForums and launched a similar forum shortly after RaidForums was seized by law enforcement. He has also been involved in multiple high-profile cyberattacks in the past.
  • According to the threat actor, the stolen Mangatoon database has not been made available to the public; however, at some point, they are probably going to leak it. After news of the Mangatoon breach surfaced, researchers observed other threat actors from the underground cybercriminal community requesting in the forum that the database be leaked.

Source: Underground Forums


Vulnerabilities and Exploits – Researcher Reveals Zero-day in Google Pixel 6, Samsung Galaxy S22, and more

  • Attack Type: Vulnerabilities & Exploits, Zero-day, Privilege Escalation
  • Target Technology: Google Pixel 6, Samsung Galaxy S22, and Other Android Phones
  • Vulnerability: Unassigned
  • Vulnerability Type: Improper Restriction of XML External Entity Reference

Zhenpeng Lin, a security researcher and Ph.D. student at Northwestern University, has recently discovered a zero-day vulnerability on the Google Pixel 6, and users are at risk even after they have updated their mobile devices to the latest July 2022 security update. The vulnerability, which has no public CVE ID as of now, affects the kernel in Android. It allows an attacker to gain arbitrary read/write access, root privilege, and the authority to disable SELinux, which may lead to tampering with the operating system, manipulation of built-in security routines, and other malicious actions on an affected device.

In a demonstration, the bug was exploited on a Google Pixel 6, and other current-generation Android devices are also said to be affected, including the Google Pixel 6 Pro and the Samsung Galaxy S22 family. According to the researcher, the bug affects all Android devices that run on Linux kernel version 5.10.

Source: Surface Web

While Google has been informed about the issue, the precise details of the vulnerability have not been released to the public and are expected to be presented at Black Hat USA 2022. According to researchers, the attack vector is generalized but more powerful when compared with the Dirty Pipe vulnerability in the Linux kernel that recently made headlines. The researcher also highlights that it is not a remote code execution vulnerability where exploitation can take place without user interaction.