2022-07-21

Weekly Intelligence Report – 21 Jul 2022


Threat Actor in Focus

Latest Transparent Tribe Campaign Targets Education Sector

  • Attack Type: Spear-phishing, Malware Implant, Potential Data Exfiltration
  • Objective: Data Theft
  • Target Technology: Email, Windows
  • Target Industry: Education
  • Target Geography: India
  • Business Impact: Data Loss, Financial Loss, Loss of Intellectual Property

Summary: Researchers have been tracking an ongoing campaign operated by the Transparent Tribe APT group. The campaign targets students at various Indian educational institutions. The attack involves a malicious document delivered to a potential target either as an attachment or as a link to a remote location in a spear-phishing email. The document contains VBA macros that lead to the execution of the CrimsonRAT malware. As per the researchers, the RAT is constantly being updated and comes with a number of new capabilities.

The domains used by the attackers were registered in June 2021 and named in a way that made them appear relevant to students and educational entities. Researchers also noticed additional media-themed domains, which are consistent with Transparent Tribe’s tactics observed in past attacks.

Insights:

  • Researchers highlight that the three sets of domains observed in this campaign – the malicious Transparent Tribe infrastructure, vebhost[.]com, and zainhosting[.]net/com – are related. They also suggest that ZainHosting – a seemingly legitimate web services and hosting provider – owns and operates the malicious infrastructure. The researchers believe ZainHosting is one of many hired infrastructure contractors that work for Transparent Tribe. These contractors are hired to prepare and stage Transparent Tribe’s infrastructure, which the APT group itself then leverages in its attacks.
  • While Transparent Tribe has been aggressively trying to widen its attack surface within the Indian subcontinent, its focus has been on government and military officials, and in the past few years pseudo-government entities have also been targeted. This new campaign indicates an interest in civilians from the education sector. The shift is likely intended to maintain long-term access and/or steal valuable or restricted research from top Indian research institutions that work closely with the Indian government.


Major Geopolitical Developments in Cybersecurity

Government Services In Albania Suffer a ‘Massive’ Cyber Attack

A ‘synchronized criminal attack from abroad’ forced the government of Albania to shut down its online services after suffering a cyberattack. The attack caused the primary servers of the National Agency for Information Society to go down.

In a press release, the Council of Ministers said “Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronized… from outside Albania.”

The government said the cyberattack began on Friday, targeting government and other public online services. The attackers have not been identified yet, although the attack method is said to be identical to that used in attacks on Belgium, Germany, Lithuania, Malta, the Netherlands, and Ukraine last year.

The authorities have assured that citizens’ data stored in government systems is safe. The former PM blamed the government for concentrating too many services on the AKSHI (National Agency for Information Society) system without considering proper protection.

Notably, the cyberattack took place shortly after the Albanian PM ordered mandatory use of online services by the population. As a result of the breach, several government services were put offline as a preventive measure.


Updates on Lockbit Ransomware Operations

Around January 2020, LockBit operators first appeared on Russian-language cybercrime underground forums. In June 2021, the operators introduced version two of the LockBit RaaS, advertised as LockBit 2.0, which was reportedly bundled with StealBit – a built-in information-stealing feature.

The LockBit 2.0 operators are known to implement the double extortion technique, threatening to publish exfiltrated data on their dark web leak site “LockBit BLOG” if ransom demands are not met. Such tactics coerce victims into paying the ransom.

At the start of November 2021, increased pressure from law enforcement agencies and the unavailability of members forced the prolific RaaS group BlackMatter to shut down its operations. However, researchers reported that existing BlackMatter affiliates are moving their victims to the LockBit DLS – most likely to facilitate their extortion efforts. They observed that BlackMatter victims are being provided with URLs to new negotiation pages that belong to LockBit. With more experienced affiliates joining the LockBit ransomware group, it is set to become one of the largest and arguably the most successful ransomware groups in operation.

Researchers have recently reported a link between LockBit and the Russian cybercrime group Evil Corp. Notably, in 2019 the US government sanctioned Evil Corp, prohibiting US organizations targeted by Evil Corp from complying with its ransom demands. The report states that Evil Corp is now using the LockBit ransomware variant to overcome these sanctions. This development essentially hampers LockBit’s own ransomware business: once linked to Evil Corp, impacted US organizations would be more reluctant to pay the ransom. A huge chunk of LockBit’s income comes from US organizations; in 2022 alone, more than 30% of its claimed victims were organizations operating in the US.

The LockBit ransomware group has recently released its LockBit 3.0 variant, and the operation also introduced a few tweaks to its dedicated leak site, including a bug bounty program. The dedicated leak site now also shows what appears to be the ransom amount to be paid by the victim alongside the old countdown timer. As time passes and the timer approaches zero, the ransom amount decreases, and if no ransom is paid the exfiltrated data is leaked. The group has also introduced support for the Zcash cryptocurrency as a payment option. Researchers indicate that LockBit 3.0 appears to be inspired by another ransomware known as BlackMatter (a rebrand of DarkSide), noting that “Large portions of the code are ripped straight from BlackMatter/Darkside.”


Elastix VoIP Systems Targeted in a Large-Scale Malware Campaign

  • Attack Type: Data Exfiltration, Malware Implants, Vulnerabilities & Exploits, RCE, Persistence
  • Objective: Data Theft, Payload Delivery
  • Target Industry: Multiple
  • Target Technology: Elastix, FreePBX, restapps (aka Rest Phone Apps), PBXact
  • Target Geography: Global
  • Business Impact: Data Loss, Financial Loss, Reputation Damage

Summary: Researchers have identified a massive campaign targeting Elastix VoIP telephony servers in which they observed more than 500,000 malware samples from December 2021 to March 2022. The adversaries aimed to inject a PHP web shell, allowing arbitrary commands to be executed on compromised communications servers, and exploited CVE-2021-45461 – a critical-severity vulnerability rated 9.8 out of 10 that allows RCE.

According to researchers, the campaign is active and shares multiple similarities with the INJ3CTOR3 operation reported by other researchers in 2020. Further, the researchers highlight that their finding may be a result of the “official announcement of a known security issue, CVE-2021-45461 Potential Rest Phone Apps RCE”.

Insights:

  • Due to the similarity with the INJ3CTOR3 operation, researchers suspect it may be a return of this campaign. In December 2021 a report titled “0 Day FreePBX Exploit?” was published on the FreePBX community forum, followed by another report, “K.php – a RestApps malicious script”, in January 2022. According to the researchers, the reports are consistent with each other, and they theorize that it is “indeed a resurgence of the previous campaign.” The INJ3CTOR3 report listed eight default commands under the title “The attacker’s web panel”, which are identical to those listed in the aforementioned January 2022 report on the FreePBX community forum.


Vulnerabilities and Exploits

Windows Zero-Day Bug Under Active Exploitation

  • Attack Type: Vulnerabilities & Exploits, Zero-day, Privilege Escalation, Code Execution
  • Target Technology: Windows (10, 11, 7, 8.1); Windows RT 8.1; Windows Server (2008, 2012, 2016, 2019, 2022)
  • Vulnerability: CVE-2022-22047 (CVSS Base Score: 7.8)
  • Vulnerability Type: Elevation of Privileges

Summary: Microsoft, as part of its July 2022 Patch Tuesday update, has rolled out 84 security patches. Among other security updates, the bundle includes patches for four vulnerabilities rated as Critical and a bug tracked as CVE-2022-22047 that is under active exploitation. Although the bug is listed as exploited, Microsoft has not provided any information on how widely and where it is being leveraged by adversaries. The bug affects the Windows Client Server Runtime Subsystem (CSRSS) used in various Windows and Windows Server versions. According to researchers, “The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target.”

Insights:

  • The Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) Catalog and ordered all federal civilian agencies to have the affected systems patched by 2nd August. There are no known public proof-of-concept exploits available in the wild.
  • An attacker would still have to be able to execute other code on the target system in order to exploit this bug on affected systems. This is typically achieved through specially crafted Office or Adobe documents. Such attacks rely on macros; however, a recent change by Microsoft to the default behaviour of Office applications now blocks macros in files obtained from the internet.