Weekly Intelligence Report – 17 Sep 2022

Published On : 2022-09-17

Threat Actor in Focus – Lazarus and the Tale of Three RATs

  • Attack Type: Vulnerabilities and Exploits, Malware Implants, Potential Data Exfiltration, Defence Evasion, Persistence, Reconnaissance, Lateral Movement, Credential Harvesting, Path Filter Bypass, Cross-Site Scripting (XSS)
  • Objective: Espionage, Payload Delivery, Unauthorized Access, Data Theft
  • Target Technology: VMWare Horizon
  • Targeted Industry: Energy
  • Target Geography: United States, Canada, Japan, and Others
  • Business Impact: Financial Loss, Data Loss, Reputational Damage, Loss of Intellectual Property

Summary:

Between February and July 2022, researchers observed malicious activity linked to the North Korean state-sponsored threat actor Lazarus Group. In this campaign, the attack vector involved exploiting vulnerabilities in VMware products to gain an initial foothold in corporate networks, followed by the deployment of known custom malware implants from the VSingle and YamaBot families; the investigation also led to the discovery of a previously unknown implant dubbed MagicRAT.
The same campaign had already been partially disclosed by other researchers in April and May 2022. In the recently observed activity, energy organizations, especially in Canada, the U.S., and Japan, appear to be the primary targets, and the goal is suspected to be maintaining long-term access for espionage on behalf of the North Korean government.
The initial vector was identified as exploitation of Log4j on vulnerable VMware Horizon servers. The campaign spanned several attacks on multiple victims; however, researchers highlighted two instances that largely represent the playbook employed by Lazarus Group. In some of the cases, the attacker also used additional tools including Mimikatz, procdump, and a SOCKS proxy (3proxy).

Insights:

  • According to researchers, this activity aligns well with previous intrusions attributed to Lazarus Group that targeted critical infrastructure and energy organizations to establish long-term access and exfiltrate intellectual property in support of the North Korean government's objectives.
  • In addition, the same initial vector, URL patterns, and subsequent hands-on-keyboard activity have been described by other researchers as well. There is also an overlap in IOCs between the current campaign and a campaign reported earlier this year by other researchers.
  • During their observations, researchers saw several mistyped commands sent via the reverse shell on infected machines, which indicates the commands were supplied manually by an operator.

Major Geopolitical Developments in Cybersecurity

U.S. Sanctions on Iran Over a Cyber-attack on Albania, Diplomatic Ties Cut

Albania, a member of NATO, first fell victim to malicious cyber activity in July 2022. The attackers, who call themselves “HomeLand Justice” on Telegram and were most probably sponsored and/or directed from Iran, were likely reacting to a conference planned in Tirana, Albania, which was later canceled. The conference was supposed to be attended by members of Mujahedeen-e-Khalq (MEK), an Iranian opposition group advocating the overthrow of the Iranian government and the dismantling of the ruling regime.

The Prime Minister of Albania, Edi Rama, representing the center-left Socialist Party, stated that state-backed aggressors: “threatened to paralyze public services, delete systems, and steal state data, steal electronic communications within the government system and fuel insecurity and chaos in the country.”

In response, on 7 September Albania expelled Iranian diplomats and embassy staff, ordering them to leave within 24 hours. Albania is therefore the first known state ever to sever diplomatic ties with a country over a cyber-attack. On 8 September, Albania's police systems were attacked again, with the attack taking the Total Information Management System (TIMS) offline; it has since been fully restored. TIMS is designed to enhance capabilities in criminal investigation, border control, criminal intelligence, and case management.

The U.S. Treasury Department imposed sanctions on the Ministry of Intelligence of the Islamic Republic of Iran (MOIS, alias VAJA / VEVAK) and on Minister Esmail Khatib in response to the attack. “The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace,” said National Security Council spokesperson Adrienne Watson. According to the U.S. Treasury, MOIS has orchestrated cyber-operations against unfriendly governments and private corporations since 2007. The news of the U.S. sanctions came as it was revealed that Iran is stalling the nuclear policy talks with the EU and the United States.

The US Mid-term Elections Threatened by APTs

As the United States prepares for the upcoming midterm elections, taking place on November 8th, concerns about cyber-security are on the rise. A US-based cyber-threat detection company is “highly confident” that DDoS attacks, ransomware, and other subversive activity such as phishing campaigns will emerge during the elections, although not specifically targeting or influencing voting machines. Researchers predict that attempts to influence the U.S. election are almost certain.

The cyber-threat company has tracked activity emerging predominantly from the “usual suspects”: threat actors from Russia, China, Iran, and North Korea. Experts expect various advanced persistent threat (APT) groups such as APT41, APT31, APT29, and APT42 to continue and intensify their activities.
The Director of the Cybersecurity and Infrastructure Security Agency (CISA) has also voiced concerns about Russian interference in the midterm elections as well as the threat of a disinformation campaign. The head of election security at CISA has also warned about an insufficient workforce and “insider threats” from local and state adversaries.

Vulnerabilities and Exploits – Java Open-Source Projects Suffering from Path Filter Bypass Vulnerabilities

  • Attack Type: Vulnerabilities & Exploits, Path Filter Bypass, XSS
  • Target Technology: Apache Shiro, dotCMS
  • Target Geography: Global
  • Vulnerability: CVE-2021-41303 (CVSS Score: 9.8), CVE-2022-35740
  • Vulnerability Type: Authentication Bypass
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary:

While performing a code review of some popular Java open-source projects, researchers found interesting bypass flaws in two of them, namely Apache Shiro and dotCMS. The identified vulnerabilities are as follows:

  • CVE-2021-41303: Apache Shiro Authentication Bypass when using Spring Boot
  • CVE-2022-35740: dotCMS XSSPreventionWebInterceptor Bypass using Matrix Parameter

For both vulnerabilities, researchers discovered path filter bypass methods that lead to the issues above.

In the case of the Apache Shiro authentication bypass when using Spring Boot, the flaw exists because Apache Shiro and Spring Boot parse the URL path differently: the filter and the framework that routes the request do not agree on which path is being requested, which allowed researchers to access protected content. In the case of the dotCMS XSSPreventionWebInterceptor bypass using a matrix parameter, researchers overcame the path filter mechanism by targeting the path itself rather than the Origin/Referer headers. They found that the bypass works with matrix parameters instead of query parameters, because matrix parameters can be accepted anywhere in the path.
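The common root cause in both findings is a filter that makes its access decision on one view of the request path while the component behind it routes on another. The following Python script is an added illustration of that mismatch and of the usual mitigation (canonicalize the path, then match). It is a constructed example, not code from Apache Shiro, Spring Boot, dotCMS or the researchers; the protected prefix `/admin/`, the `canonicalize` routine, the `simulated_router_target` stand-in for the downstream framework's path parsing, and the sample request lines are all assumptions made for the demonstration.

```python
"""Constructed example: why a path-based access filter must match on the same
canonical path that the downstream router will act on.

Nothing here reproduces Shiro, Spring Boot or dotCMS internals; the router
stand-in simply assumes the framework resolves matrix parameters and dot
segments, which is the situation the advisory describes.
"""
import posixpath
from urllib.parse import unquote

# Assumed protected area. The trailing slash matters: matching "/admin" alone
# would also match "/administrator" and similar unrelated paths.
PROTECTED_PREFIXES = ("/admin/",)


def naive_is_protected(raw_path: str) -> bool:
    """Filter that compares the request path exactly as received."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the router will actually resolve.

    Steps: drop the query string, percent-decode once (decoding before
    segmenting is the conservative choice for an access filter, since an
    encoded slash then counts as a real segment boundary), strip matrix
    parameters (";key=value") from every segment, then collapse ".", ".."
    and repeated slashes.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    path = posixpath.normpath(path)
    # normpath keeps a POSIX-style double leading slash; collapse it.
    while path.startswith("//"):
        path = path[1:]
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_is_protected(raw_path: str) -> bool:
    """Filter that decides on the canonical path instead of the raw one."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIXES)


def simulated_router_target(raw_path: str) -> str:
    """Stand-in (assumption) for the downstream framework's view of the path."""
    return canonicalize(raw_path)


def find_disagreements(raw_paths):
    """Return the request paths where the naive filter and the router disagree.

    Running this over access-log paths is a cheap way to detect a filter /
    router parsing mismatch in your own deployment before someone else does.
    """
    return [
        p for p in raw_paths
        if naive_is_protected(p) != simulated_router_target(p).startswith(PROTECTED_PREFIXES)
    ]


# Constructed sample request lines (not captured from any real system).
SAMPLE_REQUESTS = [
    "/admin/users",                    # plainly protected
    "/admin;jsessionid=abc/users",     # matrix parameter on a path segment
    "/public/../admin/users",          # dot-segment traversal inside the path
    "/%61dmin/users",                  # percent-encoded "a"
    "/public/docs",                    # plainly public
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(f"{request:32} naive={naive_is_protected(request)!s:5} "
              f"hardened={hardened_is_protected(request)!s:5} "
              f"routes_to={simulated_router_target(request)}")
    print("mismatches:", find_disagreements(SAMPLE_REQUESTS))
```

The `find_disagreements` check is the part worth keeping: whichever framework pair you run, feed it the path your filter sees and the path your router resolves, and any request on which the two decisions differ is a filter-bypass candidate to investigate.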

Insights:

  • Path filter mechanisms can go wrong very easily. It takes considerable effort to implement a comprehensive filter that cannot be abused, and the two findings above, together with numerous other reports from various researchers, show how trivial it can be to escape a path filter.
  • Another important lesson, especially for developers, is that they must fully understand a framework before opting to use it in their products. They must carry out rigorous testing with a focus on security and extend test case scenarios to each component that integrates with the product, to avoid inadvertently introducing a vulnerability.