Suspected Threat Actors: Nobelium
The Nobelium group, linked to Russia’s spy agency, is looking to use resellers as a path to infiltrate their valuable downstream customers – and it’s working.
According to the researchers’ analysis, Nobelium isn’t exploiting a vulnerability or, as was the case with SolarWinds, trojanizing legitimate code. Instead, it is infiltrating reseller networks using tried-and-true tactics such as phishing and credential stuffing, as well as API abuse and token theft, to gather legitimate account credentials and privileged access to reseller networks.
This campaign is merely a subset of a larger wave of Nobelium activities, which points to significantly ramped-up efforts by Russia to establish a persistent anchor for its spy activities.
Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems. This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and to establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.
Researchers have found a relatively new ransomware operation that appears to be inspired by franchise business models. While investigating the XingLocker ransomware group, researchers observed the operators using the RaaS in the form of a “supplier”: the ransomware is rebranded before deployment rather than distributed under the original parent RaaS name. Researchers observed that the XingLocker ransomware family is itself a rebranded version of Mount Locker.
Separate research published in March 2021 had already shown linkage between Mount Locker and another ransomware group called AstroLocker. Extending upon that work, researchers were able to infer that the XingLocker team is yet another Mount Locker franchise. The XingLocker ransomware group used different onion addresses for each victim; however, instead of setting up multiple servers, the group leveraged multiple addresses pointing to the same server.
By analyzing HTTP requests made to this server, researchers uncovered directories that held data from organizations victimized by another group, AstroLocker Team. They believe that the new “franchise” RaaS model involves XingLocker, AstroLocker, and Mount Locker, with Mount Locker as the main RaaS, allowing affiliates to license the ransomware under their own name and brand.
While this new mechanism of shared infrastructure may not be considered sophisticated, it is significant because ransomware groups are constantly looking for new ways to make their affiliate programs and RaaS operations profitable.
From a defender’s standpoint, this form of shared infrastructure and code may complicate investigation and effective detection. It is uncommon to find one ransomware sample being detected as another, or to observe two different onion addresses pointing to the same onion service but used by different ransomware groups altogether, and both grossly complicate matters. Defenders therefore need to be aware of these factors when dealing with ransomware.
This new style of ransomware operation appears to provide more flexibility and recognition to affiliates. However, it also means less brand recognition for the specific ransomware, resulting in victims being less inclined to comply with the ransom demand.
Researchers have uncovered a critical vulnerability affecting a popular open-source community forum and mailing list management platform. The flaw, CVE-2021-41163, is an RCE vulnerability that could allow attackers to invoke OS commands with whatever rights the web app runs with. Given the implications of a CVE-2021-41163 exploit and the ease of leveraging it (a single unauthenticated POST), patching should be treated as an emergency.
An OSINT search returned 8,641 Discourse deployments, many of which could still be exposed to RCE exploitation. All SaaS instances, however, have been patched since last week.
Researchers advised those who can’t update to the latest version to block requests with a path starting with ‘/webhooks/aws’ at an upstream proxy.
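The interim mitigation above is a path-prefix block rule at the proxy. The following is an added example, not code from the researchers or the Discourse project, that shows the matching logic such a rule needs: the request path is canonicalised (query stripped, percent-decoded once, repeated slashes collapsed, dot segments resolved) before the prefix comparison, so trivially disguised spellings of the same path are caught by the same rule. The prefix comes from the page; the sample request lines are constructed and the helper names are assumptions for this example.

```python
import posixpath
import re

# Path prefix from the page's interim mitigation for CVE-2021-41163.
BLOCKED_PREFIXES = ("/webhooks/aws",)


def normalize_path(request_target):
    """Canonicalise a request-target before matching it against a block rule.

    The steps mirror what reverse proxies and web frameworks typically do
    before routing: strip query and fragment, percent-decode once, collapse
    repeated slashes and resolve '.' / '..' segments. Matching the raw string
    instead would let disguised variants of the same path slip past the rule.
    """
    path = request_target.split("?", 1)[0].split("#", 1)[0] or "/"
    path = unquote_once(path)            # decode once, e.g. %61 -> a
    path = re.sub(r"/+", "/", path)      # '//webhooks' -> '/webhooks'
    path = posixpath.normpath(path)      # resolves './' and '../' segments
    if not path.startswith("/"):
        path = "/" + path
    return path


def unquote_once(path):
    """Single pass of percent-decoding; a second pass is deliberately not done,
    matching how a proxy decodes the URI before location matching."""
    from urllib.parse import unquote
    return unquote(path)


def should_block(request_target):
    """True if the normalised path starts with a blocked prefix."""
    path = normalize_path(request_target)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def triage_request_lines(lines):
    """Split constructed 'METHOD target' request lines into blocked and allowed targets."""
    blocked, allowed = [], []
    for line in lines:
        _method, _, target = line.partition(" ")
        (blocked if should_block(target) else allowed).append(target)
    return blocked, allowed


# Constructed request lines (not from any real server log).
SAMPLE_REQUEST_LINES = [
    "POST /webhooks/aws",
    "POST /webhooks/aws/?token=abc",
    "POST /webhooks//aws",
    "POST /webhooks/%61ws",
    "POST /webhooks/mail/../aws",
    "GET /t/welcome-to-discourse/8",
    "GET /webhooks",
]

if __name__ == "__main__":
    blocked, allowed = triage_request_lines(SAMPLE_REQUEST_LINES)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

The same normalisation is what the proxy in front of the instance should perform before its own prefix match; if the proxy compares the raw URI while the application normalises it, the two can disagree about which route a request reaches.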
Hancitor (AKA Chanitor, Tordal) is a rather popular macro-based malware dropper distributed via malicious Office documents. It is particularly difficult to detect, not only because it is distributed via a link to Google Docs, but also because it has multiple mechanisms for deciding whether it should run on the infected endpoint (for example, checking whether it was previously run in the same environment).
Hancitor has so far been used to distribute various payloads, including FickerStealer and Cobalt Strike.
Since the beginning of 2021, there have been additional campaigns (still ongoing) distributing malware via fake DocuSign emails to attract new victims. In a recent case (and it’s not the only one), victims receive a fake DocuSign email delivering an invoice (yes, money is always a good reason to open a malicious link).
DocuSign templates are a common lure for Hancitor. Specifically, the link within the email points to a Google Docs document that prompts the user to download a malicious .DOCX file. Once executed, the malicious document downloads the payload.
As noted earlier, the technique of leveraging a legitimate cloud service for redirection is not new; it has been used in recent campaigns with Box, SharePoint, Google Drive, and Dropbox to distribute malware or serve phishing pages.
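The lure pattern described above (a DocuSign-branded notice whose link goes to a Google Docs document) can be caught at the mail gateway with a brand/host mismatch check. The following is an added example written for this page, not code from the researchers: it detects messages that invoke a brand in their text but link to a host outside that brand's domains, and separately flags the cloud services the page names as redirection hops and the money-themed pretext. The brand domain list and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of hosts the impersonated brand legitimately uses
# (assumption for this example; maintain it from the vendor's published domains).
BRAND_HOSTS = {
    "docusign": ("docusign.com", "docusign.net"),
}

# Legitimate cloud services the page names as redirection hops for malware
# and phishing pages; a link to one of these from a branded notice is a signal.
CLOUD_REDIRECTORS = (
    "docs.google.com", "drive.google.com", "dropbox.com",
    "box.com", "sharepoint.com",
)

# Words that mark the money-themed pretext described for the Hancitor campaign.
FINANCIAL_LURE_WORDS = ("invoice", "payment", "remittance", "wire")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze_email(subject, body):
    """Return a list of (finding, detail) tuples for one message.

    The core check is brand/host mismatch: the message presents itself as a
    DocuSign notice but its links point somewhere other than DocuSign's own
    domains, in the campaign above a consumer cloud document service.
    """
    text = (subject + " " + body).lower()
    brand = next((b for b in BRAND_HOSTS if b in text), None)
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if brand and not host_matches(host, BRAND_HOSTS[brand]):
            findings.append(("brand_host_mismatch", host))
        if host_matches(host, CLOUD_REDIRECTORS):
            findings.append(("cloud_redirector", host))
    if brand and any(w in text for w in FINANCIAL_LURE_WORDS):
        findings.append(("financial_lure", brand))
    return findings


def is_suspicious(subject, body):
    """Flag when an impersonated brand links off-brand (the Hancitor pattern)."""
    kinds = {kind for kind, _ in analyze_email(subject, body)}
    return "brand_host_mismatch" in kinds


# Constructed sample messages (not real campaign artifacts).
SAMPLES = {
    "lure": (
        "Invoice ready for signature via DocuSign",
        "Please review and sign your invoice: "
        "https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit",
    ),
    "legit": (
        "Completed: NDA via DocuSign",
        "All parties have signed. View: https://na2.docusign.net/Signing/EXAMPLE_TOKEN",
    ),
    "unrelated": (
        "Team photos",
        "Shared folder: https://www.dropbox.com/sh/EXAMPLE/files",
    ),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        print(name, is_suspicious(subject, body), analyze_email(subject, body))
```

The cloud-redirector finding is deliberately kept separate from the verdict: links to Google Docs or Dropbox are common in legitimate mail, so on their own they are context for an analyst, while the brand/host mismatch is the signal strong enough to hold a message.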