
Cobalt Strike Leak, Oracle Vulnerability & Maze Shutdown

November 26, 2020

Biweekly Cyber Threat Intelligence Blog, week 48, replacing the weekly Pandemic Intelligence blog

This blog is the first in an ongoing series of biweekly intelligence updates from EclecticIQ, replacing the weekly pandemic blog you used to receive from us. In this new biweekly update we will cover the latest cybersecurity news, industry trends, and current and emerging threats, based on our experts' interpretation of data and other source materials. Since the COVID-19 pandemic is not over, pandemic updates may be included in the biweekly update as well.

Summary of Findings from November 1 - 15

  • EclecticIQ saw no evidence of significant attacks on U.S. voting infrastructure on Election Day, despite earlier indications from multiple threat actors.
  • Maze ransomware operators reportedly shut down as part of a probable transition to a new ransomware family.
  • A critical vulnerability affecting Oracle's Solaris operating system allows unauthenticated attackers to take over affected systems; a public proof-of-concept exploit is available, so patching should not wait.
  • Custom tactics, techniques, and procedures (TTPs) reported for multiple APT groups extend their dwell time and improve their ability to capture sensitive data.
  • Leaked source code for version 4 of Cobalt Strike threat emulation software will enable new malware attacks, with ransomware posing the greatest risk.

The United States experienced information interference throughout the election cycle, but no reported infrastructure attacks on Election Day.

Although there were no observed cyberattacks on voting infrastructure on the day of the U.S. presidential election, reporting in the run-up to Election Day highlighted several important threats. A majority of attacks reported during the months prior to Nov. 3 used spearphishing messages to lure victims to credential-harvesting portals. These earlier attacks were run by many different types of threat actors, including APT activity from Iran, which had also been reported as a threat to the elections earlier in the year. Reported Iran-linked operations aimed to sway public opinion through social media and attempted to steal credentials for networks operated by Democratic-leaning election organizations.

Additionally, more than 50 U.S. intelligence officials signed a letter claiming that widely disseminated political disinformation regarding the Democratic presidential candidate’s son, Hunter Biden, was attributable to Russian activity.

Maze ransomware shuts down: operators may transition to a new ransomware family.

After announcing the shutdown of its operations on November 1, the Maze team may regroup and rebrand under a new ransomware family. Ransomware threats will remain prevalent regardless, because Maze affiliates will almost certainly shift to other ransomware-as-a-service offerings such as REvil, Dharma, and Conti. Our analysts have low confidence that heightened attention from governments and security vendors is what forced Maze to announce the end of its operations.

In 2019, Maze was the first ransomware family to employ double extortion (encrypting data and threatening to publish stolen copies), a tactic adopted by most ransomware groups in 2020. EclecticIQ research shows that Maze was the top ransomware family throughout 2020, impacting more victims than any other.

A public proof-of-concept exploit for an Oracle Solaris vulnerability is expected to instigate exploitation attempts by threat actors.

CVE-2020-14871 is assigned a CVSS severity score of 10.0 (critical) by NIST and affects Oracle Solaris versions 10 and 11. Exploitation allows an unauthenticated attacker with network access over multiple protocols to take over the target Oracle system. Vulnerable hosts are easy for threat actors to identify from server responses, and the flaw is easy to exploit. This vulnerability may initially have been used as a zero-day by APT group UNC1945, with an exploit reportedly offered for sale on dark web markets. Oracle addressed the issue in its October 2020 Critical Patch Update; Solaris systems exposed to untrusted networks should be patched, and authentication logs on unpatched hosts reviewed for anomalous login attempts.

APT groups employ custom malware over a broader range of targets to extend dwell time.

Three recently reported APT groups make use of custom malware that extends dwell time and improves their ability to capture sensitive or proprietary information. Their targets span global industries and organizations.
  1. APT group UNC1945, first reported in November 2020, is notable for combining native tooling with custom malware in operations that are possibly aimed at credential compromise and monetization of the resulting access. The group has used multiple high-profile vulnerabilities to compromise targeted networks, then brings in custom malware and tooling to remain stealthy and exfiltrate information.
  2. APT group CostaRicto engages in global mercenary operations. Mercenary groups act as proxies for targeted operations and obscure attribution. The malware used by this group indicates it is well funded and more advanced than others observed previously. Analysis of its activity indicates that its TTPs are under continuous development and expanding rapidly.
  3. An unidentified APT group uses a variety of delivery vectors to spearphish employees in the defense industry. The operators introduce a custom implant with specialized monitoring capabilities over multiple stages, and obfuscate their actions at multiple points in the kill chain. The implant, dubbed Torisma, is designed to steal proprietary data and upload it to command-and-control infrastructure.

Leaked source code from Cobalt Strike version 4 will likely increase malware attacks.

Cobalt Strike is a legitimate penetration testing tool that has been co-opted by threat actors to deliver a variety of malware and enable more advanced TTPs. The recent leak of Cobalt Strike source code (reportedly a decompiled copy of version 4.0 rather than the vendor's original source) will very likely boost malware attacks, in particular ransomware operations, for which public proof-of-concept tooling already pairs with Cobalt Strike TTPs to establish a foothold on the network. Defenders should expect more attackers to modify the framework to evade existing signatures, and should not rely solely on detections for default Cobalt Strike configurations.
