Summary of Findings
- Russian intelligence service actors are leveraging known exploits to obtain authentication credentials for U.S. and allied networks.
- Multiple suspected APT groups are exploiting Pulse Secure VPN appliances to obtain authentication credentials for affected customer networks.
- Hackers breached the software company Codecov through its Bash Uploader script to access hundreds of restricted customer networks and potentially steal credentials.
- Suspected Russian attackers are leveraging two recently published Microsoft Exchange vulnerabilities to deliver the Prometei botnet for cryptomining.
- Phishing emails impersonate the maritime industry to deliver RATs and keyloggers as part of a possible BEC campaign.
Publicly Known Exploits Yield Authentication Credentials for Further Access
Russian Foreign Intelligence Service (SVR) actors are frequently leveraging publicly known vulnerabilities to conduct widespread scanning and exploitation against U.S. and allied networks, including government-related systems[1]. These exploits are used to obtain authentication credentials for further access. The SVR continues to successfully exploit the following vulnerabilities to gain a foothold in victim devices and networks:
• CVE-2018-13379 Fortinet
• CVE-2019-9670 Zimbra
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2020-4006 VMware
The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have shared mitigations against the vulnerabilities.
Pulse Secure VPN Appliance Vulnerabilities Enable Lateral Movement
Suspected APT groups have likely leveraged previously known vulnerabilities and CVE-2021-22893 to gain initial access to Pulse Secure VPN appliances[2]. FireEye is tracking two groups involved with the activity, UNC2630 and UNC2717, which used multiple tools to harvest credentials from various Pulse Secure VPN login flows. These credentials allowed the APT groups to move laterally within the affected environment. UNC2630 used legitimate, but modified, Pulse Secure binaries and scripts to maintain persistence on the compromised network.
Mandiant, which was acquired by FireEye in 2014, responded to multiple incidents at defense, government, and financial organizations globally. Ivanti, the parent company of Pulse Secure, released mitigations for the exploited vulnerability, as well as the Pulse Connect Secure Integrity Tool [3] to help customers determine whether their systems have been affected.
Codecov Tool Breach Compromises Customer Networks
A malicious actor altered an uploader script [4] from Codecov, a maker of software auditing tools for developers, to access stored authentication credentials for hundreds of customer networks [5]. The hackers focused on other makers of software development tools, as well as customers like IBM that provide technology services. Codecov has published recommended actions for affected users on its website [5].
Prometei Botnet Exploits Microsoft Exchange Vulnerabilities to Mine Monero Cryptocurrency
Suspected Russian attackers are leveraging two Microsoft Exchange vulnerabilities, CVE-2021-27065 and CVE-2021-26858, to install the Prometei botnet for financial gain [6]. The botnet mines Monero cryptocurrency on the infected system. Prometei uses known exploits such as EternalBlue and BlueKeep to spread across networks and install the miner component on as many endpoints as possible. Targeting is very likely opportunistic, with organizations from the United States, Europe, South America and East Asia reported as being infected. The attackers appear to be explicitly avoiding countries belonging to the former Soviet bloc.
Phishing Emails Target Maritime Industry in Likely BEC Campaign
EclecticIQ threat research analysts recently investigated a phishing campaign targeting the maritime industry. The activity is likely part of a wider business email compromise (BEC) campaign. The malicious actor uses spoofed emails and socially engineered subject lines and file names to deliver multiple variants of commodity remote access trojans (RATs) and the Masslogger keylogger, often used for stealing credentials. The attached files require user execution and, in some cases, exploit CVE-2017-11882 for initial execution. The campaign also leverages Agent Tesla to compromise web infrastructure for payload delivery and exfiltration of stolen data.
References
- [1] Russian SVR Targets U.S. and Allied Networks
- [2] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
- [3] KB44755 - Pulse Connect Secure (PCS) Integrity Assurance
- [4] Codecov hackers breached hundreds of restricted customer sites - sources
- [5] Bash Uploader Security Update
- [6] Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities