Summary of Findings
- Cisco revealed a high-severity vulnerability in its Security Manager that introduced high risk to a large number of security systems.
- APT activity is targeting COVID-19 and financial supply chains.
- Malware with extended capabilities increases attack efficacy, allowing threat actors to maintain a smaller footprint against enterprise security while increasing attack efficacy.
- Commodity malware with the potential to target broad victim sets obfuscates attribution as it is traded by different threat actors.
High-severity flaw in Cisco Security Manager creates risk to large number of security systems
Florian Hauser from security firm Code White reported a critical bug in Cisco Security Manager 4.21 and earlier. These versions of Security Manager contain a path-traversal vulnerability that could allow an unauthenticated attacker to exfiltrate files from security devices. A Proof of concept (PoC) was released on GitHub (https://hackademicus.nl/expert-publicly-discloses-poc-code-for-critical-rce-issues-in-cisco-security-manager/). A fix is tentatively planned for the future 4.22 release.
APT group targets global provider of vaccine cold storage transport
An APT group has very likely attacked a global provider for vaccine cold storage transport. The attack represents a high risk of disruption to the global cold chain for vaccine distribution. The APT group impersonated an executive at Haier Biomedical (China), a qualified member of the Cold Chain Equipment Optimization Platform (CCEOP) program that is purported to be the world’s only complete cold chain provider. The APT group sent spear-phishing emails to multiple organizations believed to supply material support for transportation needs to Haier. The attack appears to have been designed to harvest credentials that could be used for further penetration of the supply chain and the parties involved. Possible motivations include gaining a competitive edge for control of the supply chain to prioritize delivery to a certain region, or using data from the attacks to set up spear-phishing into government contractor networks to launch a global espionage operation in targeted nations in the future.
Supply chain attack impacts South Korea’s financial sector
The Lazarus APT is reported to have exploited the financial sector supply chain of South Korea . The attack exploited specific servers used to provide authentication software to end users for access to their personal financial accounts. Victims were redirected to Trojanized packages from legitimate banking infrastructure, demonstrating how supply chain attacks can affect an entire vertical. Both end user accounts and bank infrastructure were affected by a single point of failure in server software configuration, which managed to avoid detection for approximately four months.
APT groups extend global reach with custom malware and complex infection stages to steal targeted proprietary information
Signed malware was introduced to government organizations within the Southeast Asia region for espionage purposes. Bitdefender has attributed the activity to China.
Three different backdoor families have been detailed as part of the operation; Chinoxy, FunnyDream, and PCShare. EclecticIQ analysts note that similar malware variants of Chinoxy Backdoor with very similar TTPs have targeted Kyrgyzstan interests. They contain further links to “royal road” malware used for targeting Vietnam. Chinoxy has also been observed communicating with Russian infrastructure. Analysis of the above TTPs, with their strong similarities to the malware in the Bitdefender report and their geopolitical patterning of victims, supports the Bitdefender attribution with medium confidence.
APT groups target think tanks, possibly to build intelligence on foreign policy
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed continued targeting of U.S. think tanks by at least one APT group. It is possible that the additional remote work infrastructure (VPNs, etc.) used for social distancing during the pandemic has created a larger attack surface through which such espionage attacks could be initiated. Multiple delivery phase TTPs were reportedly used. No further activity in the Kill Chain Phases (KCP) has been reported.
APT10 operations may indicate targeted interest in Japanese trade
Symantec discovered a new, complex, and sophisticated APT campaign against Japanese companies in multiple industry sectors and geographies.
This global espionage campaign, likely operated by APT 10 (Cicada), used custom malware and native system tooling to operate multi-staged infiltration of targets. Symantec reported that the global victims showed a pattern of links to Japan or Japanese companies. The campaign reportedly ended in October 2020.
Ransomware syndicates using Big Game Hunting TTPs pose largest risk of infection
Ransomware syndicates promote attacks against many different organizations. Fox IT reported the Russia-based TA505 APT has been operating the Clop ransomware leak site since at least June 2020. The group is relatively sophisticated and successful among ransomware syndicates. It poses a high risk to a broad range of corporations through the use of Big Game Hunting TTPs.
PYSA/Mespinoza Ransomware is a new ransomware family that is notable because operators employ thorough lateral movement, turning off backups and shadow copies before encrypting the majority of the network. Threat actors may brute force RDP connections supporting remote working mandated by the pandemic.
New mobile spyware threatens the privacy of citizens within multiple nations that consume NSO products
Specialized spyware from the surveillance firm Circles is designed to exploit the SS7 network and gain unauthorized access to mobile phones. The malware is able to inject a backdoor into mobile phones, likely via an underlying weakness in the SS7 protocol.
The Circles malware is different from Pegasus malware, but is affiliated with the threat actor organization (NSO Group) that develops it. Pegasus malware can be delivered via a zero-click vector that pushes a series of specially crafted packets directly to mobile phones.
Malware developed with extended capabilities allows threat actors to maintain a smaller footprint against enterprise security, increasing attack efficacy
“Chaes” malware targeted customers of the largest e-commerce company in Brazil, MercadoLivre. This malware is notable for multiple delivery vectors and TTPs focused on browser data monitoring, credential theft, and screen capture. Cybereason reported new versions of Chaes, indicating its authors are improving the malware and adding features. It is very likely that high-profile attacks with this malware will increase.
The MooBot botnet has demonstrated zero-day capabilities for delivery and multi-layer encryption to remain persistent in attacks with tailored vulnerabilities. The current zero-day vulnerability concerns Unix CCTV DVR devices. The malware family has historically used other zero-day exploits.
Blackrota malware uses multiple obfuscation techniques to hide from detection and analysis, giving threat actors more time to complete their objectives. Bytes are encoded and XOR’d and dynamically decoded only at runtime. A further randomized substitution cypher was observed within the code to hinder analysis.
Commodity malware with potential to target broad victim sets will make variant attribution very difficult
Signed samples of the Bandook remote access Trojan are possibly being sold to third parties including APTs and cybercriminals. Malware traded among threat actors in different tiers makes attribution much more difficult within a particular malware family or macro TTP.
Broad targeting of multiple popular browsers by the Jupyter backdoor is very likely to encourage its use in many different types of future attacks. The commodity malware enables threat actors with less skill to direct more-effective attacks and may obfuscate APT activity within less-sophisticated TTPs. The common browser hooks ensure that the malware can be applied to broad sets of victims.
This blog is part of an ongoing series of biweekly intelligence updates from EclecticIQ. It replaces the weekly pandemic blog you used to receive from us. In each blog, we cover the latest cybersecurity news, industry trends, and current and emerging threats based on our experts’ interpretation of data and other source materials. Since the COVID-19 pandemic is ongoing, updates on this situation might be included as well.