Weekly Intelligence Trends and Advisory – 20 Jun 2021

Grief Ransomware and SolarMarker, SystemBC and SteamHide Malware Observed

The Grief ransomware has recently entered the multi-billion-dollar ransomware market alongside another new ransomware player, Prometheus. Grief is a lesser-known ransomware group and has already claimed to have stolen data from at least five organizations.

 

Researchers observed the data-stealing SolarMarker malware spreading by prompting victims to download malicious PDF documents. The SolarMarker authors used SEO poisoning, also known as search poisoning, to surface in search engine results and infect more victims with the malware. Different researchers also reported SolarMarker activity using the same technique in February and April. While Google Sites was used to host malicious documents in past activity, attackers have shifted to Amazon Web Services in recent campaigns.

 

The malware SystemBC has been observed initializing Ransomware-as-a-Service (RaaS) attacks such as Ryuk and Egregor. SystemBC is also known to have been used as part of the attack chain of the DarkSide ransomware attack against Colonial Pipeline. The malware has gained popularity among RaaS affiliates due to its TOR capability. In the latest variation of the malware, the malicious payload is smaller and does not contain the TOR client functionality. Instead, the RAT relies on communication through hard-coded addresses over IPv4 TCP traffic on non-standard ports.

 

Researchers discovered the new malware SteamHide, which leverages Steam profile images to avoid detection. The technique of hiding malware in an image file's metadata is not new; however, using the widely popular gaming platform is unique. SteamHide serves payloads for malware downloaders. The Steam platform merely serves as a vehicle on which the malicious files are hosted. The heavy lifting of downloading, unpacking, and executing a malicious payload fetched by the loader is handled by an external component.

DDoS Attacks Increase 341% Amid Pandemic

Attack Type: DDoS, RDDoS

Target Industry: Multiple

Target Geography: Global

Business Impact: Operational Disruption, Financial Loss

 

A recent research report suggests that there has been a 341% year-over-year increase in distributed denial-of-service (DDoS) attacks. With the pandemic escalating around the world, the year 2020 saw an explosion in online gaming and dependence on the internet, and the global workforce quickly shifted to remote work, which was an attractive target for attackers. This increased reliance gave attackers fresh impetus to use DDoS to target organizations and networks, putting an enormous strain on telcos, ISPs (Internet Service Providers), and CSPs (Communications Service Providers). The motives behind these DDoS attacks vary and include financial gain, political and economic benefit, revenge, and cyberwarfare. Large-scale DDoS attacks tend to be the result of a collective effort with a specific agenda in mind.

 

There was also an increase in extortion and ransom DDoS (RDDoS) attacks against a wide range of industries. Apart from the traditional DDoS attack, researchers observed abnormal traffic patterns dubbed “invisible killers”, which consisted of small-sized, short attacks. These types of attacks were often overlooked by ISPs since they occurred almost daily and did not result in detrimental service degradation to the customer or ISP. Overall, DDoS attacks are becoming more complex than ever as attackers opt for a more deceptive and sophisticated approach.

In upcoming years, it is expected that DDoS attacks will result in severe outages for organizations as well as CSPs that rely on threshold and signature-based detection. Since these types of detection are only geared towards detecting obvious static attack traffic patterns, new attack strategies have been able to bypass such detections.
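The gap described above can be seen on a small traffic series. The following is an added example, not code from the report: the per-minute packet rates are constructed, and the function names, the 5000 pps limit, the window size and the multiplier are assumptions chosen for illustration. It compares a fixed threshold with a trailing median/MAD baseline, one possible alternative to static thresholds.

```python
from statistics import median

def build_sample():
    """Constructed per-minute packet rates (pps) for one link, 120 minutes."""
    series = [1000 + (i * 37) % 50 - 25 for i in range(120)]  # normal jitter
    for i in (40, 41, 42, 70, 71):   # short, small bursts ("invisible killers")
        series[i] = 1800
    for i in range(100, 105):        # one obvious volumetric flood
        series[i] = 9000
    return series

def static_threshold(series, limit):
    """Threshold-based detection: flag minutes above a fixed rate."""
    return [i for i, v in enumerate(series) if v > limit]

def rolling_mad(series, window=30, k=6.0):
    """Flag minutes exceeding the trailing median by more than k * MAD.

    Median and MAD are robust statistics, so a few earlier bursts inside
    the window do not inflate the baseline and hide later ones.
    """
    hits = []
    for i in range(window, len(series)):
        hist = series[i - window:i]
        med = median(hist)
        mad = median([abs(v - med) for v in hist]) or 1.0  # guard flat history
        if series[i] - med > k * mad:
            hits.append(i)
    return hits

if __name__ == "__main__":
    sample = build_sample()
    fixed = static_threshold(sample, limit=5000)   # assumed operator limit
    adaptive = rolling_mad(sample)
    print("fixed threshold :", fixed)
    print("rolling baseline:", adaptive)
    print("missed by fixed :", [i for i in adaptive if i not in fixed])
```

The fixed limit reports only the flood, while the rolling baseline also reports both short bursts, which sit well below the limit.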

 

Application attacks are expected to double, and the effectiveness of authentication-based mitigation for DDoS attacks will be further tested. Enterprises are more likely to see advanced Layer 7 attacks tailored to bypass authentication-based mitigation. While such mitigation can adequately defend against well-known attacks such as Hulk, Slowloris, and Slow Read, it does not fare well with other applications, namely application programming interfaces (APIs) and mobile apps.

 

Due to the recent rise in RDDoS, it is also expected that high-profit online businesses such as professional delivery services, video communications platforms, game makers, and telehealth services will be impacted. The driving factors that may influence RDDoS attacks include the accessibility and popularity of cryptocurrencies and readily available DDoS-for-hire services. Additionally, ransom-based attacks have demonstrated success for attackers.

Andariel Evolves to Target South Korea with Ransomware

Suspected Threat Actors: Andariel group – a sub-group of Lazarus

Attack Type: Ransomware, Malware Implant, Data Encryption

Target Industry: Manufacturing, Home Network Service, Media, Construction

Target Geography: South Korea

Target Technology: Microsoft Word Document, PDF Document

Ransomware / Malware: Unknown Custom Ransomware, PEBBLEDASH (aka Manuscrypt)

Objective: Financial Gains, Unauthorized Access

Business Impact: Data Loss, Financial Loss, Operational Disruption

 

In April 2021, researchers observed a suspicious Word document with a Korean file name and decoy that leveraged a novel infection scheme and an unfamiliar payload. Another researcher reported the same series of attacks and attributed them to the Lazarus group. Further analysis of the campaign, reported this month, concluded that the Andariel group, a sub-group of Lazarus, was behind these attacks. Apart from code similarity between the second-stage payload in this campaign and previous malware from the Andariel group, researchers also found that the Windows commands and options used in this campaign were almost identical to previous Andariel activity. The threat actor is suspected to have spread the third-stage payload from the middle of 2020 onwards, leveraging malicious Word documents and files mimicking PDF documents as infection vectors. In addition to the final backdoor, researchers discovered that one of the victims had been infected with custom ransomware.

 

Researchers highlight that the suspicious Word document contained an unfamiliar macro and used novel techniques to implant the next payload. Two infection methods were discovered in these attacks; in both, each payload has its own loader for execution in memory, and the final-stage payload was only delivered to selected victims.

 

The April reporting by researchers attributed this campaign to the Lazarus group based on several similarities to past Lazarus operations. The current month's report draws a different attribution based on the custom string decryption routine seen in the second-stage payload, a routine known to have been used by Andariel malware for a long time.

 

In addition, they observed an indicator in the post-exploitation activity on victim machines. Researchers stress that each APT actor displays a different command-line signature when working interactively via an installed backdoor. Here, the same Windows command options were observed in both cases (this campaign and previous Andariel activity). Further, the researchers highlighted that the Windows commands used by the Lazarus group are known to differ from those used by Andariel.

The Andariel group has continued to focus on targets in South Korea, but its tools and techniques have evolved considerably. The end goal of the Andariel group in this attack appears to be to spread ransomware and infect victims with it. By leveraging ransomware, the group has underlined its place as a financially motivated state-sponsored actor.

Unpatched Bugs Found in Provisioning Platform Used with Cisco UC

Target Geography: Global

Target Technology: Akkadian Provisioning Manager

Vulnerabilities: CVE-2021-31579 (CVSS Base Score: 8.2), CVE-2021-31580 (CVSS Base Score: 7.9), CVE-2021-31581 (CVSS Base Score: 7.9), CVE-2021-31582 (CVSS Base Score: 7.9)

Vulnerability Type: Remote Code Execution

Impact: Confidentiality (High), Integrity (High), Availability (High)

 

Researchers disclosed a trio of high-severity security vulnerabilities that can be chained together to enable remote code execution (RCE) with elevated privileges in the Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications (Cisco UC) environments. The vulnerabilities, which remain unpatched, are all present in Akkadian Provisioning Manager version 4.50.18 and are as follows.

 

CVE-2021-31579: Use of Hard-Coded Credentials.

CVE-2021-31580 and CVE-2021-31581: Improper Neutralization of Special Elements Used in an OS Command, using the exec and vi commands, respectively.

CVE-2021-31582: Exposure of Sensitive Information to an Unauthorized Actor.

 

Researchers highlight that combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 will allow an otherwise unauthorized attacker complete, root-level shell access to the affected devices, which can open the door for a range of Linux-based malware. CVE-2021-31582, on the other hand, allows an authenticated attacker (including via CVE-2021-31579) to alter or delete the contents of the local MariaDB database, or, in some cases, recover LDAP BIND credentials in use in the host organization.

 

Due to the first issue, organizations must limit access to the SSH port to trusted users and should not expose it to the internet. It should also be noted that, in the absence of a fix, system operators who have access to the Akkadian Appliance Manager effectively have root shell access to the device due to the second and third issues.

 

Attackers are always looking for such high-severity vulnerabilities in popular products used across corporate networks. The year has already seen major attacks on large organizations by threat actors targeting various vulnerable software. These included exploitation of Pulse Secure VPN, a code execution flaw in BIG-IP, exploitation of Fortinet VPN, the zero-day flaw in SonicWall devices, and Microsoft Exchange.
