At a glance.
- Transparent Tribe keeps up CrimsonRAT phishing campaigns.
- COVID-19 might be the top phishing theme of all time.
- Another side-channel attack against speculative-execution processors.
- Ransomware operators prefer to trigger their malware at night.
- Turla targets Armenian websites.
Transparent Tribe keeps up CrimsonRAT phishing campaigns.
APT36 (also known as Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis) has joined the host of state-sponsored threat actors using COVID-19-themed phishing emails, according to Malwarebytes. APT36 is associated with the Pakistani government and primarily targets Indian government and defense entities. The group had been thought inactive or at least operating under the radar for the past four years, but several security firms have observed increased activity in recent months.
The group is currently sending spearphishing emails carrying malicious Microsoft Office documents that purport to come from the Indian government. The document poses as a directive concerning the government's response to the coronavirus situation, and it contains VBA macros that, if the recipient enables them, install the CrimsonRAT malware.
In light of the widespread coronavirus-themed phishing activity from both state-sponsored and criminal actors, Malwarebytes advises organizations to train their "employees and users to avoid opening coronavirus resources from unvetted sources."
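The macro-laden lure described above is an ordinary Office Open XML container with a VBA project inside it, which is something a mail gateway or an analyst can test for before anyone opens the file. The following is an added example written for this briefing, not Malwarebytes' tooling and not a CrimsonRAT signature: it classifies an attachment by container type and reports whether a VBA project is present, using only the Python standard library. The sample documents it builds are constructed in memory and contain no real macro code; the placeholder bytes in the vbaProject.bin part are an assumption for the test.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example for this briefing; not Malwarebytes' code and not a detector
for CrimsonRAT itself. Office Open XML files (.docm, .xlsm, .pptm) are ZIP
containers; the VBA project lives in a part named vbaProject.bin and is
declared in [Content_Types].xml. Legacy OLE files (.doc, .xls) need an
OLE parser, so they are reported rather than parsed here. All sample files
are constructed in memory; no real malware is used.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # CFBF header of legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> dict:
    """Return {"format": ..., "has_vba": True/False/None, "evidence": ...}."""
    if data.startswith(OLE_MAGIC):
        return {"format": "ole", "has_vba": None,
                "evidence": "legacy binary container; inspect with an OLE/VBA parser"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "unknown", "has_vba": None, "evidence": "not an Office container"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_vba": None, "evidence": "corrupt ZIP container"}
    # Two independent signals: the part itself, and its declared content type.
    evidence = [n for n in names if n.rsplit("/", 1)[-1].lower() == "vbaproject.bin"]
    if VBA_CONTENT_TYPE in content_types:
        evidence.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
    return {"format": "ooxml", "has_vba": bool(evidence),
            "evidence": "; ".join(evidence) or "no VBA part found"}


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal Word-style container (sample data, not a real document)."""
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>')
    if with_macro:
        types += ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                  % VBA_CONTENT_TYPE)
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project (assumption for the demo).
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_document(False)),
                        ("macro", build_sample_document(True)),
                        ("legacy", OLE_MAGIC + b"\x00" * 24)]:
        print(label, classify_attachment(blob))
```

A positive result here means "this file can prompt the user to enable macros", not "this file is malicious"; the practical value is that a macro-bearing document claiming to be a government directive from an unvetted sender is exactly the case the advice above tells users to refuse.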
COVID-19 might be the top phishing theme of all time.
Proofpoint emphasizes the magnitude of ongoing COVID-19-themed phishing campaigns, stating that "the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme that our team has seen in years, if not ever." The financially motivated gang TA505 is among the groups cynically exploiting the topic. Proofpoint's researchers say the threat actor is using "a coronavirus lure as part of a downloader campaign targeting the U.S. healthcare, manufacturing, and pharmaceuticals industries." Likewise, TA564, another criminal actor, is impersonating the Public Health Agency of Canada and using coronavirus-themed lures to distribute the Ursnif banking Trojan.
Another side-channel attack against speculative-execution processors.
Researchers at Bitdefender outline a new proof-of-concept side-channel attack against Intel CPUs. The attack makes use of a Load Value Injection vulnerability (CVE-2020-0551) in the processor's Line Fill Buffers. The researchers attribute the flaw to "an indirect memory branch which requires a microcode assist being fed stale values from the MDS buffers which can be controlled by an attacker, thus leading to speculative arbitrary code execution."
The issue was first discovered by an international team of academic researchers, who published a detailed paper on the topic. Intel has released firmware patches to address the problem, and the company plans to implement hardware-level fixes in future CPUs.
Bitdefender's researchers explain that the "attack may be particularly devastating in multi-tenant and multi-workload environments which run on hardware shared between groups of workloads within an organization, or between organizations, such as public- and private-clouds. This is because, as the PoC shows, there is the potential for a lesser-privileged process under attacker control to speculatively hijack control flow in a higher-privileged process, when specific requirements are met."
Ransomware operators prefer to trigger their malware at night.
FireEye researchers describe trends in ransomware deployment strategies. They found that the three most common infection vectors are phishing, misconfigured or vulnerable Remote Desktop Protocol (RDP) services, and drive-by downloads. The phishing campaigns primarily deliver the Emotet, Trickbot, and FlawedAmmyy Trojans.
In three-quarters of these attacks, the dwell time (the length of time the attackers are present in the networks before triggering the ransomware) is at least three days, and it can be much longer. The researchers note that extended dwell time can give organizations opportunities to root out the attackers before they deploy the malware, but it can also lead to significantly more damaging attacks if the intruders remain undetected.
In 76% of ransomware attacks, the malware's encryption routine was triggered outside of working hours, either on a weekend or between 8:00 PM and 6:00 AM on weekdays. 49% of the attacks took place at night or in the early hours of the morning on a weekday. The researchers believe this can "maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours."
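The timing finding above translates directly into a detection rule: a burst of file writes from one account on one host is worth a look at any hour, but the same burst on a weekend or between 8:00 PM and 6:00 AM on a weekday should page someone rather than wait for the morning shift. The following is an added example written for this briefing, not FireEye's tooling. It parses a constructed, hypothetical file-write log format, groups writes into fixed five-minute windows per host and user, and marks any window over a threshold as off-hours using the windows the briefing cites. The log lines, the host and user names, the ".locked" suffix, the threshold and the window size are all assumptions; timestamps are taken to be local time.

```python
"""Flag bursts of file writes and mark those that fall outside working hours.

Added example for this briefing; not FireEye's detection logic. The off-hours
definition is the one the briefing reports: any time on a weekend, or 20:00
to 06:00 on a weekday (20:00 inclusive, 06:00 exclusive). Log format, host
and user names and the ".locked" suffix are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: a Saturday-night burst, a normal Monday edit session,
# and a small Tuesday 02:41 burst. Not real telemetry.
SAMPLE_LOG = """\
2020-03-14 22:05:11 host=fs01 user=svc_backup event=file_write path=/srv/share/finance/q1.xlsx.locked
2020-03-14 22:05:12 host=fs01 user=svc_backup event=file_write path=/srv/share/finance/q2.xlsx.locked
2020-03-14 22:05:14 host=fs01 user=svc_backup event=file_write path=/srv/share/finance/budget.docx.locked
2020-03-14 22:05:15 host=fs01 user=svc_backup event=file_write path=/srv/share/finance/README_DECRYPT.txt
2020-03-16 10:12:01 host=ws07 user=alice event=file_write path=/home/alice/report.docx
2020-03-16 10:12:40 host=ws07 user=alice event=file_write path=/home/alice/notes.txt
2020-03-16 10:13:02 host=ws07 user=alice event=login path=-
2020-03-17 02:41:03 host=fs02 user=admin event=file_write path=/srv/share/hr/payroll.csv.locked
2020-03-17 02:41:05 host=fs02 user=admin event=file_write path=/srv/share/hr/contracts.pdf.locked
2020-03-17 02:41:06 host=fs02 user=admin event=file_write path=/srv/share/hr/benefits.xlsx.locked
"""

LINE_RE = re.compile(r"^(\S+ \S+) host=(\S+) user=(\S+) event=(\S+) path=(\S+)$")


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or weekday between 20:00 (inclusive) and 06:00 (exclusive)."""
    if ts.weekday() >= 5:          # Saturday=5, Sunday=6
        return True
    return ts.time() >= time(20, 0) or ts.time() < time(6, 0)


def parse_events(log_text: str):
    """Yield (timestamp, host, user, path) for file_write lines; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "file_write":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(5)


def detect_bursts(log_text: str, threshold: int = 3, window_minutes: int = 5) -> list:
    """Return one alert per (host, user, window) with at least `threshold` writes.

    Each alert carries an off_hours flag so a responder can prioritise the
    night-time and weekend bursts the briefing says attackers favour.
    """
    buckets = defaultdict(list)
    for ts, host, user, path in parse_events(log_text):
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[(host, user, start)].append(path)

    alerts = []
    for (host, user, start), paths in sorted(buckets.items()):
        if len(paths) < threshold:
            continue
        alerts.append({
            "host": host,
            "user": user,
            "window_start": start,
            "writes": len(paths),
            "off_hours": is_off_hours(start),
            "sample_path": paths[0],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        flag = "OFF-HOURS" if alert["off_hours"] else "business hours"
        print(f"{alert['window_start']} {alert['host']} {alert['user']} "
              f"{alert['writes']} writes ({flag}) e.g. {alert['sample_path']}")
```

The threshold of three writes is deliberately low so the sample fires; in production it would be tuned per host class, and a real rule would add signals the briefing does not quantify, such as renamed extensions or a dropped ransom note. The point the example makes is the scheduling one: the off_hours flag is what decides whether the alert goes to an on-call responder or into a queue that nobody reads until 9:00 AM.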
Turla targets Armenian websites.
ESET discovered watering hole attacks affecting four Armenian websites, two of which belong to the Armenian government. The researchers attribute the attacks to the Russia-aligned Turla group, and they believe the websites have been compromised "since at least the beginning of 2019." The sites were still compromised when ESET came across them, although it appears the attackers ceased making use of the sites in November 2019.
The researchers aren't sure how the attackers compromised the websites, but the attackers managed to insert JavaScript that loaded an iframe displaying a fake Adobe Flash update notification. If a visitor downloaded and ran the offered file, it installed both "a Turla malware variant and a legitimate Adobe Flash program." The attacks were highly targeted: the iframe was only served to visitors the attackers deemed "interesting" enough. ESET says the attack didn't appear to use any browser vulnerabilities, so "the compromise attempt relies only on this social engineering trick."
Before September 2019, the compromised sites delivered a backdoor with substantial code overlap with Turla's Skipper backdoor. At the beginning of September, the attackers switched to a downloader ESET calls NetFlash, which in turn installed a new Python-based backdoor the researchers have dubbed "PyFlash." They note that this is the first known instance of Turla using a backdoor written in Python.