At a glance.
- Iranian threat actor exposes operations on misconfigured server.
- The Molerats resurface with a malicious Android app.
- More ransomware gains OT-specific targeting capabilities.
- Emotet operators launch new phishing campaigns.
- Zoom fixes vanity URL issue.
- ThiefQuest's developers act quickly.
Iranian threat actor exposes operations on misconfigured server.
IBM's X-Force has uncovered information about the operations of ITG18, a threat group the researchers say overlaps with the Iranian threat actors Charming Kitten and Phosphorus. X-Force found a misconfigured server exposed online that contained more than forty gigabytes of data relating to ITG18's operations. The data included nearly five hours of desktop screen recordings (apparently used as training videos) showing the operators "searching through and exfiltrating data from various compromised accounts of a member of U.S. Navy and a personnel officer with nearly two decades of service in Hellenic Navy." These videos provided X-Force researchers with a detailed look at how ITG18 moves within systems and exfiltrates various types of data.
The attackers were observed adding compromised accounts to the legitimate email collaboration suite Zimbra, which allowed the operators "to monitor and manage various compromised email accounts simultaneously." They also attempted to validate credentials against any accounts belonging to the targets, including seemingly trivial accounts like video games and pizza delivery services. Interestingly, the ITG18 operators were dissuaded by multifactor authentication (MFA), and in the cases observed by IBM the attackers simply moved on when they validated credentials for an account protected by MFA.
The Molerats resurface with a malicious Android app.
ESET describes new activity associated with the Molerats (also known as the "Gaza Hackers"), a threat actor that conducts espionage primarily against targets in the Middle East. The group is using a malicious Android app called "Welcome Chat," which purports to be a secure messaging app marketed to Arabic-speaking users. Welcome Chat functions as advertised, but operates as spyware in the background. The app requests extensive permissions, but ESET notes that users may think these permissions are normal for a messaging app. In addition to harvesting users' information, the attackers also inadvertently left the data publicly exposed on the Internet.
ESET thinks the attackers built the app from scratch rather than trojanizing a legitimate app, since they haven't been able to locate any version of the app without the espionage component. The app is largely built from open-source code taken from GitHub, and the researchers note that it's fairly simple to create an Android app. They link the operation to the Molerats based on the use of the same command-and-control server seen in two previous operations identified by Palo Alto Networks and Fortinet.
More ransomware gains OT-specific targeting capabilities.
FireEye says at least six ransomware families—DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE (also known as "Snake" or "Ekans")—are using the same process kill list consisting of more than 1,000 processes, including "a couple dozen processes related to OT executables—mainly from General Electric Proficy, a suite used for historians and human-machine interfaces (HMIs)." This kill list was observed and described by Dragos and others earlier this year, and raised concerns that attackers were increasingly incorporating OT-specific capabilities into their toolsets.
Notably, however, FireEye has discovered an entirely separate process kill list being used by the CLOP ransomware that targets more than 1,425 processes, at least 150 of which are related to OT software suites. FireEye stresses that stopping these processes "may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision." Some of the targeted products include Siemens's SIMATIC WinCC SCADA system, Beckhoff's TwinCAT process control and automation software, and National Instruments' Data Acquisition Software.
FireEye expects to see cybercriminals continue to follow nation-state actors into OT environments. The researchers conclude, "This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems."
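The defensive signal these kill lists leave behind is a burst of process terminations from a single actor process, with OT executables mixed in among office and backup software. The following script is an added example, not code from FireEye's or Dragos's reports: it runs a sliding-window burst detector over constructed Sysmon-style process-termination records and tags any terminated image whose name matches an assumed watchlist of OT product name fragments (the fragments, the sample executable names and the log format are all assumptions of this example; a real deployment would use exact executable names from vendor documentation and the site's asset inventory).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one terminated process per
# line: timestamp|actor_pid|actor_image|terminated_image
SAMPLE_LOG = """\
2020-07-17T09:00:00|1001|explorer.exe|notepad.exe
2020-07-17T09:00:30|3000|admin_tool.exe|backup_agent.exe
2020-07-17T09:05:00|4242|updater.exe|winword.exe
2020-07-17T09:05:01|4242|updater.exe|excel.exe
2020-07-17T09:05:02|4242|updater.exe|outlook.exe
2020-07-17T09:05:03|4242|updater.exe|sqlservr.exe
2020-07-17T09:05:04|4242|updater.exe|proficy_historian.exe
2020-07-17T09:05:05|4242|updater.exe|wincc_runtime.exe
2020-07-17T09:05:06|4242|updater.exe|twincat_plc.exe
2020-07-17T09:05:07|4242|updater.exe|ni_daq_server.exe
2020-07-17T09:05:08|4242|updater.exe|backup_agent.exe
2020-07-17T09:05:09|4242|updater.exe|msaccess.exe
2020-07-17T09:05:10|4242|updater.exe|thunderbird.exe
2020-07-17T09:05:11|4242|updater.exe|notepad.exe
2020-07-17T09:20:00|3000|admin_tool.exe|excel.exe
2020-07-17T09:40:00|3000|admin_tool.exe|winword.exe
"""

# Assumed watchlist: name fragments for the OT product families named in the
# report. The executable names in SAMPLE_LOG are constructed placeholders.
OT_NAME_HINTS = ("proficy", "wincc", "twincat", "daq")


def parse_log(text):
    """Parse the constructed log format into (timestamp, pid, actor, target) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, actor, target = line.split("|")
        events.append((datetime.fromisoformat(ts), int(pid), actor, target.lower()))
    return events


def is_ot_related(image):
    """True if the terminated image name contains any OT watchlist fragment."""
    return any(hint in image for hint in OT_NAME_HINTS)


def find_kill_bursts(events, window=timedelta(seconds=30), threshold=10):
    """Return one alert per actor process that terminated at least `threshold`
    distinct images inside any `window`-long interval, most aggressive first."""
    by_actor = defaultdict(list)
    for ts, pid, actor, target in events:
        by_actor[(pid, actor)].append((ts, target))

    alerts = []
    for (pid, actor), kills in by_actor.items():
        kills.sort()
        best = set()
        for i, (start, _) in enumerate(kills):
            # distinct images terminated within `window` of the i-th kill
            in_window = {t for ts, t in kills[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts.append({
                "pid": pid,
                "actor": actor,
                "terminated": len(best),
                "ot_related": sorted(t for t in best if is_ot_related(t)),
            })
    alerts.sort(key=lambda a: (-a["terminated"], a["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in find_kill_bursts(parse_log(SAMPLE_LOG)):
        print(f"pid {alert['pid']} ({alert['actor']}) terminated "
              f"{alert['terminated']} distinct processes; OT-related: {alert['ot_related']}")
```

The threshold and window are tuning knobs: a 30-second window with ten distinct victims separates a kill list from normal shutdown activity on the constructed data, while the OT tag is what lets an operator prioritise the alert on a plant network, where even a few terminated HMI or historian processes matter more than the count.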
Emotet operators launch new phishing campaigns.
Malwarebytes warns that Emotet's botnets began sending out malspam on Friday, July 17th, following a five-month hiatus. The commodity banking Trojan is being delivered via phishing links or Word documents with malicious macros. In keeping with past Emotet campaigns, these phishing emails are often sent as replies to existing email threads.
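Two of the traits described above are checkable at the mail gateway: a message that presents itself as a reply, and a macro-capable Office attachment. The script below is an added example, not code from Malwarebytes or from any Emotet analysis; it parses a constructed message with Python's standard `email` package and flags the combination of a "RE:" subject with no `In-Reply-To`/`References` header and an attached `.doc`. The header heuristic and the extension watchlist are assumptions of this example (some legitimate clients also omit threading headers), so it is a triage signal rather than a verdict.

```python
from email import message_from_string
from email.policy import default as default_policy

# Assumed watchlist of macro-capable Office extensions (an assumption of this
# example, not a list taken from the report).
MACRO_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")

# Constructed sample: subject claims a reply, a .doc is attached, but there
# are no threading headers. The attachment body is a base64 placeholder.
SUSPICIOUS_SAMPLE = """\
From: accounts@example-supplier.test
To: ap@example-victim.test
Subject: RE: Invoice 4471
Date: Fri, 17 Jul 2020 09:12:00 +0000
Message-ID: <constructed-1@example-supplier.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached document.

--b1
Content-Type: application/msword; name="Invoice_4471.doc"
Content-Disposition: attachment; filename="Invoice_4471.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

# Constructed benign reply: threading headers present, no attachment.
BENIGN_SAMPLE = """\
From: colleague@example-victim.test
To: ap@example-victim.test
Subject: RE: Invoice 4471
Message-ID: <constructed-2@example-victim.test>
In-Reply-To: <constructed-0@example-victim.test>
References: <constructed-0@example-victim.test>
Content-Type: text/plain; charset="utf-8"

Approved, thanks.
"""


def assess_message(raw):
    """Return the indicators found in one RFC 5322 message and a verdict that
    requires both indicators together (a heuristic chosen for this example)."""
    msg = message_from_string(raw, policy=default_policy)
    subject = str(msg.get("Subject", "")).strip().lower()
    claims_reply = subject.startswith(("re:", "fw:", "fwd:"))
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    # iter_attachments() skips the body part of a multipart/mixed message and
    # yields nothing for single-part messages.
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    macro_docs = [name for name in attachments if name.lower().endswith(MACRO_EXTENSIONS)]

    reasons = []
    if claims_reply and not has_thread_headers:
        reasons.append("subject claims a reply but no In-Reply-To/References header")
    if macro_docs:
        reasons.append("macro-capable attachment: " + ", ".join(macro_docs))
    return {"suspicious": len(reasons) == 2, "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_message(raw))
```

Because Emotet replies are sent from compromised accounts, sender reputation alone does not catch them; structural checks like these, combined with blocking macro execution for documents that arrived by mail, are the controls a gateway can apply without knowing the campaign in advance.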
Zoom fixes vanity URL issue.
Check Point disclosed a vulnerability in Zoom that could have enabled attackers to exploit the platform's "vanity URLs" to launch convincing phishing attacks and draw victims into fake Zoom meetings. Vanity URLs are customized meeting invitation links that often include an organization's name. Check Point found that, "Prior to Zoom’s fix, an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim. In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization."
ThiefQuest's developers act quickly.
Trend Micro has published a report on the macOS malware "ThiefQuest," noting that the malware's developers are very active and are adding new capabilities to the malware every few days. As a result, the researchers believe ThiefQuest's deficiencies could be ironed out abruptly, and they advise the security industry to keep a close eye on the malware.