At a glance.
- Thanos ransomware tries to overwrite Windows master boot record.
- Attackers are exploiting a QNAP NAS vulnerability.
- TeamTNT abuses Weave Scope to control cloud infrastructure.
- Iran-aligned cyberespionage group sells network access on the side.
- Chinese threat actor resumes targeting Tibetans.
Thanos ransomware tries to overwrite Windows master boot record.
Palo Alto Networks' Unit 42 has observed a new strain of the Thanos commodity ransomware used against "two state-run organizations in the Middle East and North Africa," with the attackers demanding $20,000 in Bitcoin.
Notably, this version has been designed with the ability to overwrite the master boot record (MBR), although this functionality failed in this case due to a simple bug in the code. Unit 42 confirmed that the MBR overwriting process works as planned when this bug is removed, and the infected machine will display a ransom note upon startup rather than booting up Windows. Fixing the bug was as simple as removing an apostrophe from the ransom note, so future versions of this component should be expected to work correctly.
Unit 42 points out that this technique is unusual for financially motivated ransomware actors: "Overwriting the MBR is a much more destructive approach to ransomware than previously used by Thanos and would require more effort for victims to recover their files even if they paid the ransom." As a result, this tactic may be counterproductive for an attacker who has already compromised a system and is hoping to convince the victim to pay the ransom rather than recovering manually.
Recorded Future's Allan Liska told CyberScoop, "The addition of overwriting the MBR is not something we have noted in other Thanos attacks, meaning these may be destructive attacks designed to look like ransomware attacks." Unit 42 says the most prominent example of malware overwriting the master boot record was Petya (and NotPetya) in 2017.
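A defender-side check for the behaviour described above, added here as an example and not code from Unit 42 or from the ransomware: it inspects a 512-byte MBR image for a missing boot signature, malformed partition entries, a long run of readable text where bootstrap code should be (a boot-time ransom note), and drift from a known-good hash. The two sample sectors are constructed for the example; the "Thanos" naming and the 48-character text threshold are this example's assumptions, chosen so that the short error strings of a standard Windows MBR are not flagged.

```python
import hashlib
import re

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # bytes 0..445 hold the bootstrap code
PART_TABLE_END = 510       # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"

def sha256_hex(sector: bytes) -> str:
    """Hash of a sector, used to record a known-good baseline at install time."""
    return hashlib.sha256(sector).hexdigest()

def inspect_mbr(sector: bytes, baseline_sha256: str = "") -> list:
    """Return a list of findings for one MBR image; an empty list means nothing suspicious."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[PART_TABLE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    for i in range(4):  # boot indicator of each partition entry must be 0x00 or 0x80
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):
            findings.append(f"partition entry {i} has invalid boot indicator 0x{entry[0]:02x}")
    # A note displayed at boot has to live in the bootstrap area as plain text; genuine
    # Windows boot code only carries short error strings, each well under 48 characters.
    runs = re.findall(rb"[\x20-\x7e]{48,}", sector[:BOOT_CODE_END])
    if runs:
        findings.append("long printable text in bootstrap code: " + runs[0][:40].decode())
    if baseline_sha256 and sha256_hex(sector) != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one bootable NTFS-type entry, valid signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (2097152).to_bytes(4, "little"))
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed "clean" sector: a few opcode bytes plus the usual short error strings.
CLEAN_MBR = build_sample(b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
                         b"Invalid partition table\x00Error loading operating system\x00"
                         b"Missing operating system\x00")
# Constructed "tampered" sector: bootstrap area replaced by readable note text.
TAMPERED_MBR = build_sample(b"\xfa\xfc"
                            b"CONSTRUCTED NOTE: your files were encrypted, contact the "
                            b"listed address to recover them")

if __name__ == "__main__":
    print(inspect_mbr(CLEAN_MBR))                              # []
    print(inspect_mbr(TAMPERED_MBR, sha256_hex(CLEAN_MBR)))    # two findings
```

On a live Windows host the sector would come from reading the first 512 bytes of \\.\PhysicalDrive0 with administrative rights; comparing against a hash recorded when the machine was built is the check with the fewest false positives.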
Attackers exploiting QNAP NAS vulnerability.
Researchers at Qihoo 360's Netlab report that attackers are scanning for network-attached storage devices running QNAP firmware in an attempt to exploit a previously undisclosed remote code execution vulnerability that was patched in July 2017. Firmware versions prior to 4.3.3 are vulnerable to the flaw.
The researchers say the attacker is "cautious" in exploiting the vulnerability, and the motive behind the attacks is still unclear. The attacker simply installs a reverse shell on compromised systems.
TeamTNT abuses Weave Scope to control cloud infrastructure.
Intezer says the cybercriminal group tracked as "TeamTNT" is abusing Weave Scope, a legitimate, open-source tool used for visibility, monitoring, and control of a cloud environment. The attackers install Weave Scope after gaining access to an exposed Docker port and achieving root access. The researchers explain that once Weave Scope is installed, "the attackers can see a visual map of the Docker runtime cloud environment and give shell commands without needing to deploy any malicious backdoor component. Not only is this scenario incredibly rare, to our knowledge this is the first time an attacker has downloaded legitimate software to use as an admin tool on the Linux operating system."
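An audit for the two conditions in the chain Intezer describes, an exposed Docker API and Weave Scope running where nobody deployed it, added here as an example rather than code from Intezer or from the Weave Scope project. It reads a daemon.json document (the real "hosts" and "tlsverify" keys) and docker ps output in the `--format '{{json .}}'` style; the image prefix "weaveworks/scope" is assumed to be the upstream image, and both inputs below are constructed samples.

```python
import json

SCOPE_IMAGE_PREFIX = "weaveworks/scope"   # assumption: upstream Weave Scope image name

def audit_daemon_hosts(daemon_json: str) -> list:
    """Flag dockerd listening on TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls:
            findings.append(f"Docker API reachable over plaintext TCP: {host}")
    return findings

def audit_containers(ps_json_lines: str, approved=frozenset()) -> list:
    """Flag Weave Scope containers whose image is not on the operator's approved list.
    Input: one JSON object per line, as produced by `docker ps --format '{{json .}}'`."""
    findings = []
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        image = c.get("Image", "")
        if image.startswith(SCOPE_IMAGE_PREFIX) and image not in approved:
            findings.append(f"unexpected Weave Scope container {c.get('Names')} from {image}")
    return findings

# Constructed daemon.json samples: the weak one exposes the API on 2375 in the clear.
DAEMON_JSON_WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_JSON_OK = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                  ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')
# Constructed docker ps output: an expected web container and an unplanned Scope probe.
PS_OUTPUT = (
    '{"ID": "3f1c2a9b0d11", "Image": "nginx:1.19", "Names": "web", "Status": "Up 3 days"}\n'
    '{"ID": "9a77e4c05b02", "Image": "weaveworks/scope:latest", "Names": "scope",'
    ' "Status": "Up 12 minutes"}\n'
)

if __name__ == "__main__":
    print(audit_daemon_hosts(DAEMON_JSON_WEAK))   # one finding for tcp://0.0.0.0:2375
    print(audit_containers(PS_OUTPUT))            # one finding for the scope container
```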
Iran-aligned cyberespionage group sells network access on the side.
CrowdStrike has published a report on a threat actor dubbed "Pioneer Kitten" that seems to be a contractor working for the Iranian government. The group "appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government." Pioneer Kitten is described as "highly opportunistic," and targets entities in the technology, government, defense, and healthcare verticals, primarily in North America and Israel. The operators rely almost entirely on open-source tools, and they tend to gain initial access by exploiting vulnerabilities in internet-facing remote external services.
Interestingly, CrowdStrike spotted the actor selling access to compromised networks on a criminal forum, in an apparent attempt at "revenue stream diversification." The researchers don't believe this activity is approved by the Iranian government, because the compromised networks "would be of significant intelligence value to the Iranian government," and "the commercial sale of such access would have significant negative impacts on potential intelligence collection operations."
Chinese threat actor resumes targeting Tibetans.
Proofpoint says the Chinese state-sponsored group TA413 has resumed deploying its custom malware family, "Sepulcher," against the Tibetan diaspora. The threat actor is well-known for its focus on the Tibetan community, but it shifted to targeting European governments, nonprofits, and economic organizations with COVID-19-themed lures earlier this year. At the end of July, however, Proofpoint observed the group sending phishing emails that purported to come from the Tibetan Women's Association and contained a malicious PowerPoint file referencing activism in Tibet. The researchers write, "The attachment title, decoy content, impersonated sender, and Dalai Lama Trust in India-themed C2 affirms this campaign’s focus on individuals associated with the Tibetan Leadership in Exile."
The Sepulcher malware itself is nothing special, but the researchers found it interesting to observe the APT's change in targeting during the early months of the COVID-19 pandemic. Proofpoint concludes, "Despite the recurring use of publicly disclosed email addresses, a pedestrian RAT, and the recycling of delivery methods observed over a year ago, the targeting shift between these two campaigns paint a conspicuously contemporary portrait of a rapidly evolving cyber threat landscape in 2020."