At a glance.
- New ransomware group targets Russian organizations.
- Facebook takes down coordinated inauthenticity.
- Phishing campaign targets AT&T employees.
- Instagram patches serious flaw.
- Cerberus in the Google Play Store.
- Zerologon exploited in the wild.
- Microsoft on threat trends.
New ransomware group targets Russian organizations.
Group-IB describes "OldGremlin," a new Russian-speaking ransomware gang that, unusually, chooses to target organizations within Russia. The group has been active since at least March 2020, and uses sophisticated spearphishing attacks to gain entry to victims' networks. In one instance, the attackers convincingly posed as a real Russian journalist and scheduled an interview with a bank employee; before the interview was slated to take place, they tricked the employee into opening a link that supposedly contained the interview questions, but instead delivered a Trojan. OldGremlin deploys its own ransomware, dubbed "TinyCryptor" (also known as "Decr1pt"), as well as custom-made backdoors called "TinyPosh" and "TinyNode." The group also leverages the Cobalt Strike penetration testing software once it gains a foothold within the network.
OldGremlin's first successful attack occurred in August, targeting "a large medical company with a network of regional branches." After lurking in the company's networks for several weeks, the attackers wiped the victim's backups and, "In just a few hours on [a] weekend, they spread their ransomware TinyCryptor across hundreds of computers on the corporate network." Group-IB says "the company's regional branches were paralyzed and unable to operate." The attackers set the ransom at $50,000 worth of cryptocurrency.
OldGremlin's targeting of Russian organizations is highly unusual. Group-IB's Oleg Skulkin notes, "OldGremlin is the only Russian-speaking ransomware operator that violates the unspoken rule about not working within Russia and post-Soviet countries. They carry out multistage targeted attacks on Russian companies and banks using sophisticated tactics and techniques similar to those employed by APT groups. As with similar groups that target foreign entities, OldGremlin can be classed as part of Big Game Hunting, which brings together ransomware operators targeting large corporate networks."
BleepingComputer suspects the group "is currently operating at smaller scale to fine-tune their tools and techniques before going global."
Facebook takes down coordinated inauthenticity.
Facebook announced last week that it had taken down five networks that were conducting coordinated inauthenticity on the company's platforms. The first two operations originated in China and the Philippines, respectively. The other three networks originated in Russia and were tied to Russian intelligence services and the Internet Research Agency. Graphika, which analyzed Facebook's findings, published two separate reports on the Chinese and Russian operations.
Graphika calls the Chinese campaign "Operation Naval Gazing" due to its focus on maritime issues, particularly those related to Beijing's territorial claims in the South China Sea. The network also posted in support of President Rodrigo Duterte in the Philippines and Indonesia's President Joko Widodo. The campaign more recently began displaying limited interest in the upcoming US election, with separate accounts posting in support of President Trump and former Vice President Biden. (The researchers say the operation "did not single out either candidate for preferential treatment," and none of the US-focused pages attracted large followings.)
Graphika says the Russian networks "aimed at targets beyond Russia’s borders to the North, East, South, and West," pushing Moscow's line concerning the Arctic, Eastern Europe, Turkey, Syria, North Korea, and Japan. Unlike the Chinese operation, which limited itself to Facebook and Instagram, these Russian networks "maintained a wide range of properties across other platforms, including Twitter, YouTube, Blogspot, WordPress, Medium, Tumblr, Pinterest, Telegram, the Russian platforms VK and OK, and a range of Russian blogging platforms." While some of the assets had been active for nearly a decade, none of them was able to build a large audience. The largest Facebook group, focused on the Syrian conflict, had fewer than seven thousand members.
Phishing campaign targets AT&T employees.
Sucuri warns that a phishing campaign is targeting AT&T employees with a nearly perfect spoof of the company's employee login page. Notably, the phishing page is designed to capture one-time password (OTP) tokens from four different vendors supported by AT&T's legitimate login process. When the user lands on the page, they're asked to either enter their own password or select which OTP option they would like to use: SecurID, SAFENet, MTIPS, or AT&T's mobile key application. SecurID and mobile key are generally used by the company's employees and contractors, SAFENet is used by AT&T business customers to access Threat Manager and AT&T Internet Protect, and MTIPS is used for government projects. Sucuri believes the attackers are distributing the link to the site via phishing emails.
Instagram patches serious flaw.
Check Point uncovered a (now-patched) buffer overflow vulnerability (CVE-2020-1895) in the iOS and Android versions of Instagram that could lead to remote code execution. The flaw stemmed from the way Instagram used the open-source JPEG encoder Mozjpeg for image parsing. An attacker could have exploited the bug by sending a specially crafted image to a victim. Instagram patched the vulnerability, so Check Point decided not to complete their proof-of-concept exploit; however, the researchers believe that "given enough effort, one of these vulnerabilities can be exploited for RCE in a zero-click attack scenario."
Cerberus in the Google Play Store.
Kaspersky last week reported seeing an increase in the use and sophistication of the Cerberus Android banking Trojan following the release of the malware's source code, and Bitdefender offers a look at recent Cerberus activity in the Google Play Store as well as third-party app stores. Most of the malicious apps posed as health or fitness apps. The apps also contained some legitimate functionality, but had the ability to download malicious APKs. After tricking the user into granting accessibility permissions, "they proceed to give themselves all the needed permissions, set themselves as device admins, and even as default SMS apps. From there on, the payload application has full control over the device."
Zerologon exploited in the wild.
Microsoft warned on Wednesday that attackers are actively exploiting the Zerologon elevation-of-privilege vulnerability (CVE-2020-1472). "We have observed attacks where public exploits have been incorporated into attacker playbooks," the company said, adding, "We strongly recommend customers to immediately apply security updates for CVE-2020-1472." Several samples named after the public exploit SharpZeroLogon have been uploaded to VirusTotal over the past week. Threatpost says 0patch has issued a micropatch for Windows servers that no longer receive support, particularly Windows Server 2008 R2. Certain configurations of Samba are also affected by Zerologon, and the Samba project released an advisory outlining mitigations.
Microsoft looks at evolving trends among the threats.
Microsoft’s Digital Defense Report concludes that attackers have markedly increased their sophistication over the past year. The sophistication seems to lie more in improved execution of such well-known techniques as target identification, indirect approach, and credential stuffing than in the deployment of exotic technical novelties. Pick the targets, go after the softer ones that enable you to get at the harder ones, and make effective use of well-known tactics, techniques, and procedures. This can be seen in the way foreign intelligence services interested in, for example, the US elections, are prospecting relatively soft targets among non-governmental organizations and think tanks. Microsoft highlights four major trends:
- Last year Microsoft blocked more than thirteen billion “malicious and suspicious” emails. More than a billion of those carried URLs “set up for the explicit purpose of launching a phishing credential attack.”
- The most common reason Microsoft was called in for incident response between last October and this July was, unsurprisingly, ransomware.
- Nation-state espionage services have been occupied with reconnaissance, credential harvesting, malware, and VPN exploits.
- IoT threats are growing and “evolving.” The first half of this year saw a 35% increase in IoT attack volume over the same period of 2019.