At a glance.
- TA505's work schedule.
- Mustang Panda continues targeting the Vatican and diplomatic entities.
- Trickbot works to rebuild.
- Qbot begins deploying Egregor ransomware.
- Ghosts in virtual meetings.
- AWS error messages can be abused to leak IAM information.
TA505's work schedule.
Fox-IT offers a detailed look at operations by TA505 (also known as "Evil Corp"), the criminal threat actor behind the Dridex Trojan and various strains of ransomware. The researchers found that the group usually works between 6:00 AM UTC and 10:00 PM UTC on Mondays, Wednesdays, and Thursdays, with some activity on Tuesdays, Fridays, and Sundays. The actors also appear to take a long vacation for the holiday season, with most activity ceasing between late December and mid-January.
The researchers conclude, "Their working schedule manifests a well-organized and well-structured group with high motivation, working in a criminal enterprise full days starting early and finishing late at night when needed. The hourly timing information does suggest that the actors are in Eastern Europe and mostly working along a fairly set schedule, with a reasonable possibility that the group resides in Ukraine as the only majority Russian speaking country observing daylight savings time."
Mustang Panda continues targeting the Vatican and diplomatic entities.
Researchers at Proofpoint say the Chinese APT Mustang Panda (also known as RedDelta and "TA416") has resumed targeting "entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar." In addition, the threat actor is targeting diplomatic entities in Africa. The group has made changes to its toolset in order to evade detection, but the changes aren't significant enough to leave doubt about who is behind the attacks:
"Specifically, researchers identified a new Golang variant of TA416's PlugX malware loader and identified consistent usage of PlugX malware in targeted campaigns. As this group continues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset to frustrate analysis and evade detection. While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection and execution of malware components independent from the infection chain more challenging for researchers. This may represent efforts by the group to continue their pursuit of espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers."
The phishing lures in this case impersonated journalists from the Union of Catholic Asia News, and referenced the recently renewed provisional agreement between the Holy See and Beijing.
Trickbot works to rebuild.
Bitdefender describes how the Trickbot gang is working to rebuild its infrastructure following its recent "kneecapping" by US Cyber Command and Microsoft. New updates for the malware are digitally signed using bcrypt, which the researchers believe is meant to prevent future efforts to cripple the botnet by pushing phony updates. The actors have also included a backup command-and-control server that can be contacted if no other server responds. Bitdefender concludes that the actors seem to be focused on resiliency as they rebuild.
Qbot begins deploying Egregor ransomware.
Group-IB says the operators of the Qbot (Qakbot) Trojan have ceased deploying the ProLock ransomware in favor of Egregor, a new strain of ransomware that surfaced in September 2020 and is believed to be the successor of Maze. Group-IB's Oleg Skulkin explained, "Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot's Big Game Hunting operations. At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with high success rate. It’s important to note, that the fact many Maze partners started to move to Egregor will most likely result in the shift in TTPs, so defenders should focus on known methods associated with Maze affiliates."
Ghosts in virtual meetings.
IBM researchers uncovered three (now patched) vulnerabilities in Cisco’s widely used Webex videoconferencing service. (IBM says it's a major user of Webex itself, which is why it looked into the code). The researchers found that someone could join a meeting as a "ghost," unseen among the participants, but with "full access to audio, video, chat and screen-sharing capabilities." The ghost could remain in the form of an audio connection even after being detected and kicked out. And the ghost could collect information on meeting attendees—"full names, email addresses, and IP addresses"—without even being admitted to the conference. The researchers note that "[t]he IP address was especially troublesome in work-from-home scenarios because it revealed the ISP and geolocation and exposed employee’s consumer-grade home network, which often has weaker security protections than found within the enterprise perimeter."
Cisco has patched the vulnerabilities, and users should apply the fixes.
AWS error messages can be abused to leak IAM information.
Researchers at Palo Alto Networks' Unit 42 identified twenty-two APIs across sixteen AWS services that are susceptible to leaking AWS Identity and Access Management (IAM) rosters via error messages. The affected services include Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS), and Amazon Simple Queue Service (SQS). While the issue doesn't expose the AWS environment itself, an attacker could exploit this feature to glean valuable information about which accounts they should target to gain access:
"A malicious actor may obtain the roster of an account, learn the organization’s internal structure and launch targeted attacks against individuals. In a recent Red Team exercise, Unit 42 researchers compromised a customer’s cloud account with thousands of workloads using a misconfigured IAM role identified by this technique. The root cause of the issue is that the AWS backend proactively validates all the resource-based policies attached to resources such as Amazon Simple Storage Service (S3) buckets and customer-managed keys. Resource-based policies usually include a Principal field that specifies the identities (users or roles) allowed to access the resource. If the policy contains a nonexistent identity, the API call that creates or updates the policy will fail with an error message. This convenient feature, however, can be abused to check whether an identity exists in an AWS account. Adversaries can repeatedly invoke these APIs with different principals to enumerate the users and roles in a targeted account. Furthermore, the targeted account can’t observe the enumeration because the API logs and error messages only appear in the attacker’s account where the resource policies are manipulated."
To mitigate this issue, Unit 42 offers the following recommendations:
- "Remove inactive users and roles to reduce the attack surface.
- "Add random strings to usernames and role names to make them more difficult to guess.
- "Log in with identity provider and federation, so that no additional users are created in the AWS account.
- "Log and monitor all the identity authentication activities.
- "Enable two-factor authentication (2FA) for every user and IAM role."
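The first and last of those recommendations can be checked from the IAM credential report that `aws iam get-credential-report` returns. The following is an added example (not Unit 42's or AWS's code) that flags users with no sign-in or key use in 90 days and users with console access but no MFA; the report rows are constructed sample data using the real column names, and the 90-day threshold is an assumption.

```python
"""Review an IAM credential report for inactive users and users without MFA."""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)  # assumed threshold; tune per policy


def _parse(ts):
    # Report timestamps are ISO-8601 UTC; these placeholder values mean never/unknown.
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_credential_report(report_csv, now):
    """Return {"inactive": [...], "no_mfa": [...]} of IAM user names."""
    inactive, no_mfa = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is handled separately in most hardening checklists
        last_used = [_parse(row["password_last_used"]),
                     _parse(row["access_key_1_last_used_date"]),
                     _parse(row["access_key_2_last_used_date"])]
        last_used = [t for t in last_used if t]
        if not last_used or now - max(last_used) > INACTIVE_AFTER:
            inactive.append(row["user"])
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            no_mfa.append(row["user"])
    return {"inactive": inactive, "no_mfa": no_mfa}


# Constructed sample report: a subset of the real report's columns.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2020-11-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-03-01T00:00:00+00:00,true,2020-11-18T08:12:00+00:00,2020-09-01T00:00:00+00:00,N/A,true,true,2020-11-17T10:00:00+00:00,false,N/A
bob-ci,arn:aws:iam::111122223333:user/bob-ci,2019-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-05-02T10:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2020-01-01T00:00:00+00:00,true,2020-11-10T08:00:00+00:00,2020-01-01T00:00:00+00:00,N/A,false,false,N/A,false,N/A
"""


def review_sample():
    """Run the review against the constructed report as of 2020-11-20."""
    return review_credential_report(SAMPLE_REPORT, datetime(2020, 11, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(review_sample())
```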