At a glance.
- NSA releases advisory on cloud authentication abuse.
- Second strain of malware affected SolarWinds's Orion product.
- TA505 seems to be gearing up for a new campaign.
- Al Jazeera employees targeted with Pegasus spyware.
- Major banking fraud campaign discovered.
NSA releases advisory on cloud authentication abuse.
The US National Security Agency last week released a Cybersecurity Advisory outlining two post-compromise tactics currently being used by "malicious cyber actors" to escalate privileges and gain access to an organization's cloud resources. While the agency doesn't say it outright, ZDNet notes that these tactics are being used by the actor behind the SolarWinds supply chain hack. NSA says this release "builds on the guidance shared in the cybersecurity advisory regarding VMware with state-sponsored actors exploiting CVE 2020-4006 and forging credentials to access protected files, though other nation states and cyber criminals may use this tactic, technique, and procedure (TTP) as well."
The first tactic involves compromising the "on-premises components of a federated SSO infrastructure and [stealing] the credential or private key that is used to sign Security Assertion Markup Language (SAML) token." These stolen credentials or keys are then used to "forge trusted authentication tokens to access cloud resources."
The second tactic involves using "a compromised global administrator account to assign credentials to cloud application service principals (identities for cloud applications that allow the applications to be invoked to access other cloud resources). The actors then invoke the application’s credentials for automated access to cloud resources (often email in particular) that would otherwise be difficult for the actors to access or would more easily be noticed as suspicious."
NSA offers the following advice for organizations:
"To defend against these TTPs, cloud tenants must pay careful attention to locking down tenant SSO configuration and service principal usage, as well as hardening the systems that run on-premises identity and federation services. Monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services. While these techniques apply to all cloud environments that support on-premises federated authentication, the following specific mitigations are focused on Microsoft Azure federation. Many of the techniques can be generalized to other environments."
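The monitoring NSA recommends can be sketched as two simple correlations. The following is an added example written for this digest, not code from NSA or from the advisory; the log layouts (field names such as token_issued_at, sp_credential_added, and the 60-minute token-lifetime bound) are constructed assumptions standing in for whatever a tenant's real sign-in, audit, and federation-server logs provide. The first check looks for cloud sign-ins that present a federated SAML token with no matching token-issuance event on the on-premises federation server, or with an abnormally long lifetime; the second looks for a service principal that was given a new credential and then signed in to a mail resource shortly afterwards.

```python
"""Detection sketch for the two post-compromise tactics described in the NSA advisory.

All log records below are constructed samples; the field names are assumptions,
not a real vendor schema.  Adapt the loaders to your tenant's actual exports.
"""
from datetime import datetime, timedelta

# Assumed policy bound: tokens issued by the on-prem federation service normally
# live about an hour; a forged token is free to claim a much longer lifetime.
MAX_TOKEN_LIFETIME_MIN = 60

# Constructed cloud sign-ins that presented a federated (SAML) token.
CLOUD_SIGNINS = [
    {"user": "alice", "token_issued_at": "2020-12-14T09:00:00", "token_lifetime_min": 60},
    {"user": "bob",   "token_issued_at": "2020-12-14T09:30:00", "token_lifetime_min": 60},
    {"user": "carol", "token_issued_at": "2020-12-14T10:00:00", "token_lifetime_min": 10080},
]

# Constructed token-issuance events from the on-premises federation server.
# Note there is no issuance for "bob": the cloud saw a token the on-prem side never made.
FEDERATION_EVENTS = [
    {"user": "alice", "issued_at": "2020-12-14T08:59:30"},
    {"user": "carol", "issued_at": "2020-12-14T10:00:05"},
]

# Constructed tenant audit records for service principal (SP) activity.
AUDIT_EVENTS = [
    {"time": "2020-12-13T22:10:00", "type": "sp_credential_added",
     "sp": "mail-sync-app", "actor": "globaladmin@example.test"},
    {"time": "2020-12-13T22:40:00", "type": "sp_signin",
     "sp": "mail-sync-app", "resource": "mail"},
    {"time": "2020-12-01T09:00:00", "type": "sp_signin",
     "sp": "reporting-app", "resource": "storage"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_orphan_saml_tokens(cloud_signins, federation_events, skew=timedelta(minutes=5)):
    """Return (user, reasons) for cloud sign-ins whose SAML token either has no
    on-prem issuance event for that user within +/- skew of the token's issue
    time, or whose lifetime exceeds MAX_TOKEN_LIFETIME_MIN."""
    issued = {}
    for ev in federation_events:
        issued.setdefault(ev["user"], []).append(parse_ts(ev["issued_at"]))

    findings = []
    for s in cloud_signins:
        t = parse_ts(s["token_issued_at"])
        matched = any(abs(t - x) <= skew for x in issued.get(s["user"], []))
        reasons = []
        if not matched:
            reasons.append("no on-prem token issuance")
        if s["token_lifetime_min"] > MAX_TOKEN_LIFETIME_MIN:
            reasons.append("abnormal token lifetime")
        if reasons:
            findings.append((s["user"], reasons))
    return findings


def find_service_principal_abuse(audit_events, window=timedelta(hours=24)):
    """Return (service_principal, actor_who_added_credential) for every SP that
    received a new credential and then signed in to a mail resource within
    `window` of that addition."""
    cred_adds = {}  # sp -> list of (actor, time)
    findings = []
    for ev in sorted(audit_events, key=lambda e: parse_ts(e["time"])):
        t = parse_ts(ev["time"])
        if ev["type"] == "sp_credential_added":
            cred_adds.setdefault(ev["sp"], []).append((ev["actor"], t))
        elif ev["type"] == "sp_signin" and ev["resource"] == "mail":
            for actor, t_add in cred_adds.get(ev["sp"], []):
                if timedelta(0) <= t - t_add <= window:
                    findings.append((ev["sp"], actor))
                    break
    return findings


if __name__ == "__main__":
    for user, reasons in find_orphan_saml_tokens(CLOUD_SIGNINS, FEDERATION_EVENTS):
        print(f"suspicious SAML token for {user}: {', '.join(reasons)}")
    for sp, actor in find_service_principal_abuse(AUDIT_EVENTS):
        print(f"service principal {sp} used for mail access after credential added by {actor}")
```

On the sample data the first check flags bob (token with no on-prem issuance) and carol (seven-day lifetime), and the second flags mail-sync-app after the global administrator added a credential. The correlation only works if federation-server token-issuance auditing is enabled and its logs are shipped alongside the cloud sign-in logs; without the on-prem side, every token looks legitimate from the cloud alone.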
Second strain of malware affected SolarWinds's Orion product.
Microsoft found an apparently unrelated strain of malware affecting SolarWinds's Orion software. The company describes it as "a small persistence backdoor...which is programmed to allow remote code execution through SolarWinds web application server" when installed in a certain folder. The backdoor is a malicious DLL that "provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device."
Unlike the malware used in the supply chain attack, this code isn't digitally signed by SolarWinds, indicating that these attackers didn't enjoy the same level of access as the actor behind the supply chain compromise. Reuters says it's not clear if this malware was used operationally.
CyberScoop sees the existence of this malware as demonstrating that Orion was viewed as a valuable target by multiple threat actors.
TA505 seems to be gearing up for a new campaign.
Intel 471 says a malware loader used by the cybercriminal group TA505 (also known as "Evil Corp") has been spotted in operation, which the researchers interpret as a sign that the group is about to launch a fresh malware campaign. The threat actor's Get2 loader was observed on December 14th with "new download and execute configuration parameters named 'LD' and 'ED'":
"The 'LD' parameter reflectively loads a downloaded dynamic-link library (DLL) file into the address space of the current process and calls its entry point. The 'ED' parameter copies the DLL into executable memory and invokes the entry point directly. The preexisting 'RD' parameter that was used to inject the downloaded DLL into EXCEL.EXE can now perform injection into WINWORD.EXE as well. The reconfigured loader is meant to allow the group to carry out its operations without drawing the attention of enterprise defenses. In the past, it has been used to download the SDBbot, FlawedGrace, and other malware."
Intel 471's COO Jason Passwaters stated, "TA505 can be somewhat deliberate in how they operate, more so than most of the financially-motivated groups we track. Once things start ramping up like this, rest assured they are back at it with a target list in hand."
Al Jazeera employees targeted with Pegasus spyware.
The University of Toronto's Citizen Lab reports that "government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera" in July and August of 2020. The phones were hacked using a zero-click iOS exploit chain that affected up to at least iOS 13.5.1. The researchers recommend that iPhone users upgrade to iOS 14 as soon as possible.
The Al Jazeera employees were targeted by four separate Pegasus operators. Citizen Lab attributes one of these operators to Saudi Arabia and one to the United Arab Emirates. The other two remain unknown.
Major banking fraud campaign discovered.
Researchers at IBM uncovered a large mobile banking fraud campaign that used mobile emulators to impersonate thousands of victims whose online bank accounts had been hacked via phishing or malware. The emulators allowed the attackers to transfer money out of the victims' accounts without raising undue suspicion. The researchers stress that the operation was extremely well-planned and efficient:
"This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and in many cases using those codes to complete illicit transactions. The data sources, scripts and customized applications the gang created flowed in one automated process which provided speed that allowed them to rob millions of dollars from each victimized bank within a matter of days.
"To monitor the flow of fraudulent access attempts to user accounts and receive real-time information about anything not going as planned, the attackers used hooking techniques that listened and intercepted the communication with targeted application servers during the fraud attempts. Logs from the fraudulent sessions were recorded and sent to the attackers’ remote server, alongside screen captures from the targeted application."
The researchers believe an organized criminal gang is behind this operation, and they expect to see more of this activity in the future.
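Two server-side checks follow naturally from IBM's description: an emulator farm reuses a small number of device identities across many accounts, and each fraudulent session runs login, SMS second factor, and transfer back to back. The following is an added example for this digest, not IBM's code or anything from its report; the session records and their field names are constructed, and the thresholds (three accounts per device, a ten-minute window) are assumptions a bank would tune to its own traffic.

```python
"""Bank-side anomaly checks for emulator-driven account takeover.

Session records are constructed samples with an assumed layout:
  account, device (fingerprint), event (login / otp_verified / transfer), time (ISO 8601).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sessions: one emulator fingerprint ("emu-01") cycling through three
# accounts, each doing login -> OTP -> transfer in about two minutes, plus one
# genuine customer ("acc4") on a device the bank already knows for that account.
SESSIONS = [
    {"account": "acc1", "device": "emu-01",  "event": "login",        "time": "2020-12-10T10:00:00"},
    {"account": "acc1", "device": "emu-01",  "event": "otp_verified", "time": "2020-12-10T10:01:00"},
    {"account": "acc1", "device": "emu-01",  "event": "transfer",     "time": "2020-12-10T10:02:00"},
    {"account": "acc2", "device": "emu-01",  "event": "login",        "time": "2020-12-10T10:05:00"},
    {"account": "acc2", "device": "emu-01",  "event": "otp_verified", "time": "2020-12-10T10:06:00"},
    {"account": "acc2", "device": "emu-01",  "event": "transfer",     "time": "2020-12-10T10:07:00"},
    {"account": "acc3", "device": "emu-01",  "event": "login",        "time": "2020-12-10T10:10:00"},
    {"account": "acc3", "device": "emu-01",  "event": "otp_verified", "time": "2020-12-10T10:11:00"},
    {"account": "acc3", "device": "emu-01",  "event": "transfer",     "time": "2020-12-10T10:12:00"},
    {"account": "acc4", "device": "phone-4", "event": "login",        "time": "2020-12-10T11:00:00"},
    {"account": "acc4", "device": "phone-4", "event": "otp_verified", "time": "2020-12-10T11:01:00"},
    {"account": "acc4", "device": "phone-4", "event": "transfer",     "time": "2020-12-10T11:03:00"},
]

# Assumed device-enrolment table: devices previously seen (and trusted) per account.
KNOWN_DEVICES = {"acc1": {"phone-1"}, "acc4": {"phone-4"}}


def parse_ts(s):
    return datetime.fromisoformat(s)


def devices_shared_across_accounts(sessions, threshold=3):
    """Map each device fingerprint used by at least `threshold` distinct accounts
    to the sorted list of those accounts.  A genuine phone rarely logs into
    several unrelated customers' accounts; an emulator farm does little else."""
    accounts_by_device = defaultdict(set)
    for s in sessions:
        accounts_by_device[s["device"]].add(s["account"])
    return {d: sorted(a) for d, a in accounts_by_device.items() if len(a) >= threshold}


def fast_new_device_transfers(sessions, known_devices, window=timedelta(minutes=10)):
    """Return accounts where a login from a device not previously enrolled for that
    account is followed by both an SMS OTP verification and an outbound transfer
    within `window`.  This is the automated takeover sequence IBM describes."""
    by_account = defaultdict(list)
    for s in sorted(sessions, key=lambda s: parse_ts(s["time"])):
        by_account[s["account"]].append(s)

    flagged = []
    for acct, events in by_account.items():
        for i, e in enumerate(events):
            if e["event"] != "login" or e["device"] in known_devices.get(acct, set()):
                continue
            t0 = parse_ts(e["time"])
            later = {x["event"] for x in events[i + 1:] if parse_ts(x["time"]) - t0 <= window}
            if {"otp_verified", "transfer"} <= later:
                flagged.append(acct)
                break
    return flagged


if __name__ == "__main__":
    print("shared devices:", devices_shared_across_accounts(SESSIONS))
    print("fast new-device transfers:", fast_new_device_transfers(SESSIONS, KNOWN_DEVICES))
```

On the sample data the device check reports emu-01 serving acc1, acc2 and acc3, and the sequence check flags those same three accounts while leaving acc4 alone. Either signal on its own would be noisy (shared family phones, customers who really do transfer money right after a new-phone login); the two together, or one of them combined with the step-up controls the bank already has, is what makes the pattern actionable.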