At a glance.
- Threat actor uses 11 zero-days in watering hole attacks.
- SilverFish group tied to Evil Corp.
- BIG-IP vulnerabilities exploited.
- CopperStealer targets passwords saved by browsers.
Threat actor uses 11 zero-days in watering hole attacks.
Google's Project Zero has published an update on a campaign it began tracking in February of last year. The campaign targeted Windows, iOS, and Android systems, usually via watering hole attacks. The threat actor was observed using four zero-days in February 2020 and seven more in October, including:
- "1 full chain targeting fully patched Windows 10 using Google Chrome
- "2 partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
- "RCE exploits for iOS 11-13 and privilege escalation exploit for iOS 13 (though the vulnerabilities were present up to iOS 14.1)"
Project Zero notes that the actors were highly skilled and the campaign would have been expensive to carry out:
"The vulnerabilities cover a fairly broad spectrum of issues - from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out."
The researchers don't offer any attribution for the attacks, although they believe there are two distinct entities working together on the campaign:
"These operational exploits also lead us to believe that while the entities between exploit servers #1 and #2 are different, they are likely working in a coordinated fashion. Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators."
SilverFish group tied to Evil Corp.
Researchers at PRODAFT have identified a threat actor dubbed "SilverFish" whose target list exhibits "a significant overlap with the companies affected by the SolarWinds attacks." PRODAFT describes SilverFish as a "highly sophisticated group of cyber criminals targeting exclusively large corporations and public institutions worldwide, with focus on the EU and US." The researchers note that some of the servers used in the attacks have also been used by the cybercriminal group "Evil Corp." The attacks affected "at least 4720 targets, including but not limited to governmental institutions, global IT providers, the aviation industry, and defense companies." The researchers observed several different teams referenced in a command-and-control server, indicating that there are multiple operators behind the activity. It's worth noting, however, that the researchers stop short of attributing SilverFish to Evil Corp. Sharing infrastructure, even sharing code, isn't sufficient to render two organizations the same. It remains to be determined if SilverFish and Evil Corp really are just the Morning Star and the Evening Star, different appearances of Venus, or whether they amount to distinct, if related, worlds.
BIG-IP vulnerabilities exploited.
Researchers at NCC Group have observed exploitation of a critical vulnerability (CVE-2021-22986) in F5's BIG-IP server appliances, Decipher reports. The vulnerability, which received a patch on March 10th, can allow an attacker to take full control of the system. NCC Group explains, "Exploitation of this vulnerability requires two steps. First, authentication has to be bypassed by leveraging the SSRF vulnerability to gain an authenticated session token. This authenticated session can then be used to interact with REST API endpoints, which would otherwise require authentication. The most useful endpoint for an attacker is the tm/util/bash endpoint, which allows an (authenticated) user to execute commands on the underlying server with root privileges. However, as the REST API is designed for remote administration, there are many endpoints which an attacker might wish to take advantage of. As part of the F5 patches, a command injection vulnerability was also patched...which could be used as an alternative way to execute arbitrary commands once authentication has been bypassed."
A public exploit for the flaw was released late last week, and users are urged to apply the patch as soon as possible.
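The chain NCC Group describes ends in REST API calls, so the management-plane access log is the place to look for it. The following is an added detection example, not code from NCC Group, F5, or Decipher: it scans constructed sample log lines for use of the tm/util/bash endpoint and for REST API traffic from addresses outside an assumed management allowlist. The log format, the /mgmt/ path prefix, and the allowlist are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of management-plane access log lines (not real data).
# Assumed format: "<src_ip> <method> <path> <status>"; adapt LINE_RE to your own log format.
SAMPLE_LOG = """\
10.0.0.5 GET /mgmt/tm/sys/version 200
10.0.0.5 POST /mgmt/tm/util/bash 200
203.0.113.7 POST /mgmt/shared/authn/login 200
203.0.113.7 POST /mgmt/tm/util/bash 200
203.0.113.7 POST /mgmt/tm/ltm/virtual 200
10.0.0.5 GET /mgmt/tm/ltm/pool 200
"""

# Assumed: REST administration is only expected from these source addresses.
MGMT_ALLOWLIST = {"10.0.0.5"}

# Assumed REST path prefix; the article names only the "tm/util/bash" endpoint.
REST_PREFIX = "/mgmt/"
COMMAND_ENDPOINT = "/tm/util/bash"

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass(frozen=True)
class Finding:
    src_ip: str
    path: str
    status: str
    reasons: tuple[str, ...]


def scan_log(text: str, allowlist: set[str] = MGMT_ALLOWLIST) -> list[Finding]:
    """Return one Finding per log line that matches at least one detection rule."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip rather than guess
        ip, path, status = m["ip"], m["path"], m["status"]
        reasons = []
        # Rule 1: any request to the command-execution endpoint is worth a look,
        # whatever the status, because it runs commands as root once authenticated.
        if COMMAND_ENDPOINT in path:
            reasons.append("command execution endpoint requested")
        # Rule 2: REST API traffic from a source that is not a known management host.
        if path.startswith(REST_PREFIX) and ip not in allowlist:
            reasons.append("REST API request from non-management source")
        if reasons:
            findings.append(Finding(ip, path, status, tuple(reasons)))
    return findings
```

Requests that trip both rules (a command endpoint call from an unexpected source) carry both reasons and deserve the highest priority during triage.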
CopperStealer targets passwords saved by browsers.
Proofpoint describes "CopperStealer," a newly discovered password stealer and downloader that targets Apple, Amazon, Bing, Facebook, Google, Instagram, PayPal, Tumblr, and Twitter. The malware is distributed via websites offering phony cracks for pirated software. The researchers think CopperStealer is a part of the SilentFade malware family:
"CopperStealer exhibits many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019. Proofpoint believes CopperStealer to be a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd and during the 2020 Virus Bulletin conference disclosed it was responsible for over $4 million in damages by 'compromising people’s Facebook accounts and then using people’s accounts to run deceptive ads.'"