At a glance.
- Threat actor exploits new Pulse Secure vulnerability.
- Primitive Bear targets Ukraine.
- Sunburst technique analyzed.
- NAME:WRECK affects TCP/IP stacks.
- Criminals using big data.
- Lazarus Group continues stealing cryptocurrency.
- Lazarus uses BMP image files to drop malware loader.
Threat actor exploits new Pulse Secure vulnerability.
A threat actor has been exploiting a newly discovered vulnerability in Pulse Secure VPNs to target the US defense industry, according to researchers at FireEye. Pulse Secure says the vulnerability (CVE-2021-22893) "allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors." The company says a patch will be available in early May, and in the meantime has outlined mitigations.
FireEye doesn't attribute the activity to any particular threat actor, but suspects the attackers are working on behalf of the Chinese government.
Primitive Bear targets Ukraine.
Anomali describes a phishing campaign that's targeting Ukrainian government officials. The researchers attribute the campaign to the Russian cyberespionage group Primitive Bear (also known as Gamaredon) "with high confidence." The researchers conclude that the threat actor stole Ukrainian documents and used them to craft spearphishing emails before the documents had been published:
"In hindsight, the decision for Primitive Bear to use a Ukrainian and Bulgarian-themed dissertation comes at an interesting time for Russian and Bulgarian relations. This is due to the Bulgarian government arresting six of its own members who were charged with spying for the Russian government, on March 19, 2021, according to the Bulgarian prosecutors’ statement. However, Russia is known for combining cyber and real-world operations, and has been using this hybrid warfare to target Georgia in 2008 and Ukraine since at least the 2014 annexation of Crimea. Therefore, it would not be unlikely to think that Primitive Bear was using Bulgaria-themed decoys before the media knew of the events, thus making the information more relevant to Ukrainian officials who knew what was transpiring."
The domains used in the campaign had been taken down by the time Anomali discovered the campaign, so the researchers aren't sure what the final payload was.
Sunburst technique analyzed.
ExtraHop describes how the Sunburst malware used in the SolarWinds attack relied upon DNS to hide its command-and-control traffic. The researchers explain:
"Once installed, the SUNBURST Trojan hid its command-and-control (C2) activities by taking advantage of known weaknesses with enterprise domain name systems (DNS). Attackers know that, with millions of DNS requests and queries in a given day, DNS traffic and queries are difficult to log, and log management can't scale. So, they hid their DNS activities in all this noise and carefully timed queries and traffic to fly under the radar. The SUNBURST Trojan also manipulated DNS queries to identify prized systems to copy out of the organization, exploit DNS resolution issues and data link libraries (DLLs), and route outbound traffic from infected systems through seemingly trustworthy registrars and domains."
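A defender-side illustration of the point ExtraHop makes, added here and not taken from their analysis: a small detector run over a constructed DNS query log that flags a client which keeps resolving fresh, random-looking subdomains under one parent domain. The log lines, domain names and thresholds are all constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (timestamp, client IP, queried name); not real traffic.
# Client 10.1.2.9 issues several distinct long, random-looking first labels under
# one parent domain at a slow cadence, which is how a beacon hides in DNS noise.
SAMPLE_LOG = """\
2021-04-20T10:00:01Z 10.1.2.3 www.example.com
2021-04-20T10:00:02Z 10.1.2.3 mail.example.com
2021-04-20T10:00:05Z 10.1.2.4 cdn.example.org
2021-04-20T10:00:07Z 10.1.2.4 d1k3q9zr7vm2xw8pnb5hd.cdn-example.test
2021-04-20T10:01:00Z 10.1.2.9 k3q9zr7vm2xw8pnb5hd4.appsync-example.test
2021-04-20T10:09:00Z 10.1.2.9 t6yj0c1fs4lg8ue2oq9a.appsync-example.test
2021-04-20T10:18:00Z 10.1.2.9 b8nm3dr5wz2hk7xv9pq4.appsync-example.test
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(name):
    # Naive last-two-labels split; production code should use a public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_suspicious_clients(log_text, min_unique=3, min_label_len=16, min_entropy=3.5):
    """Map (client, parent_domain) -> number of distinct long, high-entropy first
    labels, keeping only pairs at or above min_unique. A single odd CDN name is
    ignored; repeated fresh subdomains from one host toward one domain are not."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, name = m.groups()
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[(client, parent_domain(name))].add(first)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
```

Calling find_suspicious_clients(SAMPLE_LOG) returns only the (10.1.2.9, appsync-example.test) pair; the thresholds are starting points to tune against your own DNS baseline.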
NAME:WRECK affects TCP/IP stacks.
Researchers at Forescout and JSOF uncovered nine vulnerabilities affecting DNS implementations in four popular TCP/IP stacks. The set of vulnerabilities, dubbed "NAME:WRECK," affects FreeBSD's DHCP, IPnet, NetX, and Siemens' Nucleus NET. The researchers note that, "Not all devices running Nucleus RTOS or FreeBSD are vulnerable to NAME:WRECK. However, if we conservatively assume that 1% of the more than 10 billion deployments are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK." The flaws can be used to achieve remote code execution or launch a denial-of-service attack.
The researchers place particular emphasis on the FreeBSD and Nucleus NET vulnerabilities, pointing out that "FreeBSD is widely known to be used for high-performance servers in millions of IT networks, including major websites such as Netflix and Yahoo. FreeBSD is also the basis for other well-known open-source projects. Nucleus NET has been used for decades in several critical OT and IoT devices."
FreeBSD, Nucleus NET, and NetX have recently been patched, and vendors that use these stacks should update their devices.
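NAME:WRECK takes its name from DNS message compression, the RFC 1035 pointer scheme that lets one name refer back to an earlier one in the same message, and the flaws lie in how the affected stacks parse names. The decoder below is an added example (not the researchers' or any vendor's code) that enforces the bounds, length and loop checks a name parser needs; the hop cap is an assumption chosen for the example.

```python
MAX_NAME = 255          # RFC 1035 limit on a full name in wire form
MAX_LABEL = 63          # RFC 1035 limit on one label
MAX_POINTER_HOPS = 16   # constructed cap; legitimate names need far fewer hops

class DnsNameError(ValueError):
    pass

def decode_name(msg, offset):
    """Decode the DNS name at msg[offset], following RFC 1035 4.1.4 compression
    pointers. Returns (dotted_name, offset_after_name). Each check rejects one way
    an unchecked decoder is driven out of bounds or into an endless loop."""
    labels, total, hops, pos, end = [], 0, 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length == 0:                       # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise DnsNameError("pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:       # backwards pointers can still cycle via labels
                raise DnsNameError("pointer chain too long")
            if end is None:                   # caller resumes after the first pointer
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("reserved label type")
        if length > MAX_LABEL:
            raise DnsNameError("label longer than 63 octets")
        if pos + 1 + length > len(msg):
            raise DnsNameError("label runs past end of message")
        total += 1 + length
        if total >= MAX_NAME:                 # leave one octet for the root label
            raise DnsNameError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), (pos if end is None else end)

def is_wellformed(msg, offset=0):
    try:
        decode_name(msg, offset)
        return True
    except DnsNameError:
        return False
```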
Criminals using big data.
Intel 471 outlines how the Chinese cybercriminal underground is making use of big data to turn a profit. The criminals sell stolen data to scammers and other types of threat actors, as well as to marketing companies. For example, one threat actor sold "real-time data for casino gaming, lottery, and stocks." The data were allegedly harvested from two leading Chinese mobile network providers. Intel 471 has observed "a clear division of labor, responsibilities, and a delineated chain of command" among the groups that steal and monetize the data.
The researchers note that "Chinese authorities reportedly adopted measures to crack down on the illegal big data trade and tighten regulations governing personal data and privacy. A series of regulatory measures regarding internet privacy protection and the security of personal information reportedly was introduced by the Cyberspace Administration of China in addition to the large-scale crackdown."
Lazarus Group continues stealing cryptocurrency.
Group-IB says North Korea's Lazarus Group is using a newly discovered JavaScript sniffer dubbed "BTC Changer" designed to steal cryptocurrency:
"Group-IB researchers discovered that, in late February 2020, Lazarus started using a modified version of the malicious JavaScript script that was initially used during the clientToken= campaign all the while using the same infrastructure. The new version had the same names of functions, but bank card harvesting was replaced with cryptocurrency skimming and they started targeting companies who accepted payments in BTC. The new version of the malicious JavaScript, which Group-IB researchers named Lazarus BTC Changer, was designed to switch the destination payment address to the attackers' BTC address."
Decipher quotes Group-IB's Viktor Okorokov as saying, "The campaign marks the first time that Lazarus used malicious JavaScript sniffers to steal cryptocurrency. It’s definitely something that deserves attention as the technique has all the potential to grow in scale and sophistication, given the gang’s continued hunt for cryptocurrency."
Lazarus uses BMP image files to drop malware loader.
The Lazarus Group is also using BMP image files to deliver a Trojan, according to researchers at Malwarebytes. The files are initially delivered via phishing documents with malicious macros. The researchers explain, "Since the BMP file format is an uncompressed graphics file format, converting a PNG file format into BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP. This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images. The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content."
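To show why inflating image data matters for static detection, here is an added example (not Malwarebytes' code or the actor's tooling) that builds a constructed PNG carrying an inert marker string in its pixel data, then scans it both as stored and after inflating the IDAT chunks, the same decompression a PNG-to-BMP conversion performs. The marker, the image layout and the crude BMP stand-in are all constructed.

```python
import struct
import zlib

MARKER = b"CONSTRUCTED-MARKER-NOT-MALWARE"  # stand-in for the signature a scanner looks for

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def build_png_with_pixel_bytes(payload, width=64):
    """Build a minimal 8-bit grayscale PNG whose scanlines carry `payload`.
    This is the constructed decoy image for the demo; the bytes are inert text."""
    height = -(-len(payload) // width)            # ceiling division
    rows = b""
    for y in range(height):
        row = payload[y * width:(y + 1) * width].ljust(width, b"\x00")
        rows += b"\x00" + row                      # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

def iter_chunks(png):
    pos = 8                                        # skip the 8-byte signature
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length                         # length + type + data + CRC

def inflated_pixel_data(png):
    """Concatenate and inflate every IDAT chunk. This is the same decompression
    that a PNG-to-BMP conversion performs, so scanning this buffer sees what
    the converted BMP would expose."""
    return zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))

def scan(image_bytes, signature=MARKER):
    """Return (raw_hit, inflated_hit): whether the signature is visible in the
    file bytes as stored, and whether it is visible after inflating PNG pixel
    data. A BMP is uncompressed, so both answers are the same for it."""
    raw_hit = signature in image_bytes
    if not image_bytes.startswith(b"\x89PNG\r\n\x1a\n"):
        return raw_hit, raw_hit
    return raw_hit, signature in inflated_pixel_data(image_bytes)

def demo():
    png = build_png_with_pixel_bytes(MARKER)
    bmp_like = b"BM" + inflated_pixel_data(png)   # crude stand-in for a converted BMP
    return scan(png), scan(bmp_like)
```

demo() returns ((False, True), (True, True)): the marker is invisible in the stored PNG but visible once the pixel data is inflated or converted to an uncompressed format.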