At a glance.
- Cyberespionage campaign targets Israeli entities.
- Ransomware operators exploit PrintNightmare vulnerability.
- Critical vulnerability affects IoT devices.
Cyberespionage campaign targets Israeli entities.
Researchers at ClearSky have observed an Iranian cyberespionage campaign by Siamesekitten (also known as Lyceum or Hexane) against Israeli organizations. The attackers use bogus job offers to entice victims into downloading malware:
"At the beginning of May 2021, we detected the first attack by Siamesekitten on an IT company in Israel. Siamesekitten is an Iranian APT group active in the Middle east and in Africa that is active in launching supply chain attacks. To this end Siamesekitten established a large infrastructure that enabled them to impersonate the company and their HR personnel. We believe that this infrastructure was built to lure IT experts and penetrate their computers to gain access to the company’s clients.
"In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded their backdoor malware to a new version called 'Shark' and it replaced the old version of their malware called 'Milan.'"
Ransomware operators exploit PrintNightmare vulnerability.
CrowdStrike and Cisco Talos warn that ransomware actors continue to exploit PrintNightmare (CVE-2021-34527), a remote code execution vulnerability affecting the Windows Print Spooler service. CrowdStrike says Magniber, a ransomware strain that surfaced in 2017 and exclusively targets victims in South Korea, is attempting to exploit the flaw:
"Analyzing the behavior of the malicious ransomware sample reveals the same Magniber behavior observed in the past by CrowdStrike security researchers: exploiting a vulnerability, dropping an obfuscated DLL loader, injecting the loader into a process and then unpacking the cored DLL loader that performs local file traversal and encryption — which is on par with the known Magniber modus operandi."
And Cisco Talos says that Vice Society, a new ransomware gang, appears to have begun using PrintNightmare to facilitate targeted attacks against its victims:
"Vice Society is a relatively new player in the ransomware space. They emerged in mid-2021 and have been observed launching big-game hunting and double-extortion attacks, primarily targeting small or midsize victims. This group also has notably targeted public school districts and other educational institutions. As they are a new actor in this space, Vice Society's TTPs are difficult to quantify. However, based on incident response observations, they are quick to leverage new vulnerabilities for lateral movement and persistence on a victim's network. They also attempt to be innovative on end-point detection response bypasses."
The researchers note that Vice Society also steals data for extortion, stating, "In this attack, we observed the adversary attempting to exfiltrate sensitive information over SMB (TCP/445) directly from a compromised domain controller. This was likely chosen as a way to bypass egress filtering that may have been in place at the perimeter of the victim environment."
Critical vulnerability affects IoT devices.
FireEye's Mandiant and the US Cybersecurity and Infrastructure Security Agency (CISA) have jointly disclosed a critical vulnerability affecting IoT products that run the ThroughTek Kalay network, which amounts to tens of millions of devices. The vulnerability can enable attackers to access IoT devices and possibly allow for remote code execution:
"At the time of writing this blog post, ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on their platform. ThroughTek's clients include IoT camera manufacturers, smart baby monitors, and Digital Video Recorder ('DVR') products. Unlike the vulnerability published by researchers from Nozomi Networks in May 2021 (also in coordination with CISA), this latest vulnerability allows attackers to communicate with devices remotely. As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution."
Mandiant and ThroughTek offer the following guidance:
- "If the implemented SDK is below version 3.1.10, upgrade the library to version 18.104.22.168 or version 22.214.171.124 and enable the Authkey and Datagram Transport Layer Security ('DTLS') features provided by the Kalay platform."
- "If the implemented SDK is version 3.1.10 and above, enable Authkey and DTLS."
- "Review security controls in place on APIs or other services that return Kalay unique identifiers ('UIDs')."