At a glance.
- CSC exposes subdomain hijacking vulnerabilities.
- LockBit group gearing up to target Apple products.
- Vice Society using “living off the land” techniques for exfiltration.
- Iranian threat actor exploits N-day vulnerabilities.
- APT41 misusing Google good guy tools.
CSC exposes subdomain hijacking vulnerabilities.
CSC released its “Subdomain Hijacking Vulnerabilities Report” in which it shows that over 21% of the 400,000 DNS records it queried were likely vulnerable to subdomain hijacking. Subdomain hijacking occurs when threat actors take over a subdomain and use it to host their malicious content, which could lead to further threats like phishing or hosted malware. The report also showed that 63% of the queried DNS records showed a 404 “not found” or 502 “bad gateway” error. CSC explains “DNS records housekeeping is historically one of the most frequently neglected tasks due to a long history of different owners, policies, and vendors.”
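The two conditions the report counts, a CNAME whose target no longer resolves and a name that answers 404 or 502, can be checked in a routine DNS housekeeping audit. The script below is an added example, not CSC's methodology; it runs over a constructed zone with offline stand-ins for DNS and HTTP lookups (the hostnames, `.invalid` targets and status codes are all made up).

```python
"""Dangling-subdomain audit over a constructed record set (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class DnsRecord:
    name: str    # owner name, e.g. "shop.example.com"
    rtype: str   # "CNAME" or "A"
    target: str  # CNAME target hostname, or the IPv4 address of an A record

# Constructed zone for example.com; the .invalid targets are placeholders.
SAMPLE_RECORDS: List[DnsRecord] = [
    DnsRecord("www.example.com", "A", "192.0.2.10"),
    DnsRecord("shop.example.com", "CNAME", "shop-prod.hosting.invalid"),  # target gone
    DnsRecord("blog.example.com", "CNAME", "blog.cms-vendor.invalid"),    # serves 404
    DnsRecord("legacy.example.com", "A", "192.0.2.20"),                   # backend dead
    DnsRecord("docs.example.com", "CNAME", "docs.vendor.invalid"),        # healthy
]
# Offline stand-ins for live lookups: None means NXDOMAIN / no HTTP answer.
FAKE_DNS: Dict[str, Optional[List[str]]] = {
    "shop-prod.hosting.invalid": None,
    "blog.cms-vendor.invalid": ["198.51.100.5"],
    "docs.vendor.invalid": ["198.51.100.9"],
}
FAKE_HTTP: Dict[str, Optional[int]] = {
    "www.example.com": 200, "blog.example.com": 404,
    "legacy.example.com": 502, "docs.example.com": 200,
}

def audit(records, resolve, probe) -> List[Tuple[str, str, str]]:
    """Return (subdomain, finding, detail) for every record that needs cleanup."""
    findings = []
    for r in records:
        if r.rtype == "CNAME" and resolve(r.target) is None:
            # CNAME points at nothing the owner controls: the takeover precondition.
            findings.append((r.name, "DANGLING_CNAME", r.target))
            continue
        status = probe(r.name)
        if status in (404, 502):
            # Stale content or dead backend: the second class the report counts.
            findings.append((r.name, f"HTTP_{status}", r.target))
    return findings

def percent_flagged(records, findings) -> float:
    """Share of records flagged, the headline figure in the CSC report."""
    return round(100.0 * len(findings) / len(records), 1)

if __name__ == "__main__":
    found = audit(SAMPLE_RECORDS, FAKE_DNS.get, FAKE_HTTP.get)
    print(found, f"{percent_flagged(SAMPLE_RECORDS, found)}% flagged")
```

Replace `FAKE_DNS.get` and `FAKE_HTTP.get` with real resolver and HTTP probe callbacks to run it against a live zone export; records flagged `DANGLING_CNAME` should be removed or re-pointed first.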
LockBit group gearing up to target Apple products.
Data Breach Today reported Monday that the LockBit ransomware group is testing a new ransomware variant that targets machines using Apple Silicon chips. vx-underground first tweeted the discovery on April 15th, and a tweet from MalwareHunterTeam on the 16th explained that this is likely the first ransomware from a large group that specifically targets Apple products. This version of the ransomware appears to still be under active development: Azim Khodjibaev, a Cisco Talos researcher, tweeted that “the encryptors were meant as a test and were never intended for deployment in live cyberattacks.” For now, the ransomware appears to remain in development and is not an active threat against Apple products. BleepingComputer adds, “In response to questions from BleepingComputer, the public-facing representative of LockBit, known as LockBitSupp, said that the Mac encryptor is ‘actively being developed.’”
Vice Society using “living off the land” techniques for exfiltration.
A detailed report on Vice Society, a notorious ransomware group, was released by Unit 42; in it they explain that Vice Society uses programs native to the infected machines to exfiltrate stolen data. Vice Society uses “living off the land” tactics to lower its detectability, specifically a custom-built Microsoft PowerShell script. Unit 42 writes, “Unfortunately, the nature of PS scripting within the Windows environment makes this type of threat difficult to prevent outright.” They also provide guidance for detecting the script used in Vice Society attacks: implementing the YARA rule found in their report, enabling PowerShell Module and Script Block Logging, and monitoring your network's activity for traffic spikes.
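Because the exfiltration tooling is native to the host, the network-side check Unit 42 recommends is a useful complement to script logging. The detector below is an added example, not Unit 42's logic: it scores each host's hourly outbound volume against that host's own median using the median absolute deviation (MAD), which, unlike mean and standard deviation, is not dragged upward by the spike it is trying to find. The hostnames and byte counts are constructed.

```python
"""Robust egress-spike detector over constructed hourly byte counts (added example)."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed telemetry: outbound megabytes per host per hour (not real data).
SAMPLE_EGRESS_MB: Dict[str, List[int]] = {
    "ws-finance-07": [48, 52, 50, 47, 55, 51, 49, 53, 50, 48, 46, 4100],
    "ws-hr-02":      [20, 22, 19, 21, 23, 20, 22, 21, 20, 19, 22, 24],
}

def robust_zscores(series: List[int]) -> List[float]:
    """Deviation of each hour from the median, in MAD units."""
    m = median(series)
    mad = median(abs(x - m) for x in series)
    # 1.4826 rescales MAD to a stddev-equivalent for normal data; a MAD of 0
    # (perfectly flat history) falls back to raw units instead of dividing by 0.
    scale = 1.4826 * mad if mad > 0 else 1.0
    return [(x - m) / scale for x in series]

def detect_spikes(egress: Dict[str, List[int]], threshold: float = 6.0,
                  min_mb: int = 500) -> List[Tuple[str, int, int, float]]:
    """Return (host, hour_index, megabytes, score) for hours that are both
    statistically unusual for the host AND large enough in absolute terms,
    so a quiet workstation does not alert on a 20 MB update."""
    alerts = []
    for host, series in egress.items():
        for hour, (mb, score) in enumerate(zip(series, robust_zscores(series))):
            if score > threshold and mb >= min_mb:
                alerts.append((host, hour, mb, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for host, hour, mb, score in detect_spikes(SAMPLE_EGRESS_MB):
        print(f"ALERT {host} hour={hour} egress={mb} MB robust_z={score}")
```

In practice the series would come from flow or proxy logs aggregated per host, and an alert would be correlated with the Script Block Logging events from the same host and hour.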
Iranian threat actor exploits N-day vulnerabilities.
Microsoft this morning reported that the group it's hitherto tracked as Phosphorus (and will henceforth refer to as "Mint Sandstorm") has developed a specialty in weaponizing N-day vulnerabilities, that is, vulnerabilities for which a fix or mitigation is available, but which some organizations have failed to patch. It's also been known mostly for reconnaissance and cyberespionage, but that may be changing, as there are signs the group is turning its attention to critical infrastructure. "Mint Sandstorm is known to pursue targets in both the private and public sectors," Microsoft writes, "including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East. Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453." Over the past two years the group has been observed to carry out attacks against infrastructure, and Microsoft thinks that its future activities may show a continued lessening of constraint. "Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity."
(Added, 9:00 PM ET, April 23rd, 2023. Several industry experts have comments on Microsoft's Mint Sandstorm report.
Iranian infrastructure battlespace preparation.
Tom Kellermann, SVP of cyber strategy at Contrast Security, sees the report as a clear escalation of Iran's cyber campaigns against the US and Israel: “Geopolitical tension manifests in cyberspace. Iranian threat actors have escalated their destructive attacks against the US and Israel as tensions rise. I commend Microsoft's report as this digital darkness requires sunshine.”
Microsoft noted that Mint Sandstorm was using "low-volume" phishing attacks in some of its operations. James McQuiggan, security awareness advocate at KnowBe4, notes that threat actors have realized the value of a patient approach:
“Slow and steady wins the race. Cybercriminals are playing the long game, working to build rapport with their marks to build trust and gain access into organizations. With these highly targeted campaigns, organizations want to include these styles of attacks within their frequent training to educate their users. Conducting simulated vishing calls will strengthen the user's skepticism and avoid believing everything they see in emails and hear on phone calls.
“Sometimes it can help organizations increase their security culture with gamification on various topics, like quizzes, department competitions, and offering the carrot or rewards to those who spot the attackers. Included should be incident reporting training for all users on what they should do if they encounter a ‘visher’ or phishing email. It's known that users can send emails, but organizations would benefit from procedures for reporting phone numbers to authorities for persistent phone calls.
“A higher level of sophistication, being patient and persistent, also requires our users to have the same level of awareness, skills and understanding of where to report these events and work to reduce the risk of data breaches by these nation-states and criminal organizations.”
Mint Sandstorm not only represents an escalation in potential effects, but an increase in technical sophistication as well. Matt Mullins, Senior Security Researcher at Cybrary wrote:
“Mint Sandstorm exhibits tell-tale marks of a more sophisticated adversary approach. Their attack process relies on timing, since they are racing against patch timing for publicly disclosed new CVEs. With this being said, there is an obvious effort to scour the internet for information on the latest PoCs, weaponizing them, and then swiftly launching campaigns to gain an initial foothold into networks. Outside of this initial access vector, the utilization of template injection in tandem with small batches of phishing emails leads to a cautious and furtive approach to initial access using traditional phishing methods.
“Once inside, they appear to execute more standard post-exploitation operational procedures: recon, credential theft and lateral movement, then escalation leading to exfiltration. None of this tradecraft is particularly advanced at this stage but merely standard and sufficient operation to maneuver in an internal network. Detection of tools like Impacket isn't anything new with a number of endpoint protections giving a specific perspective of what this activity could look like on a compromised host. Further, the exfiltration of a dumped AD database could be surmised as simply the attackers DCSync’ing or shadowing and with this vector there are robust detections available as well.
“Custom malware is always a bit harder but as the toolkits are more publicly shared, ensuring that properly updated signatures will help a great deal with this aspect. While initial payload detection is difficult at times, there are a number of ways to detect threat actors once they begin to execute on the box. There is no way to be 100% invisible! There are always tell-tale marks left and thus as defenders we must use defense in depth and have well trained analysts and threat hunters who are capable to look closer at escalated tickets.”
And, again, it's not just the zero-days organizations need to worry about. It's the prospect of the adversary getting inside their OODA loop. Zach Hanley, Chief Attack Engineer at Horizon3.ai, commented: “Threat actors are identifying and increasingly exploiting processes, or lack of processes, in vulnerability management. They can invest in discovering 0-days, or they can abuse known, recent vulnerabilities that become public. The continuous intelligence loop of identifying emerging threats and acting on the new risks before your adversary can, will become a more critical investment that organizations will have to weigh in their overall security model. Gone are the days where an annual penetration test sufficed for reducing an organization’s risk.”)
APT41 misusing Google good guy tools.
Google reported earlier this month that “Google’s Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive. The payload was an open source red teaming tool called ‘Google Command and Control’ (GC2).” Google adds that “These incidents highlighted a few key threat trends by China-affiliated threat actors. First, as opposed to developing their own custom tools, Chinese APT groups are increasingly using publicly available tooling such as Cobalt Strike and other ‘pentest’ software available for purchase or on sites like GitHub.”
(Added 9:15 PM ET, April 23rd, 2023. Matt Mullins, Senior Security Researcher at Cybrary, sees a departure in the threat actor's use of off-the-shelf resources:
“APT41's use of GC2 is a shift into using more novel and off-the-shelf modern open-source projects. While most of the APT pool still relies on certain tried-and-true approaches (such as using PowerShell and macros), this change up of tactics shows a willingness to change approaches with the time. The GC2 program isn't anything revolutionary to the Red Team community as the utilization of covert channels as a non-standard C2 is something that good Red Teams have been organically developing for years now.
“The tool, which uses Google’s trusted domains and applications, allows for the masquerading of legitimacy. This approach exposes an Achilles heel to using major providers like Google and Microsoft: enterprises essentially have to whitelist all domains and subdomains associated with these companies. By doing so, any service that can be abused is a free hall pass for attackers. I have personally used this on my own operations before and can say that it leaves even the best defenders blind to C2 communications.
“The application also uses Go, which is a Google language (for extra insult), and in a similar vein it is a known compiled language to Red Teams. Go provides nice cross-compatibility with less robust detection maturity in most organizations. All of this makes for a great initial malware payload!
“Times are changing and so are APT groups. As we see more research and development done by Red Teams, we will see more advanced vectors and approaches like this. Defenders need to make sure they have validated their detections, their detections are robust, and that we have security at all layers (instead of depending on one product or tool to save us). Above all else, having a good Red Team will help your Blue Team train up to defend against advanced threats like this! Investing into a good offensive security program for ANY organization will pay exponentially in the long run.”
Christopher Peacock, Principal Detection Engineer at SCYTHE, sees this sort of development in threat tactics as entirely foreseeable: “In this day and age, free and open-source hacking software is just that, hacking software. Any interesting capability posted publicly to GitHub will inevitably be used maliciously regardless of the project's intentions, licensing, or disclaimer.”)