Cyber Pulse: Edition 175 | 17 February 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Ukraine subject to continuous waves of hybrid warfare

The Security Service of Ukraine (SSU) revealed the country is the target of an ongoing “wave of hybrid warfare” conducted by Russia-linked malicious actors. Threat actors aim to destabilise the social contest in the country and instill fear and distrust in the country’s government.

"Ukraine is facing attempts to systemically sow panic, spread fake information and distort the real state of affairs. All this combined is nothing more than another massive wave of hybrid warfare,” states the SSU. "The SSU is seeing such manifestations of hybrid warfare in social networks, some mass media, in the spread of narratives of the aggressor state by certain politicians, etc. The SSU is not just observing these, but also actively counteracting to them."

Last week, the Ukrainian Security Service uncovered and dismantled two bot farms in Lviv that were operating a total of 18,000 fake accounts. The bots also published fake information about bomb threats at various facilities in the country.

“The Cyber Unit of the SSU Lviv Office carried out the operation together with the National Police investigators under the supervision of Halych District Prosecutor’s Office,” reported the SSU.

Recently, Palo Alto Networks’ Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine in January, while geopolitical tensions between Russia and Ukraine have escalated dramatically. The experts mapped out three large clusters of the infrastructure used by the nation-state APT group used to support different phishing and malware campaigns. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.

Cloud service providers face threats from CoinStomp Cryptominer

A new malware family, CoinStomp, is reported to be targeting cloud services for mining cryptocurrency. Presently, this malware seems to be focused on cloud service providers in Asia. CoinStomp has multiple capabilities, including timestamping, disabling system-wide cryptographic policies, and the use of C2 communication that initiated using a /dev/tcp reverse shell. The timestamping capability manipulates the timestamps by running the touch command on Linux systems and uses a natively supported way of creating a reverse shell or C2 communication channel. Additionally, some evidence has been observed in code that referenced a Cryptojacking threat group, Xanthe. However, the evidence was not sufficient enough to confirm this claim, according to researchers.

To prevent forensic actions against itself, the malware tries to tamper with Linux server cryptographic policies. These policies are meant to stop malicious executables. Therefore, authors use the kill command to disable system-wide cryptographic policies before its activity. Moreover, any attempt by admins to undo that action further ensures that the malware achieves its goals.

In the next stage, CoinStomp makes a connection to its C2 server using a reverse shell. The script then downloads/executes additional payloads as system-wide system services with root privileges. These payloads may include binaries to create backdoors and a custom version of XMRig. The attackers are removing cryptographic policies to thwart Linux security. The use of such anti-forensic techniques further indicates that attackers are aware of incident response systems as well. These capabilities indicate the knowledge and sophistication of attackers regarding cloud security, which makes it a pertinent threat.

Microsoft Exchange Server vulnerabilities exploited for financial fraud

Unpatched servers have been used to twist corporate email threads and conduct financial theft. The combination of Squirrelwaffle, ProxyLogon, and ProxyShell against Microsoft Exchange Servers is being used to conduct financial fraud through email hijacking. Researchers from Sophos revealed a recent incident in which a Microsoft Exchange Server, which had not been patched to protect it against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam. Microsoft issued emergency patches on 2 March 2021 to resolve zero-day vulnerabilities exploitable to hijack servers. The advanced persistent threat (APT) group Hafnium was actively exploiting the bugs at this time, and other APTs quickly followed suit. 

The recent case documented by Sophos combined the Microsoft Exchange Server flaws with Squirrelwaffle, a malware loader first documented last year in malicious spam campaigns. The loader is often distributed through malicious Microsoft Office documents or DocuSign content tacked on to phishing emails. If an intended victim enables macros in the weaponised documents, Squirrelwaffle then is often used to pull and execute CobaltStrike beacons via a VBS script. 

Sophos says that in the recent campaign, the loader was deployed once the Microsoft Exchange Server had been compromised. The server, belonging to an unnamed organisation, was used to "mass distribute" Squirrelwaffle to internal and external email addresses by hijacking existing email threads between employees. Over six days, the attackers tried to direct a legitimate financial transaction to a bank account they owned. The payment was on its way to being processed, and it was only due to a bank involved in the transaction realising the transfer was likely fraudulent that the victim did not fall prey to the attack. 

Unknown group hacking aerospace and defence industry for years

Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics. Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organisations across North America, Europe and the Middle East. Despite running for years, the attacks have barely evolved, broadly following the same targeting and themes in which attackers remotely control compromised machines, conduct reconnaissance on networks and steal sensitive data. 

"What's noteworthy about TA2541 is how little they've changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace and transportation, to distribute remote access trojans," said Sherrod DeGrippo, vice president of threat research and Detection at Proofpoint. 

TA2541 initially sent emails containing macro-laden Microsoft Word attachments that downloaded the Remote Access Trojan (RAT) payload, but the group has recently shifted to using Google Drive and Microsoft OneDrive URLs, which lead to an obfuscated Visual Basic Script (VBS) file. Currently, the most commonly delivered malware in TA2541 campaigns is AsyncRAT, but other popular payloads include NetWire, WSH RAT and Parallax. No matter which malware is delivered, it's used to gain remote control of infected machines and steal data, although researchers note that they still don't know what the ultimate goal of the group is, or where they are operating from. 

Google Drive now accounts for 50% of malicious document downloads

Google Drive is exploited by attackers to spread malware. In 2021, around 50% of malicious office documents were delivered using Google Drive. The data is based on Netskope’s report and covers different office documents such as Office 365, Google Docs and PDFs, among others. It further suggests that 37% of all malware downloads are malicious office documents.

Until 2020, Microsoft OneDrive was the major source of malicious office documents, with a 34% share of all malicious document downloads. However, that changed in 2021 with Google Drive taking over OneDrive. Microsoft OneDrive has the second-highest share at 19%. Sharepoint is in the third position from where 15% of victims downloaded malicious office documents. This was followed by Gmail and Box at 4% and 3%, respectively, while the rest apps combinedly stood at 9%.

Cloud services continue to witness huge number of sign-ups as more and more businesses nowadays operate from there. Cybercriminals create free accounts on cloud apps hosting services, upload malicious files and share them publicly or with selected individuals.  Then, they wait until some unsuspecting users open up the file and infect their device with enclosed malware. The use of legitimate platforms from Microsoft and Google has become very popular among cybercriminals. Thus, users who have a habit of downloading or receiving documents from unknown sources or emails should stay alert. Additionally, organisations must secure their cloud apps with user authentication and threat monitoring tools.

Microsoft Defender will soon block Windows password theft

Microsoft is enabling a Microsoft Defender Attack Surface Reduction security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process. When threat actors compromise a network, they attempt to spread laterally to other devices by stealing credentials or using exploits. One of the most common methods to steal Windows credentials is to gain admin privileges on a compromised device and then dump the memory of the Local Security Authority Server Service (LSASS) process running in Windows. This memory dump contains NTLM hashes of Windows credentials of users who had logged into the computer that can be brute forced for clear-text passwords or used in Pass-the-Hash attacks to login into other devices.

As a way to mitigate Windows credential theft without causing the conflicts introduced by Credential Guard, Microsoft will soon be enabling a Microsoft Defender Attack Surface Reduction (ASR) rule by default. The rule "Block credential stealing from the Windows local security authority subsystem" prevents processes from opening the LSASS process and dumping its memory, even if it has administrative privileges.

This new change was discovered this week by security researcher Kostas who spotted an update to Microsoft's ASR rules documentation. However, Microsoft has recently begun to choose security at the expense of convenience by removing common features used by admins and Windows users that increase attack surfaces. For example, Microsoft recently announced that they would prevent VBA macros in downloaded Office documents from being enabled within Office applications in April, killing off a popular distribution method for malware. This week, we also learned that Microsoft had begun the deprecation of the WMIC tool that threat actors commonly use to install malware and run commands.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.