Welcome to the Daily Threat Briefing for April 3, 2024. Today's briefing covers three stories: the latest tactics of the Earth Freybug APT group, an Intel 471 report on a new wave of targeted phishing (smishing) campaigns, and Sophos' high-level findings from its 2023 incident response cases.
Executive Summary
1. Earth Freybug's Espionage Tactics: The Unveiling of UNAPIMON
Actionable Takeaway: Organizations should strengthen their defences by enforcing strong password policies, limiting administrative privileges, and applying the latest patches. Software developers should follow secure coding and safe DLL-loading practices to resist DLL hijacking, and security teams should not rely solely on user-mode API hooks for visibility, since UNAPIMON removes them from the processes it spawns.
2. The Rising Tide of Phishing: "The Com" Takes Center Stage
Actionable Takeaway: To counter these threats, businesses must keep refining and testing their security controls, educate employees about smishing, and enforce Multi-Factor Authentication (MFA) while recognizing its limits against real-time relay. Training that goes beyond phishing and smishing helps employees report incidents and recognize common indicators of compromise.
3. Sophos' Active Adversary Report: A Glimpse into 2024's Cyber Threats
Actionable Takeaway: Firms are urged to adopt comprehensive backup and recovery strategies, secure remote access, and conduct regular security awareness training to defend against ransomware and data extortion.
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
On April 2, 2024, Trend Micro released a technical report detailing a cyberespionage attack attributed to Earth Freybug, a group whose activity spans both espionage and financially motivated operations. Earth Freybug actors combined dynamic-link library (DLL) hijacking with application programming interface (API) unhooking, delivered through a malware component named UNAPIMON, to prevent child processes from being monitored.
- Earth Freybug has been active since at least 2012 and targets multiple sectors across many countries, using living-off-the-land binaries (LOLBins) alongside custom malware.
- The attack flow began with a vmtoolsd.exe process that used schtasks.exe to create a remote scheduled task, which launched a pre-deployed cc.bat for reconnaissance and the subsequent deployment of a backdoor.
- The first cc.bat ran commands to gather system information and stored the output in %System%\res.txt.
- A second cc.bat abused the SessionEnv service to side-load a malicious %System%\TSMSISrv.DLL, which dropped and loaded a DLL named Windows%_{5 to 9 random alphabetic characters}.dll and injected it into a cmd.exe process, turning that process into a backdoor.
- UNAPIMON is the defence-evasion component: it hooks process creation so that, in each child process, it can unhook the API functions that sandboxes and monitoring tools rely on, leaving the child's activity unobserved.
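A practitioner reading that chain would want its observable pieces turned into hunt logic. The Python script below is an added example, not code from the report or from Trend Micro: it runs the indicators above (vmtoolsd.exe spawning schtasks.exe, a remote task launching a .bat, res.txt written to System32, an unsigned TSMSISrv.DLL load, and a random-named _xxxxx.dll loaded into cmd.exe) over a handful of constructed Sysmon-style process, file and image-load events. The field names, the regex for the random DLL name, and the assumption that the dropped TSMSISrv.DLL carries no valid signature are mine, not the report's.

```python
# Hunt rules for the Earth Freybug chain described above.
# Added example: the events below are constructed, Sysmon-style records,
# not telemetry or IoCs from the Trend Micro report.
import re

# Assumption: the dropped DLL is named "_" + 5..9 letters + ".dll" in the Windows dir
WINDIR_RANDOM_DLL = re.compile(r"\\Windows\\_[A-Za-z]{5,9}\.dll$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed
    {"event": "ProcessCreate", "host": "srv01",
     "parent": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /s 10.0.0.12 /tn "Update" /tr "C:\Windows\System32\cc.bat" /sc once /st 00:00'},
    {"event": "ProcessCreate", "host": "srv02",   # benign: interactive schtasks query
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query"},
    {"event": "FileCreate", "host": "srv02",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\System32\res.txt"},
    {"event": "ImageLoad", "host": "srv02",       # SessionEnv runs inside svchost.exe
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\TSMSISrv.DLL", "signed": "false"},
    {"event": "ImageLoad", "host": "srv02",
     "image": r"C:\Windows\System32\cmd.exe",
     "loaded": r"C:\Windows\_qwertzu.dll", "signed": "false"},
    {"event": "ImageLoad", "host": "srv03",       # benign: signed system DLL
     "image": r"C:\Windows\System32\cmd.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": "true"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        parent = basename(ev.get("parent", ""))
        image = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        if parent == "vmtoolsd.exe" and image == "schtasks.exe":
            hits.append("vmtoolsd_spawns_schtasks")
        # /create against an explicit remote system (/s host) that runs a batch file
        if (image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd)
                and re.search(r"(?i)/s\s+\S+", cmd) and re.search(r"(?i)\.bat\b", cmd)):
            hits.append("remote_task_runs_batch")
    elif kind == "FileCreate":
        if re.search(r"(?i)\\System32\\res\.txt$", ev.get("target", "")):
            hits.append("recon_output_res_txt")
    elif kind == "ImageLoad":
        loaded = ev.get("loaded", "")
        # Assumption: the side-loaded TSMSISrv.DLL carries no valid signature
        if basename(loaded) == "tsmsisrv.dll" and ev.get("signed", "").lower() != "true":
            hits.append("unsigned_tsmsisrv_sideload")
        if basename(ev.get("image", "")) == "cmd.exe" and WINDIR_RANDOM_DLL.search(loaded):
            hits.append("random_dll_loaded_into_cmd")
    return hits


def hunt(events) -> list:
    """(host, rule) pairs for every rule hit across the event stream."""
    return [(ev["host"], rule) for ev in events for rule in check_event(ev)]


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Against the constructed stream this fires five times on srv01 and srv02 and stays silent on the benign schtasks query and the signed kernel32.dll load. The schtasks rule is the one most worth tuning in a real environment: administrators do create remote tasks, so the combination of a remote target and a batch payload in a system directory is what carries the signal, not schtasks.exe alone.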
Insights and Analysis
UNAPIMON's primary purpose is to unhook critical API functions in child processes, so that malicious activity in those processes goes unrecorded by any monitoring that depends on user-mode hooks.
- The simplicity and originality of UNAPIMON, which repurposes an off-the-shelf library (Microsoft Detours) for evasion, show the developers' creativity and technical skill.
- The attack also underlines the human and administrative side of defence: strong password policies and tight limits on administrative privileges reduce the chance that an intruder can create remote scheduled tasks and drop files into system directories in the first place.
- No software vulnerability was needed here; legitimate components (the SessionEnv service and cmd.exe) were abused through DLL side-loading and injection. Developers should load DLLs by full path with safe search-order settings and verify their signatures, and defenders should not treat user-mode API hooks as their only source of telemetry.
- The report includes technical Indicators of Compromise (IoCs), which are useful for detecting and preventing similar attacks.
Targeted Phishing Linked to 'The Com' Surges
On April 2, 2024, Intel 471 released a technical report on a significant surge, in early 2024, of phishing attacks delivered mainly by SMS (smishing) and aimed at stealing credentials for identity and access management (IAM), cloud, and single sign-on (SSO) systems. The attacks were linked to a collective known as "The Com," made up of young actors from Canada, the U.S., and the U.K. who engage in a range of cybercriminal activity. The group has been tied to high-profile breaches, and its tactics have evolved to include ransomware affiliations, particularly with ALPHV (aka BlackCat).
- Between January 1 and February 10, 2024, Intel 471 identified 35 new phishing sites tied to these campaigns. The sites reused resources such as a specific Okta Sign-In Widget JavaScript file to build convincing login pages.
- The phishing pages closely mimicked legitimate login pages and even prompted victims for their Okta verification codes, showing a detailed understanding of the targets' I.T. infrastructure.
- The campaigns relied heavily on VPS infrastructure from providers such as Vultr and Namecheap. Phishing domains used naming conventions closely resembling those of the impersonated organizations, mostly imitating H.R. and SSO systems.
- Telecommunications was the most targeted sector, followed by technology, insurance, I.T. consulting, and retail; at least 20 companies were targeted.
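The naming pattern in the previous bullets (organization name plus an H.R. or SSO word) is something a defender can watch for in certificate-transparency or new-domain feeds. The script below is an added example, not Intel 471's code or IoCs: it tokenizes a candidate domain, checks for the brand and for portal words, and flags the combination. The brand "acme", the owned-domain set, the portal-word list and the candidate domains are all constructed for illustration.

```python
# Flag newly observed domains that imitate an organization's H.R./SSO portals,
# following the naming conventions described above. Added example; the
# candidate domains are constructed for illustration, not IoCs from the report.
import re

# Portal words commonly seen in SSO/H.R. lures (assumption; extend per organization)
PORTAL_TERMS = {"sso", "okta", "hr", "login", "signin", "auth", "vpn",
                "portal", "payroll", "benefits", "workday", "myapps"}


def tokens(domain: str) -> list:
    """Hyphen/underscore-separated tokens from every label except the TLD."""
    labels = domain.lower().strip(".").split(".")
    return [t for label in labels[:-1] for t in re.split(r"[-_]", label) if t]


def portal_terms(toks: list, brand: str) -> set:
    """Portal words appearing as whole tokens or glued to the brand ("acmesso")."""
    found = set()
    for t in toks:
        if t in PORTAL_TERMS:
            found.add(t)
        elif brand in t:
            rest = t.replace(brand, "", 1)
            if rest in PORTAL_TERMS:
                found.add(rest)
    return found


def classify(domain: str, brand: str, owned: set) -> tuple:
    """(level, reasons): 0 = owned or unrelated, 1 = one signal, 2 = brand + portal term."""
    d = domain.lower().strip(".")
    if d in owned or any(d.endswith("." + o) for o in owned):
        return 0, ["owned by organization"]
    toks = tokens(d)
    reasons = []
    if any(brand in t for t in toks):
        reasons.append("contains brand")
    terms = portal_terms(toks, brand)
    if terms:
        reasons.append("portal term: " + ",".join(sorted(terms)))
    level = 2 if len(reasons) == 2 else (1 if reasons else 0)
    return level, reasons


if __name__ == "__main__":
    owned = {"acme.com"}
    for cand in ["acme-sso.com", "acmehr-benefits.net", "okta-acme.info",
                 "acmeproducts.com", "sso.acme.com", "example.org"]:
        print(cand, classify(cand, "acme", owned))
```

Level 2 hits are the ones worth a takedown request or a block on the mail and SMS gateways; level 1 (brand only) is a watch-list entry. Subdomains of domains the organization actually owns are excluded first so that legitimate sso.acme.com-style hosts never appear in the alert queue.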
Insights and Analysis
The surge in smishing highlights both the sophistication and the adaptability of "The Com" in running phishing campaigns, and shows how technical tooling and human weaknesses combine in these operations.
- Because social engineering is a persistent threat, security controls need continuous refinement and testing, and employees need ongoing education and vigilance.
- Impersonating H.R. and SSO systems, where employees expect routine legitimate messages, reflects a calculated exploitation of human psychology and of the targeted organizations' everyday processes.
- The reliance on VPS providers for phishing infrastructure shows how easily threat actors can leverage legitimate services, raising questions about service providers' responsibilities in combating cybercrime.
- Secure design of authentication systems matters here: a verification code that a user can type into any page can be relayed by a phishing page to the real login within its validity window.
- This reinforces the need for Multi-Factor Authentication (MFA), with a clear understanding of its limits: one-time codes and push approvals can be relayed or fatigued, whereas phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) bind the login to the legitimate origin and cannot be replayed from a lookalike domain.
- The report is technical and includes Indicators of Compromise (IoCs), giving organizations actionable intelligence to detect and respond to these threats.
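The two bullets on verification codes and on MFA's limits are easiest to see side by side in code. The example below is added here and is not from the Intel 471 report: a standard-library TOTP implementation shows that a code typed into a phishing page is still valid when the kit forwards it a few seconds later, while a simplified WebAuthn assertion fails the relying party's origin check because the browser, not the user, writes the origin into clientDataJSON. The seed, timestamps, origins and credential key are constructed, and an HMAC stands in for the credential's ECDSA key so the block runs without any third-party library.

```python
# Why a typed-in verification code survives a real-time phishing relay while an
# origin-bound WebAuthn assertion does not. Added example with constructed data;
# the WebAuthn flow is simplified (HMAC stands in for the credential's ECDSA key).
import base64
import hashlib
import hmac
import json
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 6238 over RFC 4226 HOTP, SHA-1, 30 s steps) -----------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(submitted, totp(secret, now))


def relay_totp(secret: bytes, now: int, delay: int = 5) -> bool:
    """Victim types the code into the phishing page; the kit forwards it to the
    real IdP `delay` seconds later. Same 30 s window, so the IdP accepts it."""
    victim_code = totp(secret, now)
    return idp_verify_totp(secret, victim_code, now + delay)


# ---- WebAuthn-style assertion (simplified) ----------------------------------
def authenticator_sign(cred_key: bytes, rp_id: str, challenge: bytes, browser_origin: str) -> dict:
    """The browser records the origin it is actually on in clientDataJSON; the
    authenticator signs rpIdHash || sha256(clientDataJSON). The user cannot
    alter the origin field, which is what makes the factor phishing-resistant."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()           # rpIdHash only
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()     # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str, challenge: bytes, assertion: dict) -> tuple:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if assertion["authenticatorData"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_webauthn(cred_key: bytes, rp_id: str, legit_origin: str, browser_origin: str) -> tuple:
    """One login: the RP issues a challenge and the browser at `browser_origin`
    answers it. A relaying kit can forward the challenge, but the assertion it
    gets back names the phishing origin and is rejected. (A real browser refuses
    even earlier, because the phishing domain is not a valid RP ID for the credential.)"""
    challenge = hashlib.sha256(b"per-login server nonce").digest()  # constructed
    assertion = authenticator_sign(cred_key, rp_id, challenge, browser_origin)
    return rp_verify(cred_key, rp_id, legit_origin, challenge, assertion)


if __name__ == "__main__":
    seed, now = b"12345678901234567890", 1_700_000_010
    print("TOTP relayed within window accepted:", relay_totp(seed, now))
    print("Same code 60 s later accepted:", idp_verify_totp(seed, totp(seed, now), now + 60))
    print("WebAuthn legit:", login_webauthn(b"k", "acme.okta.com", "https://acme.okta.com", "https://acme.okta.com"))
    print("WebAuthn relayed:", login_webauthn(b"k", "acme.okta.com", "https://acme.okta.com", "https://acme-sso.example"))
```

The TOTP half uses the RFC 4226/6238 test seed, so totp(seed, 59) yields the published vector 287082; the relay succeeds because the code's only freshness control is the 30-second step, which a live proxy easily beats. The WebAuthn half fails at "origin mismatch" before any signature is checked, which is the property the MFA bullet above refers to as phishing resistance.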
It's Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024
On April 3, 2024, Sophos released its Active Adversary Report for 1H 2024, a technical report drawing on the X-Ops Incident Response team's analysis of more than 150 cases handled worldwide in 2023. It describes the current state of cyber threats, emphasizing the persistence of ransomware and highlighting notable shifts in attack types and targets.
- Ransomware remained the dominant attack type in 2023, with 70% of the cases investigated resulting from ransomware attacks.
- Organizations with fewer than 1000 employees constituted 88% of the dataset, with a significant portion (55%) having 250 employees or fewer.
- The manufacturing sector was most likely to request Sophos I.R. services, followed by information technology, retail, and services sectors.
- Network breaches ranked second in attack types, with evidence suggesting that many were unsuccessful ransomware attempts.
- The data on extortion and exfiltration attacks showed notable changes, with extortion attacks doubling and exfiltration attacks halving from the previous year.
- LockBit was identified as the most prolific ransomware brand in 2023, followed by emerging brands like Akira.
- The report discusses the primary initial access methods and root causes of breaches, highlighting compromised credentials and exploited vulnerabilities as leading issues.
- It addresses the role of external remote services and valid accounts in facilitating attacks and stresses the importance of multi-factor authentication (MFA) and secure remote access practices.
Insights and Analysis
Ransomware's persistence as the top threat in 2023 shows that, despite well-known defence strategies, many organizations still struggle to implement them effectively.
- The impact of ransomware makes robust, tested backup and recovery strategies essential to minimize data loss and operational downtime.
- The predominance of smaller organizations in the dataset highlights the need for security measures tailored to their particular challenges and resource constraints.
- The shift towards data extortion shows attackers adapting their tactics, which makes data protection and incident response plans that account for stolen data, not only encrypted data, more important.
- Compromised credentials as a leading root cause highlights the human element, reinforcing the need for security awareness training, MFA, and strict access controls.
- Given the report's findings on exploited vulnerabilities, secure coding practices and regular vulnerability assessments remain critical to reducing the attack surface.
- This report is high-level and includes no direct indicators of compromise (IoCs).
Welcome to Device Threat Insights and Analysis, where I present three key stories that captured my attention as a threat intelligence professional. Please note that these reports are not affiliated with any organization, and my insights should be considered opinions or a starting point for navigating the vast sea of public reporting. Before taking action, conduct a thorough impact analysis specific to your business needs. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.
References: