Ongoing Cyber Espionages
Mohnish Singh
Information security|SOC2 ISO 27001:2022|DPSS PCI|XDR|incident response|vulnerability management|SIEM SME|Big-blue|Big-4
Cyber espionage, or cyber spying, is a type of cyber attack in which attackers attempt to access and exfiltrate sensitive or classified data, intellectual property (IP) and potential trade secrets for economic gain, competitive advantage or political reasons.
Cyber criminals and state actors continuously evolve their tactics to infiltrate systems, gain privileged access, disable controls and exfiltrate critical business data. From "magnets of threats" to the use of hard-to-detect infrastructure, this article covers current trends and techniques active in the wild.
Cyber espionage has been on the rise and is regularly in global media headlines. Current espionage campaigns are run not only by organized cyber criminals but also by state-sponsored actors; examples of state-sponsored espionage follow.
We are witnessing an all-time high in espionage campaigns run by highly motivated state actors. These actors use novel technologies to cause mass cyber disruption and attempt to knock enterprises out of business.
Activities seen in Cyber Espionages
Ukraine has been under a constant barrage of cyber attacks. An uncommon piece of malware indirectly targeted Ukraine's critical government infrastructure: it was aimed at a large software development company that serves various state organizations within Ukraine. The investigation led to the disclosure of an open-source backdoor named "GoMet", first observed on March 28, 2022.
The malware uses the reported critical vulnerabilities CVE-2020-5902 and CVE-2022-1040 as its attack vectors.
Three samples of this version of the backdoor were identified.
The samples have minor differences and are likely built from the same source code, with marginally different configuration.
Analyzing the code, it is evident that the samples are not a 100% match; the noticeable changes are mainly strings and similar victim- or compiler-dependent data, along with the accompanying researcher comments.
The Main.Main function serves as an example.
This flow reveals another change relative to the GitHub versions.
If the C2 is unreachable, the sample sleeps for a random amount of time between five and 10 minutes. Go's sleep implementation takes nanoseconds, so the pseudo code looks like the following: time_Sleep(1000000000 * (rnd_val + 300)), i.e. a 300-second base plus rnd_val seconds of jitter, so the total lands between 300 and 600 seconds.
A fake Windows Update scheduled task is created by the GoMet dropper.
The malware uses a novel approach to persistence. It enumerates the autorun values and, instead of creating a new one, replaces one of the existing benign (goodware) autorun executables with the malware. This can avoid detection, hinder forensic analysis and hide the parent process hosting the infection.
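A detector that only alerts on new autorun values would miss the replacement technique described above, because the registry value itself never changes. The following added example (not code from the original article or from the GoMet research) diffs a baseline autorun snapshot against a current one and separates "same value, same path, different executable hash" from genuinely new or retargeted entries; the snapshots and the image bytes they hash are constructed.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the executables the autorun values point to.
GOODWARE_IMAGE = b"MZ legitimate vendor updater binary (constructed)"
REPLACED_IMAGE = b"MZ payload written over the updater (constructed)"

# Snapshot format: value name -> (image path, sha256 of the image on disk).
# In practice an EDR or scheduled collection script produces these snapshots.
BASELINE: Dict[str, Tuple[str, str]] = {
    "OneDrive": (r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 sha256_hex(b"MZ onedrive (constructed)")),
    "VendorUpdater": (r"C:\Program Files\Vendor\updater.exe", sha256_hex(GOODWARE_IMAGE)),
}
CURRENT: Dict[str, Tuple[str, str]] = {
    "OneDrive": BASELINE["OneDrive"],
    # Same value name and same path as the baseline, but the file on disk now hashes differently.
    "VendorUpdater": (r"C:\Program Files\Vendor\updater.exe", sha256_hex(REPLACED_IMAGE)),
}

def diff_autoruns(baseline: Dict[str, Tuple[str, str]],
                  current: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify autorun changes. 'replaced' is the GoMet-style case: the registry value is
    untouched but the executable it points to has a different hash than at baseline."""
    findings: Dict[str, List[str]] = {"added": [], "removed": [], "retargeted": [], "replaced": []}
    for name, (path, digest) in current.items():
        if name not in baseline:
            findings["added"].append(name)
            continue
        base_path, base_digest = baseline[name]
        if path != base_path:
            findings["retargeted"].append(name)
        elif digest != base_digest:
            findings["replaced"].append(name)
    findings["removed"] = [n for n in baseline if n not in current]
    return findings

if __name__ == "__main__":
    for kind, names in diff_autoruns(BASELINE, CURRENT).items():
        print(f"{kind}: {names}")
```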
Both samples have the command and control (C2) IP address hardcoded as 111.90.139[.]122. Communication occurs over HTTPS on the default port (443).
The address is hosted in the network of the ISP Shinjiru Technology, Kuala Lumpur, Malaysia.
The certificate on this server is self-signed, issued on April 4, 2021, with the SHA-1 fingerprint 9b5e112e683a3605c9481d8f565cfb3b7e2feab7.
This campaign began in April 2021. For now there are no known domains associated with this IP address; the most recent domain association for 111.90.139[.]122 was on Jan. 23, 2021, which is outside the known attack time frame.
In one of the scenarios, a blank CMD prompt process is opened about 60 seconds before the schtasks query is executed; subsequently the systeminfo and schtasks queries take place. These queries are not chained from svchost, services or another parent process. The observed execution sequence was cmd.exe, then systeminfo, then the schtasks queries.
GoMet is a backdoor designed to be stealthy and to maintain additional persistent access. The threat actor takes active steps to prevent detection of their tooling by obfuscating samples and using novel persistence techniques. GoMet's main motive is the potential for software supply chain compromise. The sophistication of GoMet's cutting-edge tactics and techniques shows the lethal nature of cyber weapons.
Ukraine still faces a well-funded, determined adversary that can inflict damage in a variety of ways, fulfilling the motives of Russian state-sponsored actors or those acting in their interests.
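The execution pattern just described is a practical hunting rule: a cmd.exe that was not opened from an interactive shell and that launches both systeminfo and a schtasks query within a short window. The following added example (not from the original article) runs that rule over constructed Sysmon-style process-creation events; the interactive-parent allow-list and the 120-second window are assumptions to tune per environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str

# Constructed process-creation telemetry (Sysmon Event ID 1-style fields), not real data.
EVENTS = [
    ProcEvent(datetime(2022, 3, 28, 9, 0, 0), 4100, 888, r"C:\Program Files\Vendor\updater.exe",
              r"C:\Windows\explorer.exe", "updater.exe"),
    ProcEvent(datetime(2022, 3, 28, 9, 0, 5), 4120, 4100, r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Vendor\updater.exe", "cmd.exe"),
    ProcEvent(datetime(2022, 3, 28, 9, 1, 4), 4133, 4120, r"C:\Windows\System32\systeminfo.exe",
              r"C:\Windows\System32\cmd.exe", "systeminfo"),
    ProcEvent(datetime(2022, 3, 28, 9, 1, 6), 4137, 4120, r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\System32\cmd.exe", "schtasks /query /fo LIST /v"),
    # Benign: an admin opens cmd from Explorer and runs systeminfo only.
    ProcEvent(datetime(2022, 3, 28, 9, 5, 0), 5000, 888, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcEvent(datetime(2022, 3, 28, 9, 5, 3), 5010, 5000, r"C:\Windows\System32\systeminfo.exe",
              r"C:\Windows\System32\cmd.exe", "systeminfo"),
]

RECON = {"systeminfo.exe", "schtasks.exe"}
# Assumption: parents from which a human normally opens a command prompt in this environment.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_gomet_like_chains(events: List[ProcEvent], window_s: int = 120) -> List[int]:
    """Return PIDs of cmd.exe processes that were not spawned by an interactive parent and
    that launched both systeminfo and schtasks within window_s seconds of starting."""
    hits = []
    for shell in events:
        if basename(shell.image) != "cmd.exe" or basename(shell.parent_image) in INTERACTIVE_PARENTS:
            continue
        deadline = shell.ts + timedelta(seconds=window_s)
        children = {basename(e.image) for e in events
                    if e.ppid == shell.pid and shell.ts <= e.ts <= deadline and basename(e.image) in RECON}
        if children == RECON:
            hits.append(shell.pid)
    return hits
```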
Simultaneous Attacks by Ransomware Gangs
Three ransomware attacks (by LockBit, Hive and ALPHV/BlackCat affiliates) breached and encrypted files of an automotive supplier within two weeks, with the first two attacks happening within just two hours of each other. This is the first incident of three ransomware gangs attacking a single organization.
The figure below suggests a development timeline.
In this attack the BlackCat ransomware implemented the advanced techniques described below.
The BlackCat (or ALPHV) ransomware, developed in the Rust programming language, came to prominence in 2021; its operators were first spotted advertising their services in early December 2021 on a Russian underground forum.
The ALPHV threat group runs a ransomware-as-a-service (RaaS) program and shares ransom payments with affiliates. ALPHV uses bulletproof hosting to host its web sites and a Bitcoin mixer to anonymize transactions.
Bulletproof hosting refers to hosting services that are banned by law enforcement or regulators; they are mainly shadowy dark-web networks and infrastructure operated by hacking groups.
The BlackCat ransomware supports different encryption modes, most of which implement intermittent encryption.
An evaluation study subjecting files of varying sizes (50 MB, 500 MB, 5 GB, and 50 GB) to the BlackCat ransomware revealed that intermittent encryption is of significant benefit to threat actors. For example, compared with full encryption, encrypting files with the Auto file encryption mode noticeably reduced wallclock processing time starting at a 5 GB file size (8.65 seconds) and gave a maximum reduction in wallclock processing time of 1.95 minutes at a 50 GB file size.
Wallclock processing time is the total wallclock time (in seconds) that the ransomware spends processing a file, which includes reading, encrypting and writing file content. BlackCat includes internal logic for maximizing encryption speed: it encrypts files with the Advanced Encryption Standard (AES) algorithm if the victim's platform implements AES hardware acceleration, and otherwise falls back to the ChaCha20 algorithm, which is fully implemented in software.
The functionality for gaining RDP access and customizing encryption levels is the result of well-funded research and the implementation of advanced algorithms to bypass enterprise systems and achieve the group's financial motive.
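Intermittent encryption also changes what a defender sees on disk: a file that is only partly encrypted has a whole-file entropy well below the "looks encrypted" threshold, so per-chunk scoring is needed. The following added example (not from the original article or the cited study) computes Shannon entropy per 4 KiB chunk and classifies a file as plaintext, fully encrypted or intermittently encrypted; the sample files are constructed from repetitive text and seeded pseudo-random bytes and only mimic the on-disk footprint, not BlackCat's cipher or chunk schedule.

```python
import math
import random
from typing import List

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropies(data: bytes, chunk_size: int) -> List[float]:
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def classify(data: bytes, chunk_size: int = 4096, high: float = 7.5) -> str:
    """'plaintext' if no chunk looks encrypted, 'full' if every chunk does, 'intermittent' if mixed.
    A single whole-file entropy threshold under-reports the mixed case (see the test below)."""
    ents = chunk_entropies(data, chunk_size)
    n_high = sum(e >= high for e in ents)
    if n_high == 0:
        return "plaintext"
    return "full" if n_high == len(ents) else "intermittent"

# Constructed samples (not real ransomware output): a repetitive "document" chunk, a file made only
# of such chunks, seeded pseudo-random bytes standing in for full encryption, and a file in which
# every other 4 KiB chunk has been overwritten with pseudo-random bytes.
CHUNK = 4096
TEXT_CHUNK = ((b"quarterly report line item 0042; ") * (CHUNK // 33 + 1))[:CHUNK]
PLAIN_SAMPLE = TEXT_CHUNK * 8
FULL_SAMPLE = random.Random(7).randbytes(8 * CHUNK)
_rng = random.Random(1337)
MIXED_SAMPLE = b"".join(TEXT_CHUNK if i % 2 == 0 else _rng.randbytes(CHUNK) for i in range(8))

if __name__ == "__main__":
    for label, data in [("plain", PLAIN_SAMPLE), ("full", FULL_SAMPLE), ("mixed", MIXED_SAMPLE)]:
        print(f"{label}: whole-file entropy {shannon_entropy(data):.2f}, verdict {classify(data)}")
```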
Espionage Campaign Metador
A long-running threat actor of unknown origin has launched a campaign in the Middle East and Africa targeting telcos, ISPs and universities.
Two Windows-based malware platforms are used by Metador: "metaMain" and "Mafalda". These platforms are intended to operate entirely in memory and never touch disk in unencrypted form, easily evading native security products and standard Windows configurations. The internal versioning of Mafalda suggests that this platform has been in use for some time, and its adaptability highlights active and continuing development.
The Metador intrusion was found in a "magnet of threats" environment, with a redundant layering of nearly ten (10) known threat actors of Chinese and Iranian origin.
Operators use a single external IP address per victim network. That IP is used for command and control over either HTTP (metaMain, Mafalda) or raw TCP (Mafalda). In all confirmed instances, the servers were hosted on LITESERVER, a Dutch hosting provider.
Mafalda C2 servers also support raw TCP connections over port 29029.
Liteserver: 5.2.78[.]14. This IP hosts what appears to be a malicious domain, networkselfhelp[.]com, which might have been used as a C2 for Metador intrusions.
File names: cdb.ini, speech02.db, speech03.db, fcache11.db, fcache13.db
IPs: 5.2.64[.]74, 5.2.77[.]52, 5.2.78[.]14
Domain: networkselfhelp[.]com
The Mafalda implant extends the backdoor functionalities that metaMain provides and is an actively maintained, ongoing project. We observed two variants of the Mafalda backdoor:
The newer Obfuscated Mafalda variant extends the number of supported commands from 54 to 67 and is rife with anti-analysis techniques that make analysis extremely challenging.
Mafalda prints encrypted debugger messages if the name of the host is WIN-K4C3EKBSMMI, possibly indicating the name of the computer used by the developers.
Metador indicates that the elite class of threat actors continues to operate in the shadows. Developers of security products in particular should take this as an opportunity to proactively engineer their solutions towards monitoring for the most cunning, well-resourced threat actors. High-end threat actors are thriving in a market that primarily rewards compliance and superficial detections.
The threat intelligence research community is grateful for the contributions of the research teams and service providers who willingly share their expertise and telemetry for this research.
Maggie
A novel backdoor variant "Maggie" is reported to be targeting Microsoft SQL servers. The fully functional backdoor disguises itself as an Extended Stored Procedure DLL, a type of extension used by Microsoft SQL Server. This variant has emerged as a brand-new malware. The backdoor has already spread to hundreds of computers and is specifically designed to attack Microsoft SQL servers.
The Extended Stored Procedure DLL ("sqlmaggieAntiVirus_64.dll") is digitally signed by DEEPSoft Co. Ltd, a company that appears to be based in South Korea.
Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data. Maggie abuses this technical behavior to enable remote backdoor access with a rich set of 51 commands.
Once loaded into a server by an attacker, it is controlled solely through SQL queries and offers a variety of functionality to run commands, interact with files and act as a network bridgehead into the environment of the affected server. To execute the backdoor on the target server, the attacker must place the ESP file in a directory that the MSSQL server can access, and needs valid credentials to load the ESP on the server.
The Maggie backdoor has the following capabilities:
It has TCP redirection capability and acts as a network bridgehead from the Internet to any IP address the compromised MSSQL server can reach, allowing remote attackers to connect to any such address through the infected server.
"The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie," the researchers added.
The malware also features SOCKS5 proxy functionality to route all network packets through a proxy server, making it even stealthier if needed.
A SOCKS5 proxy can route arbitrary traffic and is not restricted to HTTP. This gives Maggie multiple attack vectors and an extra layer of cover: requests and responses become covert and the hosting infrastructure is hard to detect.
Below are the channels available to route arbitrary traffic:
Brute-forcing admin passwords happens through the commands "SqlScan" and "WinSockScan" after defining a password list file and a thread count. If successful, a hardcoded backdoor user is added to the server.
The command list includes four "Exploit" commands, indicating that the attackers also rely on known vulnerabilities for some actions, such as adding a new user.
These exploits appear to depend on an additional DLL that is not shipped with Maggie.
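Because Maggie can only run once it has been registered as an Extended Stored Procedure, an inventory of the ESPs an instance knows about is a direct control for DBAs and SOC analysts. The following added example (not from the original article or the Maggie research) audits rows shaped like the output of `SELECT name, dll_name, is_ms_shipped FROM sys.extended_procedures` for user-registered ESPs that are not on an allow-list or whose DLL is loaded from outside the instance's Binn directory; the rows, the allow-list and the install path are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed rows in the shape (name, dll_name, is_ms_shipped) that a driver such as pyodbc
# would return for the query named in the lead-in. Not real telemetry.
ESP_ROWS: List[Tuple[str, str, bool]] = [
    ("xp_cmdshell", "xplog70.dll", True),
    ("xp_regread", "xpstar.dll", True),
    # Constructed entry that borrows the DLL name reported for Maggie, placed in a writable directory.
    ("xp_maggieAV", r"C:\ProgramData\sqlmaggieAntiVirus_64.dll", False),
    ("xp_vendor_audit", "vendoraudit.dll", False),
]

# Assumption: the organisation maintains an explicit allow-list of approved third-party ESP DLLs,
# and the instance's Binn directory is recorded per server (placeholder path below).
APPROVED_THIRD_PARTY = {"vendoraudit.dll"}
SQL_BINN = r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn"

def audit_extended_procedures(rows: List[Tuple[str, str, bool]],
                              approved=APPROVED_THIRD_PARTY,
                              binn: str = SQL_BINN) -> Dict[str, List[str]]:
    """Flag ESPs that Microsoft did not ship unless their DLL is allow-listed, and any ESP whose
    DLL is referenced by an absolute path that is not under the instance's Binn directory."""
    findings: Dict[str, List[str]] = {"unapproved": [], "outside_binn": []}
    for name, dll, ms_shipped in rows:
        dll_l = dll.lower()
        dll_file = dll_l.rsplit("\\", 1)[-1]
        if not ms_shipped and dll_file not in approved:
            findings["unapproved"].append(name)
        if "\\" in dll_l and not dll_l.startswith(binn.lower()):
            findings["outside_binn"].append(name)
    return findings

if __name__ == "__main__":
    for kind, names in audit_extended_procedures(ESP_ROWS).items():
        print(f"{kind}: {names}")
```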
MITRE ATT&CK Matrix
T1110 Brute Force
T1090 Connection Proxy
Maggie backdoor files: VV61599.exe, ExtendedProcedure.DLL
File paths: C:\ProgramData\Success.dat, Success.dat, Failure.dat, AccessControl.Dat
The covered attacks are linked to ShadowSyndicate
Researchers have uncovered infrastructure connected to a threat actor known as ShadowSyndicate, believed to have deployed seven distinct ransomware families (i.e. Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play) in attacks over the past year.
An investigation found the group's single SSH fingerprint deployed since July 2022 on 85 servers, the majority of them tagged as command and control for Cobalt Strike, the pen-testing tool that doubles as a hacker favorite. ShadowSyndicate appears, with varying degrees of researcher confidence, to have worked so far with seven different ransomware providers.