Neu Cyber Threats – 28th October 2021
Cyber criminal gang adds new tool
The criminal threat group TA551 has added a new tool to its bag of tricks – a move that may hint at ramped-up ransomware attacks ahead, according to researchers. TA551 (aka Shathak) has been mounting cyber attacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations.
In one example, seen by researchers, the messages contained password-protected Word documents. Once opened with macros enabled, the attachments lead to the download of Sliver, an open-source, cross-platform adversary simulation.
This is a significant departure from TA551’s previous tactics. Typically, the end goal for TA551 has been to drop an initial-access/banking trojan, which eventually leads to ransomware attacks. Researchers added: “Typically, TA551 use commodity malware like banking trojans. They would compromise victims and broker access to eventually enable the deployment of ransomware. Now with Sliver, they don’t need to rely upon other groups for access – the threat actor is able to break in with much more flexibility, allowing them to push ransomware, steal data or move laterally through the target organisation.”
The move to Sliver fits a wider trend of cyber criminals adopting legitimate threat-hunting and defence tools, with researchers noting a 161% increase in threat actor use of the Cobalt Strike tool between 2019 and 2020.
Researchers said: “Attackers have never had it better. Whether they need phishing toolsets, obfuscation frameworks, initial access tools, command-and-control (C2) infrastructure, credential-abuse tools or even open-source ransomware payloads, nearly all of these tools can be found for free. Most people assume malicious actors are hiding on the Dark Web, selling tools for Bitcoin to only the shadiest of black hats, but this simply isn’t true.”
Sliver is available for free online, and its capabilities include information-gathering, command-and-control (C2) functionality, token manipulation and process injection, among other features.
It appears that threat actors are using as many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting malicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive, SendGrid and Constant Contact to host and distribute malware. The aim is to maximise their opportunities and chances of success. More concerningly for businesses, TA551 is known for widescale, global attacks that cast a big net.
Neuways recommends training your users to spot and report malicious communications received via email. Phishing Awareness Training features simulated attacks which can stop many real-world attacks and help identify people who are especially vulnerable. Additionally, disabling macros prevents many of the payloads deployed by cyber criminals from running at all. Strong email security is also recommended. Your email security solution should analyse external and internal email, as attackers may use compromised accounts to trick users within the same organisation.
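The macro advice above can be enforced rather than left to users. The following PowerShell is an added example, not code from the Neuways bulletin or from any of the researchers it cites: it sets the two Office policy values that matter for this attack chain and reads them back to confirm. It assumes Office 2016/2019/Microsoft 365 (policy version key “16.0”) and runs against the current user’s registry hive; for fleet-wide enforcement the same values would be deployed by Group Policy.

```powershell
# Added example (not from the Neuways bulletin): apply and verify Office macro
# hardening through the Office policy registry keys. Assumes Office 2016/2019/
# Microsoft 365 (policy version key "16.0") and targets the current user's hive.
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
        # 3 = disable all except digitally signed, 4 = disable all without notification.
        # Value 4 removes the "Enable Content" prompt that the macro lure depends on.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord

        # Also block macros in files that carry the Mark-of-the-Web (downloaded or
        # saved from email), so a later relaxation of VBAWarnings still leaves a control.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-OfficeMacroPolicy {
    # Returns one row per application; Compliant is $true only when both values are set.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $p.VBAWarnings
            BlockMotW   = $p.blockcontentexecutionfrominternet
            Compliant   = ($p.VBAWarnings -eq 4 -and $p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

The Mark-of-the-Web block only applies to files that still carry the Zone.Identifier stream, which a password-protected attachment handled outside the mail client may not. VBAWarnings set to 4 does not depend on that marker, which is why the example applies both rather than relying on the internet-content block alone.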
Cyber criminals create fake security firm
A group of cyber criminals known as FIN7 created a fake security firm earlier this year, before hiring genuine security researchers and tricking them into participating in ransomware attacks. The company was named Bastion Secure, with the company claiming to provide penetration testing services for companies across the world.
But according to an investigation by researchers, the company is a front for the FIN7 group, which used the Bastion Secure website as a front to post ads on Russian job portals seeking to hire cybersecurity experts for various positions. Ads on its website show that FIN7 recruited reverse engineers, system administrators and programmers.
Those who applied went through a three-phase interview process, as documented by a researcher who went through the application process in order to gather evidence.
Phase 1: The first phase included a basic interview process with a representative. After a successful interview, job applicants were told to sign a contract with a non-disclosure agreement and configure their computer by installing several virtual machines and opening ports.
Phase 2: Applicants received legitimate penetration testing security tools from the company to conduct a series of test assignments.
Phase 3: Applicants were brought in to participate in “real” assignments where they were told to conduct a penetration test against one of the firm’s customers.
Researchers said that this last step in the interviewing process included neither any form of legal documents authorising the penetration tests, as is customary in such cases, nor any explanation to participants. Furthermore, Bastion Secure representatives also told applicants to use specific tools that would not be detected by security software and to specifically look for backups and file storage systems once inside a company’s network.
Tools shared by Bastion Secure with the applicant were linked to malware strains like Carbanak and Lizar/Tirion, which have historically been part of FIN7’s arsenal. In addition, researchers said that tasks and operations assigned to applicants “matched the steps taken to prepare for a ransomware attack.” The attacks installed ransomware such as Ryuk or REvil, two ransomware strains that have been tied in recent years to FIN7 attacks.
The tactic of operating a fake security firm isn’t particularly new for the FIN7 group, which did the same in the mid-2010s when it operated another fake security firm called Combi Security. At the time, FIN7 was primarily engaged in deploying point-of-sale malware, and it used Combi Security to recruit penetration testers to breach retail company networks and deploy said PoS malware to collect card payment details from hacked networks.
Neuways advises businesses to be wary of fake IT security companies, such as the one set up by the FIN7 group. Look for recommendations, the credentials of the group and do your research, to be sure that you are not being duped by cyber criminals.
Rootkit evades detection to slip onto Windows PCs
A rootkit named FiveSys has evaded detection and slipped unnoticed onto Windows users’ systems – courtesy of a Microsoft-issued digital signature, according to researchers.
To prevent certain malicious attacks, Microsoft introduced strict requirements for driver packages that seek to receive a WHQL (Windows Hardware Quality Labs) digital signature, and starting with Windows 10 build 1607, it prevents kernel-mode drivers from being loaded without such a signature. Malware developers appear to have identified a method to circumvent Microsoft’s certification and receive digital signatures for their rootkits, which allows them to target victims without raising suspicion.
In June, Microsoft admitted that attackers managed to successfully submit the Netfilter rootkit for certification through the Windows Hardware Compatibility Programme. Now, researchers warn that the FiveSys rootkit features a Microsoft-issued digital signature, suggesting that this could be a new trend, where cyber criminals manage to get malicious drivers validated and signed by Microsoft.
The rootkit redirects Internet traffic to a custom proxy server. Additionally, using lists of digital signatures, the rootkit can prevent drivers from the Netfilter and fk_undead malware families from being loaded. FiveSys includes a built-in list of 300 randomly generated domains that are stored encrypted and are meant to frustrate potential takedown attempts.
Researchers also note they have identified several user-mode binaries that are used to fetch and install the malicious drivers on the target machines. FiveSys appears to use a total of four drivers, yet the security researchers isolated only two of them.
The good news for Windows users is that Microsoft has now revoked the signature for FiveSys, after being informed of the abuse by cyber criminals.
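Because both Netfilter and FiveSys carried genuine Microsoft signatures, “is it signed?” is not a sufficient question for a kernel driver. The following PowerShell is an added example, not code from the bulletin or from the researchers it cites: it walks every registered kernel driver, records its Authenticode status, signer and SHA-256 hash, and flags drivers that are unsigned, signed by a publisher outside an expected list, or present on a hash blocklist. Win32_SystemDriver, Get-AuthenticodeSignature and Get-FileHash are standard Windows/PowerShell facilities; the expected-signer list and the blocklist are placeholders to be replaced with your own.

```powershell
# Added example (not from the Neuways bulletin): audit the Authenticode signature
# of every kernel driver registered on the host. The $ExpectedSigners and
# $BlockedHashes defaults are placeholders, not values from the bulletin.

function Resolve-DriverPath {
    param([string]$PathName)
    # WMI reports driver paths in several forms; normalise the common ones.
    $p = $PathName -replace '^\\\?\?\\', ''           # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # "\SystemRoot\..." form
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    param(
        # Subject CN fragments this organisation expects on kernel drivers (placeholder list).
        [string[]]$ExpectedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher'),
        # SHA-256 hashes of known-bad drivers from your own threat-intel feed (placeholder, empty here).
        [string[]]$BlockedHashes = @()
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $drv  = $_
            $path = Resolve-DriverPath $drv.PathName
            if (-not (Test-Path $path)) { return }   # skip entries whose file is absent

            $sig    = Get-AuthenticodeSignature -FilePath $path
            $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $known  = [bool]($ExpectedSigners | Where-Object { $signer -like "*CN=$_*" })

            # Order matters: a blocklisted hash wins over a valid-looking signature,
            # which is exactly the FiveSys/Netfilter situation.
            $flag = if ($BlockedHashes -contains $hash) { 'BLOCKLISTED' }
                    elseif ($sig.Status -ne 'Valid')   { "SIGNATURE:$($sig.Status)" }
                    elseif (-not $known)               { 'UNEXPECTED-SIGNER' }
                    else                               { '' }

            [pscustomobject]@{
                Name   = $drv.Name
                State  = $drv.State
                Path   = $path
                Status = $sig.Status
                Signer = $signer
                SHA256 = $hash
                Flag   = $flag
            }
        }
}

# Review flagged rows first; an empty Flag means "nothing obvious", not "benign".
Get-DriverSignatureReport | Where-Object Flag | Sort-Object Flag, Name | Format-Table -AutoSize
```

Keep the full report, not just the flagged rows, so that a driver whose signature is revoked later (as FiveSys’s was) can be matched by hash after the fact; whether a revoked certificate shows up as anything other than Valid in Status depends on revocation checking being available at audit time, so the hash column is the durable identifier.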
Ransomware gang breaches tech giant
The AvosLocker ransomware gang is claiming it breached tech giant Gigabyte and leaked a sample of files stolen from the company’s network – while it is offering to sell the rest. The attack has shades of the SolarWinds incident earlier this year. The leaked files appear to contain confidential details regarding deals with third-party companies and information about employees.
Researchers said it contains the following list of sensitive information:
- Potential credit card details. Fortunately, if these files contain credit-card information, the cards may well be expired, as this folder is from 2014.
- Password and username details.
- Employee payroll details.
- HR agreements with consultants as well as full names, images and CVs.
- 10 PDF documents in a file named “passports.”
- Information on more than 1,500 job candidates, including full names, CVs, resumes and applications. There are also Zoom details with what appears to be personal information on each candidate.
- A folder named “Mailchimp” containing GSM Account Database information. This could include email addresses.
- The leak includes various data from the following well-known companies: Amazon, BestBuy, Black Magic, Blizzard, Intel and Kingston.
- A .txt file named “Tree” containing 133,352 lines of folder and file names stolen in the breach.
A number of screen captures have been shared showing files from the breach. Unless a user pays to unlock the files, it’s anybody’s guess what’s actually in them, but researchers believe that the cyber criminals involved have “focused on quality” – a departure from ransomware attackers’ typical focus on grabbing anything they can.
Researchers predict that the apparent theft of contract details “will doubtlessly damage relationships with vendors and cause significant reputational losses for Gigabyte”.
Gigabyte designs and manufactures motherboards for both AMD and Intel platforms. It also produces graphics cards and notebooks in partnership with AMD and Nvidia, including Nvidia’s Turing chipsets and AMD’s Vega and Polaris chipsets. Researchers suggested that if the leak turns out to include Gigabyte’s master keys – i.e., keys that identify hardware manufacturers as the original developer – threat actors could use them to force hardware to download fake drivers, BIOS updates or more, as happened with SolarWinds.
At this point, experts have only found two .KEY files and a few .CRT files, suggesting that “this breach contains no or very little data from the security/tech departments,” according to the writeup. This episode is just the latest in a number of high-profile ransomware attacks to take place this year.
Neuways advises businesses to review their cyber security procedures continually, to ensure there are no open holes for cyber criminals to exploit to breach a corporate network. As the Gigabyte case shows, a breach can lead to a number of financially damaging incidents and to reputational loss among suppliers and customers too – if your business isn’t cyber safe, then suppliers and customers will be wary of working with you.
Contact Neuways today to discover how our experts can help your business’ cyber security practices. Call 01283 753 333 or email firstname.lastname@example.org.