April 29, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a targeted operation against Ukraine that exploits an almost seven-year-old Microsoft Office vulnerability to launch Cobalt Strike on compromised devices.
According to the researchers, the attack chain began at the end of 2023 and used a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as its starting point. The filename suggests that the presentation may have been shared over the Signal instant messaging service. Although the Computer Emergency Response Team of Ukraine (CERT-UA) has previously discovered two distinct campaigns that used the messaging app as a malware delivery vector, there is no concrete proof that the PPSX file was distributed this way.
The agency recently revealed that the UAC-0184 group is increasingly using messaging and dating platforms to target the Ukrainian armed forces and distribute malware such as XWorm, Remcos RAT, and HijackLoader (also known as GHOSTPULSE and SHADOWLADDER), as well as open-source tools like sigtop and tusc that allow for the exfiltration of data from the compromised computer.
The PPSX (PowerPoint slideshow) file appears to be an outdated U.S. Army instruction handbook for a tank-mounted mine clearing blade (MCB). The PPSX file contains a remote relationship to an external OLE object. By tricking a victim into opening the maliciously crafted file, an attacker could execute arbitrary commands and load a remote script hosted on a malicious domain. This exploit takes advantage of CVE-2017-8570 (CVSS score: 7.8), a remote code execution vulnerability in Microsoft Office that has since been fixed.
The heavily obfuscated script then launches an HTML file containing JavaScript, which in turn drops a next-stage payload that impersonates the Cisco AnyConnect VPN client and establishes persistence on the host via the Windows Registry. The payload is a dynamic-link library (DLL) that ultimately injects a cracked copy of Cobalt Strike Beacon, a legitimate pen-testing tool, into system memory, where it waits for further instructions from a command-and-control (C2) server. In addition, the DLL includes checks to determine whether it is running in a virtual machine and to evade detection by antivirus programs.
Researchers stated that they were unable to rule out the possibility of a red teaming exercise or to attribute the attacks to a particular threat actor or organization. The precise objective of the intrusion is likewise unknown. The lure's military-themed content suggests that military personnel were its intended target. Nevertheless, the domain names are disguised as a well-known photography website and an obscure generative art website. It is unclear why an attacker would use these specifically to deceive military personnel, given their lack of relevance.
The disclosure coincides with CERT-UA's report that roughly twenty Ukrainian providers of energy, water, and heating have come under attack by UAC-0133, a Russian state-sponsored group. UAC-0133 is a sub-cluster within Sandworm (also known as APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for the majority of the disruptive and destructive operations against the nation.
Malware such as Kapeka (also known as ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, along with GOSSIPFLOW and LOADGRIP, were used in the attacks, which attempted to disrupt critical operations. LOADGRIP is an ELF binary written in C that is used to load BIASBOAT on compromised Linux systems, whereas GOSSIPFLOW is a Golang-based SOCKS5 proxy.
The highly adaptable and prolific threat group Sandworm is associated with Unit 74455 of the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). The adversary is also associated with three hack-and-leak hacktivist personas: XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek. It has been known to be active since at least 2009. The worldwide reach of APT44 operations reflects the diverse national interests and goals of Russia. Activity patterns over time suggest that APT44 is assigned various strategic priorities and that the Kremlin views it as an adaptable instrument of power that can meet both current and future intelligence needs.
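The delivery pattern described above, a slideshow whose slide relationships point at an external OLE object, can be checked for before a file is opened, because a PPSX is an OOXML zip and its relationships are plain XML. The scanner below is an added defensive example, not the researchers' or Rewterz's tooling; it is a heuristic for externally-targeted OLE relationships rather than a full CVE-2017-8570 detector, and the PPSX-like archive it inspects is constructed in memory with a placeholder target (the real lure's contents are not on this page).

```python
"""Flag PPSX/PPTX files whose slide .rels parts reference an external OLE object.

Added example for triage and mail-gateway checks. A benign deck embeds OLE
objects as internal parts (Target="../embeddings/..."); an oleObject
relationship with TargetMode="External" is the shape of the lure described
in the advisory and is worth quarantining for analysis.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def find_external_ole_relationships(ppsx_bytes):
    """Return [(rels_part, rel_id, target)] for every oleObject relationship
    whose TargetMode is External, across all .rels parts in the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A .rels part that does not parse is itself suspicious.
                hits.append((name, None, "<unparseable .rels part>"))
                continue
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                mode = rel.get("TargetMode", "Internal").lower()
                if rel.get("Type") == OLE_REL_TYPE and mode == "external":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def build_sample_ppsx(ole_target, external):
    """Construct a minimal, non-functional PPSX-like zip (only the parts the
    scanner reads). This is a constructed sample, not the advisory's lure."""
    rel_parts = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="%s">' % RELS_NS,
        '<Relationship Id="rId1" Type="%s" Target="../slideLayouts/slideLayout1.xml"/>' % LAYOUT_REL_TYPE,
        '<Relationship Id="rId2" Type="%s" Target="%s"%s/>'
        % (OLE_REL_TYPE, ole_target, ' TargetMode="External"' if external else ""),
        "</Relationships>",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rel_parts))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; the advisory's real hosting domains are listed under IOCs.
    suspicious = build_sample_ppsx("http://example.invalid/remote-object", external=True)
    benign = build_sample_ppsx("../embeddings/oleObject1.bin", external=False)
    print("suspicious:", find_external_ole_relationships(suspicious))
    print("benign:    ", find_external_ole_relationships(benign))
```

The check deliberately keys on the relationship type plus TargetMode rather than on a URL pattern, so it also catches external OLE targets that use UNC paths or unfamiliar schemes; pair it with the domain IOCs when triaging hits.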
Impact
- Data Exfiltration
- Code Execution
- Security Bypass
- Operational Disruption
Indicators of Compromise
Domain Name
- weavesilk.space
- petapixel.fun
MD5
- 3e557153e316243959128c1bdc9c6b1c
- d2e6f4f5dea0777ce4e0c41a36083ac4
- af3bae4cd76221a61c7b62787bd430a3
SHA-256
- b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4
- 0bc0e9410f4a9703ff0b5af7ec9383a1cc929572ade09fbd2c69ed2ae1486939
- 976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50
SHA-1
- 60d9e79930602ef126b7112f9ebd20c3198bceaf
- 19a08ba4d5b573154391dd5ef7994ebe117aa023
- 4d4433d59861ac64af974658c06f38a49d25c74e
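The remediation guidance below asks for these indicators to be searched for in your environment. The script that follows is an added example of that sweep, not Rewterz's tooling: it matches the two domains against constructed resolver log lines (the log format is assumed) and the nine hashes against a constructed file-hash inventory of the kind an EDR export produces. The domain match compares whole labels, so a subdomain of an indicator is a hit while a look-alike such as petapixel.com is not.

```python
"""Sweep constructed DNS logs and a file-hash inventory for the advisory's IOCs.

Added example. Only the indicator values come from the advisory; the log
lines, file paths and their pairing with hashes are constructed.
"""
import re

IOC_DOMAINS = {"weavesilk.space", "petapixel.fun"}
IOC_HASHES = {
    # MD5
    "3e557153e316243959128c1bdc9c6b1c",
    "d2e6f4f5dea0777ce4e0c41a36083ac4",
    "af3bae4cd76221a61c7b62787bd430a3",
    # SHA-1
    "60d9e79930602ef126b7112f9ebd20c3198bceaf",
    "19a08ba4d5b573154391dd5ef7994ebe117aa023",
    "4d4433d59861ac64af974658c06f38a49d25c74e",
    # SHA-256
    "b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4",
    "0bc0e9410f4a9703ff0b5af7ec9383a1cc929572ade09fbd2c69ed2ae1486939",
    "976f57442452cd54cada011c565ada0c01f5b1460e31ee6cea330d210d3e8f50",
}

# Constructed resolver log lines; the key=value layout is an assumption.
SAMPLE_DNS_LOG = [
    "2023-12-21T10:15:02Z client=10.0.0.5 query=weavesilk.space type=A",
    "2023-12-21T10:15:09Z client=10.0.0.5 query=cdn.petapixel.fun type=A",
    "2023-12-21T10:16:40Z client=10.0.0.9 query=petapixel.com type=A",
    "2023-12-21T10:17:01Z client=10.0.0.9 query=weavesilk.space.example.org type=A",
]

# Constructed (path, digest) pairs; digests are deliberately mixed-case to
# exercise normalisation.
SAMPLE_FILE_INVENTORY = [
    ("C:\\Users\\user\\Downloads\\deck.ppsx", "3E557153E316243959128C1BDC9C6B1C"),
    ("C:\\Windows\\System32\\notepad.exe", "0000000000000000000000000000000000000000"),
    ("C:\\ProgramData\\update.dll",
     "b0b762106c22e44f7acaa3177baabd64ea28990d16672e1f902b53f49b2027c4"),
]

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def matches_ioc_domain(qname):
    """True when qname equals an IOC domain or is a subdomain of one.
    Label-wise comparison avoids substring false positives."""
    labels = qname.lower().rstrip(".").split(".")
    for ioc in IOC_DOMAINS:
        ioc_labels = ioc.split(".")
        if len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels:
            return True
    return False


def domain_hits(log_lines):
    """Return [(client, qname)] for every log line that resolved an IOC domain."""
    hits = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if m and matches_ioc_domain(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


def hash_hits(inventory):
    """Return [(path, digest)] for files whose MD5/SHA-1/SHA-256 is an IOC."""
    return [(path, h.lower()) for path, h in inventory if h.lower() in IOC_HASHES]


if __name__ == "__main__":
    for client, qname in domain_hits(SAMPLE_DNS_LOG):
        print("DNS hit: %s resolved %s" % (client, qname))
    for path, digest in hash_hits(SAMPLE_FILE_INVENTORY):
        print("hash hit: %s (%s)" % (path, digest))
```

Any hit from the domain sweep identifies a host to isolate and image; a hash hit identifies the file to quarantine and the host to examine for the registry persistence and injected Beacon described in the analysis.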
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Use strong, unique passwords for sensitive accounts. Regularly change passwords for all accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.
- Improve communication with customers by providing timely and transparent updates about data breaches, including what information was compromised and the steps being taken to mitigate the impact.
- Ensure that all vendors and third-party partners adhere to stringent security protocols and regularly assess their cybersecurity practices to minimize the risk of data breaches originating from external sources.
- Provide affected customers with comprehensive support, including credit monitoring services, identity theft detection, and resolution assistance, to help mitigate the potential consequences of the breach.