Cyber Intel Brief: August 02 – 09, 2023

Midnight Blizzard Compromises Small-Business Microsoft 365 Tenants for Targeted Teams Phishing Campaign

Microsoft 365 Teams – Phishing – Passwordless – MFA Credential Theft – Cyber Espionage

According to Microsoft Threat Intelligence, Midnight Blizzard, a Russia-based threat actor attributed to the Foreign Intelligence Service of the Russian Federation (SVR), has conducted a targeted social engineering campaign using Microsoft Teams. The campaign involves compromising Microsoft 365 tenants owned by small businesses to create phishing lures, engaging users with multi factor authentication (MFA) prompts to steal credentials. We believe the threat poses a significant risk to targeted organizations and potentially the broader governmental landscape, with potential national security implications.

The likelihood that organizations were affected by Midnight Blizzard’s campaign is limited, primarily impacting 40 organizations globally, indicating a focused and deliberate approach. However, other threat actors could incorporate the techniques into their operations, targeting additional sectors. Using common platforms like Microsoft Teams and the Microsoft Authenticator app further increases the likelihood that a broad range of organizations could be susceptible to this threat. The threat actor’s objective and ability to compromise Microsoft 365 tenants owned by small businesses raise the risk for small businesses in future operations. 

The impact of Midnight Blizzard’s campaign on the affected organizations was likely considerable, with potential national security implications. The threat actors accessed sensitive resources, including email, files, and contacts. This access can lead to intellectual property theft, personal information, and confidential business data. The potential addition of a device to the organization as a managed device could further enable lateral movement within the organization, possibly leading to more extensive breaches. Overall, the threat posed by Midnight Blizzard represents a significant risk to the targeted organizations and potentially the broader governmental landscape.

Russian APT Group Significantly Alters Domain Name Structure, Prefers NameCheap Registration

BlueCharlie Cyber – Espionage – Phishing & Credential Theft – NameCheap – Let’s Encrypt

Recorded Future issued a report about BlueCharlie, previously tracked as TAG-53, a Russia-linked threat group known for its persistent phishing and credential theft campaigns. Looks like these threat actors have significantly altered their domain name structure and shifted its preference to NameCheap registration, reflecting its highly adaptive nature and ability to evade detection.

BlueCharlie represents a significant and multifaceted risk to targeted regions and sectors, including NATO nations, Ukraine, government, higher education, defense, and political sectors. The group’s alignment with Russian state interests and its strategic focus on these areas demonstrate a well-coordinated state-sponsored threat.

BlueCharlie’s persistent campaigns and the creation of fraudulent profiles demonstrate a preferred approach to gathering intelligence. The risk here is twofold: the potential loss of sensitive information and the possibility of further exploitation based on the gathered intelligence. The impact could include intellectual property theft, strategic advantage loss, and considerable national security implications.

The group’s ability to evade detection and change tactics poses a risk to organizations relying on static defense measures, as BlueCharlie’s evolving tactics can bypass traditional security controls. The impact of this risk includes potential breaches and ongoing undetected infiltration.

BlueCharlie’s calculated approach to their infrastructure and security means their activity could blend in with legitimate traffic, making detection and mitigation more complex. The impact could include a delayed response to incidents and increased exposure to breaches.

BlueCharlie’s specific targeting focus underscores a broader geopolitical risk. The group’s activities may be part of a larger state-sponsored effort to influence, disrupt, or gain an advantage over targeted nations and sectors. The impact of this risk extends beyond cybersecurity, potentially affecting diplomatic relations, national security strategies, and regional stability.

Remote Access Trojan, STRRAT, Updated, Delivered in Phishing Email PDF Attachments

STRRAT – RAT – Phishing – JavaScript – ZIP File – JAR File

Developers of the Java-based Remote Access Trojan (RAT), STRRAT, have been busy. The RAT uses a new infection technique, initiated through a spam email containing a PDF file attachment, and employs two-string obfuscators to evade detection. STRRAT can execute a range of commands once connected to its Command and Control (C&C) server, posing a significant threat to organizations. 

STRRAT now in version 1.6, has undergone modifications compared to previous variants. The class names, which were gibberish in prior variations, have been modified. The malware now utilizes two string obfuscators, “Allatori” and “Zelix KlassMaster (ZKM),” whereas the previous variants used only the “Allatori” obfuscator. The deobfuscation process involves two steps, first for “Zelix KlassMaster” and then for the “Allatori” obfuscator. 

The infection process of STRRAT 1.6 initiates through a spam email disguised to appear as if it’s from an electronics-based company. The email contains a PDF file attachment, presented as an invoice. Upon opening the PDF, a download image is displayed, which, when clicked, downloads a zip file from a URL. The downloaded zip file contains a JavaScript file containing the encrypted STRRAT payload. 

When executed, the JavaScript file decrypts the payload and drops a zip (JAR) file disguised as a “txt” file in the “\AppData\Roaming” directory. The deobfuscated JAR file contained a new version of STRRAT malware (version 1.6), which has been actively distributed since March 2023 through various infection chains. Over 70 samples of this version have been identified in the wild.

There is a moderate to high probability that organizations will be affected by the STRRAT malware, given the sophistication and continuous evolution of the threat. The malware has been actively distributed since March 2023, with over 70 samples of version 1.6 identified in the wild, suggesting an ongoing and active campaign. However, whether this is from one or multiple threat actors is unknown. 

The impact of a STRRAT infection on an organization can be severe. The malware can steal sensitive information, which could lead to significant data breaches. The stolen information could include login credentials, email data, financial data, and other sensitive personal or corporate information. This could result in financial loss, reputational damage, and potential regulatory penalties for the affected organization. Moreover, STRRAT’s level of control over an infected system can disrupt business operations and further compromise the organization’s network.

QakBot Takes a Break, Updates Infrastructure with 15 New C2s, Expected to Resume Operations in September

QakBot – New C2s – Tiered Infrastructure

Looks like the developers of Qakbot are taking their usual summer break to refine and update their infrastructure. Team Cymru identified 15 new command and control (C2) servers this year. In their report, they highlight unusual outbound communication traffic from the Tier 2 (T2) servers to a large pool of IP addresses, including Tier 1 C2 servers.

Qakbot, also known as QBot or Pinkslipbot, is a Trojan active since 2007. Primarily spread through email hijacking and social engineering tactics. Operators often use malicious email attachments, links, or embedded images to access a victim’s machine. Once Qakbot is executed on a victim’s machine, it performs various actions such as profiling the system and the network, exfiltrating emails for later use in malware distribution campaigns, and establishing backdoors for unauthorized access. 

Qakbot communicates with its command and control (C2) infrastructure through encoded messages sent via HTTPS GET and POST requests. Moreover, Oakbot can elevate infected machines to C2 servers, ensuring a continuous supply of C2s and updating its list of C2 servers as its infrastructure is identified and acted upon. This allows the operators to maintain a large and diverse pool of C2 servers, making it difficult for security solutions to block or take down the entire infrastructure.

The likelihood of organizations being affected by the QakBot threat is high, given the malware’s history and its operators showing adaptability and a willingness to target a broad range of industries. The malware’s sophisticated evasion techniques and its operators’ ongoing efforts to refine and update their infrastructure make it a persistent and pervasive threat.

The impact that organizations face from the QakBot threat is significant. If QakBot compromises an organization’s systems, the malware can steal sensitive data, including login credentials and sensitive information, leading to financial loss and reputational damage. Furthermore, QakBot’s ability to distribute other types of malware, such as ransomware, can lead to additional direct and indirect costs, including disrupting business operations and requiring significant resources to remediate. The outbound traffic from QakBot-infected machines could lead to an organization’s IP address being blacklisted, further disrupting business operations.

Threat Actors Leveraging Cloudflare Tunnel, Likely Adoption in Espionage and Ransomware Operations

Cloudflared – Data Exfiltration and Extortion – RDP/SMB – Private Network Access – Limited Artifacts

Recently, GuidePoint’s DFIR and GRIT teams responded to multiple engagements involving a relatively new, legitimate tool being used by threat actors: Cloudflare Tunnel, also known by its executable name, Cloudflared. Multiple threat actors have misused the Cloudflare Tunnel, also known as Cloudflared, to create outbound connections for malicious purposes. The tool is functionally similar to ngrok, is free, and threat actors can easily modify and immediately update tunnel configurations. 

Threat actors could establish a foothold in a victim’s machine or access an entire CIDR range through the tunnel for data exfiltration. Moreover, threat actors can use the TryCloudflare feature to carry out malicious activities without leaving any attributable artifacts. Recommendations to counter this threat include blocking related domains, blocking outbound connections to port 7844, alerting or isolating unauthorized hosts executing Cloudflared-related commands, and establishing clear policies to prevent the execution of Cloudflare without manual approval.

The probability that threat actors will incorporate Cloudflare Tunnel in their operations is high. The blog post reveals that some TAs have already started using Cloudflare Tunnel, a legitimate tool, to further their exploitation efforts against target networks. The ease of tunnel establishment and management and the ability to quickly change the configuration make it an attractive option for threat actors.

The traffic generated by the Cloudflare Tunnel makes it challenging to detect by traditional anti-virus, EDR, and other defensive processes. Threat actors can use it to access important services like SSH, RDP, SMB, and more. TAs can easily modify the tunnel configuration, enabling or disabling functionality to prevent exposure of their infrastructure. This adaptability adds complexity to the defense. Cloudflare Tunnel also supports providing access to an entire CIDR range through the tunnel, allowing an actor to interact with any device in the private network as though they were physically collocated. 

The ability of actors to cover their tracks and the lack of default logging on the tunnel server means that post-breach analysis is severely limited. The availability of a persistence mechanism and the capability to exfiltrate data enhances the threat it poses. While there are ways to monitor and detect unauthorized use of Cloudflared, such as DNS queries and non-standard port monitoring, the tool’s broad use cases and control by the tunnel administrator make defense challenging. 

Threat Actors Use EvilProxy to Send 120,000 Phishing Emails

Account Compromise – MFA Bypass – Phishing – C-Level Executives – Phishing Kit

A cloud account takeover campaign between March and June 2023, leveraging the EvilProxy phishing kit, has targeted top-level executives at over 100 global organizations. It’s believed the threat actors sent around 120,000 phishing emails to high-value individuals, including C-level executives, employing complex redirection chains and impersonating trusted services. 

EvilProxy is a phishing-as-a-service (PhaaS) toolkit that can bypass two-factor authentication (2FA) protections employed by online services. It was first mentioned in early May 2022 when the actors behind it released a demonstration video showcasing its capabilities. The toolkit is designed to generate phishing links that mimic the login pages of popular brands and services. Using a reverse proxy, EvilProxy leads targets to these cloned pages allowing the actors to intercept the traffic and harvest valid session cookies and bypassing the need for authentication credentials or 2FA tokens. The toolkit’s subscription-based pricing model offers different durations for accessing the kit.

It’s reasonable to expect high-value individuals (C-Level executives and managers) will receive phishing emails associated with this campaign in the coming months. The campaign’s spread has been impressive, with approximately 120,000 phishing emails sent to approximately 100 organizations across the globe between March and June 2023. The actors’ redirection chain was complex, and they employed automation to identify high-level targets and gain immediate access to accounts. The use of open-source kits and MFA Phishing as a Service (PhaaS) has made the process accessible to actors of varying technical skills, further increasing the likelihood of organizations being affected.

The impact of this threat on organizations is severe, particularly for those with high-level executives who may have access to sensitive data. The actors have focused on “VIP” targets, including C-level executives, CFOs, Presidents, and CEOs. The consequences include financial fraud, data exfiltration and extortion, and unauthorized access to sensitive resources within the organization’s cloud environment. The actors’ ability to study target organizations’ culture, hierarchy, and processes to prepare their campaigns further amplifies the potential impact. The threat’s sophistication makes it a potent and concerning risk, with the potential for significant financial and reputational damage.

The Latest from Ransomware Data Leak Sites

Professional, Scientific, and Technical Services – Manufacturing – Construction – Wholesale Trade – Educational Services – Ransomware

ATI analyzes the latest additions to dark web data leak sites, providing timely information for decision-makers. In the past week, ransomware threat groups added 61 victims to these sites, with 35 based in the US. The most targeted industry was Professional, Scientific, and Technical Services, with 16 victims, followed by Manufacturing, Construction, Wholesale Trade, and Educational Services. It is important to note that while these victims are listed, we cannot confirm the validity of the cybercriminals’ claims.

CISA Adds 2 CVEs to its Known Exploited Vulnerabilities Catalog

Microsoft/CVE-2023-38180 – Zyxel/CVE-2017-18368

Within the past week, CISA added two CVEs to its Known Exploited Vulnerabilities Catalog. These vulnerabilities affect products from Microsoft and Zyxel. The vulnerabilities allow for denial of service and command injection. The Common Vulnerabilities and Exposures (CVE) identifiers assigned to these vulnerabilities are CVE-2023-38180 and CVE-2017-18368. It is crucial to promptly apply updates or follow vendor instructions to mitigate these vulnerabilities, with a CISA due date set between 28 August 2023 to 30 August 2023.