Cyber Intel Brief: February 29 – March 06, 2024

Customer Awareness Advisory: Threat Actor Exploits Critical TeamCity Vulnerability to Deploy Malware

Recently, Rapid7 published technical details of two vulnerabilities (CVE-2024-27198 and CVE-2024-27199) impacting JetBrans TeamCity server versions 2023.11.3 and earlier. Within hours, Proof-of-Concept exploits targeting CVE-2024-27198 were published to GitHub. Deepwatch has confirmed a threat actor compromised an organization in the Finance and Insurance sector, exploiting the TeamCity vulnerability CVE-2024-27198 to gain initial access and laterally move to other systems. Read the full Customer Awareness Advisory.

CISA Published Phobos Ransomware Affiliates Known TTPs and IoCs

Ransomware – Phishing – RDP Abuse – Phobos Ransomware – SmokeLoader – Angry IP Scanner – Mega[.]io – Industries/All

Threat Analysis

Threat actors affiliated with the Phobos ransomware ransomware-as-a-service (RaaS) gain access to vulnerable networks typically through the following methods: 

• Phishing campaigns with email attachments embedded with hidden payloads, such as SmokeLoader. Then, use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.
• Leveraging exposed Remote Desktop Protocol ports using IP scanning tools like Angry IP Scanner. Then, use open-source brute force tools to gain access.
• Leveraging RDP on Microsoft Windows environments.

Once access is gained, affiliates have been observed performing the following activities:

• Using Windows Command Shell to perform commands with Windows shell functions.
• Use open-source tools to enumerate the active directory.

Phobos operations featuring SmokeLoader employ the following three-phase process to decrypt a payload, allowing affiliates to deploy additional destructive malware:

1. Injects code into running processes, allowing the malware to evade network defense tools.
2. Uses a stealth process to obfuscate command and control (C2) activity by producing requests to legitimate websites. Within this phase, the malware prepares a portable executable for deployment in the final stage.
3. Unpacks and sends a program-erase cycle from stored memory, extracting it from a SHA 256 hash as a payload. Following successful payload decryption, affiliates can begin downloading additional malware.

Phobos affiliates have been observed evading defenses by: 

• Modifying system firewall configurations using commands like netsh firewall set opmode mode=disable. 
• Using Universal Virus Sniffer, Process Hacker, and PowerTool.

To maintain persistence, affiliates have been observed performing:

• Use commands such as Exec.exe or the bcdedit[.]exe control mechanism.
• Use Windows Startup folders and Run Registry Keys such as C:/Users\Admin\AppData\Local\directory.

To elevate privileges, affiliates have been observed:

• Using built-in Windows API functions to steal tokens, bypass access controls, and create new processes, leveraging the SeDebugPrivilege process.
•  Attempting to authenticate using cached password hashes on victim machines until they reach domain administrator access.

For discovery and credential access, affiliates have been observed performing the following activities:

• Using open-source tools such as Bloodhound and Sharphound to enumerate the active directory.
• Exporting browser client credentials using Mimikatz, NirSoft, and Remote Desktop Passview.
• Phobos ransomware can enumerate connected storage devices and running processes.

Affiliates use the following tools and techniques to exfiltrate targeted legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software, typically archived as either a .rar or .zip file:

• WinSCP and Mega.io for file exfiltration.
• Use WinSCP to connect directly from a victim network to an actor-controlled FTP server.
• Install Mega.io and use it to export victim files directly to a cloud storage provider.

After exfiltrating sensitive data, affiliates then:

• Use vssadmin.exe and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments.
• Encrypt all connected logical drives using the Phobos ransomware. After the ransom note has been populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.

Affiliates have been observed using the following methods to contact and extort victims, forcing them to pay ransoms:

• Some affiliates extort victims via email, while others have used voice calls to contact victims. 
• Some affiliates use data leak sites to list victims and host stolen victim data. 
• Some use instant messaging applications such as ICQ, Jabber, and QQ to communicate with victims.

Risk & Impact Assessment

Phobos Ransomware presents a significant risk to organizations due to its various affiliates, which broadens its reach and potential impact across multiple sectors. The risk associated with Phobos Ransomware is intensified by its proven ability to exfiltrate sensitive data and make systems inaccessible. While the exact number of victims is unknown, these methods demonstrate a likelihood of Phobos Ransomware impacting organizations, exacerbated by its affiliates’ tactics to evade detection and use of sophisticated tools for data exfiltration and encryption. The unpredictable nature of its affiliate model, where different actors may deploy the ransomware in varied ways, further complicates the risk assessment, making it a considerable threat to any organization lacking stringent cybersecurity measures.

The impact of a Phobos Ransomware attack on an organization can be severe and multifaceted. Financial repercussions are often immediate, with demands for ransom payments coupled with the costs associated with system downtime, data recovery, and potential breaches of compliance with data protection regulations. Beyond the direct financial strain, organizations face the prospect of reputational damage, which can lead to lost business and eroded trust among clients and partners. The operational disruption, potential loss of sensitive or proprietary information, and the time and resources required to remediate the infection and strengthen defenses post-attack all contribute to the long-term impacts on an organization’s financial health and competitive position. Given these considerations, recognizing and mitigating the risks associated with Phobos Ransomware cannot be overstated.

Source Material: CISA, #Stop Ransomware: Phobos Ransomware

TA577 Employs New Attack Chain to Steal NTLM Information

Threat Actor – Phishing – NTLM Hash Theft – TA577 – Impacket – All Industries

Threat Analysis

TA577 actors sent tens of thousands of emails targeting hundreds of organizations globally. Emails masqueraded as or were replies to previous emails, a technique known as thread hijacking, with a zipped archive attached containing an HTML file.

In one example, the email inquired if the recipient saw the document they sent previously and included content that appeared to be from a previous email, providing the document name and a password. Each attached ZIP file has a unique file hash. Proofpoint states that each recipient’s HTML file is unique, possibly using the same document name provided in the email. When the recipient opened the HTML file, it triggered a connection to one of 15 known Server Message Block (SMB) servers that hosted a .txt file with names like 2.txt, A.txt, and yEZZ.txt (for example, file://66[.]63[.]188[.]19/bmkmsw/2[.]txt).

 At this time, malware delivery from the SMB servers has not been observed. However, any allowed connection could compromise NTLM hashes, along with revealing other sensitive information such as computer names, domain names, and usernames in clear text. Based on the characteristics of the attack chain and tools used, Proofpoint assesses with high confidence that TA577’s objective is to capture NTLMv2 Challenge/Response pairs from the SMB server to steal NTLM hashes. 

The reason TA577 delivered the malicious HTML files in a zip archive was to generate a local file on the host. If the threat actors sent the URI directly in the email body to recipients using Outlook mail clients patched since July 2023, the attack would fail. Furthermore, disabling guest access to SMB would not mitigate the attack since the file must attempt to authenticate to the external SMB server to determine if it should use guest access.

Proofpoint assesses that TA577’s likely objective is to exploit these hashes for password cracking or facilitate “Pass-The-Hash” attacks using other vulnerabilities within the targeted organization to move laterally within an impacted environment. Evidence supporting this hypothesis can be observed in the packet capture where the default NTLM server challenge “aaaaaaaaaaaaaaaa” and the default session ID “Acct: admin Domain:USER-PC Host:USER-pC” are shown in the traffic, which is uncommon in standard SMB servers, and indicates the use of the open-source toolkit Impacket.

High-level overview of TA577’s new attack chain:

1. Initial Access (T1566.001 Phishing: Spearphishing Attachment): TA577 actors sent phishing emails with a ZIP archive attached containing an HTML file.
2. Execution (T1204.002 User Execution: Malicious File): The recipient opens the malicious HTML file.
3. Credential Access (T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay): Opening the HTML file triggers a connection to an external SMB server, capturing NTLMv2 Challenge/Response pairs. 
4. Command and Control (T1071.002 Application Layer Protocol: File Transfer Protocols): The threat actors used SMB servers to interact with the victim’s machine and host the .txt files, facilitating unauthorized access to sensitive data.
5. Lateral Movement (T1550.002 Pass the Hash): The ultimate goal of capturing NTLM hashes may suggest an intent to use this information for lateral movement within the network, mainly through Pass-the-Hash attacks, exploiting these hashes to gain unauthorized access to other systems or data.

OR

6. Credential Access (T1110.002 Brute Force: Password Cracking): Another goal of capturing NTLM hashes is to use this information to access credentials, mainly through brute force cracking, exploiting these hashes to gain unauthorized access to systems or data.

Proofpoint assesses that the rate at which TA577 adopts and employs new tactics, techniques, and procedures (TTPs) demonstrates that the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods. Additionally, Proofpoint states that TA577, in addition to other initial access brokers (IABs), appears to closely monitor the threat landscape and knows when and why specific attack chains fail to be effective and will quickly develop new methods to bypass detections to increase the effectiveness and likelihood of victim engagement with their payload. Furthermore, Proofpoint has also seen an increase in multiple threat actors abusing file scheme URIs to direct recipients to external file shares, such as SMB and WebDAV, to access remote content for malware delivery. 

Risk & Impact Assessment

The emergence of TA577’s new attack chain presents a considerable risk to organizations globally. This risk is primarily due to the nature of the phishing campaign and the subsequent stages of the attack, which are designed to steal and exploit NTLM hashes. Given the targeted and deceptive approach of thread hijacking (or using emails that appear as replies) and using unique HTML files to circumvent detection, the likelihood of TA577’s campaign impacting an organization is significant. The campaign’s effectiveness is further compounded by its ability to bypass conventional security measures and the actors’ demonstrated adaptability in employing new tactics to maintain the efficacy of their attacks. While quantifying the exact likelihood is challenging without specific data on the campaign’s victimology, the nature of the attack, combined with the actors’ persistent innovation and the global scale of the campaign, while limited to hundreds of organizations, suggests a likelihood that organizations will be targeted.

The impact of a cyberattack leveraging TA577’s attack chain could be severe for an affected organization. The theft of NTLM hashes poses immediate security risks, including compromising credentials and unauthorized system access. This could lead to further malicious activities, such as lateral movement within the network, escalation of privileges, and, potentially, the deployment of additional payloads such as ransomware.

From a financial perspective, the implications could be substantial, encompassing operational disruptions, data breach response costs, legal fees, and potential regulatory fines. The reputational damage from such an attack could significantly undermine stakeholder confidence, leading to lost business and diminished customer trust. Moreover, the strategic impact of sensitive data loss or compromise could have enduring effects on the organization’s competitive position and operational integrity. Given these potential consequences and the likelihood of being targeted, organizations must recognize the gravity of this threat and consider prioritizing measures to mitigate the associated risks.

Source Material: Sophos, TA577’s Unusual Attack Chain Leads to NTLM Data Theft

Threat Actors Use Terminator to Disable Security Solutions and Leverage Vulnerable Drivers in Attacks

Vulnerable Driver Abuse – Bring Your Own Vulnerable Driver – Security Solution Disabling – Terminator – Zemana Anti-Logger Driver – Zemana Anti-Malware Driver – All Industries

Threat Analysis

Sophos recently disclosed that threat actors are leveraging a tool known as Terminator to disable security solutions in attacks. Terminator was first released in May 2023 and employs the Bring Your Own Vulnerable Driver (BYOVD) technique, leveraging vulnerable Zemana drivers. Since the initial release of Terminator, multiple variations of the tool, including open-source versions, a C# port, and a version written in Nim, have been released. 

According to Sophos, the BYOVD technique is increasingly becoming popular with ransomware actors and lower-tier threat actors, possibly due to the sheer number of vulnerable drivers (as of 4 March 2024, there are 364 “vulnerable drivers” listed on the open-source vulnerable driver repository loldrivers.io). Coupled with the proliferation of vulnerable drivers is the advent of off-the-shelf kits and tools that use Bring Your Own Vulnerable Driver (BYOVD) techniques, like Terminator, that are now widely bought and sold on criminal forums. 

Analysis of Terminator shows that it appears to be leveraging the BYOVD technique, leveraging two Zemana vulnerable drivers, zam64.sys (Zemana Anti-Logger) or zamguard64.sys (Zemana Anti-Malware, or ZAM). These drivers contain the same vulnerability and insufficient verification of processes that can send IOCTL codes to the driver and request various functionalities. These drivers maintain an ‘allow list’ of legitimate, trustworthy processes. However, a threat actor can add their own process to the allow list by sending a specific IOCTL code and passing a running processes ID as a parameter. Once added, the threat actor can request several functionalities from the driver, including terminating a targeted process, such as an Endpoint Detection and Response solution, by sending a specific IOCTL request code.

However, to utilize the driver in this way, a threat actor would need administrative privileges and a User Account Control (UAC) bypass to install the driver, or they would need to trick a user into installing the driver via social engineering. While leveraging vulnerable legitimate drivers could undoubtedly allow a threat actor to terminate security solution processes, it’s not necessarily straightforward, and escalating privileges could trigger other security protections.

Reviewing behavioral detection telemetry for the past six months, Sophos discovered several incidents in which threat actors used the Zemana Anti-Logger or Anti-Malware drivers. In some cases, threat actors ported the open-source Terminator projects to different languages or obfuscated them through packers to circumvent detection. The following provides an overview of attacks that are illustrative of the patterns Sophos observed across their telemetry data:

On 13 September and 10 October 2023, two attacks using very similar methodologies likely exploited a vulnerable Citrix application to gain initial access. From there, the threat actors injected a payload into the Windows Error Reporting process, wermgr.exe. Next, they tried to disable Sophos by issuing two commands, wmic service where \”PathName like ‘%sophos%’\” call stopservice /nointeractive and wmic service where \”PathName like ‘%sophos%’\” call delete /nointeractive.

The targeted devices had tamper protection enabled, so the attempts to disable and remove the Sophos services failed. Adjusting to the failed attempts, the threat actor dropped a driver and then deployed an EXE file named ter.exe. The binary unpacks itself to a slightly modified version of Terminator.

Upon execution, the binary loads the driver (“BINARY” resource) and decrypts via AES-256, with a hardcoded key in the binary. Finally, the binary writes the decrypted content into a newly allocated section and executes it. However, the attempt to load the driver was blocked. The PDB path string in the ter.exe binary noted the original project name, “Terminator-master,” which may suggest the threat actor modified code from the Terminator GitHub repository.

In another attack on 15 December 2023, threat actors targeted a healthcare organization, gaining initial access to an exposed server. However, if it was known, Sophos did not disclose the exact access method. Immediately after gaining initial access, the threat actors attempted to execute a PowerShell command to download a text file containing a PowerShell script from a command and control (C2) server. This PowerShell script tried to install the XMRig cryptominer on the targeted system. However, this was blocked. Due to this failed attempt, the threat actors tried to disable the Endpoint Detection and Response (EDR) client by running the Nim version of Terminator. However, the effort to load the driver was also blocked.

In an attack on 25 December 2023, the threat actor gained access to a single machine by an unknown means. First, they tried to load the Zemana Anti-Logger driver (zam64.sys), masquerading it as updatedrv.sys, from two different locations, %sysdir%\drivers\updatedrv.sys and <d>\programdata\usoshared\updatedrv.sys.

After these attempts failed, the threat actor switched to AuKill, another known tool that can disable security solutions, where the Process Explorer driver was named ped.sys in the temp folder. However, this attack was likely blocked as well.

Risk & Impact Assessment

Terminator toolkit and its variants represent a substantial risk to organizations, mainly due to their ability to disable security solutions and facilitate further malicious activities. The risk associated with these toolkits arises from their BYOVD technique, which allows threat actors to gain kernel-level privileges and perform various destructive actions, such as disabling Endpoint Detection and Response (EDR) solutions. Given the observed adaptations and the proven capabilities of Terminator variants to bypass security solutions, there is a recognized potential for these tools to impact organizations. However, estimating this risk is challenging due to dynamic variables, including the evolving nature of the Terminator toolkit, the diversity and operational scale of the threat actors employing it, and the range of potential targets. These variables introduce a degree of uncertainty in our risk estimation. While the exact success rate of Terminator in compromising organizations is difficult to quantify, its technical sophistication, coupled with the increasing popularity of BYOVD techniques among threat actors, suggests a growing threat.

A cyberattack leveraging Terminator could have severe consequences for an organization. From an operational perspective, Terminator’s ability to disable security solutions can facilitate various actions, such as deploying additional malware, potentially leading to extensive system compromise and operational disruption. Financial implications may include significant expenditures on incident response, system remediation, legal fees, and potential fines for regulatory compliance violations. Moreover, the reputational damage from a successful breach could lead to loss of customer trust, attrition, and competitive disadvantage, especially if sensitive data is exfiltrated or tampered with. Considering these risks and impacts, organizations must assess their vulnerability to such threats and prioritize enhancing their defensive strategies against BYOVD techniques and tools like Terminator.

Source Material: Sophos, It’ll be back: Attackers still abusing Terminator tool and variants

BABYSHARK Variant Deployed following Exploited ScreenConnect Vulnerability

Vulnerability Exploitation – Malware – Threat Actor – BABYSHARK – TODDLERSHARK – Kimsuky – North Korea- ConnectWise ScreenConnect CVE-2024-1708 & CVE-2024-1709 

Threat Analysis

During the attack, initial access was gained to the victim’s workstation by the threat actor through the exploitation of an exposed setup wizard of the ConnectWise ScreenConnect application. 

With ”hands on keyboard” access the threat actors then used cmd.exe to execute mshta.exe with a URL to TODDLERSHARK, a Visual Basic (VB) based malware. The initial payload downloaded by the MSHTA utility was a VB script that was heavily obfuscated. The script includes randomly generated functions and variable names, as well as substantial amounts of hexadecimal encoded code and junk code. Each time the payload is downloaded it results in changes to the function names, variable names, junk code, and hexadecimal content, ensuring that the file’s hash will differ with each download. 

• Furthermore, the addition of varying numbers of lines of junk code, containing randomized strings, serves to further obfuscate the meaningful code within the malware. After de-obfuscation, the code was found to initiate the download and execution of the next stage, a URL contained within the lengthy hexadecimal string (along with additional junk code). This URL also varies with each download of the initial payload. it is probable that a web application on the command and control (C2) server generates a unique payload, including a unique URL for the second stage, each time it is called.
  
  When decoded, the second stage download contained a set of functionalities made up of three parts:
  • Setting windows registry keys
  • Capturing and exfiltrating system information
  • Setting up a scheduled task

To set Windows Registry keys, the TODDLERSHARK runs a series of commands. These commands configure the VBAWarnings keys in Word and Excel to a value of “1” across Office 2010, Office 2013, and Office 2016. This setting of “1” implies that both untrusted and trusted macros can execute without prompting the user, disabling certain macro security features in those versions. 

The largest set of functionality within TODDLERSHARK is its ability to capture and exfiltrate data. The stolen information includes details such as host and user information, network and security software data, as well as installed software and running processes. After collecting the data, the tool utilizes the built-in Windows command certutil to encode the gathered information into a Privacy Enhanced Mail (PEM) certificate, which it then exfiltrated to the C2 web application. Hiding exfiltrated data within PEM files is a technique also previously used by Kimsuky. Upon completing its exfiltration task, the code deletes the captured data and the certificate file.

The last component of the malware involves creating a scheduled task. A script is first written into an Alternate Data Stream (ADS) of a file located within the ProgramData directory. This script includes a URL, which the scheduled task will query every minute. Any response from the URL is forwarded for immediate execution. Similar to the previously mentioned URLs, this URL is uniquely generated for each time the initial payload is executed. After creating the script, the malware establishes a scheduled task set to run every minute.

Risk & Impact Assessment

The exploitation of CVE-2024-1708 and CVE-2024-1709 presents a considerable risk to organizations using ScreenConnect versions before 23.9.8. The number of threat actors exploiting these ScreenConnect vulnerabilities for initial access is growing. In this case a likely new variant of BABYSHARK, TODDLERSHARK, was deployed after successful exploitation. The functionality of the malware poses a significant risk to organizations. Furthermore, due to TODDLERSHARK’s polymorphic behavior and use of uniquely generated command and control (C2) URLs, this malware can be difficult to detect in some environments. 

A cyberattack facilitated by this TODDLERSHARK malware could profoundly impact an organization, Financially, it could lead to substantial losses due to operational downtime, data recovery efforts, legal fees, and potential fines for compliance violations. The reputational damage could erode stakeholder trust, affecting customer relationships and leading to a loss of business. Furthermore, the theft or compromise of sensitive data could have long-term implications on competitive advantage, exposing the organization to further targeted attacks. 

Source Material: Kroll, TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant