In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware“.…
Tag: DEFENSE EVASION
STEELHOUND, STEELCORGI and Environment Variable Keying
Read More UNC2891 often made use of the STEELCORGI in-memory dropper which decrypts its embedded payloads by deriving a ChaCha20 key from the value of an environment variable obtained at runtime. In many cases, Mandiant was unable to recover the requisite environment variables to decrypt the embedded payloads.…
Summary
Multifactor Authentication (MFA): A Cybersecurity Essential• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.•…
Since the dawn of phishing, fraudulent invoicing and purchasing schemes have been one of the most common lures. The usual modus operandi involves appealing to the recipient’s desire to avoid incurring a debt, especially where a business may be involved.
FortiGuard Labs recently came across an interesting phishing e-mail masquerading as a purchase order addressed to a Ukrainian manufacturing organization that deals with raw materials and chemicals.…
In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.
Hive, which is one of the more notable ransomware families of 2021, made waves in the latter half of the year after breaching over 300 organizations in just four months — allowing the group to earn what could potentially be millions of US dollars in profit.…
奧義智慧團隊第一手調查,挖掘中國國家級駭客利用金融軟體系統漏洞,所引發的一系列高風險攻擊事件
Read More 隨著金融科技的技術持續發展,金融產業使用了更多的資訊系統,便也代表著比起過去任何時候,潛藏了更多未知的資安威脅,而駭客入侵所造成的影響,往往也牽一髮而動全身,有著絕不可小覷的風險。
2021 年底一連串我國證券商與期貨商遭受駭客撞庫攻擊、導致下單系統異常的新聞,在當時引發了社會上一片軒然大波。奧義智慧研究團隊在參與事件調查 (Incident Response, IR) 時,成功挖掘出關於金融攻擊事件的更多內幕,本篇文章將帶您深入瀏覽與探討,來自中國國家級駭客的金融產業供應鏈攻擊手法剖析、惡意程式技術,與對應的緩解措施等。
事件緣起去年臺灣發生多起證券、期貨商遭到撞庫攻擊,甚至出現下單異常案件的情況,研判應為系統性問題而非單一個案,並且對於交易秩序的影響相當嚴重。該攻擊事件疑似為特定組織型駭客所發起,長期且有目的性的滲透行動,從攻擊手法中可以觀察到,駭客具有針對不同目標環境開發對應後門、躲避安全軟體偵測的能力,並十分擅長於企業內網攻擊,操作手法亦相當熟稔。
奧義智慧科技 (CyCraft) 於 2021 年 11 月底到 2022 年 2 月初,監控到一系列大範圍且專門針對臺灣金融單位軟體系統的供應鏈攻擊事件,遂而開始展開進一步詳細的調查。初步發現,攻擊者準確利用了我國金融單位常用的軟體系統之漏洞,第一波攻擊於 2021 年 11 月底出現受駭案例,第二波活動的高峰期則在 2022 年 2 月 10 至 13 號之間,攻擊者來源 IP 位於香港。
經調查,本次攻擊事件所使用之後門程式為 QuasarRAT,經過分析啟動方式、保護機制與使用之 C2 中繼站等情資後,研判應為中國國家級駭客 APT10 所發起的新活動,主要針對國內金融業發動攻擊。
由於在過去的資安研究之中,源於中國的 APT 組織一般較少以經濟獲益為目標,然而,本起行動中則明確有著盜竊金融資料的行為,因此奧義研究團隊以「咬錢熊貓」(Operation Cache Panda) 這項代稱來命名此行動。
攻擊手法剖析Operation Cache Panda 行動中,利用到了一項證劵軟體系統管理介面的網站服務漏洞。首先,攻擊者上傳了中國駭客常用之 ASPXCSharp WebShell 進行網站主機控制,之後便開始利用知名內網滲透工具 Impacket 掃描內網電腦,試圖大範圍植入DotNet 後門程式,並意圖竊取受駭單位資料。
攻擊者大量使用了動態載入 DotNet 組件檔案 (DotNet Assembly) 的技術,透過攻擊手法 Reflective Code Loading(MITRE ATT&CK 編號 T1620),動態注射惡意 DotNet Assembly 程式碼到系統以合法執行程序。
此次事件除了使用到可編譯不同平台 Shellcode、透過 In-Memory 的方式執行 DotNet Assembly 的開源專案 Donut 外,亦發現使用部分 SharpSploit 程式碼注入 DotNet惡意程式,可以達到無惡意模組落地的隱匿效果,藉以降低被防毒軟體偵測機率。
其後攻擊者將會搭配 Impacket,透過 Remote Service/WMI 方式橫向擴散到內部主機。一旦成功取得內部主機的控制權,攻擊者便會建立 Reverse Tunnel RDP,使其更容易地透過遠端桌面操作受駭主機。
在本次調查當中,我們發現駭客使用了名為文叔叔的中國雲端檔案分享服務來下載相關工具,藉以達到一定程度的方便性以及匿名性;不過,也正因如此,駭客在透過 RDP 登入受駭主機時,反而容易留下更多追查線索。
本次遭駭的軟體系統在臺據稱有八成以上的市佔率,屬於金融機構的供應鏈攻擊。據悉已有多家企業遭受 Operation Cache Panda 行動不同程度的影響,建議金融單位立即修補軟體系統漏洞,限制 Web 管理介面的存取範圍,並盤點本文文末所提供的入侵指標 (Indicator of Compromise, IoC),包含網路 IP、檔案雜湊 (hash) 與惡意程式特徵等,另外也建議安裝奧義智慧的 Xensor EDR,開啟惡意程式保護模組 (Malware Protection Module) 以監控與阻擋相關的惡意活動。
奧義智慧第一時間監控,並告警駭客內網滲透活動奧義智慧全球情資平台 CyberTotal 歸因出攻擊者疑為 APT10攻擊技術分析 第一階段:突破與建立進入點本次攻擊所使用的 WebShell 取用於開源專案,此 Webshell 改良了中國駭客常用的蟻劍 WebShell 框架 (As-Exploits),並加強其動態加載與執行 DotNet Assembly 的能力,透過 GetType[0] 取得和建構出 Payload 的 Run類型,以確保能做到無惡意檔案落地與不會留下 Web存取紀錄之效果。
第二階段:移動與潛伏Operation Cache Panda 事件的攻擊者使用到六隻惡意程式,其中,只有三個檔案會落地,其餘皆在動態下載後載入。這六隻惡意程式各自負責了不同的功能,並串連成了本次的攻擊,整體流程請參照下方圖片。
惡意程式架構與活動分析PresentationCache.exe…
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware.
Read More Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges.…
On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs updated the Picus Threat Library with attack simulations for LockBit 2.0 back in August 2021, the increasing number of attacks led us to write this blog post.…
Attribution
Read More In August 2021, a disgruntled CONTI affiliate leaked training documents, playbooks, and tools used to assist in CONTI ransomware operations. Mandiant has determined that some of the activity listed above overlaps with techniques in the playbooks disclosed in August.
At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives.…
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment, while stealing browser information and emails.…
On November 11th, Google TAG published a blogpost about watering-hole attacks leading to exploits for the Safari web browser running on macOS. ESET researchers had been investigating this campaign the week before that publication, uncovering additional details about the targets and malware used to compromise its victims.…
Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.…
By Sriram P & Lakshya Mathur
Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy…
Cuba Ransomware Overview
Read More Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen to not pay the ransom or have recovered their data via some other means. At the end of the day, fighting ransomware has resulted in the bad actors’ loss of revenue.…
In this report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team details an espionage campaign, targeting telecommunication companies, dubbed Operation Diànxùn.
In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda.…