The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
What’s Surging? Our Picks of The Most Thunderous News From April 2023
(1) FIN7 Operators Seek Out Veeam Backup Servers for Network Compromise
Category: Threat Actor Activity | Source: WithSecure
The financially motivated threat group FIN7 has been discovered exploiting vulnerabilities in Veeam Backup and Replication software to compromise data. In a report from WithSecure Intelligence, researchers observed an attack on March 28th, 2023, with shell commands executed from a Veeam Backup instance. WithSecure attributed the attack to FIN7 operators or to attackers with access to "FIN7 tradecraft." With "low-to-medium confidence," WithSecure assesses that the attackers exploited CVE-2023-27532, which allows unauthorized users within the network perimeter to access encrypted credentials stored in the configuration database of the exposed Veeam server. Additional observations of the exploited server support this assessment: probing activity was seen a few days prior, communication port 9401 (used by the Veeam Backup Service over SSL) was open, the servers were vulnerable to CVE-2023-27532, and the release of a proof-of-concept (POC) exploit for CVE-2023-27532 by Horizon3 on March 23rd preceded the attack by a few days. "The POC contains remote command execution functionality. The remote command execution, achieved through SQL shell commands, yields the same execution chain observed in this campaign," said WithSecure.
The shell commands initiated the download and execution of a PowerShell script from a 'sqlservr.exe' process. Analysis of the PowerShell scripts identified them as POWERTRASH, "an obfuscated loader written in PowerShell that has been attributed to FIN7." The naming convention of the scripts aligns with files that FIN7 has deployed in other campaigns. WithSecure's incident timeline indicates the intrusion spanned two days. Reconnaissance commands were launched to identify network connections, running processes, IP configurations and registry settings for Veeam. For persistence, a new account was created using WMIC. Several PowerShell scripts launched by the operator also helped establish persistence in the registry. Lateral movement was first tested using WMI method invocations. WithSecure identified the attackers transferring two of their PowerShell scripts by dropping them into the ADMIN$ share of the remote host over SMB and executing them "through remote service creation." The scripts were used to enumerate the target host and "performed remote injection into the ‘PlugPlay’ service, which made a network connection to a remote host on port 443." WithSecure has not determined the attacker's objective in this campaign, and the specific exploit used against Veeam remains unknown. However, it is clear that Veeam software is within the threat actor's attack scope, underscoring the urgency for administrators to patch and defend their servers.
(2) BumbleBee Malware Found in Disguised Software
Category: Malware Campaign | Source: SecureWorks
To distribute malware through Google Ads or SEO poisoning, threat actors often employ the popular tactic of pairing wanted content with unwanted content. Secureworks' analysis revealed that BumbleBee malware is being spread through "trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace." This campaign has been observed since at least February 16th, 2023, beginning with the identification of a fictitious Cisco AnyConnect download page. "An infection chain that began with a malicious Google Ad sent the user to this fake download page via a compromised WordPress site," said Secureworks.
After the trojanized software is downloaded, a legitimate version of the software is installed through an MSI installer file. However, the installation also launches a malicious PowerShell script that loads the BumbleBee malware into memory. Because BumbleBee is modular, it can be used to download additional payloads for data collection and ransomware. In an intrusion observed by Secureworks, threat actors downloaded remote access software three hours after obtaining initial access, then moved laterally, collected system data and credentials, and ultimately deployed ransomware.
(3) Heightened Threat from Iranian State-Sponsored Hackers
Category: Threat Actor Activity | Source: Microsoft
A subgroup of the Iranian nation-state group Magic Hound (aka PHOSPHORUS, Mint Sandstorm) has been discovered conducting data theft campaigns against "high-value targets." In a report released by Microsoft, the subgroup is described as being "technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities." Threat actors in this subgroup have gradually honed their proficiency in leveraging publicly disclosed proof-of-concept exploits (POCs). While the Iranian actors had previously been slow to weaponize POCs, often taking weeks to adopt them, they have since matured, demonstrating the technical capability to make use of POCs on the same day they are disclosed.
Two attack chains presented by Microsoft share the same initial stage: initial access is gained by exploiting a POC, followed by execution of a PowerShell script to collect system and network information. Impacket is then used to move laterally onto the "higher value devices" identified by the PowerShell script. From here the chains diverge. The first path involves executing additional PowerShell scripts to conduct further enumeration, activate RDP connections, create an SSH tunnel and ultimately compromise the victim's Active Directory database. In the second variant, following the use of Impacket, the threat actors connected to their C2, established persistence through a scheduled task and deployed their own custom implants "such as Drokbk and Soldier." These implants are crafted to leverage attacker-controlled "GitHub repositories to host a domain rotator containing the operators’ C2 domains," enabling them to "dynamically update their C2 infrastructure," as examined by Microsoft.
Grounding the Storm with Detections from the Forge
A Destructive Pairing with MERCURY and DEV-1084
Category: Threat Actor Activity | Source: Microsoft
A collaboration was observed between the Iranian threat actor MERCURY (aka MuddyWater) and a threat actor Microsoft tracks as DEV-1084. According to a report from the Microsoft Threat Intelligence team, the two groups worked in tandem to compromise both on-premises and cloud environments. While the attackers attempted to disguise the attack as a ransomware operation, the objective was to achieve a more destructive and unrecoverable result. MuddyWater operators performed the initial breach, exploiting known vulnerabilities, and then handed the campaign over to DEV-1084 to carry out the intrusion and the destructive portion of the attack. As analyzed by Microsoft, DEV-1084 performed "extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients."
The operators of DEV-1084 employed a range of techniques to maintain persistence, including deploying web shells, creating a local user account, and elevating privileges. They also downloaded several tools onto the compromised hosts, including PowerShell scripts to establish a backdoor and remote access tools such as RPort, Ligolo, and eHorus to facilitate their activities. Microsoft reported that the stolen credentials were used during the lateral movement phase, with commands executed through remote scheduled tasks, Windows Management Instrumentation (WMI), and encoded PowerShell commands. Once lateral movement was achieved, they deployed on the newly reached hosts the same persistence mechanisms they had established elsewhere. "Interestingly, after each main attack step, the actors did not always immediately continue their operations but would wait weeks and sometimes months before moving to the next step," as noted by Microsoft.
Prior to the ransomware deployment phase, DEV-1084 operators launched an attack on the victim's Azure cloud environment. Over the span of 2 hours and 43 minutes, they entered the cloud environment using a compromised account, added and manipulated properties to obtain elevated privileges, and then proceeded to delete servers and hosts. Microsoft assessed that the end objective "was to cause data loss and a denial of service (DoS) of the target’s services." DEV-1084 used Group Policy Objects (GPO) and a scheduled task to spread their ransomware payload.
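As an added illustration (not Anvilogic or Armory content, and not code from any of the reports above), the following Python sketch runs a handful of process-creation rules over constructed Sysmon-style events for behaviours described in this recap: PowerShell launched from the Veeam server's sqlservr.exe process (FIN7), PowerShell spawned by an MSI installer (BumbleBee), WMI method invocation, encoded PowerShell and remote scheduled tasks (DEV-1084 and the Mint Sandstorm subgroup). Field names follow Sysmon Event ID 1; the regex patterns, sample paths and the base64 argument are assumptions made for the example.

```python
# Added illustration, not Anvilogic/Armory content: a toy rule engine run over
# constructed Sysmon-style process-creation events for behaviours named in this recap.
import re

PS = {"powershell.exe", "pwsh.exe"}
SHELLS = PS | {"cmd.exe"}

def exe(event, key):
    """Lower-cased file name of an image path: C:\\...\\SQLSERVR.EXE -> sqlservr.exe."""
    return event.get(key, "").lower().rsplit("\\", 1)[-1]

def cmd_has(event, pattern):
    return re.search(pattern, event.get("CommandLine", ""), re.I) is not None

# Rule name -> predicate. Each maps to a behaviour in the report; the patterns are assumptions.
RULES = {
    # FIN7/Veeam: shell commands and a PowerShell download launched from sqlservr.exe
    "sqlservr_spawns_shell": lambda e: exe(e, "ParentImage") == "sqlservr.exe" and exe(e, "Image") in SHELLS,
    # BumbleBee: trojanized MSI install that also starts a PowerShell loader
    "msiexec_spawns_powershell": lambda e: exe(e, "ParentImage") == "msiexec.exe" and exe(e, "Image") in PS,
    # WMI method invocation used to test lateral movement
    "wmic_process_call_create": lambda e: exe(e, "Image") == "wmic.exe" and cmd_has(e, r"process\s+call\s+create"),
    # Encoded PowerShell; powershell.exe accepts abbreviated -e/-ec/-en/-enc for -EncodedCommand
    "powershell_encoded_command": lambda e: exe(e, "Image") in PS and cmd_has(e, r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b"),
    # Remote scheduled task creation: schtasks /create aimed at another host via /s <host>
    "schtasks_remote_create": lambda e: exe(e, "Image") == "schtasks.exe" and cmd_has(e, r"/create\b") and cmd_has(e, r"/s\s+\S+"),
}

def detect(events):
    """Return (rule_name, event_id) for every event/rule pair that matches, in event order."""
    return [(name, ev["id"]) for ev in events for name, hit in RULES.items() if hit(ev)]

# Constructed sample events (no real incident data); the base64 argument is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\msiexec.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\setup.ps1"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"host02" process call create "cmd.exe /c hostname"'},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /s host03 /tn Updater /tr C:\Windows\Temp\u.bat /sc onlogon"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},  # benign interactive use; should not fire
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 is included to show the encoded-command rule does not fire on ordinary -Command or -ExecutionPolicy switches.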
The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory, with content already mapped so you can quickly deploy detections and secure your environment.