What’s Surging? Our Picks of The Most Thunderous News From October 2023
The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
(1) CISA Updates #StopRansomware Advisory for AvosLocker
Category: Ransomware News | Source: CISA
In a joint Cybersecurity Advisory (CSA) released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), updated details surrounding the AvosLocker ransomware gang have been shared. AvosLocker is a ransomware-as-a-service (RaaS) entity that has caused havoc, with incidents identified as recently as May 2023. This threat operates across various critical infrastructure sectors within the United States, targeting Windows, Linux, and VMware ESXi environments. Like many ransomware groups, AvoLockers aims to leverage the threat of data encryption and theft for double-extortion.
The AvosLocker affiliates exhibit a propensity for leveraging legitimate software and open-source tools during their ransomware operations. These tools encompass a range of tactics, such as utilizing remote system administration tools, executing scripts to employ native Windows tools, employing open-source networking tunneling tools, maintaining command and control through tools like Cobalt Strike and Sliver, and employing credential harvesting techniques using tools like Lazagne and Mimikatz. Moreover, for data exfiltration, AvosLocker affiliates utilize tools like FileZilla and Rclone. The FBI has reported the use of various custom PowerShell and batch scripts for lateral movement, privilege escalation, and disabling antivirus software, reinforcing the sophistication and adaptability of this threat group. Custom webshells have been employed to facilitate network access and further their malicious activities.
CISA provides a comprehensive list of recommended mitigation steps for organizations to adopt, addressing the evolving threat of AvosLocker ransomware. These steps encompass securing remote access tools, imposing strict restrictions on RDP and remote desktop services, securing and monitoring PowerShell usage, and consistently updating software with the latest patches.
(2) The Siege of Southeast Asia's Government Sector with Alloy Taurus
Category: Threat Actor Activity | Source: Unit 42
Tracking clusters of cyber activity against government entities in Southeast Asia by researchers from Unit42. A cluster tracked as CL-STA-0045 is assessed to be attributed to the Chinese cyberespionage group, Alloy Taurus also referred to as Gallium, with moderate confidence. This ongoing cyber campaign began in early 2022, targeting government entities in Southeast Asia, and is characterized as “multiwave intrusions” with a penchant for exploitation of vulnerabilities in Exchange Servers. The threat actors employ a range of tools and techniques in their operations. Unit42 suspects the "main goal behind the activity was to facilitate long-term espionage operations."
The attack begins with the threat actors gaining access to the target network and installing web shells, including China Chopper, on internet-facing web servers. These web shells allow the attackers to initiate system and network reconnaissance on the compromised host and also create administrative accounts. Subsequently, the attackers attempt to execute undocumented .NET backdoors named Reshell and Zapoa, which provide them with remote command execution capabilities.
To maintain access and evade detection, the attackers install SoftEther VPN software, renaming it to blend in with legitimate files. They also connect to external hosts, including GitHub, and download additional tools such as Kerbrute and LsassUnhooker. The attackers make efforts to steal credentials through various means, including brute force attacks, password theft, and NTLM downgrade attacks. The threat actors target critical assets within the network, particularly web servers and domain controllers, using tools like AnyDesk and SSH tunneling. They attempt to install additional tools and malware, such as Cobalt Strike, Gh0stCringe RAT, HDoor, and a variant of Winnti malware.
(3) Espionage Campaign 'Operation Jacana' Targets Guyana Government Agency
Category: Threat Actor Activity | Source: ESET
An espionage campaign targeting a government agency in Guyana dubbed "Operation Jacana," is reported by ESET researcher, Fernando Tavella. The campaign is reported to have been identified in February 2023 through a spear phishing email that lured the target using recent geopolitical events. While not definitively attributed to a specific APT group, ESET assesses with medium confidence that a China-aligned threat actor is responsible for this operation. Of the malware distributed in the campaign, a variant of Korplug/PlugX was discovered aiding the attribution to a China-aligned threat actor. Tavella points out there is an economic interest for China in Guyana, driven by the Belt and Road Initiative — a global infrastructure development project launched by China aimed to foster economic partnerships and connectivity across various countries.
Spear phishing emails with subjects related to Guyanese public affairs were used to lure victims, with links leading to a ZIP file hosted on a Vietnamese government website. Once the victim extracted and launched the ZIP file, containing an executable for a new C++ backdoor tracked as "DinodasRAT," infected the victim's system. Name based on its command & control (C2) configuration string "always begins with Din." This multifaceted malware can exfiltrate files, capture screenshots, manipulate the Windows registry, execute commands, and more.
After the initial compromise, the threat actors executed lateral movement within the victim's network using tools like Impacket. They employed various commands, including certutil to download files, create persistence with a new account, and extract credentials using ntdsutil.exe. DinodasRAT, with its unique capabilities, played a central role in the espionage campaign, enabling the attackers to remain stealthy in their operations along with the use of additional malware in Korplug and a SoftEther VPN client. While lateral movement and malware along with C2 activity were reported, the level of impact of the Operation Jacana campaign is unknown and whether attackers were able to exfiltrate data from the compromised government entity.
Grounding the Storm with Detections from the Forge
Octo Tempest's Advanced Social Engineering Drives Monetary Goals
Category: Threat Actor Activity | Source: Microsoft
A financially motivated threat actor, armed with sophisticated social engineering capabilities, is detailed in Microsoft's latest research report. The threat group tracked as Octo Tempest, is assessed to be affiliated with the ALPHV/Blackcat ransomware gang, in addition to having overlaps with threat activity attributed to 0ktapus, Scattered Spider, and UNC3944. Octo Tempest is considered one of the "most dangerous financial criminal groups," known for its broad use of social engineering, adversary-in-the-middle techniques, and SIM-swapping capabilities. Their activities have evolved from initial tracking in early 2022 targeting mobile telecommunications and business process outsourcing organizations to a wider range of industries, including technology, financial services, and more.
During their social engineering campaigns to obtain initial access, Octo Tempest actors conduct research to understand the targeted organization’s structure and personnel. They will engage with "technical administrators, such as support and help desk personnel" to gain initial access by resetting passwords or resetting multi-factor authentication (MFA). Conversely for easy access, Microsoft observed Octo Tempest "impersonating newly hired employees in these attempts to blend into normal on-hire processes." Alternatively, Octo Tempest is capable of obtaining initial access through compromised credentials purchased from underground markets, utilizing SIM swapping, contacting and convincing an employee to install remote access software, or visiting fraudulent login portals. In more aggressive but rare instances, Microsoft reports Octo Tempest resorting "to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."
Once access has been obtained, the attackers scour for data, running "broad searches across knowledge repositories to identify documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults." After the attackers have conducted a thorough review of the network and data, they utilize the data gathered pivoting to fulfill privilege escalation and persistence objectives. Also, with an understanding of the network, Octo Tempest has disabled security monitoring or defenses to evade detection. They target security personnel in an effort to manipulate security monitoring tools and EDR into permitting the download of their desired tools. Additionally, they disable notifications by setting up inbox rules to "automatically delete emails from vendors." Depending on the attack, their intrusion culminates with cryptocurrency theft, data exfiltration, and/or, ransomware deployment. Octo Tempest's affiliation with ALPHV/BlackCat enables the group to deploy ransomware on Windows, Linux, or VMWare ESXi servers and leverage the ransomware gang's data leak site for extortion.
The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.