What’s Surging? Our Picks of The Most Thunderous News From September 2023
The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
(1) CISA #StopRansomware Advisory: Snatch Ransomware
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a report highlighting the ransomware threat posed by the Snatch ransomware gang as part of the agency's #StopRansomware series. Snatch, a ransomware-as-a-service (RaaS) operation, first emerged in 2018 and has since targeted various sectors, including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. The group employs double extortion tactics, threatening to release victims' data if ransoms are not paid. Snatch uses several methods for initial access, such as exploiting Remote Desktop Protocol (RDP) vulnerabilities and obtaining compromised credentials. They exfiltrate and encrypt victim data, taking up to three months to exploit networks thoroughly. The gang employs evasion techniques to disable antivirus software and communicates with victims through email and the Tox communication platform. CISA warns that since "mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants' operations."
Insights from The Record have shed light on the recent surge of Snatch ransomware attacks, and their repercussions have been keenly felt across a spectrum of institutions. Affected entities range from law enforcement agencies, schools, and healthcare facilities to notable victims such as the Florida Department of Veterans' Affairs, law enforcement in Modesto, California, and a Wisconsin school district. Furthermore, Snatch's data breaches have extended to a diverse range of organizations, including a South African Defense department, automaker Volvo, a Canadian airport, and the Canadian Nurses Association. This concerning trend underscores the heightened threat posed by Snatch ransomware, with a notable concentration of activity in North America. Security experts like Nick Hyatt from Optiv have diligently monitored Snatch's actions from July 2022 to June 2023, revealing a strong emphasis on targeting North American entities. During this timeframe, Hyatt's team documented an unsettling total of 70 attacks.
(2) Six Month Intrusion of an Asian Electrical Company
Category: Threat Actor Activity | Source: Symantec
In a six-month intrusion beginning on February 28th, 2023, threat actors tracked as Redfly were discovered to have compromised a national grid organization located in an Asian country. Symantec's Threat Hunter team reported and analyzed the attackers' activities, which ceased on August 3rd. During this intrusion, the attackers were observed compromising credentials, installing keyloggers, dropping loaders, and moving laterally to infect additional hosts on the network. Notably, Symantec's tracking of this threat actor revealed a clear focus on organizations associated with critical infrastructure.
While the first signs of intrusion were detected on February 28th, the attacker maintained a low profile until May 16th, when they began executing scripts and loaders and gathering credentials from the registry. Their attack progressed intermittently through the month of May, with notable activity on the 17th, 19th, 26th, 29th, and 31st: the deployment of several malicious payloads, gathering of system information, additional credential theft from the registry, clearing of security logs, and the establishment of persistence with a scheduled task on May 31st. Redfly's activity did not pick up again until July 27th, marked by the deployment of a keylogger. Their final activity took place on August 3rd, with credentials dumped from LSASS using a renamed ProcDump executable, followed once again by credential theft from the registry.
Redfly's persistent targeting of critical infrastructure organizations represents a troubling trend among threat actors, as it underscores their intent to disrupt essential services within this sector. Symantec warns threat actors "maintaining a long-term, persistent presence on a national grid presents a clear risk of attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political tension."
(3) A Meticulous Espionage Group Circling Gov & Tech Orgs
Category: Threat Actor Activity | Source: Trend Micro
A cyberespionage campaign orchestrated by a hacker group tracked as Earth Estries was unveiled, revealing activity that dates back to at least 2020. Notably, Earth Estries shares some tactics, techniques, and procedures (TTPs) with another advanced persistent threat (APT) group, FamousSparrow. Insights into this espionage campaign and its threat actors are revealed in a report from Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison.
Earth Estries operates with significant resources, showcasing adeptness in cybercrime and cyberespionage activities. They employ multiple backdoors and hacking tools for enhanced intrusion methods. Trend Micro reports that the actors prefer to minimize their footprint as much as possible, evident from the use of "PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface's (AMSI) logging mechanism. In addition, the actors abuse public services such as Github, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data." Earth Estries is also observed to consistently delete traces of their malware before initiating the next phase of their attack.
This ongoing campaign targets verticals in government and technology across the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. Tools deployed by Earth Estries include Zingdoor, a new HTTP backdoor, and TrillClient, an information stealer. DLL sideloading is a heavily utilized technique by the actor. Trend Micro's analysis found their DLL sideloading was used "against older versions of legitimate files, some even a decade old, in a bid to convert them into LOLBins." This method of attack is another attempt at a stealthy intrusion. Additional capabilities observed in Trend Micro's report include operators compromising an admin account and deploying Cobalt Strike, PlugX, and Meterpreter stagers.
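The PowerShell downgrade trick quoted above (starting the v2 engine, which predates AMSI and script block logging) leaves a recognizable trace: a Windows PowerShell classic log Event ID 400 whose EngineVersion is 2.x while the HostVersion is newer. The following Python is an added defender-side example, not code from Trend Micro or Anvilogic; the event records and command lines are constructed, and the field layout follows the standard Event ID 400 "Engine state is changed" message.

```python
import re

# Constructed Event ID 400 records: the key=value "Details" text of the message.
SAMPLE_EVENTS = [
    {"id": 400, "data": "Engine state is changed from None to Available. Details: "
                        "NewEngineState=Available HostName=ConsoleHost "
                        "HostVersion=5.1.19041.3031 EngineVersion=5.1.19041.3031"},
    {"id": 400, "data": "Engine state is changed from None to Available. Details: "
                        "NewEngineState=Available HostName=ConsoleHost "
                        "HostVersion=5.1.19041.3031 EngineVersion=2.0"},   # downgrade
    {"id": 400, "data": "Engine state is changed from None to Available. Details: "
                        "NewEngineState=Available HostName=ConsoleHost "
                        "HostVersion=2.0 EngineVersion=2.0"},              # genuine v2 host
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_details(data: str) -> dict:
    """Turn the key=value pairs of the event message into a dict."""
    return dict(KV.findall(data))

def is_engine_downgrade(event: dict) -> bool:
    """True when a 2.x engine was started by a host that is not itself 2.x.
    A v2 host running a v2 engine is a legacy box, not a downgrade."""
    if event.get("id") != 400:
        return False
    kv = parse_details(event["data"])
    engine, host = kv.get("EngineVersion", ""), kv.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")

# Process-creation side: powershell.exe accepts any unambiguous prefix of
# -Version, so "-v 2", "-ver 2" and "-version 2" all request the v2 engine.
_PREFIXES = "|".join(re.escape("-version"[:n]) for n in range(8, 1, -1))
DOWNGRADE_ARG = re.compile(rf"(?i)(?:^|\s)(?:{_PREFIXES})\s+2(?:\.0)?(?=\s|$)")

def has_downgrade_flag(command_line: str) -> bool:
    """True when a command line explicitly requests PowerShell engine version 2."""
    return bool(DOWNGRADE_ARG.search(command_line))

def find_downgrades(events: list) -> list:
    """Return the Event ID 400 records that indicate an engine downgrade."""
    return [e for e in events if is_engine_downgrade(e)]

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_EVENTS):
        print("downgrade:", parse_details(hit["data"]))
```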
Grounding the Storm with Detections from the Forge
(4) Okta Warns of an Intricate Attack Targeting Privileged Accounts
Category: Threat Actor Activity | Source: Okta
Okta revealed a series of social engineering attacks that have targeted several US-based Okta customers aimed at obtaining highly privileged admin accounts. These attacks have prompted an advisory to be released by the identity provider (IdP), sharing observed tactics, techniques, and procedures (TTPs) of the threat actors behind the campaign. Okta reports the campaign amped up in recent weeks as "multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users." Once their attempt succeeded, the attackers exploited their compromise of Okta Super Administrator accounts to misuse identity federation features, allowing them to impersonate users within the compromised organization.
According to Okta, the threat actors "appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions." Okta assessed the threat actors as being highly proficient, having "demonstrated novel methods of lateral movement and defense evasion."
A noteworthy tactic initiated by the attackers was configuring "a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target." Abusing the source IdP they controlled enabled them to achieve Single Sign-On (SSO) access to applications within the target IdP using the credentials of the targeted user. Okta has provided a list of indicators of compromise (IOCs) observed between July 29th, 2023, and August 19th, 2023 to aid customers with exposure checks and threat-hunting opportunities.
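The chain described above (service desk resets a Super Administrator's MFA factors, the attacker signs in, then registers an attacker-controlled inbound IdP) can be correlated in Okta System Log data. The Python below is an added defender-side example, not code from Okta's advisory or Anvilogic's Armory; the log records are constructed, and the event type names `user.mfa.factor.reset_all` and `system.idp.lifecycle.create` are assumed from Okta's System Log naming, so confirm them against your tenant's log before deploying.

```python
from datetime import datetime, timedelta

# Constructed Okta System Log records, trimmed to the fields the rule needs.
# Event type names are assumed (see lead-in); verify against your tenant.
SAMPLE_LOG = [
    {"published": "2023-08-01T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.test", "target": "sa.alice@example.test"},
    {"published": "2023-08-01T14:09:40Z", "eventType": "user.session.start",
     "actor": "sa.alice@example.test", "target": "sa.alice@example.test"},
    {"published": "2023-08-01T15:31:05Z", "eventType": "system.idp.lifecycle.create",
     "actor": "sa.alice@example.test", "target": "Inbound IdP (constructed name)"},
    {"published": "2023-07-10T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.test", "target": "bob@example.test"},  # routine reset
]
# Accounts holding Super Administrator; in practice pull this from the Okta API.
PRIVILEGED = {"sa.alice@example.test"}

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def privileged_mfa_resets(events: list, privileged: set) -> list:
    """Every full MFA reset whose target is a privileged account: a signal on its own."""
    return [e for e in events
            if e["eventType"] == "user.mfa.factor.reset_all" and e["target"] in privileged]

def find_idp_abuse(events: list, privileged: set, window=timedelta(hours=48)) -> list:
    """Return (reset_event, idp_event) pairs: a privileged account's MFA factors were
    reset, and within the window that same account created a new Identity Provider.
    That sequence matches the inbound-federation (Org2Org) impersonation setup."""
    resets = privileged_mfa_resets(events, privileged)
    hits = []
    for idp in events:
        if idp["eventType"] != "system.idp.lifecycle.create":
            continue
        for reset in resets:
            delta = _ts(idp["published"]) - _ts(reset["published"])
            if reset["target"] == idp["actor"] and timedelta(0) <= delta <= window:
                hits.append((reset, idp))
    return hits

if __name__ == "__main__":
    for reset, idp in find_idp_abuse(SAMPLE_LOG, PRIVILEGED):
        print(f"{idp['actor']}: MFA reset at {reset['published']}, "
              f"IdP created at {idp['published']}")
```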
The Anvilogic Armory contains over 2,000 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.