Forge Charged News: The Most Electrifying News From February 2023

Forge Charged News: The Most Electrifying News From February 2023

Security Trends

The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats. 

What’s Surging? Our Picks of The Most Thunderous News From February 2023
  Coinbase Contains Incident Rooted from Social Engineering Campaign

Category: Data Breach | Source: Coinbase

Coinbase, a cryptocurrency exchange platform, has reported a security incident resulting from a successful phishing attack against one of its employees. Coinbase attributes the attack to threat actors responsible for the ‘0ktapus‘ phishing campaign, which has run since March 2022, targeting users and organizations using Okta’s Identity and Access Management service. Group-IB identified the campaign as having compromised at least 9,931 accounts from over 130 organizations. Although the attacker was able to access some contact information for multiple Coinbase employees, no customer funds or data were affected by the intrusion. The campaign was traced to have begun on Sunday, February 5th, 2023. The attacker sent SMS alerts to several Coinbase engineers, urging them to log in to their accounts to read an important message. While most employees ignored the messages, one fell for the attack and was directed to a phishing page where they forfeited their credentials. The attacker leveraged the victim’s credentials and attempted to log in but couldn’t get past Multi-Factor Authentication (MFA), prompting the attacker to contact the compromised employee through their mobile phone roughly 20 minutes later. The attacker masqueraded as part of the company’s corporate Information Technology (IT) division.

“Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back-and-forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately, no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers,” as shared by Coinbase. From there, Coinbase’s Computer Security Incident Response Team (CSIRT) stepped in to contain the incident, the employee ceased communication with the attacker, and CSIRT temporarily suspended “all access for the victimized employee and launched a full investigation.” Coinbase credited their “layered control environment” with preventing compromises to customer funds and information. Based on defensive recommendations shared by Coinbase for the intrusion, the attacker attempted to install cookie manager, EditThisCookie, and remote access software such as ANyDesk and ISL Online.

(2) QakBot Pairs with OneNote

Category: Malware Campaign | Source: Sophos

New Qakbot/Qbot campaigns have been discovered abusing the OneNote application to initiate its infection chain. Researchers from Sophos discovered the new trend on January 31st, 2023, from spam emails distributing Qakbot. The weaponized OneNote application can be delivered as an email attachment or downloaded through a link. The message within the email appears plain and innocuous, with only one-liners luring the recipient to click the link or open the attachment whilst labeling the matter as urgent. Interestingly, analysis from Sophos reveals the download link only targets Windows hosts by conducting a check on the host's user-agent string, "only browsers that transmit a Windows-computer’s User-Agent string in the query get the weaponized .one Notebook. All other User-Agent strings receive a 404 from the server hosting the malicious .one file."

The weaponized OneNote document is designed with a static image guiding the user to click an "Open" button to trigger an embedded, hta file retrieving Qakbot DLLs from a remote server and executing it with rundll32. The DLL files downloaded attempt to disguise themselves as image files using file extensions .jpeg and .png. Once executed, Qakbot injects itself into a running process as Sophos observed in their test machines, with Qakbot injecting itself into the Windows Assistive Technology manager, AtBroker.exe.

(3) Relentless Phishing from Gamaredon

Category: Threat Actor Activity | Sources: SCPC - UA & The Record

Russian state-sponsored threat group Gamaredon has been unrelenting in their phishing campaigns to distribute information-stealing malware against Ukrainian organizations. Two variants of the malware have been deployed, GammaLoad the PowerShell variant, and GammaSteel the .Net variant. Analysis from the State Special Communications Service of Ukraine (SSSCIP), identified all GammaLoad variants observed "are VBScript droppers, that use similar obfuscation techniques (base-64 encoding, text strings replaces) and are designed to abuse the trusted, signed system utilities (WMI, mshta.exe, wscript.exe, powershell.exe) in order to maintain persistence (through scheduled tasks creation, autorun registry keys modification) and download next-stage VBScript droppers from C2 servers. Each next stage downloaded payloads’ specialty is communication with a different C2 server."

Gamaredon's phishing campaigns often impersonate Ukrainian officials or leverage topics associated with the geopolitical situation. The infection chain begins from the execution of an attached archive file carrying a Windows shortcut (lnk) file to trigger a round of LOLBins executables to bring down GammaLoad or GammaSteel malware. The malware is used to steal user credentials, exfiltrate files, and take screenshots. Most of Gamaredon’s targets involve organizations in critical infrastructure, defense, security, law enforcement, and government. Gamaredon's activity is highlighted by a spokesperson from Ukrainian Computer Emergency Response Team (CERT-UA) stating that “Not a week went by that we didn’t detect some new mass phishing email campaign with Gamaredon malware.” At least 70 incidents were attributed to Gamaredon in 2022 by CERT-UA.

Grounding the Storm with Detections from the Forge

Category: Threat Actor Activity | Sources: Group-IB & Okta

If you are using Okta as your identity and access provider, it is crucial to monitor the system closely due to the level of access it manages. Threat actors are aware of the value of Okta credentials, especially the ‘Scatter Swine’ threat actor behind the ‘0ktapus‘ phishing campaign. A security advisory was released by Okta acknowledging the relentless phishing campaigns executed by the threat actor with Twilio and CloudFlare linked to Scatter Swine attacks. Having been capable of gathering 9,931 credentials, suspicious authentication activity should be monitored more closely. Sign-in activity can be tricky to monitor in the world of mobile and remote work environments, however, detections from the Anvilogic Forge can help bring clarity. We can enhance already suspicious sign-in threat identifiers with account modifications to help detect malicious activity. 

Anvilogic Forge Detection: Okta Suspicious Login then Account Manipulation

Want more? 

The Anvilogic Armory contains over 1,500 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.
- Sign-up to receive the Forge weekly threat report or see other reports
- Read more about the Forge’s approach to detections can help create an effective threat detection strategy

Chat with our team to receive a free maturity assessment

Get in Touch

Ready to learn more about Anvilogic?

Kickstart your security operations

Anvilogic provided the necessary threat detection automation for our small SOC, adding a significant force-multiplier advantage for my team.