Links:
https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/
https://threatpost.com/elusive-toddycat-apt-targets-microsoft-exchange-servers/180031/
https://itsecuritywire.com/quick-bytes/elusive-toddycat-apt-targets-microsoft-exchange-servers/
https://threatpost.com/mitel-voip-bug-exploited/180079/
https://threatpost.com/fancy-bear-nuke-threat-lure/180056/

Show Notes:

Voicemail Scam Steals Microsoft Credentials

• Attack detected since May
  • targeting a number of key vertical markets in the U.S
    • software security, the military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain
  • impersonates the organization and Microsoft to lift Office365 and Outlook log-in details.
    • still effective but less often used lure to steal credentials
      • by sending emails notifying potential victims that they have a voicemail message
      • if it isn’t broke, don’t fix it
    • Both the emails and the credential-stealing page appear to be coming from legitimate entities
  • How the Attack Works
    • one part of the campaign that does set it apart from similar attacks
      • more research and effort as the attacks are customized for each target
    • victims with an email that informs them that they have a new voicemail in a message that appears to be coming from the targeted organization
      • They use an address in the “From” field that mimics the targeted organization’s name as well as logo branding on the mail itself to appear legitimate.
    • The messages include an HTML attachment that (red flag)
      • when opened redirects the user to a credential-phishing site that also appears to be the real deal by mimicking Microsoft’s own log-in page.
    • Attackers use a consistent format for the URLs used in the redirect process
      • They include the name of the targeted organization
      • the email address of the targeted individual
        • company.theirdomain[.]com/<base64_encoded_email>
      • The phishing site even uses Google’s reCAPTCHA technique
        • requiring targets to prove they are “not a robot” by identifying objects in photos
        • lends more credibility to the experience.
      • Once through on the CAPTCHA
        • They are redirected to legitimate-looking Microsoft Office 365 sign-in page
      • to enter credentials on a site controlled by attackers
    • Avoiding Credential Theft
      • recommend that organizations reiterate secure email practices with their employees
        • to ensure that they’re not giving up their credentials to attackers.
      • users should not open attachments in emails sent from untrusted or unknown sources,
      • users should verify the URL in the address bar of the browser before entering any credentials
      • organizations should train employees on how to spot and report phishing attacks
        • as well as how to check the browser’s URL bar to ensure the website where they are entering credentials is legitimate
        • use multi-factor authentication so even if employees do give up credentials, there is an extra safeguard to keep attackers off the corporate network

ToddyCat APT Targets Microsoft Exchange Servers

• ToddyCat
  • An advanced persistent threat (APT) group
    • relatively new APT
    • little information about this actor
  • behind a series of attacks targeting Microsoft Exchange servers of high-profile government and military installations in Asia and Europe.
• The campaigns
  • First Wave: December 2020 and February 2021
  • the limited number of servers in Taiwan and Vietnam.
  • The first wave of attacks exclusively targeted Microsoft Exchange Servers
    • were compromised with Samurai
      • Sophisticated passive backdoor that usually works on ports 80 and 443
      • was a part of a multi-stage infection chain initiated by the infamous China Chopper and relies on web shells to drop exploits on the selected exchange server in Taiwan and Vietnam
    • Second Wave: February 2021 and May 2021
      • began abusing the ProxyLogon vulnerability to target organizations in multiple countries
      • added: Iran, India, Malaysia, Slovakia, Russia and the United Kingdom.
      • Now utilize two passive backdoors within the Exchange Server environment
        • Samurai and Ninja
          • Samurai backdoor lays the path to launch another malicious program called Ninja
          • used by the APT to take complete control of the victim’s hardware
            • possibly gives them lateral access to network
            • arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network
          • Third Wave: After May 2021,
            • added military and government organizations
              • based in Indonesia, Uzbekistan and Kyrgyzstan.
            • expanded to desktop systems while previously the scope was limited to Microsoft Exchange Servers only.
          • Attack Sequence
            • deployment of the China Chopper web shell
              • allows the dropper to execute and install the components and create multiple registry keys.
              • forces “svchost” to load a malicious library “iiswmi.dll”
              • performs its action to invoke the third stage where a “.Net loader” executes and opens the Samurai backdoor.
                • is hard to detect during the reverse engineering process as it “switch cases to jump between instructions, thus flattening the control flow” and uses obfuscation techniques.
              • advanced tool Ninja was implemented by Samurai to coordinate and collaborate multiple operators to work simultaneously on the same machine.
                • allowing an attacker to “control remote systems, avoid detection and penetrate deep inside a targeted network”.
              • Ninja shares similarities with the other post-exploitation toolkit like Cobalt strike in terms of capabilities and features.
                • control the HTTP indicators and camouflage malicious traffic in HTTP requests that appear legitimate by modifying HTTP header and URL paths
              • That’s Not All
                • China-based hackers are targeting victims of the ToddyCat APT gang within the same time frame.
                  • Chinese-language hackers use an Exchange backdoor called FunnyDream.
                    • researchers observed the same targets compromised by both APTs in three different countries.
                    • in all the cases there was a proximity in the staging locations and in one case they used the same directory
                  • Security researchers do not have any concrete proof that shows the linkage between the two malware families.

Mitel VoIP Bug Exploited in Ransomware Attacks

• Ransomware groups are using a novel remote code execution exploit to gain initial access to victim’s environments.
  • abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application
  • using it as a springboard plant malware on targeted systems.
• The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499,
  • was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.
  • Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.
  • Mitel MiVoice appliances SA 100, SA 400 and Virtual SA
• Mitel
  • Popular known for providing business phone systems and unified communication as a service (UCaaS)
• Bug Exploited to Plant Ransomware
  • The exploit involves two GET requests. The first one targets a “get_url” parameter of a PHP file and the second one originates from the device itself.
    • “This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.
    • The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.
  • According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.
  • Once the reverse shell was established, the attacker created a web shell named “pdf_import.php”.
    • The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from.
  • The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.
  • Researchers also identified anti-forensic techniques performed by the threat actors to conceal the activity.
  • “Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.
• Vulnerable Mitel Devices on Shodan
  • security researcher Kevin Beaumont shared a string to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.
  • According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, seconded by the United Kingdom.
• Mitel Mitigation Recommendations
  • recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity.
  • segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.
  • Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant

Fancy Bear Uses Nuke Threat to Exploit 1-Click Bug

• Fancy Bear
  • Russia-linked APT (aka APT28, Strontium and Sofacy)
  • The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.
  • linked in attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.
• Attack
  • pairing a known Microsoft flaw with a malicious document to load malware
    • that nabs credentials from Chrome, Firefox and Edge browsers.
  • phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw
  • The attacks by the are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence
• Follina (CVE-2022-30190)
  • first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.
  • The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.
  • Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.
• On June 20, Malwarebytes researchers first observed the weaponized document
  • which downloads and executes a .Net stealer first reported by Google.
  • Google’s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.
  • The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.
• Bear on the Loose
  • CERT-UA identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks
    • in parallel with the invasion by Russian troops that began in late February.

• The threat of Nuclear Attack
  • campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat”
    • in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict
    • The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.
    • The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file
      • http://kitten-268[.]frge[.]io/article[.]html.
    • The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme
    • The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine.
    • While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not
      • The recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands
    • The stealer’s main purpose is to steal data
      • including website credentials such as username, password and URL–from several popular browsers, including Google Chrome, Microsoft Edge and Firefox.
    • The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain
      • the old variant of this stealer
        • connected to mail[.]sartoc.com
          • 208.77.68
        • new variant
          • uses the same method
          • different domain
            • specialityllc[.]com.
        • both are located in Dubai.
          • the websites most likely have nothing to do with FuzzyBear
            • simply taking advantage of abandoned or vulnerable sites