Episode 45: February 13 2023

February 13, 2023 Jim Guckin 27:0338.59M Comments Off

Contents

Links

TA866 Threat Group Selectively Targets U.S. and German Organizations

Attack
- The attack begins with a phishing email sent to the potential victim that likely uses thread hijacking and contains PDF documents laden with malicious URLs, Microsoft Publisher (.pub) attachments with malicious macros, or URLs pointing to malicious .pub files.
- When the URL is clicked or the macro inside the document is executed, the victim system gets compromised and the attack chain gets initiated.
- It downloads custom malware called Screenshotter and WasabiSeed on the victim’s machine.
  - The malware steals screenshots and Active Directory domain-related information from the victim’s machine and sends them to the attacker.
  - After manually scanning these details, the attacker also downloaded AHK Bot and Rhadamanthys Stealer in some cases.
Look Out for
- TA866 is believed to be working in the time zone UTC+2 or UCT+3,
- use of the Russian language for variable names and comments in malware code hint towards its Russian origin.
- The threat actor indulges in a multi-step attack chain that involves manual intervention.

Wentworth-Douglass Hospital.
- Garrison Women’s Health
- New Hampshire
- Feb 10th
4,158 Data Destroyed
- Not able to recover.
- No evidence was shown.
- Lost Data
  - Medical and/or treatment information (such as visits, procedures, tests, medical record number, diagnosis, medical history, genetic information, and various types of assessments, imaging, and results.
  - Coding claims and insurance/payment information for services.
  - Scheduling information for upcoming appointments.
Global Network Systems
- Hosting Provider
- aware of the issue on Dec. 12
- April 29, 2022, and Dec. 12, 2022, was subject to unauthorized third-party activity that rendered the information inaccessible
  - NO BACKUP!?

Pepsi Bottling Ventures LLC
- largest bottler of Pepsi-Cola beverages in the United States
- manufacturing, selling, and distributing popular brands.
- operates 18 bottling facilities across North and South Carolina, Virginia, Maryland, and Delaware.
Breach
- occurred on December 23, 2022
- discovered January 10th, 2023
  - 18 days later
- The last known date of unauthorized IT system access was January 19, 2023.
  - 9 more days
- installed malware, and downloaded certain information contained on the accessed IT systems.
Accessed Data
- Full name
- Home address
- Financial account information (including passwords, PINs, and access numbers)
- State and Federal government-issued ID numbers and driver’s license numbers
- ID cards
- Social Security Numbers (SSNs)
- Passport information
- Digital signatures
- Information related to benefits and employment (health insurance claims and medical history)
Remediation
- Monitoring
- Fixed Security measures
- reset all company passwords.
- informed the law enforcement authorities.

Tod Beardsley, director of research at Rapid7
- Blog article listing major vulnerabilities.
  - ONLYOFFICE, OpenKM, LogicalDOC, and Mayan
CVE-2022-47412
- ONLYOFFICE
- impact versions from 0 through 12.1.0.1760
- stored cross-site scripting (XSS)
  - exploited if an attacker can ensure a malicious document is saved in the DMS for indexing.
    - Allowing
      - steal session cookies to create new, privileged accounts or perform a browser session hook and secure access to stored documents.
CVE-2022-47413 and CVE-2022-47414
- OpenKM
- DMS version 6.3.12
- Vulnerabilities
  - XSS bug that requires a victim to save a malicious document.
  - attacker to have authenticated access to the OpenKM console. If they meet this condition, a stored XSS security flaw can be reached in the document ‘note’ function.
CVE-2022-47416
- LogicalDOC
- XSS in an in-app chat system
  - Only Enterprise Version
CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418
- LogicalDOC
  - LogicalDOC Community Edition and Enterprise, versions 8.7.3 and 8.8.2, respectively
Rapid7
- Contacted vendors and got no response