Tag Archive for: attacker


FireEye researchers have just released details on a new threat group dubbed APT38, held accountable for the attempted theft of approximately $1.1 billion from financial institutions in several regions.

Also believed to have close ties to the North Korean regime and its illicit, financially motivated activities, the threat actor appears to differ from other well-known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The malicious tools employed show some similarities, suggesting the groups have access to the same developers or code repositories; their operations, targets and TTPs, however, have diverged over time.

At least 16 organizations in 11 countries have been targeted since the first known operation in 2014. In particular, attacks on SWIFT banking systems between 2016 and 2018 have reportedly been attributed to APT38, including targets of the calibre of Bangladesh Bank, Bancomext and Banco de Chile. According to FireEye, victims of additional heist attempts included financial governing bodies as well as media organizations within the financial sector. The heavy interest in the financial sector, FireEye explained in a detailed timeline, was likely a result of the economic sanctions enacted against North Korea over the years.

APT38 is believed to run large-scale, well-planned operations. The attack lifecycle is characterized by long-term planning and external and internal reconnaissance, with ongoing access to compromised victims’ systems. At least 26 non-public and two public malware families have been attributed to the group. Once the money heist is completed, the group destroys all evidence of the compromise to evade detection.

FireEye has warned of the seriousness of the risk posed by the group, which remains active; its operations are likely to continue with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security steps for SWIFT transactions to avoid falling victim to an attack.
  • Update IDS/IPS to take appropriate actions when triggering on the IOCs detailed in the report (IP address ranges).

FireEye Blog – Click Here

ATTACKER – Dark Tequila banking campaign hits Mexico

An active malicious financial campaign dubbed “Dark Tequila”, which has heavily targeted Mexico since at least 2013, was recently analyzed by Kaspersky Lab researchers. According to reports, the malware primarily aims at stealing sensitive information, including but not limited to financial data and login credentials for popular websites, domain registrars and file storage accounts.

Five operational modules have been identified by the researchers within the multistage payload, which is spread via spear phishing or infected USB devices. The supporting infrastructure reportedly proved to be “unusually sophisticated”, and the payload activates only if certain specific technical conditions are met. All stolen data is then encrypted and uploaded to the C2 server.

The campaign was judged to be aimed at Mexican institutions because the malware has a mechanism that uninstalls itself if the system is not in Mexico or the infected host is a “casual” (unintended) infection. The target list retrieved from the final payload also contained the names of several Mexican banking institutions, and some of the comments in the code were written in Spanish.

Proficio Threat Intelligence Recommendations:

  • Refrain from opening email from unknown senders or inserting USB keys of unknown origin.
  • Deploy a spam filter that detects malicious attachments.
  • Always make sure antivirus, software and operating systems are up to date.

General Information – Click Here

ATTACKER – Leafminer Expanding Operations to Target United States ICS Entities

In July 2018, Symantec detailed the threat actor Leafminer as having targeted a list of government organizations and business verticals in the Middle East since at least early 2017. The article also detailed several aspects of how the attacker attempted to breach targets. One method involved “file://” URLs embedded in websites used as watering holes, which prompted Windows users visiting the site to enter their SMB credentials. When a user provided input, the user’s NTLM hash was transmitted to the attackers to be cracked offline.
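As an added defensive example (not code from Symantec, Dragos or the original post), the following Python function scans fetched HTML for the kind of lure described above: `file://` URLs and UNC paths that point at hosts outside the organisation, which a Windows client would try to reach over SMB. The `.corp.example` suffix, the private-range list and the sample page are assumptions constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser

# file://host/share (any number of slashes) and raw UNC paths \\host\share
FILE_URL = re.compile(r"file:/{2,}([^/\\\s\"'<>)]+)", re.IGNORECASE)
UNC_PATH = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\")

# RFC 1918, loopback and link-local: references to these stay on the LAN
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


class _RefCollector(HTMLParser):
    """Gather attribute values and text nodes, the places a lure can hide."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)

    def handle_data(self, data):
        self.chunks.append(data)


def _is_internal(host, internal_suffixes):
    if re.fullmatch(r"[A-Za-z]:", host):   # file:///C:/... is a local drive
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                     # a hostname, not an IP literal
        return host.endswith(internal_suffixes)
    return any(addr in net for net in PRIVATE_NETS)


def external_smb_lures(html, internal_suffixes=(".corp.example",)):
    """Hosts referenced via file:// or UNC that lie outside the organisation.
    A Windows client rendering the page would attempt SMB, and with it NTLM
    authentication, against each of them."""
    collector = _RefCollector()
    collector.feed(html)
    hosts = set()
    for chunk in collector.chunks:
        hosts.update(m.group(1).lower() for m in FILE_URL.finditer(chunk))
        hosts.update(m.group(1).lower() for m in UNC_PATH.finditer(chunk))
    return sorted(h for h in hosts if not _is_internal(h, internal_suffixes))


# Constructed sample page: one local drive reference, one internal UNC path,
# and three references that would send NTLM authentication to outside hosts.
SAMPLE_PAGE = r"""<html><head>
<link rel="stylesheet" href="file:///C:/theme/local.css">
<style>body { background: url(file://lure.example.net/bg.png) }</style>
</head><body>
<a href="\\fileserver.corp.example\docs\policy.pdf">Policy</a>
<img src="file://203.0.113.10/share/logo.png" alt="">
<p>Archive: \\203.0.113.77\public\archive.zip</p>
</body></html>"""
```

Running `external_smb_lures(SAMPLE_PAGE)` returns the three outside hosts; the same check can be applied to proxy-captured pages or to mail bodies before delivery.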

The article also noted more traditional attack methods, including brute-force / dictionary attacks against public-facing services, EternalBlue for lateral movement, and common attack tools such as Mimikatz, PsExec, and THC Hydra.

After this article was released, Dragos, a cybersecurity vendor specializing in ICS incident response, reported that it had discovered Leafminer targeting US entities in the utility vertical. Dragos suggested that the threat actor uses embedded links that prompt for SMB credentials as well, indicating that US entities might experience future watering hole attacks similar to those seen in the Middle East. Dragos named this threat actor “RASPITE.”

Dragos stated in its blog that it has not seen any evidence that the attackers have gained the ability to infiltrate ICS systems once a foothold has been gained in a utility entity, but that the attackers are likely trying to gain access to organizations to prepare for a later ICS attack.

Proficio Threat Intelligence Recommendations:

  • Place two factor authentication on any public facing services where users authenticate.
  • Make sure Windows servers inside the network are up-to-date and patched, especially against ETERNALBLUE and other related recent SMB vulnerabilities.
  • Enforce password policies for Windows credentials such as complex passwords or periodic changes of passwords by users.

Symantec findings for Leafminer – Click Here

Dragos details on RASPITE – Click Here

Attacker: Corporate iPhones Attacked in MDM Campaign

This month, security organizations and researchers discovered an attack that abuses Apple’s popular and open source Mobile Device Management (MDM) system for iPhones. The MDM suite allows enterprises to conveniently deploy and manage employees’ iPhones remotely. The attackers in this campaign appear to have used social engineering to persuade unsuspecting users to enroll their iPhones in MDM. From there, the attackers used MDM to remotely deploy Trojan spyware applications. Furthermore, they remained undetected for the past three years while launching multiple successful attacks against targeted corporate employees in India.

The attackers, who are also believed to be operating within India, were able to coax their victims into installing unverified certificates for MDM. The unverified certificates used deceptive naming conventions such as hxxp://ios-certificate-update[.]com and allowed unchecked administrative privileges once installed. Following the initial compromise, the attacker was able to deploy the Trojan spyware applications to the affected users’ mobile devices. While the applications appeared to be legitimate software, such as Telegram or WhatsApp, they were in fact modified versions of the legitimate software, which granted the attackers access to the target’s photos, contacts, real-time location, SMS messages, and application chat logs.

Proficio Threat Intelligence Recommendations:

  • Assess the authenticity of the MDM certificates currently in use by your mobile fleet. Apple has already revoked several certificates linked to this malicious MDM campaign, but there are likely other malicious certificates that have yet to be revoked.
  • As MDM becomes more popular with large organizations, users should be made aware that installing additional certificates on their mobile devices may allow unauthorized and/or malicious remote management activity.
  • Update IDS/IPS devices to block certificates from, and/or traffic towards, the following malicious servers identified thus far: Ios-certificate-update[.]com; www[.]wpitcher[.]com; techwach[.]com; and voguextra[.]com.
  • Update IDS/IPS devices to take appropriate actions when observing the following malicious application hashes: 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa.

General Information – Click Here

ATTACKER: Actors Behind Blackgear Campaign Update C2 Methods

On July 17th, Trend Micro reported new activity from the actors behind the Blackgear campaign. Blackgear is an ongoing targeted attack against organizations mainly in Japan, South Korea, and Taiwan. It has been active since at least 2008, when Protux, a malware family used in the Blackgear campaign, was discovered in spear phishing emails against Tibetan activists. The campaign mainly relies on spear phishing for delivery and multiple stages of malware (binder, downloader, backdoor) for infection.

In the most recent Trend Micro report, the malware used by the actors behind Blackgear (Protux and Marade) was found to have advanced its command-and-control method by downloading its configuration from posts on legitimate social media sites. Trend Micro’s article included screenshots of Facebook posts containing strings disguised as magnet links that actually carried the command-and-control data; the magnet-link disguise is meant to avoid antivirus detection. Once the fake magnet link is retrieved, the malware decrypts the string to recover its command-and-control configuration.
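As an added detection example (not Trend Micro’s code or anything from the original post), the following Python checks whether a magnet-looking string is structurally a real BitTorrent magnet link: the `xt` parameter must carry a `urn:btih:` SHA-1 info-hash of 40 hex or 32 base32 characters, and the remaining parameters must be ones the magnet scheme defines. Strings that fail these checks are candidates for smuggled configuration like the posts described above. The sample posts and the 128-character value ceiling are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# A genuine BitTorrent exact-topic is urn:btih: followed by a 40-char hex
# or 32-char base32 SHA-1 info-hash; nothing else fits in that slot.
BTIH_HEX = re.compile(r"[0-9a-fA-F]{40}")
BTIH_B32 = re.compile(r"[A-Z2-7]{32}")
# Parameters defined for magnet URIs; anything else is a place to hide data
KNOWN_PARAMS = {"xt", "dn", "tr", "xl", "ws", "as", "xs", "kt", "mt", "so", "x.pe"}
MAX_VALUE_LEN = 128   # assumed ceiling; real dn/tr values are far shorter


def magnet_anomalies(link):
    """Return the reasons a magnet-looking string does not parse as a real
    magnet link. An empty list means it is structurally sound."""
    reasons = []
    if not link.lower().startswith("magnet:?"):
        return ["missing magnet:? prefix"]
    params = parse_qs(link[len("magnet:?"):], keep_blank_values=True)
    xts = params.get("xt", [])
    if not xts:
        reasons.append("no xt (exact topic) parameter")
    for xt in xts:
        if not xt.lower().startswith("urn:btih:"):
            reasons.append("xt is not a BitTorrent info-hash URN")
            continue
        digest = xt[len("urn:btih:"):]
        if not (BTIH_HEX.fullmatch(digest) or BTIH_B32.fullmatch(digest)):
            reasons.append(f"btih is not 40-hex/32-base32 ({len(digest)} chars)")
    for name, values in params.items():
        if name not in KNOWN_PARAMS:
            reasons.append(f"unknown parameter {name!r}")
        if any(len(v) > MAX_VALUE_LEN for v in values):
            reasons.append(f"oversized value in {name!r}")
    return reasons


def flag_posts(posts):
    """Map each post index to its anomalies, keeping only suspicious posts."""
    flagged = {}
    for i, post in enumerate(posts):
        reasons = magnet_anomalies(post)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed samples: a well-formed magnet link, then two strings that wear
# the magnet costume but carry opaque data where a real link would not.
SAMPLE_POSTS = [
    "magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a"
    "&dn=linux-distro.iso&tr=udp%3A%2F%2Ftracker.example%3A6969",
    # 64 hex chars in the btih slot: too long for a SHA-1 info-hash
    "magnet:?xt=urn:btih:" + "0123456789abcdef" * 4 + "&dn=update",
    # valid btih, but an undefined parameter carrying a long blob
    "magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a"
    "&dn=movie&cf=" + "QUJDRA" * 30,
]
```

`flag_posts(SAMPLE_POSTS)` flags posts 1 and 2 and leaves the genuine link alone; the same check can run over proxy logs of social-media page content.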

Trend Micro also published the command interface used to control a host infected with Protux. The tool appeared to offer several capabilities on the remote host, including screen capture, shell access, and access to the registry, process and service configuration of the system.

Trend Micro also gave details of sample phishing emails used in the attack chain. At least one phish required the user to enable macros in an Excel file, after which infection proceeded via VBScript.

Proficio Threat Intelligence Recommendations:

  • Train users not to enable any type of Microsoft Office Macros delivered in email attachments.
  • Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.
  • Make sure all systems from which users access email have up-to-date endpoint security controls.
  • In your Windows GPO (group policy), set the policy to disable running macros from files from the internet.

Trend Micro latest entry on Blackgear Campaign – Click Here

Attacker: Xenotime and Trisis ICS Attacks

Dragos, an information security consulting firm specializing in industrial control system (ICS) security, reported that the threat actor known as “Xenotime” has expanded its ICS compromise activity beyond the Middle East. In late 2017, FireEye and Dragos reported that a threat actor had deployed TRISIS malware against a Middle East oil company. The attack resulted in a complete shutdown of the oil and gas facility. Forensics revealed that the malware had targeted the safety instrumentation system (SIS) component of a Schneider Electric Triconex system present within the facility.

Safety instrumentation systems are responsible for taking action in critical situations within industrial control systems; they may be responsible for opening and closing valves or for other types of safety functions. Failure of an SIS may result in loss of life or disruption of a facility’s operation. This threat actor is suspected to be state sponsored and was attempting to engineer an attack that could be used to cause physical damage in the event of a political conflict. The new revelation from Dragos indicates that the same party that targeted the Middle East company has now expanded its presence to multiple regions around the world, targeting multiple types of ICS environments. This is a very alarming issue, since this threat actor is actively attempting intrusions with the intent of causing physical damage to ICS systems, which may result in loss of life or major disruption of critical industrial facilities.

Proficio Threat Intelligence Recommendations:

  • Validate that an ICS monitoring solution is in place.
  • Develop special focused monitoring use cases around assets within ICS networks.
  • Monitor for vulnerability advisories from your ICS vendors.

General Info – Click Here

Attack: AWS Route 53 Hijack

In late April, a complex attack on core internet infrastructure redirected users of the MyEtherWallet.com website to a phishing site.

The incident has been described as a BGP (Border Gateway Protocol) “leak” that allowed the attackers to wrongly announce IP address space owned by Amazon’s Route 53 managed DNS service. The hackers were able to hijack DNS entries after executing a BGP route hijack that redirected entire swaths of internet traffic meant for Amazon servers to systems they controlled. Attackers acquired over $150,000 from the site because users ignored an HTTPS browser warning stating that the site was using a self-signed TLS certificate.

Some of the hijacked traffic was used by the MyEtherWallet.com internal team. Because of this discrepancy, attackers were able to point name resolution for the MyEtherWallet.com domain to an IP address located in Russia, where they hosted a fake version of the MyEtherWallet.com website that logged private keys. Users who logged into their account could have had their credentials compromised, and users who were already signed in would have transmitted login information through cookies. Once credentials had been compromised, attackers were able to log in and steal Ethereum from victims’ wallets. It was reported that the DNS servers were hijacked at 12pm UTC on April 25th, and the redirects appear to have lasted approximately 2 hours. The incident highlighted a well-known weakness in core Internet infrastructure.

Proficio Threat Intelligence Recommendations:

  • Do not input personal information into sites using self-signed TLS certificates.
  • Block traffic from IP addresses geo-located in Russia

General Information – Click Here

Attacker: Grizzly Steppe

Russian state-sponsored cyber actors appear to be performing worldwide cyber exploitation of enterprise-class and SOHO/residential network infrastructure devices (e.g., routers, switches, firewalls, and Network-based Intrusion Detection System (NIDS) devices). This campaign, particularly its choice of protocols and devices, appears to overlap with earlier reports detailing the vulnerability CVE-2018-0171, as well as reports detailing cyber attacks on network infrastructure utilizing vulnerabilities in Smart Install (SMI).

This attack attempted to exploit vulnerabilities in routers and switches in order to advance spying, intellectual property theft and other malicious activity. It is feared that the exploited routers could be used to launch future offensive cyber operations.

Note that Russian cyber actors do not actually need to leverage zero-day vulnerabilities or install malware to exploit these devices. They take advantage of the following older, existing weaknesses:

  • Devices with legacy unencrypted protocols or unauthenticated services
  • Devices that are insufficiently hardened before installation
  • Devices that are no longer supported with security patches by manufacturers or vendors such as end-of-life devices

Affected Systems:

  • Generic Routing Encapsulation Enabled Devices
  • CISCO Smart Install Enabled Devices
  • Simple Network Management Protocol Enabled Devices

Proficio Threat Intelligence Recommendations:

  • Regularly inspect firewall policies that leave Cisco Smart Install (TCP 4786) open to the internet and make sure they allow only the IP ranges required for the connection
  • Regularly inspect firewall policies that leave telnet open to the internet and close that access
  • Mitigate the risks of compromised credentials by utilizing multi-factor authentication and strong password policies for all accounts, with special emphasis on any external-facing interfaces and high-risk environments
  • Restrict internet access to the management interface of any network device
  • Configure network devices before installing onto a network exposed to the internet. If SMI must be used during installation, disable SMI with the “no vstack” command before placing the device into operation
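As an added example (not from the original post or any vendor), the following Python implements the firewall-policy review the recommendations above call for: it walks accepted-flow log lines and reports internet-sourced connections into Smart Install (TCP 4786), telnet, SNMP and GRE, the services the affected-systems list names. The iptables-style log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Management-plane services the Grizzly Steppe reporting calls out.
# Key is (protocol, destination port); GRE has no port and is matched by name.
EXPOSED_SERVICES = {
    ("tcp", 4786): "Cisco Smart Install",
    ("tcp", 23): "Telnet",
    ("udp", 161): "SNMP",
}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed iptables-style fields; DPT is absent for GRE
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)(?:\s+DPT=(?P<dpt>\d+))?")


def _from_internet(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def exposed_mgmt_flows(lines):
    """Accepted flows from non-RFC1918 sources into management-plane services.
    Each finding is (source, destination, service)."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "ACCEPT" not in line:
            continue
        proto = m["proto"].lower()
        if proto == "gre":
            service = "GRE tunnel"
        else:
            service = EXPOSED_SERVICES.get((proto, int(m["dpt"] or 0)))
        if service and _from_internet(m["src"]):
            findings.append((m["src"], m["dst"], service))
    return findings


def devices_to_review(findings):
    """Collapse findings into {device: sorted services}, the starting list
    for tightening firewall policy or disabling the service on the device."""
    summary = {}
    for _, dst, service in findings:
        summary.setdefault(dst, set()).add(service)
    return {dst: sorted(s) for dst, s in summary.items()}


# Constructed sample: accepted and dropped flows seen by an edge firewall
SAMPLE_LOG = [
    "Apr 16 10:01:02 edge kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=4786",
    "Apr 16 10:01:05 edge kernel: ACCEPT IN=eth1 SRC=10.1.1.4 DST=10.0.0.5 PROTO=TCP DPT=4786",
    "Apr 16 10:01:09 edge kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Apr 16 10:02:11 edge kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.6 PROTO=UDP DPT=161",
    "Apr 16 10:02:15 edge kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.6 PROTO=GRE",
    "Apr 16 10:03:40 edge kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.7 PROTO=TCP DPT=23",
    "Apr 16 10:03:41 edge kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.7 PROTO=TCP DPT=23",
]
```

`devices_to_review(exposed_mgmt_flows(SAMPLE_LOG))` yields three devices with internet-reachable Smart Install, SNMP/GRE and telnet respectively; the internal 4786 flow and the dropped telnet attempt are not reported.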

General Information – Click Here

Attacker: Actor – Mabna Institute / Silent Librarian

The Mabna Institute, also known as the threat actor “Silent Librarian” (PhishLabs), is a group of nine Iranian citizens who have been charged over a computer hacking campaign. The campaign compromised various targets, such as US and foreign universities, private companies, and US government entities. Several specific targets were identified by PhishLabs and the FBI, including the US Department of Labor, the Federal Energy Regulatory Commission, the Los Alamos National Laboratory, and the Memorial Sloan Kettering Cancer Center. According to the FBI, the campaign has been ongoing for about four years and has compromised 144 US-based universities and 176 foreign universities. According to PhishLabs, the tactics of the phishing campaigns used to compromise these entities barely changed over time. Targeted users were sent emails stating that their library account was expiring. The users were then directed to a link that redirected to a phishing page requesting a username and password.

Proficio Threat Intelligence Recommendations:

  • User phishing training usually helps mitigate the risk of users falling for basic phishing campaigns.

PhishLabs technical analysis of the campaign – Click Here

FBI release on individuals wanted – Click Here

Attacker: Actor – TEMP.Periscope / Leviathan

The threat actor TEMP.Periscope (FireEye) / Leviathan (Proofpoint) has been observed running targeted spear phishing campaigns against maritime and engineering targets. The threat actors appear to be tied to Chinese espionage. The TTPs of this threat actor are what is normally expected from a state-sponsored threat actor. Some of the interesting tools used include “LUNCHMONEY” (FireEye), a utility used to exfiltrate data to Dropbox, and BLACKCOFFEE (FireEye), a tool that uses obfuscated data placed on Microsoft TechNet pages as its command and control channel.

Technical analysis of TTPs used by TEMP.Periscope – https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Info on spear phishing campaigns attributed to Leviathan – https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

Proficio Threat Intelligence Recommendations:

  • If the capability is available, ban the hashes of the IOCs identified by FireEye from running in your organization.
  • Consider banning certain cloud storage, such as Dropbox, if it does not have a business case within the organization.