Ankura CTIX FLASH Update - December 2, 2022
Previously Unreported Backdoor "Dolphin" Exfiltrates Data from Windows and Connected Mobile Devices
ESET researchers have published a new report on "Dolphin", a previously unreported backdoor that was first identified in April 2021. North Korean advanced persistent threat (APT) group ScarCruft (aka APT37 or Reaper) has been using the malware in highly targeted operations for over a year, often in conjunction with the backdoor "BLUELIGHT", which is used to launch Dolphin's Python loader. ScarCruft often targets South Korean military and government organizations, but also focuses on other Asian countries and on companies in other industries that align with North Korean interests. Dolphin has various spying capabilities, including "monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers." The malware also collects usernames, the computer name, local and external IP addresses, RAM size and usage, operating system version, installed security software, and more. Researchers noted that Dolphin is a C++ executable that uses Google Drive for command-and-control (C2) communication as well as to store exfiltrated data. It establishes persistence by modifying the Windows Registry and modifies the settings of its victims' signed-in Google and Gmail accounts in order to lower their security and maintain access. Dolphin's reach extends to any mobile device connected to the compromised host, which it accesses through the Windows Portable Device API. Dolphin continues to evolve and advance its capabilities; a technical deep dive and current indicators of compromise (IOCs) can be found in ESET's report linked below.
Threat Actor Activity
Threat Profile: Lilac Wolverine
A recent business email compromise (BEC) campaign has been observed in the wild, originating from a Nigerian threat organization. The group, tracked as Lilac Wolverine, is an up-and-coming threat group that has been targeting entities throughout the United States and Western Europe. Lilac Wolverine threat actors have been distributing phishing emails to upwards of fifty (50) corporate users in a single deployment, with targets drawn primarily from compromised contact lists. Lilac Wolverine stands out from other BEC groups due to the number of deployments per day and the varying combinations of attack tactics it uses, in addition to exploiting user accounts. Phishing scams observed from the Lilac Wolverine threat group are generally themed around emotionally significant topics including COVID-19, geopolitical conflict, medical illness, and more. One significant tactic this threat group uses is hiding the target email addresses in the blind carbon copy (BCC) field, making it difficult to track the number of users targeted in each campaign. The emails will often request that the recipient purchase gift cards to help a friend or family member in need. Going a step further, this threat group configures lookalike email accounts on popular email service providers (Gmail, Hotmail, etc.) in an attempt to bypass spam filters. CTIX urges readers to validate the integrity of all email communications before downloading attachments, visiting embedded links, or providing financial information, to lessen the risk of compromise.
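The three tells described above (the recipient missing from To/Cc because the lure was sent via BCC, a free-mail sender whose display name matches a known contact, and a gift-card request wrapped in an urgency or illness pretext) can be turned into a simple mailbox-side triage check. The following Python script is an added example, not code from Ankura or from the underlying report; the two sample messages, the contact list and the keyword lists are constructed for illustration.

```python
import email
from email import policy

# Constructed address book: display name -> the contact's real address.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example.org"}
# Providers the report names as hosts of lookalike accounts (set is an assumption).
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
LURE_TERMS = ("gift card", "itunes", "google play")
URGENCY_TERMS = ("urgent", "hospital", "covid", "surgery", "as soon as")

# Constructed sample 1: lookalike sender, BCC delivery, gift-card lure.
SAMPLE_BEC = """\
From: "Dana Reyes" <dana.reyes.office@gmail.com>
To: undisclosed-recipients:;
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Hi, I am at the hospital with a friend and need you to buy some gift cards
urgently. Send me the codes as soon as you see this.
"""

# Constructed sample 2: the real contact writing to a named recipient.
SAMPLE_LEGIT = """\
From: "Dana Reyes" <dana.reyes@example.org>
To: "Bob Lee" <bob@example.org>
Subject: Monday agenda
Content-Type: text/plain; charset="utf-8"

Hi Bob, the agenda for Monday's meeting is below.
"""


def visible_recipients(msg):
    """Lower-cased addr-specs that appear in To and Cc (BCC never does)."""
    addrs = set()
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            addrs.update(a.addr_spec.lower() for a in header.addresses)
    return addrs


def analyze(raw, delivered_to, known_contacts=KNOWN_CONTACTS):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The mailbox that received the mail is not named in To/Cc -> BCC mass-send.
    if delivered_to.lower() not in visible_recipients(msg):
        findings.append("recipient is absent from To/Cc: likely a BCC mass-send")

    # 2. Display name matches a known contact, but the address is a free-mail lookalike.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        real = known_contacts.get(addr.display_name.strip().lower())
        if real and addr.addr_spec.lower() != real and addr.domain.lower() in FREEMAIL_DOMAINS:
            findings.append(
                f"display name '{addr.display_name}' matches a known contact "
                f"but the sender is a free-mail lookalike: {addr.addr_spec}"
            )

    # 3. Gift-card request combined with an emotional/urgency pretext.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(t in body for t in LURE_TERMS) and any(t in body for t in URGENCY_TERMS):
        findings.append("gift-card request combined with an urgency or illness pretext")

    return findings


if __name__ == "__main__":
    for label, raw in (("BEC sample", SAMPLE_BEC), ("legit sample", SAMPLE_LEGIT)):
        print(label, "->", analyze(raw, "bob@example.org") or ["no findings"])
```

The BCC check is the interesting one: a BCC recipient never appears in the headers the recipient sees, so the only reliable signal is comparing the delivering mailbox (here passed in as `delivered_to`) against To/Cc. A single finding is weak on its own; in practice the three signals together are what justify quarantining the message for review.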
Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL
IBM has patched a first-of-its-kind cloud service provider (CSP) supply-chain attack vector impacting the IBM Cloud databases for PostgreSQL-as-a-service infrastructure. The flaw has been coined "Hell's Keychain" by researchers and, if successfully exploited, could allow attackers to escalate their privileges to superuser, make configuration changes, and execute arbitrary code. The vulnerability was identified and reported by security analysts from Wiz Research following a routine PostgreSQL-as-a-Service audit, who stated: "This is a first-of-a-kind supply-chain attack vector, showing how attackers might be able to leverage mistakes in the build process to take over the entire cloud environment." The vulnerability exists due to two (2) fundamental flaws in the design of the architecture. First, network access to sensitive internal build server infrastructure is overly permissive. Second, plaintext credentials scattered across the infrastructure expose three (3) secret keys which can be identified and collected by a threat actor. A Wiz researcher stated that they successfully exploited the vulnerability by combining the chain of secret keys with the overly permissive network link between the production environment of Wiz's own PostgreSQL instance and the IBM Cloud databases' build environment, allowing the researchers to gain access to IBM Cloud's internal build servers and manipulate artifacts within. Unfortunately, this cloud-based supply-chain attack vector is not limited to IBM and reveals a class of PostgreSQL vulnerabilities that affect most cloud vendors, including Microsoft Azure and Google Cloud. To prevent exploitation, administrators of IBM Cloud databases for PostgreSQL should ensure they are running the latest secure version of the infrastructure as well as exercising due care and due diligence through best practices.
Wiz CTO Ami Luttwak recommends passive scanning at each stage of the pipeline as well as considering "image signing verification via admission controllers to ensure these sorts of attacks are prevented entirely." A general best practice that isn't limited to IBM is imposing strict network controls between the public-facing environment and the organization's internal network. This novel type of vulnerability is likely to see an uptick in the future as threat actors around the world learn of this new cloud-based attack vector in supply chains. The CTIX team will continue to monitor and report this type of activity to our readers.
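The second root cause above, plaintext credentials scattered through build artifacts, is exactly what the recommended passive scanning at each pipeline stage is meant to catch. The Python scanner below is an added example written for this newsletter, not code from Wiz or IBM; the sample build files, the credential values in them and the keyword patterns are all constructed, and none of the values are real secrets. It reports assigned secrets and private-key material with the value redacted, skips templated references such as `${DB_PASSWORD}` that are resolved from a secret manager at deploy time, and attaches a Shannon-entropy score so obvious placeholders can be ranked below real-looking keys.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample artifacts standing in for files found on a build server.
# None of these values are real credentials.
SAMPLE_FILES = {
    "Dockerfile": "FROM postgres:14\nENV PGPASSWORD=Sup3rS3cretBuildPass!\nRUN apt-get update\n",
    "deploy.sh": '#!/bin/sh\nexport API_TOKEN="a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"\n'
                 'curl -H "Authorization: Bearer $API_TOKEN" https://build.internal/upload\n',
    "id_rsa.txt": "-----BEGIN OPENSSH PRIVATE KEY-----\n(sample base64 body omitted)\n",
    "README.md": "Set PGPASSWORD from the secret manager at deploy time; never commit it.\n",
    "config.yaml": "db:\n  host: db.internal\n  password: ${DB_PASSWORD}\n",
}

# Keyword-assignment and private-key patterns (a starting set, not exhaustive).
PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # KEY=value or key: value where KEY ends in a credential word; the value must be
    # at least 8 chars and must not start with '$', which skips ${VAR} template refs.
    ("assigned-secret", re.compile(
        r"(?i)\b[\w-]*(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*[\"']?([^\s\"'$]{8,})")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str      # first three characters of the matched value, rest masked
    entropy: float     # Shannon entropy in bits per character of the matched value


def shannon_entropy(s):
    """Bits per character; ~0 for 'aaaa', higher for random-looking strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    return value[:3] + "*" * max(len(value) - 3, 0)


def scan_text(path, text):
    """Scan one file's contents line by line and return a list of Findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            findings.append(Finding(path, line_no, kind, redact(value),
                                    round(shannon_entropy(value), 2)))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (e.g. everything checked into a build repo)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.redacted} entropy={f.entropy}")
```

Run as written, the scanner flags the Dockerfile `ENV` line, the exported token in `deploy.sh` and the private-key header, while leaving the README sentence and the templated YAML value alone. The redaction matters in a CI context: a scanner that prints the secret it found into a build log has just scattered one more plaintext copy of it.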