Malware Activity

Successful Ransomware Attack Against Microsoft 365's SharePoint Online Observed

Researchers have recently observed a successful ransomware attack against SharePoint Online (Microsoft 365). This attack was conducted through a Microsoft Global Software-as-a-Service (SaaS) administrator account and is currently speculated to have been conducted by the 0mega ransomware operation due to the account name, additional observables, and infrastructure that were created and used. 0mega launched in May 2022 and has been observed targeting organizations around the globe with double-extortion attacks. Few victims have been posted to the group's leak site and a sample of the ransomware has yet to be reviewed as of June 7, 2023. The researchers shared that the actor created a new Active Directory (AD) user called "Omega" with escalated privileges, which included Global Administrator, SharePoint Administrator, Exchange Administrator, Teams Administrator, and site collection administrator capabilities to various SharePoint collections and sites. It was noted that the actor also removed over 200 existing administrators in just a two (2) hour period. The observed attack exfiltrated files did not encrypt files on the victim machine and uploaded thousands of "PREVENT-LEAKAGE.txt" text files. This upload is believed to be for notifying the victim of the exfiltration that occurred and to provide a communication method for negotiating a ransom. Researchers stated that "the attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future," and emphasized that this type of attack will continue to occur because "there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products." CTIX analysts will continue to monitor for attacks against SharePoint Online as well as confirmation of the threat group responsible for the observed attack.

• Obsidian: SharePoint Online Attack Blog

• SecurityWeek: SharePoint Online Attack Article

• Help Net Security: SharePoint Online Attack Article

Threat Actor Activity

Threat Profile: Cadet Blizzard

Security researchers have uncovered a new threat group believed to be operating in relation to the Main Directorate of General Staff of the Russian Federation (GRU). The group is tracked as Cadet Blizzard and has already launched multiple campaigns since their foundation in January 2022, however, additional technical traces show activity attributed to the group in 2020. Cadet Blizzard actors leverage techniques such as conducting disruption, destruction, information gathering, and exfiltration through any means necessary. Cadet Blizzard attacks their target by first breaching their infrastructure, establishing a foothold within the target's network, and exfiltrating data prior to causing major disruptions to the target and their infrastructure. The group did undergo a brief hiatus in the middle of 2022 and has reemerged strongly since the start of 2023. Since their rebirth in 2023, attribution has shown more signs pointing to the Russian Federation. Several key factors that show linkage to the organization include the posting by a forum user, Free Civilian, of exfiltrated data gathered by Cadet Blizzard threat actors. Historically, Free Civilian is known for their attribution to Russia and the explicit targeting of individuals associated with Ukraine. In addition to the forum posting, Free Civilian also created a telegram channel containing stolen documents, also obtained by Cadet Blizzard, during the Russia-Ukraine conflict. Lastly, these threat actors utilize an arsenal of malicious tools and programs to deploy against their targets, most commonly used by WhisperGate. WhisperGate is a destructive program designed to cripple a target's Master Boot Record (MBR) and corrupt system files beyond repair. Cadet Blizzard continues to show their strength in the first half of 2023 and is likely to continue their crusade well into the remainder of the year. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

• The Record: Cadet Blizzard Article

• Microsoft: Cadet Blizzard Article

Vulnerabilities

Fortinet Patches the Actively Exploited Critical "XORtigate" Vulnerability Affecting FortiOS and FortiProxy

Industry-leading cybersecurity and network security solution provider Fortinet has patched an actively exploited critical vulnerability in their Fortigate SSL-VPN solutions that is being exploited by threat actors to conduct remote code execution (RCE). The flaw tracked as CVE-2023-27997 (CVSS of 9.2/10), has been dubbed "XORtigate" by researchers and is a pre-authentication heap-based buffer overflow vulnerability in every FortiOS and FortiProxy SSL-VPN appliance. Threat actors can exploit this flaw by sending maliciously crafted requests to vulnerable instances of FortiOS and FortiProxy, downloading a config file from the targeted devices, and adding a malicious "super_admin" user account named "fortigate-tech-support." The threat actors facilitating the campaign are targeting victims in government as well as the manufacturing and critical infrastructure sectors. Historically, Fortinet products are popular targets for hackers, and Shodan scans indicate that there are currently more than 500,000 Fortigate firewalls that are reachable from the internet. Although just last month Microsoft attributed the exploitation of an unknown zero-day flaw in public-facing instances of Fortinet's FortiGuard devices to a Chinese state-sponsored threat group named Volt Typhoon, Fortinet is hesitant to attribute the exploitation of XORtigate to the same threat actor at this time. Given the severity of the vulnerability coupled with its active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added XORtigate to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw by no later than July 4, 2023. The patch is available, and CTIX analysts recommend that any administrators managing Fortigate appliances install the updated software to prevent exploitation. If the patch cannot be immediately installed due to the negative effects that would have on critical processes, Fortinet has published some workaround mitigation techniques in their customer advisory. This matter is evolving in real-time, and CTIX may publish a future update in the event that further technical data or confirmed attribution to a known threat group is made.

• The Hacker News: XORtigate Article

• Rapid7: XORtigate Blog

• Fortiguard: XORtigate Advisory

• CISA: XORtigate KEV Advisory

Honorable Mention

Third Vulnerability in MOVEit Transfer Gets Patched

UPDATE: Progress Software shared on June 15, 2023, that a third flaw had been discovered in their MOVEit Transfer managed file transfer (MFT) software solution. The newly addressed critical vulnerability is another SQL injection flaw, tracked as CVE-2023-35708, with the potential to lead to escalated privileges and unauthorized access to victim environments. Progress has released security patches for all affected software versions and restricted HTTPS traffic for MOVEit Cloud. They have also urged customers to restrict all external HTTP and HTTPS access to their own MOVEit Transfer environments until patching is finalized, suggesting that firewall rules be modified to temporarily block traffic on ports 80 and 443 until those vulnerable servers have been patched. Researchers believe that this vulnerability is not a bypass of any previous vulnerability, stating that it has its own attack path. It again reaffirms the claims made by researchers that the design of file transfer platforms is fundamentally flawed and that patching single vulnerabilities will only defend organizations until threat actors are able to find another way to conduct the same type of exploitation. New findings for this campaign are being published weekly, and the Ankura CTIX team will continue to monitor the situation and inform our readers of new and interesting information.

• The Hacker News: MOVEit Transfer Article

• Bleeping Computer: MOVEit Transfer Article

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims.