
Ankura CTIX FLASH Update - November 1, 2022

Ransomware/Malware Activity

Two New Reports Published on the LODEINFO Malware Targeting Japanese Organizations

Kaspersky researchers have recently published two (2) reports on their observations of APT10, the Chinese hacking group also tracked as Cicada, abusing antivirus software to target Japanese organizations with a new version of the "LODEINFO" malware. LODEINFO is a sophisticated fileless backdoor that is regularly updated and is aimed at think tanks as well as media, governmental, diplomatic, and public sector organizations in Japan. The researchers first discussed their observations from March and June of 2022, when APT10 attacks in Japan used a Microsoft Word file as the initial infection vector and later a self-extracting (SFX) archive whose decoy document carried the name of a famous Japanese politician in its filename. During this period, a new downloader shellcode called "DOWNNIISSA" was observed deploying the LODEINFO backdoor. Between March and June of 2022, the backdoor shellcode went through multiple versions with a series of improvements, including encryption of command-and-control (C2) communications with what Kaspersky describes as an "ancient crypto algorithm," 2-byte obfuscation of the backdoor command identifiers, and API hashing, which lets the backdoor resolve the Windows API functions it needs from hashes rather than importing them by name. Further improvements include an evasion check for US environments, generation of user agents for C2 communications, a command for injecting 64-bit shellcode in memory, and a reduced set of backdoor commands to make the backdoor more efficient. Kaspersky researchers also noted that versions v0.6.6 and v0.6.7 were observed in September 2022 using new tactics, techniques, and procedures (TTPs), which are detailed at a high level in the conclusion of the second report. Technical details as well as indicators of compromise (IOCs) can be viewed in Kaspersky's two (2) reports linked below.
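The "hashing algorithm to gain API functionality" mentioned above is API hashing, a standard shellcode technique. The Python below is an added illustration, not code from Kaspersky's reports or from LODEINFO itself: the ROR-13 hash, the export list and the sample constants are constructed stand-ins, and LODEINFO's real algorithm and constants are not reproduced here. It shows both sides of the trick, the loader resolving a function from its hash and an analyst building the reverse table that maps hashes lifted from a sample back to API names.

```python
"""Added example: API hashing as used by shellcode loaders, and its reversal.

Illustration code only. The hash function, the export list and the constants
below are constructed for the example and are not LODEINFO's."""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Hypothetical shellcode-style hash: rotate-right-13 then add each byte.
    A real sample carries its own constants; the mechanics are the same."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed stand-in for a module's export name table (what a loader would
# read from the PE export directory of kernel32.dll already mapped in memory).
KERNEL32_EXPORTS: List[str] = [
    "CreateFileW", "CreateRemoteThread", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
]


def resolve_by_hash(exports: Iterable[str], wanted: int) -> Optional[str]:
    """Malware side: walk the export table and return the name whose hash
    matches. The binary only has to carry the 4-byte hash, so string scanning
    and import-table inspection show no API names."""
    for name in exports:
        if api_hash(name) == wanted:
            return name
    return None


def build_lookup(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for every export of interest,
    then map the constants pulled from a disassembly back to API names."""
    return {api_hash(name): name for name in exports}


def deobfuscate(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Label each constant; unknown hashes are kept visible for follow-up."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


if __name__ == "__main__":
    table = build_lookup(KERNEL32_EXPORTS)
    # Constants an analyst might lift from a sample (constructed here).
    sample_constants = [api_hash("VirtualAlloc"), api_hash("CreateRemoteThread"), 0xDEADBEEF]
    for value, api_name in zip(sample_constants, deobfuscate(sample_constants, table)):
        print(f"{value:08x} -> {api_name}")
```

The reverse table is the idea behind the API-hash databases that analysis tooling ships with: once the hash routine has been identified in a sample, every export of every common system DLL is hashed with it, and the constants in the disassembly become readable names again.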

Threat Actor Activity

Threat Profile: Cranefly

An emerging threat group tracked as Cranefly, also known as UNC3524, has been observed using new techniques, tools, and scripts in its active campaigns. Cranefly focuses on organizations involved in corporate development, mergers & acquisitions, and large corporate transactions. Stealth is Cranefly's preferred approach: the group hides within the victim network by deploying several backdoors on appliances that typically do not run endpoint security, such as load balancers and wireless access point controllers. Recently, the group began targeting employees who are heavily involved in major corporate transactions, specifically with the "Geppei" dropper and the "Danfuan" malware. The Geppei dropper sets the stage for the attack, allowing the Danfuan malware and other threat actor payloads to be deployed onto the compromised system. The dropper communicates stealthily by reading its commands from Internet Information Services (IIS) log files: Cranefly's command-and-control (C2) servers send requests to the compromised web server that look like harmless web traffic, and because IIS logs every request it receives, the dropper can recover the embedded commands from the log without maintaining a conventional C2 connection. No data has been observed being exfiltrated from victim infrastructure, leading researchers to believe that Cranefly's primary motive is intelligence gathering. CTIX continues to monitor threat actor activity worldwide and will provide updates accordingly.
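The log-based command channel described above is worth seeing as detection logic. The Python below is an added example, not Symantec's or Ankura's code: it parses constructed IIS W3C extended log lines and flags requests that look like planted commands. The MARKERS delimiters, the COMMAND_KEYWORDS list and the log entries are placeholders invented for this example; a real hunt would substitute the indicators published for the campaign.

```python
"""Added example: hunting for C2 commands smuggled into IIS W3C logs.

Illustration code only. MARKERS, COMMAND_KEYWORDS and SAMPLE_LOG are
constructed placeholders, not indicators from the Cranefly reporting."""
import math
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

MARKERS = ("BEGINCMD", "ENDCMD")          # placeholder delimiters the implant would scan for
COMMAND_KEYWORDS = ("cmd.exe", "powershell", "rundll32", "certutil", "/c ")
MAX_QUERY_LEN = 256                       # longer queries get an entropy check

# Constructed W3C extended format sample, not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 11:02:13 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2022-10-28 11:02:20 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 4
2022-10-28 11:03:01 10.0.0.5 GET /default.aspx BEGINCMDwhoami+/allENDCMD 443 - 198.51.100.23 Mozilla/5.0 404 0 2 3
2022-10-28 11:04:44 10.0.0.5 GET /search id=42 443 - 203.0.113.9 Mozilla/5.0 200 0 0 9
2022-10-28 11:05:10 10.0.0.5 POST /upload.aspx run=cmd.exe+/c+dir 443 - 198.51.100.23 Mozilla/5.0 200 0 0 11
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended format. Column names come from the #Fields directive,
    which IIS rewrites whenever the field set changes, so never hard-code them."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        records.append(dict(zip(fields, values)))
    return records


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_reasons(rec: Dict[str, str]) -> List[str]:
    """Return the rules one request trips; an empty list means benign."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    raw = stem + ("?" + query if query != "-" else "")
    decoded = unquote_plus(raw).lower()   # IIS keeps '+' and %xx as the client sent them
    reasons: List[str] = []
    if all(marker in raw for marker in MARKERS):
        reasons.append("marker-delimited command")
    if any(keyword in decoded for keyword in COMMAND_KEYWORDS):
        reasons.append("command-like keyword in request")
    if query != "-" and len(query) > MAX_QUERY_LEN and shannon_entropy(query) > 4.5:
        reasons.append("long high-entropy query")
    if reasons and rec.get("sc-status") == "404":
        # The page need not exist: the log entry, not the response, is the channel.
        reasons.append("served 404")
    return reasons


def extract_command(rec: Dict[str, str]) -> str:
    """Recover the text between the markers, as the implant would."""
    query = rec.get("cs-uri-query", "")
    start = query.find(MARKERS[0])
    end = query.find(MARKERS[1], start + len(MARKERS[0])) if start >= 0 else -1
    if start < 0 or end < 0:
        return ""
    return unquote_plus(query[start + len(MARKERS[0]):end])


def hunt(text: str) -> List[Tuple[str, List[str]]]:
    hits: List[Tuple[str, List[str]]] = []
    for rec in parse_iis_log(text):
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append((f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-uri-stem']}", reasons))
    return hits


if __name__ == "__main__":
    for where, why in hunt(SAMPLE_LOG):
        print(where, "->", ", ".join(why))
```

Because the implant reads the log file rather than the HTTP response, the planted request can target a page that does not exist, which is why a 404 on a request that already trips another rule is treated as confirming rather than exonerating. A complementary control on the host is to alert on any process other than IIS itself opening files under the IIS log directory.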

Vulnerabilities

ConnectWise Patches Critical RCE Vulnerability Impacting Thousands of Users Across the Globe

IT solution provider ConnectWise has patched a critical remote code execution (RCE) vulnerability in its ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions. If successfully exploited, threat actors could execute arbitrary code within the vulnerable environment and pilfer sensitive information. The flaw is described as an Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerability (CWE-74). This class of vulnerability occurs when the affected software builds a command from external, user-supplied input received from an upstream component but fails to neutralize the special elements in that input, so characters that the downstream component treats as syntax change how the command is parsed and interpreted when it is passed on. The R1Soft SBM backup solution is widely used by cloud hosting providers and managed service providers (MSPs), so a single vulnerable server can expose many downstream customer environments. According to a Shodan scan, more than 4,800 R1Soft servers are exposed to the internet and may be vulnerable to attack if they have not been patched. CTIX analysts recommend that ConnectWise Recover users confirm their SBM instances have been automatically updated to v2.9.9, and that R1Soft users upgrade to SBM v6.16.4 immediately.
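To make the CWE-74 description concrete, the Python below is an added example, not ConnectWise or R1Soft code, and it does not reproduce the actual flaw. It models a hypothetical backup manager (the tool name restore-tool and its flags are invented) that passes a client-supplied snapshot name to a downstream shell: first without neutralization, then with the value allow-listed and passed as argv, and finally with shlex.quote for the case where a shell string cannot be avoided.

```python
"""Added example: the CWE-74 pattern in a hypothetical backup manager.

Illustration code only. 'restore-tool', its flags and the hostile input are
invented; this is the vulnerability class, not the ConnectWise/R1Soft flaw."""
import re
import shlex
from typing import List

RESTORE_TARGET = "/srv/restore"


def build_restore_command_vulnerable(snapshot_name: str) -> str:
    """Upstream value dropped straight into a command line. Nothing strips
    shell metacharacters, so the downstream shell interprets them."""
    return f"restore-tool --snapshot {snapshot_name} --target {RESTORE_TARGET}"


def shell_tokens(command_line: str) -> List[str]:
    """Tokenize the way a POSIX shell would, keeping operators such as ';'
    as separate tokens so an injected command boundary is visible."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


# Allow-list for the upstream value: alphanumerics plus . _ - and no leading
# '-', so a name can never be read as an option by the downstream tool either.
SNAPSHOT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_snapshot_name(name: str) -> bool:
    return SNAPSHOT_NAME.fullmatch(name) is not None


def build_restore_command_hardened(snapshot_name: str) -> List[str]:
    """Validate the input and return argv for subprocess.run(..., shell=False):
    no shell parses the string, so special elements have no meaning."""
    if not is_safe_snapshot_name(snapshot_name):
        raise ValueError(f"rejected snapshot name: {snapshot_name!r}")
    return ["restore-tool", "--snapshot", snapshot_name, "--target", RESTORE_TARGET]


def build_restore_command_quoted(snapshot_name: str) -> str:
    """Fallback when a shell string is unavoidable: neutralize the special
    elements with shlex.quote so the value stays one shell word."""
    return f"restore-tool --snapshot {shlex.quote(snapshot_name)} --target {RESTORE_TARGET}"


if __name__ == "__main__":
    hostile = "daily; id"   # constructed attacker-controlled input
    print(shell_tokens(build_restore_command_vulnerable(hostile)))
    print(shell_tokens(build_restore_command_quoted(hostile)))
    print(build_restore_command_hardened("daily-2022-10-31"))
```

The allow-list rejects a leading hyphen as well as metacharacters because passing argv defeats the shell but not the downstream tool's own option parser: a name such as --target would still be interpreted by restore-tool. Quoting is the last resort, since it neutralizes the special elements for one particular downstream parser (a POSIX shell) and has to be redone for every other one.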

Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved. National Law Review, Volume XII, Number 306

About this Author

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ([email protected]

202-481-7305