July 25, 2023 - Anomali Threat Research

Anomali Cyber Watch: Turla Added Kazuar Backdoor, Citrix CVE-2023-3519 Exploited as Zero-Day, FIN8 Rewrote Sardonic, and More

<div id="weekly"> <p id="intro"> <p>The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Authentication bypass, Desired State Configuration, Phishing, Ransomware, Remote code execution, Russia,</b> and<b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/qFGtqXvjSfSxwbEz92xU"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.helpnetsecurity.com/2023/07/20/turla-compromised-microsoft-exchange/" target="_blank">Microsoft Exchange Servers Compromised by Turla APT</a></h3> <p>(published: July 20, 2023)</p> <p> Active for over ten years, Turla (Secret Blizzard) is a cyberespionage threat group attributed to Russia’s Federal Security Service (FSB). In June 2023, Microsoft and CERT-Ukraine detected a new Turla campaign targeting defense-sector organizations in Ukraine and Eastern Europe with malicious phishing attachments. Once inside, the attackers used the open-source Rclone tool for exfiltration, the previously-described DeliveryCheck (CapiBar, GameDay) backdoor, and a new version of the fully-functional Kazuar backdoor/infostealer. Turla also used a new technique: abusing Desired State Configuration (DSC), a PowerShell administration-automation feature, by generating a Managed Object Format (MOF) file containing a PowerShell script that loads an embedded .NET payload into memory. 
This payload acted as the server-side C2 component of DeliveryCheck.<br/> <b>Analyst Comment:</b> Many advanced attacks start with basic techniques such as an unsolicited email carrying a malicious attachment that the user has to open, activate, and enable macros in. It is important to teach your users basic online hygiene and phishing awareness. All known network indicators associated with this Turla campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Tags:</b> mitre-group:Turla, actor:UAC-0024, actor:UAC-0003, actor:Secret Blizzard, actor-identity:FSB, source-country:Russia, malware:CAPIBAR, malware:GAMEDAY, malware:DeliveryCheck, malware:Kazuar, malware-type:Backdoor, technique:Desired State Configuration, abused:Rclone, abused:PowerShell, 
target-country:Ukraine, target-region:Eastern Europe, file-type:EXE, file-type:DAT, file-type:ASPX, file-type:PHP, file-type:MOF, file-type:XLSM, target-software:Microsoft Exchange, target-software:KeePass, target-software:Signal Desktop, target-system:Microsoft Exchange Server, target-system:Windows </p> <h3 id="article-2"><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a" target="_blank">Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells</a></h3> <p>(published: July 20, 2023)</p> <p> CVE-2023-3519 is a remote code execution vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. Citrix released a patch on July 18, 2023, but the flaw had been exploited as a zero-day since at least June 2023. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory describing one case of CVE-2023-3519 exploitation against a critical infrastructure organization's non-production environment. During initial exploitation, the actor uploaded a TGZ archive to the NetScaler ADC appliance containing a generic webshell, a discovery script, and a setuid binary. These were used to conduct SMB scanning, collect NetScaler decryption keys, and enumerate Active Directory data, which was then exfiltrated disguised as an image file. The actor proceeded with lateral movement attempts and implanted an additional PHP webshell with proxying capability.<br/> <b>Analyst Comment:</b> Network-segmentation controls can effectively block lateral movement attempts by threat actors, as happened during this incident. Regular review of network, firewall, and DNS logs can help detect unusual activity that may indicate a cyber attack. 
NetScaler ADC and NetScaler Gateway users should apply the patch released by Citrix: relevant updated versions are NetScaler ADC and NetScaler Gateway 13.1-49.13, NetScaler ADC and NetScaler Gateway 13.0-91.13, NetScaler ADC 13.1-FIPS 13.1-37.159, NetScaler ADC 12.1-FIPS 12.1-55.297, NetScaler ADC 12.1-NDcPP 12.1-55.297, and later releases.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9869" target="_blank">[MITRE ATT&amp;CK] T1505.003 - Server Software Component: Web Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9726" target="_blank">[MITRE ATT&amp;CK] T1548.001 - Abuse Elevation Control Mechanism: Setuid And Setgid</a> | <a href="https://ui.threatstream.com/attackpattern/10014" target="_blank">[MITRE ATT&amp;CK] T1552.001 - Unsecured Credentials: Credentials In Files</a> | <a href="https://ui.threatstream.com/attackpattern/9771" target="_blank">[MITRE ATT&amp;CK] T1552.004 - Unsecured Credentials: Private Keys</a> | <a href="https://ui.threatstream.com/attackpattern/9873" target="_blank">[MITRE ATT&amp;CK] T1482 - Domain Trust Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9619" target="_blank">[MITRE ATT&amp;CK] T1069.002 - Permission Groups Discovery: Domain Groups</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&amp;CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9984" target="_blank">[MITRE ATT&amp;CK] T1016.001 - System Network Configuration Discovery: Internet Connection Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23232" target="_blank">[MITRE ATT&amp;CK] Discovery - Network Service 
Discovery [T1046]</a> | <a href="https://ui.threatstream.com/attackpattern/9701" target="_blank">[MITRE ATT&amp;CK] T1087.002 - Account Discovery: Domain Account</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9803" target="_blank">[MITRE ATT&amp;CK] T1074 - Data Staged</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9629" target="_blank">[MITRE ATT&amp;CK] T1090.001 - Proxy: Internal Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9839" target="_blank">[MITRE ATT&amp;CK] T1531 - Account Access Removal</a><br/> <b>Tags:</b> vulnerability:CVE-2023-3519, vulnerability-type:Remote code execution, target-software:Citrix, target-software:NetScaler, target-software:NetScaler ADC, target-software:NetScaler Gateway, target-sector:Critical infrastructure, malware-type:Webshell, file-type:TGZ </p> <h3 id="article-3"><a href="https://symantec-enterprise-blogs.security.com/threat-intelligence/syssphinx-fin8-backdoor" target="_blank">FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware</a></h3> <p>(published: July 18, 2023)</p> <p> FIN8 (Syssphinx), a financially-motivated threat group, has been observed in point-of-sale attacks since at least January 2016, and in ransomware attacks since at least June 2021. From 2019 to January 2021, the group used and updated its Badhatch backdoor. In August 2021, Bitdefender researchers detected FIN8 switching to a new C++ backdoor dubbed Sardonic. 
Symantec researchers observed a rewritten version of Sardonic in a December 2022 ransomware attack: the backdoor had been ported to the C programming language and given assorted changes, apparently to lower its detection rate. Between June 2021 and December 2022, FIN8 was observed using various ransomware strains, moving from Ragnar Locker (provided by Viking Spider) to the custom White Rabbit ransomware, and back to a third-party strain, BlackCat (ALPHV, Noberus), provided by FIN7 (Carbon Spider).<br/> <b>Analyst Comment:</b> Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Data theft can be contained through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data. All known network indicators associated with the latest FIN8 ransomware attacks are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&amp;CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/23579" target="_blank">[MITRE ATT&amp;CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&amp;CK 
Framework</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Tags:</b> actor:FIN8, actor:Syssphinx, malware:Sardonic, malware-type:Backdoor, malware:White Rabbit, malware:Ragnar Locker, malware:ALPHV, malware:BlackCat, malware:Noberus, malware-type:Ransomware, file-type:DLL, file-type:EXE, target-system:Windows </p> <h3 id="article-4"><a href="https://news.sophos.com/en-us/2023/07/18/sophos-discovers-ransomware-abusing-sophos-name/" target="_blank">Sophos Discovers Ransomware Abusing “Sophos” Name</a></h3> <p>(published: July 18, 2023)</p> <p> Although modern ransomware encryptors tend to be single-purpose tools, the newly-discovered Sophos Ransomware (SophosEncrypt) does more than just encrypt files. It also has general-purpose remote access trojan (RAT) capabilities, including connecting over the internet to a command-and-control (C2) server, hooking the keyboard driver for keystroke logging, and profiling the system using WMI commands. The ransomware checks the system language settings and refuses to run if Russian is configured. For the victim to communicate with the attacker, Sophos Ransomware also relies on somewhat old-fashioned methods: email and the Jabber instant-messaging platform.<br/> <b>Analyst Comment:</b> Despite these dated features, Sophos Ransomware is fully functional and can encrypt a machine even when disconnected from its C2. 
Its initial delivery method is not known, but users should receive phishing and social-engineering awareness training. Have proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. All known network indicators associated with Sophos Ransomware are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/12873" target="_blank">[MITRE ATT&amp;CK] T1614.001 - System Location Discovery: System Language Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a><br/> <b>Tags:</b> impersonated:Sophos, malware:Sophos ransomware, malware:SophosEncrypt, malware-type:Ransomware, abused:Jabber, abused:MinGW, open-port:21119, file-type:HTA, file-type:SOPHOS, target-system:Windows </p> <h3 id="article-5"><a href="https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/" target="_blank">Massive Targeted Exploit Campaign Against WooCommerce Payments Underway</a></h3> <p>(published: July 17, 2023)</p> <p> Publicly disclosed on March 23, 2023, CVE-2023-28121 is a critical (CVSS 3.1 score 9.8) authentication-bypass and privilege-escalation vulnerability in the popular WooCommerce Payments plugin. 
Wordfence researchers detected a large-scale exploit campaign targeting CVE-2023-28121 that began on July 14, 2023, and peaked at 1.3 million attacks against 157,000 sites on July 16, 2023. One to two days before being attacked, the sites were probed with requests for the plugin's readme.txt file, which reveals whether WooCommerce Payments is installed. After exploiting versions 4.8.0 through 5.6.1 of the plugin, the attackers installed the WP Console plugin to execute code on the site, deployed a malicious file uploader, and created rogue administrator users with randomized alphanumeric usernames.<br/> <b>Analyst Comment:</b> If your site ran a vulnerable version of the WooCommerce Payments plugin in July 2023, check for any unauthorized plugins or administrator users. Regularly update your website components with the latest security patches. All known network indicators associated with this CVE-2023-28121 exploitation are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9642" target="_blank">[MITRE ATT&amp;CK] T1136 - Create Account</a> | <a href="https://ui.threatstream.com/attackpattern/10163" target="_blank">[MITRE ATT&amp;CK] T1595.002 - Active Scanning: Vulnerability Scanning</a><br/> <b>Tags:</b> target-software:WooCommerce Payments, vulnerability:CVE-2023-28121, vulnerability-type:Authentication bypass, vulnerability-type:Privilege escalation, target-industry:E-commerce, target-industry:Retail, target-system:WordPress </p> </div> </p></div>
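The Turla story above describes DSC being abused through a MOF file whose embedded PowerShell script loads a .NET payload into memory. The following triage script is an added example, not code from Anomali, Microsoft or CERT-UA: it parses the text layout DSC compiles configurations into and flags `MSFT_ScriptResource` instances whose `SetScript` contains a reflective assembly load, a base64 decode, or a large base64 blob that decodes to a PE image. The sample MOF, its resource names and the "payload" blob are constructed for illustration and are not indicators from the campaign.

```python
"""Triage PowerShell Desired State Configuration (DSC) MOF files for in-memory .NET loaders."""
import base64
import re

# Constructed stand-in for an embedded .NET assembly: 64 bytes beginning with the
# "MZ" PE magic so the PE-header check below has something to find. Not real malware.
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

# Constructed MOF in the layout DSC produces: one benign File resource and one Script
# resource whose SetScript decodes a blob and loads it with System.Reflection.Assembly.
SAMPLE_MOF = r'''
/*
@TargetNode='localhost'
*/

instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
{
 ResourceID = "[File]LogDir";
 DestinationPath = "C:\\Logs";
 Type = "Directory";
 Ensure = "Present";
 ModuleName = "PSDesiredStateConfiguration";
 ModuleVersion = "1.0";
};

instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]Updater";
 GetScript = "@{ Result = 'ok' }";
 TestScript = "return $false";
 SetScript = "$b=[Convert]::FromBase64String('__PAYLOAD__');[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)";
 ModuleName = "PSDesiredStateConfiguration";
 ModuleVersion = "1.0";
};

instance of OMI_ConfigurationDocument
{
 Version="2.0.0";
 Author="admin";
};
'''.replace("__PAYLOAD__", FAKE_PE_B64)

INSTANCE_RE = re.compile(r"instance of (\w+)(?: as \$\w+)?\s*\{\n(.*?)\n\};", re.S)
PROPERTY_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.M)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
LOADER_PATTERNS = {
    "reflective .NET load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "encoded command": re.compile(r"-EncodedCommand", re.I),
    "Invoke-Expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def unescape_mof(value: str) -> str:
    """Undo the C-style escapes MOF uses inside string literals."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def parse_mof(text: str) -> list:
    """Return every instance block as {"class": ..., "props": {...}}."""
    instances = []
    for cls, body in INSTANCE_RE.findall(text):
        props = {k: unescape_mof(v) for k, v in PROPERTY_RE.findall(body)}
        instances.append({"class": cls, "props": props})
    return instances


def inspect_script(script: str) -> list:
    """Reasons a PowerShell snippet from a Script resource looks like a loader."""
    reasons = [name for name, rx in LOADER_PATTERNS.items() if rx.search(script)]
    for blob in BASE64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # long token that is not actually base64
        reasons.append(f"embedded base64 blob ({len(raw)} bytes)")
        if raw.startswith(b"MZ"):
            reasons.append("blob is a PE/.NET image (MZ header)")
    return reasons


def triage_mof(text: str) -> list:
    """Flag Script resources whose Get/Test/SetScript bodies look like in-memory loaders."""
    findings = []
    for inst in parse_mof(text):
        if inst["class"] != "MSFT_ScriptResource":
            continue
        reasons = []
        for prop in ("GetScript", "TestScript", "SetScript"):
            reasons += [f"{prop}: {r}" for r in inspect_script(inst["props"].get(prop, ""))]
        if reasons:
            findings.append({"resource_id": inst["props"].get("ResourceID", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_mof(SAMPLE_MOF):
        print(hit["resource_id"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

On a Windows host the files to feed this are the compiled `*.mof` documents under the DSC configuration directory and any MOF found in the Exchange server's DSC working state; a Script resource in a configuration that nobody authored is the artefact to look for, and the reflective-load match is the high-confidence signal.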
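The CISA advisory in the Citrix story above describes a webshell dropped on the appliance, a setuid binary, and Active Directory data exfiltrated disguised as an image file. The script below is an added example, not CISA's or Citrix's code, of the filesystem checks that follow from those artefacts: PHP files and image-named files under the web-served directories that were modified after the patch date, where the "image" does not carry a real image signature, plus setuid binaries newer than the patch. The patch date, the web-root paths and the sample directory tree (built in a temporary directory) are assumptions made for the example; none of the file names are indicators from the advisory.

```python
"""Hunt a NetScaler ADC filesystem for post-exploitation artifacts like those in AA23-201A."""
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: the appliance was patched on 2023-07-18; anything modified later is suspect.
PATCH_TS = datetime(2023, 7, 18, tzinfo=timezone.utc).timestamp()
# Assumed web-served directories on the appliance, relative to its root.
WEB_ROOTS = ("netscaler/ns_gui", "var/vpn", "var/netscaler/logon")
# File signatures for extensions an exfiltration archive might be disguised under.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def under_web_root(rel: str) -> bool:
    return any(rel.startswith(root + "/") for root in WEB_ROOTS)


def looks_like_image(path: Path) -> bool:
    """True if the file's leading bytes match the signature its extension promises."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return any(head.startswith(m) for m in IMAGE_MAGIC[path.suffix.lower()])


def hunt(root: Path, patch_ts: float, root_uid=None) -> dict:
    """Return recently modified web PHP files, fake images, and setuid binaries."""
    found = {"php": [], "fake_images": [], "setuid": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_mtime <= patch_ts:
                continue  # skip symlinks/devices and anything older than the patch
            rel = path.relative_to(root).as_posix()
            ext = path.suffix.lower()
            if under_web_root(rel) and ext == ".php":
                found["php"].append(rel)
            if under_web_root(rel) and ext in IMAGE_MAGIC and not looks_like_image(path):
                found["fake_images"].append(rel)
            # On a real appliance pass root_uid=0 so only root-owned setuid files count.
            if st.st_mode & stat.S_ISUID and (root_uid is None or st.st_uid == root_uid):
                found["setuid"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree(root: Path) -> None:
    """Constructed directory layout; names and contents are illustrative only."""
    day = 86400
    sample = {
        "netscaler/ns_gui/vpn/index.php": (b"<?php /* stock page */ ?>", PATCH_TS - 30 * day, 0o644),
        "netscaler/ns_gui/vpn/images/prod.php": (b"<?php /* dropped webshell stand-in */ ?>", PATCH_TS + 3600, 0o644),
        "netscaler/ns_gui/vpn/images/logo.png": (b"\x89PNG\r\n\x1a\n", PATCH_TS + 3600, 0o644),
        "netscaler/ns_gui/vpn/images/ad.png": (b"DC=corp,DC=example\n", PATCH_TS + 7200, 0o644),
        "var/tmp/.cache/ns": (b"#!/bin/sh\n", PATCH_TS + 5400, 0o4755),
        "usr/bin/su": (b"\x7fELF", PATCH_TS - 400 * day, 0o4755),
    }
    for rel, (content, mtime, mode) in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))


def run_sample() -> dict:
    """Build the constructed tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt(root, PATCH_TS)


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        print(kind, paths)
```

Run `hunt(Path("/"), PATCH_TS, root_uid=0)` on a forensic image of the appliance mounted read-only rather than on the live box, and treat the modification time as a hint only: an actor who has root can reset it, so a file that fails the image-signature check is suspicious regardless of its timestamp.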
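The WooCommerce Payments story above gives two things a site owner can look for: the readme.txt reconnaissance that preceded the attacks by a day or two, and rogue administrator accounts with randomized alphanumeric usernames. The script below is an added example, not Wordfence's code. It scans combined-format web access logs for clients that probed the plugin's readme.txt, records whether the probe confirmed the plugin (HTTP 200) and which write requests the same client sent afterwards, and applies a username heuristic to a WordPress user list. The log lines and user records are constructed; the `/wp-json/wp/v2/users` POST in the sample is an assumed follow-up write, since the page only states that administrator users were created.

```python
"""Detect CVE-2023-28121 reconnaissance in access logs and random-named admin accounts."""
import re
from datetime import datetime, timezone

# Combined log format (Apache/Nginx default): client, identd, user, time, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The campaign fingerprinted targets by requesting the plugin's readme.txt.
PROBE_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"
CAMPAIGN_START = datetime(2023, 7, 14, tzinfo=timezone.utc)
# Random-looking login: 8-16 lowercase letters and digits, both present, no separators.
RANDOM_LOGIN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,16}$")

# Constructed log lines. 203.0.113.7 confirms the plugin and later writes; 198.51.100.23
# probes a site without the plugin; 192.0.2.9 never probed at all.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2023:03:12:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jul/2023:11:05:44 +0000] "GET /shop/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jul/2023:11:05:45 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2023:02:40:17 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 612 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jul/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed WordPress user export (user_login, role, user_registered).
SAMPLE_USERS = [
    {"user_login": "admin", "role": "administrator", "registered": "2019-03-02 10:00:00"},
    {"user_login": "jane.doe", "role": "administrator", "registered": "2022-11-20 08:15:00"},
    {"user_login": "shop_manager2", "role": "administrator", "registered": "2023-07-15 12:00:00"},
    {"user_login": "b7q2kx9d", "role": "administrator", "registered": "2023-07-16 02:40:18"},
    {"user_login": "x4m8rt2p", "role": "subscriber", "registered": "2023-07-16 02:41:00"},
]


def parse_log(text: str):
    """Yield one dict per parseable combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        }


def find_probes(text: str) -> dict:
    """Map probing client -> whether the probe confirmed the plugin and any later writes."""
    records = list(parse_log(text))
    hits = {}
    for rec in records:
        if rec["path"] == PROBE_PATH and rec["ip"] not in hits:
            hits[rec["ip"]] = {
                "first_probe": rec["ts"],
                "plugin_present": rec["status"] == 200,
                "followup_writes": [],
            }
    for rec in records:
        hit = hits.get(rec["ip"])
        if hit and rec["method"] in ("POST", "PUT", "PATCH") and rec["ts"] > hit["first_probe"]:
            hit["followup_writes"].append(rec["path"])
    return hits


def suspicious_admins(users, since: datetime = CAMPAIGN_START) -> list:
    """Administrators registered since the campaign began whose login looks machine-generated."""
    flagged = []
    for user in users:
        registered = datetime.strptime(user["registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if (
            user["role"] == "administrator"
            and registered >= since
            and RANDOM_LOGIN_RE.match(user["user_login"].lower())
        ):
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    for ip, hit in find_probes(SAMPLE_LOG).items():
        state = "plugin present" if hit["plugin_present"] else "plugin absent"
        print(ip, state, hit["followup_writes"])
    print("suspicious admins:", suspicious_admins(SAMPLE_USERS))
```

A probe that returned 200 followed by any write request from the same client is the pairing worth escalating; a probe alone is scanner noise. The username heuristic will miss an attacker who picks a plausible name, so it complements, rather than replaces, a comparison of the current administrator list against a known-good export.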
