Threat actors were as active as ever during December 2020, ending an already difficult year on a grim note.
TA542 Back with a Vengeance
Let’s start with the threat group TA542 (aka Mummy Spider, ATK 104 and Mealybug), which returned after a break of roughly a month and a half. The group relaunched its Emotet botnet, delivering documents with malicious macros that, once enabled, connected to seven malicious domains to download the Emotet payload. Victims included Lithuania’s National Center for Public Health (NVSC) and several municipalities. The emails were disguised as replies to existing conversations, a known Emotet tactic: a hijacked reply chain carries a real subject line, quoted history and a familiar sender, which helps it slip past both suspicious recipients and anti-malware filtering. Once installed, Emotet dropped the QakBot and TrickBot trojans; TrickBot in turn is used to deploy both Ryuk and Conti ransomware.
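Because the Emotet lure is a macro-enabled Office document, a mail gateway or triage script should judge attachments by what the package contains, not by the file extension on the lure. The following is an added example, not code from the original post or from Cymulate: it builds two small constructed OOXML packages (a macro-enabled one carrying a `word/vbaProject.bin` part and a plain one) and checks for a VBA project by inspecting the ZIP container and its `[Content_Types].xml`. The package contents and attachment names are constructed stand-ins, not real Emotet samples.

```python
import io
import zipfile

# Constructed minimal OOXML packages (not real Emotet lures). Word marks a
# macro-enabled document through its content types and stores the VBA project
# as the part word/vbaProject.bin.
_DOCM_CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""

_DOCX_CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

_DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b"<w:body><w:p><w:r><w:t>Re: invoice</w:t></w:r></w:p></w:body></w:document>"
)


def build_package(parts):
    """Assemble an OOXML package (a ZIP archive) from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# CFB header stub standing in for a real VBA project stream (constructed).
_FAKE_VBA_PROJECT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

DOCM_SAMPLE = build_package({
    "[Content_Types].xml": _DOCM_CONTENT_TYPES,
    "word/document.xml": _DOCUMENT_XML,
    "word/vbaProject.bin": _FAKE_VBA_PROJECT,
})
DOCX_SAMPLE = build_package({
    "[Content_Types].xml": _DOCX_CONTENT_TYPES,
    "word/document.xml": _DOCUMENT_XML,
})

# Part names that only exist when a VBA project is embedded (Word, Excel, PowerPoint).
MACRO_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}
# Content-type markers declared for macro-enabled packages.
MACRO_CONTENT_TYPES = (b"application/vnd.ms-office.vbaProject", b"macroEnabled")


def has_vba_macros(blob):
    """Return True if the OOXML package carries a VBA project.

    The verdict is based on the ZIP contents and declared content types, so a
    .docm renamed to .docx (or anything else) is still caught. Non-ZIP input,
    such as a legacy OLE .doc, returns False and needs a CFB parser instead.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                if name.rsplit("/", 1)[-1].lower() in MACRO_PART_NAMES:
                    return True
            try:
                content_types = zf.read("[Content_Types].xml")
            except KeyError:
                return False
            return any(marker in content_types for marker in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return False


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns filenames to quarantine."""
    return [name for name, blob in attachments if has_vba_macros(blob)]


if __name__ == "__main__":
    inbound = [("invoice.docx", DOCM_SAMPLE), ("notes.docx", DOCX_SAMPLE)]
    print("quarantine:", triage_attachments(inbound))
```

The check deliberately ignores the extension: the macro-enabled sample is handed in as `invoice.docx` and is still flagged. Legacy binary `.doc`/`.xls` lures are OLE compound files rather than ZIP packages and return False here; for those, use a CFB-aware tool such as oletools' `olevba`.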
Nefilim Strikes Again
TA542 was not the only group active in December. Nefilim, which has been very active since the start of the COVID-19 pandemic, carried out a successful ransomware attack on Whirlpool. In the now-standard double-extortion pattern, the attackers stole corporate data before encrypting it and later published a set of the stolen files. The leaked data included documents related to employee benefits, accommodation requests, medical information requests, background checks and more.
Randstad Attacked by Ransomware
Staffing company Randstad was on the receiving end of an Egregor ransomware attack. The Ransomware-as-a-Service (RaaS) operation Egregor emerged in September 2020 and is widely regarded as the successor to the now-defunct Maze group. Egregor accessed Randstad’s global IT environment and data relating to its operations in the US, Poland, Italy and France. A subset of the data was then published, a well-known tactic by which ransomware groups pressure victims into paying.
FireEye Hit by Cyber Attack
Even cybersecurity firms were not safe: US-based FireEye announced that it had been hacked, most likely by a nation-state actor. The intruders stole the firm’s internal Red Team tools, which FireEye uses to test the network defenses of its own clients. These tools replicate the capabilities of sophisticated real-world attackers in order to find weaknesses in client systems. FireEye responded by publishing detection rules for the stolen tools so that defenders could spot any use of them in the wild.
Fox Kitten Behind Pay2Key
Iranian-backed APT group Fox Kitten was also active and is suspected of being behind the Pay2Key ransomware attacks against targets in Israel and Brazil. Fox Kitten specializes in cyber espionage and data theft. The group has previously sold access to compromised corporate networks to other threat actors on the dark web, and has handed access to compromised networks to APT33 (aka Elfin and Magnallium), a fellow Iranian group.
Over the preceding two months, Fox Kitten used Pay2Key to steal sensitive information from industrial, insurance and logistics companies. Initial access came from exploiting vulnerabilities in internet-facing remote-access products (for example Pulse Secure, Fortinet and F5 VPN appliances and Palo Alto Networks GlobalProtect) and from exposed Remote Desktop Protocol (RDP) services; the payloads were delivered from that foothold. One victim was shipping and cargo software company Amital; around 40 of Amital’s clients were compromised through it in a supply chain attack.
Attack on the Finnish Parliament
A breach of the Parliament of Finland was disclosed at the end of December. The threat actors compromised the email accounts of several members of parliament and obtained information that could benefit a foreign state or harm Finland. The attack closely resembled an earlier one on the Parliament of Norway, in which Russian state-backed APT28 actors brute-forced their way into a large number of Stortinget email accounts and then logged in as the MPs.
Overview of the SolarWinds Hack
We end this overview with the SolarWinds hack, a state-sponsored global supply chain attack that hit the US government, its agencies and numerous public and private organizations around the world. The threat actors inserted a backdoor (dubbed SUNBURST) into a legitimate, trusted build of the SolarWinds Orion platform, so the malware arrived as a normal signed software update and was delivered automatically to thousands of customers. Once a victim’s network was reached through the backdoor, lateral movement and data theft followed.
The malicious Orion plug-in disguises its traffic as the legitimate Orion Improvement Program (OIP) protocol, communicating over HTTP with remote servers to retrieve and execute commands (“Jobs”). These commands included transferring and executing files, profiling and rebooting the compromised system, and disabling system services. Because the backdoor lay dormant for up to two weeks after installation and its beacons blended in with normal Orion traffic, the compromise went unnoticed for months; hunting for it means looking for Orion hosts talking to destinations that are not SolarWinds infrastructure, not just scanning the update itself.
The threat actors routed their activity through VPN servers in the same country as each victim, so that the source IP addresses they used did not stand out as foreign.
For a more in-depth blog post on the SolarWinds attack, click here.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI.