Cymulate’s June 2022 Cyberattacks Wrap-up

In June 2022, cybercrime flourished. Let’s look at last month’s cyberattacks making news.

Follina Day’s Work

Follina dominated the headlines as the Microsoft zero-day flaw that has been exploited by a number of threat actors, including Chinese state-sponsored hackers. They exploited the vulnerability to attack organizations associated with the Tibetan Government in exile. The Russian nation-state group APT28 (aka Fancy Bear or Sofacy) abused it during their phishing attacks against targets in Ukraine. Apart from state-sponsored actors, several ransomware threat groups used it to spread the Qbot banking Trojan (aka QakBot) to establish a persistent foothold in target networks for future attacks. 

How It Works

Once a document uses the Word remote template feature to retrieve an HTML file from a remote web server, it uses the ms-msdt MSProtocol URI scheme to load some of the code, also executing PowerShell. Microsoft Word executes the code via the Microsoft Support Diagnostic Tool (MSDT) even if macros are disabled. The vulnerability concerns Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. It can also be called from .lnk files, making it a double threat. To put it in other words, threat actors could exploit the vulnerability by executing malicious PowerShell commands via MSDT once malicious Office documents were opened or previewed, even if macros were disabled.  

MsiExec Wreck

Also, in June 2022, we saw threat actors using Msiexec impersonation for data exfiltration.  

1. They gained initial access by exploiting a vulnerability in ManageEngine SupportCenter Plus. 
2. This allowed them to drop a webshell in a cloud-accessible directory. 
3. This webshell was then used for WDigest authentication and regularly checking which users were logged into the beachhead server. 
4. An LSASS dump was performed to capture the credentials of an administrative user that had recently logged into the system. 
5. They then moved laterally to critical servers using Plink and RDP to exfiltrate sensitive information. 
6. The threat actors downloaded ekern.exe and deployed a script to establish a reverse SSH connection to the RDP port of the beachhead server. 
7. After an interactive RDP session was successfully established to the beachhead server, other computers in the network were enumerated. 

Log4Shell (Still…)

On another note, state-sponsored APT groups and other threat actors kept on exploiting the Log4Shell (CVE-2021-44228) vulnerability in VMware Horizon. This enabled them to abuse Unified Access Gateway (UAG) servers for initial access to organizations that did not patch or installed workarounds yet. To recap, Log4Shell is a remote code execution vulnerability affecting the Apache Log4j library as well as a range of products using Log4j, including versions of VMware Horizon and UAG. Threat actors could submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code to take full control of the affected system. Once threat actors obtain access, they can install loader malware on the compromised systems with embedded executables to activate remote C2 and collect and exfiltrate sensitive information from the victim’s network. 

Black Basta!

The Black Basta ransomware group flexed its muscles claiming that it had already made 50 victims in the United States, Canada, United Kingdom, Australia, and New Zealand. It looks like Black Basta took over from the now-defunct Conti group. The gang is also partnering with the Qbot malware group to spread the Black Basta ransomware. This malware targets VMware ESXi virtual machines (VMs) running on enterprise Linux servers of victims in the manufacturing, construction, transportation, telco, pharmaceutical, cosmetics, plumbing & heating, automotive, and apparel industries in English-speaking countries. Before deploying the ransomware, the attackers infiltrated and moved laterally across the compromised network. To avoid detection, two main techniques were used to disable Windows Defender. Firstly, the threat actors deployed the batch script d.bat locally on compromised hosts and executed various PowerShell commands. Secondly, a GPO (Group Policy Object) was created on a compromised Domain Controller to block changes to the Windows Registry of domain-joined hosts. To maintain their presence, the threat actors use mainly QakBot as well as Cobalt Strike beacons. 

Bronze Starlight

In June, we saw state-backed hackers using a new tactic to hide their true intent. China-based advanced persistent threat (APT) group Bronze Starlight started using ransomware attacks as a decoy for their espionage attacks. The group deployed LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 ransomware to throw incident responders off the scent. To enter a network, the attackers abused unpatched vulnerabilities affecting Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j.  

Mummy Spider on the Web

On a closing note, the Emotet threat group (aka Mummy Spider and Gold Crestwood) is back, targeting credit card information stored in the Chrome web browser. This type of revival is not new; the disbanded DarkSide ransomware group (notorious for hacking the Colonial Pipeline) reemerged as first BlackMatter and then BlackCat. The returned Emotet has improved its collecting and utilizing of stolen credentials, which are then being weaponized to further distribution of the Emotet binaries. The group also moved its infrastructure out of Europe with the help of the TrickBot Trojan actors.  

—–

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI! 

Stay cyber safe!