Digital lock on a chip board.

Ankura Cyber Threat Intelligence Bulletin

July 30, 2021

Observations

Over the past sixty days, the Ankura Cyber Security team has worked with clients to solve cybersecurity challenges involving emerging ransomware tactics, aggressive third-party compromise campaigns, spear-phishing operations, and sophisticated cyber espionage campaigns.

For this month’s report, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) has compiled detailed metrics surrounding the tactics employed during third-party vendor breaches. Additionally, because the Russian state-sponsored threat group REvil went dark, Ankura threat-intelligence operators collected and analyzed adversarial chatter and other data which could reveal potential factors which factored into their disappearance.

Lastly, during this period Ankura’s Cyber Security team has observed activity which could indicate that a new ransomware group is emerging as well as activity likely attributed to the Chinese nation-state-sponsored threat group known as LuminousMoth and MustangPanda (aka HoneyMythe).

THIRD PARTY BREACHES

The SolarWinds attack served as a reminder that security and privacy risks increasingly come from a variety of vectors, including third-party service providers and vendors. These vendors serve as a strategic target for sophisticated actors because they offer covert access to downstream targets. According to a report by Ponemon Institute in May 2021, 51% of businesses have suffered a data breach caused by a third-party. Additionally, 44% of the 51% of businesses have suffered a data breach within the last year and of the 44% of businesses, 74% of data breaches are due to granting too much privileged access to third parties[1].

A recent data breach caused by a third-party vendor is the Volkswagen data breach that occurred in June 2021. The breach was caused by exposed, unsecured data on the internet via an undisclosed third-party vendor between August 2019 and May 2021[2]. Volkswagen claimed to be alerted of the breach on March 10, 2021, and individuals impacted by the breach were customers of Audi as well as Volkswagen, which amounts to more than 3.3 million customers in North America alone. An unauthorized third party obtained limited personal information about customers as well as interested buyers from a vendor that was used by dealers for digital sales and marketing purposes. The information leaked was gathered between 2014 and 2019 in an electronic file that the third-party vendor left unsecured. On Monday, June 12, 2021, a hacker known as 000 posted the stolen Volkswagen data for sale on the notorious hacking forum RaidForums. 000 posted two samples of data which included full names, email addresses, mailing addresses, Vehicle Identification Numbers (VIN), and phone numbers. While Volkswagen claimed sensitive information was breached, 000’s post did not include Social Security numbers or driver’s license information. 000 is known to work closely with another hacker known as General badhou3a and stated that both hackers worked together to set up a script to scan the internet for exposed Azure Blobs, which are data repositories stored in Microsoft’s cloud. The hacker asked for a payment of $4,000 – $5,000 USD for the entire database. The total impact of this data breach has yet to be seen.

On Friday, July 2, 2021, a large-scale ransomware campaign impacted approximately 1,500 downstream businesses across the world. The threat actors responsible for the attack achieved this by exploiting the Managed Service Provider (MSP) Kaseya[3]. An MSP is a third-party software-as-a-service solution that automates common business processes. They are typically leveraged by both small and large companies to streamline internal processes. In Kaseya’s case, their remote monitoring and management service VSA, which manages IT infrastructure, was exploited by actors associated with the REvil threat group when they discovered three (3) vulnerabilities in Kaseya’s VSA application. The vulnerabilities allowed REvil to send a malicious software update containing the Sodinokibi payload to downstream clients.

Figure 1: Sodinokibi Ransomware Note

For example, Coop, a large supermarket based in Sweden, was forced to shut down almost 500 stores after implementing the malicious update. Coop leveraged Visma to manage its point-of-sale systems through the EssCom service. On July 3, 2021, Visma confirmed[4]they were affected by the Kaseya attack and that a number of their endpoints were infected. It took nearly one hundred (100) technicians and almost a week to restore access to their cash registers. The list of organizations affected by the attack is still growing and while Coop has been the largest company affected in the attack, many other companies are still recovering.

To prevent a third-party data breach, it is imperative to perform due diligence before onboarding the vendor. A Vulnerability Assessment and Penetration Testing (VAPT) document ensures that the vendor is properly securing their systems and data. Another technique is to limit the vendor’s access to any sensitive data and deny all access to internal systems unless otherwise specified as well as reviewing the vendor’s cyber security controls and posture is crucial. While these steps may help mitigate future risk, it is impossible to completely prevent future compromises.

REVIL UPDATE

Within the past few weeks, the ransomware landscape has changed significantly, with one of the longest and most reputable threat-actors, REvil, going completely dark. As of July 13, 2021, a total of twenty-one (21) sites that are known to be used by REvil were taken offline, with only a single server left standing. The server, which held unique client data, is believed to be operated by an affiliate of the group who was responsible for the attack related to this data. There has been much speculation as to why REvil decided to go offline – whether that be due to an allied takedown, rebranding as another group, or due to rising pressure from the Kaseya attack; none of these, however, have been confirmed. “Unknown”, the director of REvil, was notably banned on the XSS Forum. The same thing happened to the moniker darksupp (the director of Darkside) when the Darkside ransomware gang was taken down in May.

 

Figure 1: REvil’s Single Standing Client Storage Site

Less than twenty-four (24) hours after REvil’s disappearance, another ransomware group, known as AvosLocker, appeared on dark web forums. The group’s leak site is almost an exact copy of DoppelPaymer’s site, which is operated by TA505 (aka Evil Corp). The site was initially created on Jan 1, 2021, which suggests that this emerging ransomware group was likely backstopped some time ago. Although AvosLocker’s website is a near exact copy of DoppelPaymer there is still no confirmation whether AvosLocker is affiliated with TA505, is the new rebrand for REvil, or is just another new ransomware group entering the scene.

Figure 2: AvosLocker’s Dark Web Press Release

Figure 3: AvosLocker’s Dark Web Victim Datasets

It is possible that the aforementioned information correlates back to REvil leaving the ransomware space, with their disappearance already triggering a fight between other threat groups as to which one will control the majority of the market. Lockbit 2.0 has been extremely active – most notably focusing on “public relations”, such as trying to obtain an interview with the YouTube channel “Russia OSINT” (which recently interviewed “Unknown” of REvil). It is also worthy to mention the Conti threat group, which has always been increasingly active and an established adversary in the field. CTAPT will continue to monitor the individual actors associated with these groups as well as campaign activity and will provide an update in the next monthly intelligence product.

U.S. DEPARTMENT OF STATE TO INCLUDE CRITICAL INFRASTRUCTURE IN “REWARDS FOR JUSTICE”

In an ongoing effort to secure U.S. critical infrastructure from cyber threats, the U.S. Department of State has decided to incorporate critical infrastructure into its “Rewards for Justice” program. “Rewards for Justice” is a Department of State reward for information program intentionally set up for international terrorism. However, the Department of State has expanded its purview into the critical infrastructure with its new Tor-based tip line. In combination with this anonymous tip line, “Rewards for Justice” is protecting users by offering cryptocurrency as a payment option.

Stemming from the 1984 Act to Combat International Terrorism, “Rewards for Justice” is a Department of State program offering rewards for valuable information pertaining to several areas such as election interference, international terrorists, and now information on U.S. critical infrastructure[5]. In fact, the U.S. Department of State has released this statement: ““Rewards for Justice” is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)”[6].

The Department of State has decided to provide a Tor-based tip line which can be found at the address “he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion”. This is done due to the inherent nature of Tor, which is a network that directs network traffic through multiple relays, allowing the user to obfuscate their location and usage. Another way in which “Rewards for Justice” is protecting anonymity is by providing an option to receive payments in the form of cryptocurrency. Like Tor, users can obfuscate their transactions, thus protecting the user’s identity.

Protecting U.S. critical infrastructure is a growing concern and the recent actions of the Department of State reflect this. By expanding the purview of “Rewards for Justice”, the Department of State is hoping to make inside information lucrative via large sum payouts. Acknowledging the danger in this, “Rewards for Justice” has decided to protect anonymity by providing a Tor-based tip line in combination with offering payments in the form of cryptocurrency. In closing, programs such as “Rewards for Justice” are just one piece in the fight against cyber terrorism on U.S. critical infrastructure.

NEW TREND IN GOOGLE CHROME ZERO-DAY VULNERABILITIES

Throughout June and July of 2021, Google patched several zero-day vulnerabilities in Chrome, including the seventh and eighth Chrome vulnerabilities found “in the wild,” this year. Google’s aggressive approach comes as two (2) Chrome exploits were allegedly leveraged by state actors, and as vulnerabilities in other platforms continue to facilitate high profile cyber incidents. Zero-days recently patched by Google include the following:

According to Google, both CVE-2021-21166 and CVE-2021-30551 were deployed as one-time links sent to targets in Armenia. Once a victim clicked on the link, they were directed to attacker-controlled domains that collected device information and sent the information back to the attackers. The exploits were used alongside an Internet Explorer zero-day, CVE-2021-33742, and collectively these three zero-days were attributed to Candiru, an Israeli surveillance company whose clients include various foreign intelligence services[7].

While the Candiru CVEs are notable, they were not the only exploited zero-days that Google patched recently. In June, Google patched CVE-2021-30554, the seventh Chrome vulnerability reported “in the wild,” this year. CVE-2021- 30554 is a use after free vulnerability in the WebGL API used in Chrome, which could allow an attacker to remotely execute arbitrary code[8]. On July 14, Google announced it had patched CVE-2021-30563, the eighth “wild” zero-day in Chrome to be patched in 2021[9]. Like CVE-2021-30551, CVE-2021-30563 is a type confusion vulnerability in V8, Google Chrome’s JavaScript engine. Unlike the Candiru-linked CVEs, Google declined to address where these attacks had been used and by whom[10]. Google’s hesitance to elaborate on the operational use of these exploits makes sense, as premature disclosure of critical vulnerabilities can lead to threat actors exploiting unpatched systems.

EMERGING RANSOMWARE GROUP

On July 21, 2021, a new ransomware group was uncovered using the name Haron Ransomware. The ransomware group has already posted about one victim and is operating a blog as well as a leak site. CTAPT analysts were able to obtain and analyze a sample of this new variant which revealed seven (7) strings possibly related to the Prometheus ransomware group. Before REvil went dark, Prometheus used to refer to themselves as “Group of REvil” but have since removed this phrase from their branding. Analysts believe that the affiliate members of REvil associated with Prometheus may over switched over to Haron; however, this has yet to be confirmed.

Figure 1: Haron Ransomware’s Dark Web Blog Site

 

In-depth analysis of the Haron Ransomware dark web site and ransomware note were performed, and analysts noticed an almost exact replica of the Avaddon ransomware dark website and ransomware note. This reveal led analysts to believe this new ransomware group may be the resurgence of Avaddon, who disassembled last month. However, with the overlap between Prometheus ransomware strings and Avaddon’s ransomware site, it still raises a few questions as to who the actual operator of the ransomware group is.

Figures 2: Comparison of Avaddon’s

Figures 3: Dark Web Site to Haron’s

Haron completed their conversation with their first victim by emphasizing that other dark web marketplaces are currently offering to buy their information. CTAPT analysts have begun tracking this trend to identify if it will persist.

Figure 4: Conversation with Haron Ransomware Group

THREAT ACTOR OF THE MONTH

CTAPT analysts routinely monitor dozens of underground forums to identify threat actor activity, detect shifts in tactics, and identify transaction activity involving sensitive data of interest. As a result, CTAPT enumerates and tracks the most active threat actors over a thirty (30) day period and leverages this data to develop proactive indicators, warnings, and emerging risk.

Actors associated with both LuminousMoth and MustangPanda (AKA: HoneyMythe) are likely sourced to China and have been linked together based off victimology, Dynamic Link Library (DLL) sideloading, use of Cobalt strike payloads, and overlaps in Command-and-Control (C2) Infrastructure[11]. The threat actors utilize sophisticated spear phishing operations to target governments, telecommunications, and critical infrastructure systems. Ankura recently responded to a potential compromise of a client which was conducted using a spear-phishing email containing a link to a malicious file hosted on Dropbox, a known spear-phishing technique attributed to LuminousMoth. In a number of recent attacks, these Dropbox download links pointed to RAR (compressed file format) archives, ultimately containing two malicious DLL files, which upon execution of the legitimate files, would sideload the DLL files. The attached malware also tries to spread laterally, copying itself to all removeable USB drives if connected. LuminousMoth malware samples directly contact the C2 server, therefore exposing the IP address. Analysis of the IP addresses reveals additional domains related to spear-phishing attacks on the countries of Myanmar and the Philippines.

Figure 1: Link between LuminousMoth and HoneyMythe

 

Trending IOCS

Indicator Type Attribution
feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede Hash DearCry
e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 Hash DearCry
10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da Hash DearCry
2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff Hash DearCry
103.77.192[.]219 IP Hafnium
104.140.114[.]110 IP Hafnium
104.250.191[.]110 IP Hafnium
108.61.246[.]56 IP Hafnium
149.28.14[.]163 IP Hafnium
157.230.221[.]198 IP Hafnium
167.99.168[.]251 IP Hafnium
185.250.151[.]72 IP Hafnium
192.81.208[.]169 IP Hafnium
203.160.69[.]66 IP Hafnium
211.56.98[.]146 IP Hafnium

 

[1] https://www.securelink.com/research-reports/a-crisis-in-third-party-remote-access-security/
[2] https://www.bankinfosecurity.com/volkswagen-audi-notify-33-million-people-data-breach-a-16875[3] https://securityscorecard.com/blog/microsoft-exchange-attack-surface-was-smaller-and-more-targeted-than-previously-thought
[3] https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say
[4] https://media.visma.se/pressreleases/mjukvaruleverantoeren-kesaya-utsatt-foer-en-global-cyberattack-som-paaverkar-detaljhandeln-3114593
[5] hxxps://en.wikipedia.org/wiki/Rewards_for_Justice_Program
[6] hxxps://rewardsforjustice.net/english/malicious_cyber_activity.html
[7] hxxps://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
[8] hxxps://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/
[9] hxxps://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/
[10] hxxps://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/
[11] https://securelist.com/apt-luminousmoth/103332/