Cybersecurity Week in Review: 3/01/21
Posted by: GuidePoint Security
This week’s roundup of cybersecurity news highlights how threat actors continue to launch sophisticated attacks, including a complex, multi-stage attack on Microsoft Exchange servers, a malware campaign that abuses search engine optimization, a phishing campaign aimed at Wall Street investors, and new evidence in the SolarWinds attack.
Criminals leveraging SEO features to distribute malware
Gootloader, a malware delivery framework, is using search engine optimization (SEO) techniques to deliver payloads of all types, including ransomware and trojans. According to researchers, Gootloader has grown well beyond its original framework, which operated as a banking trojan focused on credential theft. Its capabilities now include memory injection, fileless execution, and components written in several programming languages.
The JavaScript-based malware has been active since 2011. Over the last few years the operators behind the Gootkit trojan expanded beyond banking fraud and established a partnership with the REvil/Sodinokibi ransomware crew, and researchers have recently observed Gootloader delivering the Kronos trojan and Cobalt Strike (a commercial adversary-simulation tool built for penetration testing).
The current version of Gootloader reaches systems through legitimate, compromised web pages that host malicious ZIP archives. The malware developers manipulate search engine rankings so that these pages appear near the top of the results. Researchers call the technique ‘search engine deoptimization’: malicious code is injected into legitimate websites with good reputations, and the attackers then use their control over those sites to drive search rankings for highly specific queries such as “employee retention bonus agreement template.” The injected code checks each visitor. Anyone searching from outside a target country is shown benign content, while visitors from a target location are redirected to a fake web forum page offering a ZIP file. The archive contains a JavaScript file which, when the user opens the archive and runs it, fetches the next stage from a remote server and runs it in memory rather than writing the payload to disk.
This first stage is heavily obfuscated to evade antivirus scanning. Once past it, Gootloader downloads a component the researchers call the “dotNET injector”, which is responsible for loading the final payload, such as REvil ransomware or the Gootkit trojan.
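The ZIP-wrapped script described above is the point where a mail or web gateway gets its first look at the lure, so it is worth having a triage check for exactly that shape. The script below is an added example, not code from the original article or from any vendor's tooling. It opens a ZIP archive in memory, flags members whose extension Windows would hand to a script host, catches a document extension used to disguise a script extension, and reports byte entropy as a rough obfuscation signal. The archive, member names and script bodies are constructed for the example, and the entropy threshold is a heuristic chosen here, not a published indicator.

```python
"""Triage a ZIP archive for script payloads posing as documents.

Added example, not code from the original article or from any vendor.
The archive, member names and contents below are constructed to resemble
the lure described in the text; nothing here is a real sample.
"""
import io
import math
import zipfile
from collections import Counter

# Extensions Windows hands to a script host or shell when double-clicked.
# Gootloader's lures are .js; the rest are common alternatives in similar campaigns.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}

# Extensions a user expects when searching for a "template" or "agreement".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, higher for packed or obfuscated code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suffixes(name: str) -> list:
    """'dir/contract.pdf.js' -> ['.pdf', '.js'], so double extensions can be checked."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_zip(blob: bytes) -> list:
    """Return (member name, reasons, entropy) for each member worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = suffixes(info.filename)
            reasons = []
            if exts and exts[-1] in SCRIPT_EXTENSIONS:
                reasons.append(f"script payload ({exts[-1]})")
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append("document extension hides the script extension")
            ent = shannon_entropy(zf.read(info))
            # Readable JavaScript sits near 4.5-5.2 bits/byte; a heavily obfuscated
            # first stage (random identifiers, encoded blobs) tends to push past 5.5.
            # The threshold is a heuristic for this example, not a published indicator.
            if reasons and ent > 5.5:
                reasons.append(f"entropy {ent:.2f} bits/byte suggests obfuscation")
            if reasons:
                findings.append((info.filename, reasons, ent))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: a .js named after the search query, a disguised second
    script, and a benign text file. The script bodies are made-up stubs."""
    stub = "var _0x4f2a=['\\x68\\x74\\x74\\x70','\\x6f\\x70\\x65\\x6e'];function q9Zx(a,b){return a^b;}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("employee retention bonus agreement template 38571.js", stub * 20)
        zf.writestr("contract.pdf.js", stub * 5)
        zf.writestr("readme.txt", "Thanks for downloading the template.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons, ent in triage_zip(build_sample_archive()):
        print(f"{name}: {'; '.join(reasons)} (entropy {ent:.2f})")
```

Extension checks are cheap and catch the delivery shape regardless of how the script body is obfuscated; the entropy figure is there to prioritise, not to decide, since a legitimately minified script can score high as well.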
More on this story can be found here, here, and here.
Wall Street investors targeted with business email compromise scams
Cybercriminals are targeting Wall Street investors with business email compromise (BEC) attacks involving unusually large sums of money.
Business email compromise is a type of phishing scam that typically involves spoofing the business name or email address of a legitimate organization and sending a fake email to the victim. The email may request money, in the form of an invoice or wire transfer, or occasionally sensitive information such as employee Social Security numbers.
In this most recent scam, cybercriminals target investors with fake ‘capital call’ notices. A capital call is a request from an investment firm for an investor to pay in money that the investor has already committed to a specific investment.
In these incidents, the BEC actors pose as an investment firm and request that previously committed funds be transferred to an account the criminals control. According to researchers, the threat actors do not necessarily have insider knowledge of particular investments; instead, they email the investor’s accounts payable staff with a capital call notice demanding a drawdown for a fictitious investment. If the accounts payable staff complies and wires the money, the criminals quickly move it to another account and then use money mules to withdraw it before the bank can trace the funds and return them to the victim.
The average payout in this scam has been particularly hefty, averaging $809,000, more than seven times the usual amount in a BEC wire transfer scam. You can read more on this scam in the article: Investors are the next target of large-scale cyberattacks
Major attack involving MS Exchange servers
Last week, organizations in the retail, education and government sectors were hit with a major attack targeting vulnerabilities in on-premises Microsoft Exchange servers. The vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, are used as a chain: the first is a server-side request forgery that lets an unauthenticated attacker send requests to the Exchange server as if they came from a trusted source, and the other three allow code execution and arbitrary file writes once that foothold is obtained. Together they gave the attackers persistent access to and control over the enterprise network, including the ability to steal email.
Microsoft issued fixes for the vulnerabilities on March 2. At the time the patches were released, Microsoft said the zero-days had already been used in attacks against “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.” Microsoft attributed the exploitation to a group it calls ‘Hafnium,’ which it assesses to be state-sponsored and operating out of China. Microsoft also noted that while the group is based in China, it conducts its operations primarily from “leased virtual private servers (VPS) in the United States.”
Researchers noticed the attacks and began investigating as early as January 5, 2021, and several security firms notified Microsoft on January 27 and February 2. Researchers believe attack traffic can be traced back to at least January 3.
Exploitation appears to have increased sharply around the release of Microsoft’s update on March 2. Security professionals are now reporting that the threat actors have likely compromised “hundreds of thousands” of Microsoft Exchange servers worldwide.
Adding to the complications, Microsoft warned IT admins last week that the updates may not install properly if they are run without administrator privileges on servers where User Account Control (UAC) is enabled; the installer can appear to succeed while leaving vulnerable files in place. (Microsoft has published details on the correct update procedure.) And, unfortunately, patching alone does not help if the threat actors had already deployed a web shell backdoor on the Exchange server before the patch was applied: the web shell keeps working, and the attackers keep their access. In response, early this week Microsoft pushed out an update to its Microsoft Safety Scanner (MSERT) to help organizations detect web shells deployed in the Exchange attacks.
Microsoft is also strongly urging organizations to investigate their Exchange deployments (using these recommendations) to ensure servers have not been compromised.
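Two checks a responder can run against the artifacts Microsoft's guidance points to are shown below as an added example; this is not code from the article, from Microsoft or from GuidePoint. The first parses Exchange HttpProxy logs and applies the CVE-2021-26855 indicator from Microsoft's published Hafnium guidance: a request with an empty AuthenticatedUser whose AnchorMailbox begins with “ServerInfo~” and names a host and path, which is what the proxy records when the SSRF is used to reach a back end. The second flags server-side script files under C:\inetpub\wwwroot\aspnet_client, one of the drop directories Microsoft listed, which contains no .aspx pages in a normal install. The log excerpt (with a trimmed column set) and the file listing are constructed. The owa\auth directory Microsoft also listed is deliberately left out of the path check because it legitimately contains .aspx files and needs a known-good baseline rather than a blanket rule.

```python
"""Post-patch triage for Exchange servers exposed to the HAFNIUM attacks.

Added example, not code from the original article, from Microsoft or from
GuidePoint. The CVE-2021-26855 log indicator and the aspnet_client drop
directory come from Microsoft's published HAFNIUM guidance; the log excerpt
(with a trimmed column set) and the file listing are constructed.
"""
import csv
from pathlib import PureWindowsPath

# Constructed excerpt of an Exchange HttpProxy log. Real files have the same
# comment headers but many more columns; only the ones this check reads are kept.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:01.000Z
#Fields: DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus
2021-03-03T00:01:12.000Z,0f1e2d3c,/owa/auth/logon.aspx,contoso\\alice,alice@contoso.com,Mozilla/5.0,10.0.0.15,200
2021-03-03T00:02:05.000Z,1a2b3c4d,/ecp/default.aspx,,ServerInfo~mail.contoso.com/ecp/default.aspx,python-requests/2.25,198.51.100.23,200
2021-03-03T00:02:09.000Z,5e6f7a8b,/autodiscover/autodiscover.xml,,ServerInfo~mail.contoso.com/autodiscover/autodiscover.xml,python-requests/2.25,198.51.100.23,200
2021-03-03T00:03:44.000Z,9c0d1e2f,/ews/exchange.asmx,contoso\\bob,bob@contoso.com,Microsoft Office/16.0,10.0.0.22,200
"""

# Constructed directory listing. In a normal install the aspnet_client tree holds
# only static ASP.NET client scripts, never .aspx pages.
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\WebForms.js",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\supp0rt.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\discover.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
]

# Drop directories that should never hold server-side scripts. owa\auth is not
# listed here because it legitimately contains .aspx files (see the lead-in).
WEBSHELL_DROP_DIRS = (r"C:\inetpub\wwwroot\aspnet_client",)
SERVER_SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def parse_httpproxy_log(text: str) -> list:
    """Parse Exchange's comment-prefixed CSV; the '#Fields:' line supplies the header."""
    header, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            header = [c.strip() for c in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#"):
            if header is None:
                raise ValueError("data line before #Fields header")
            rows.append(dict(zip(header, next(csv.reader([line])))))
    return rows


def find_ssrf_hits(rows: list) -> list:
    """CVE-2021-26855 indicator (Microsoft): the request carried no authenticated
    user, yet HttpProxy anchored it to a back end named by the client, which shows
    up as an AnchorMailbox of the form 'ServerInfo~host/path'."""
    hits = []
    for row in rows:
        anchor = row.get("AnchorMailbox", "")
        if row.get("AuthenticatedUser", "") == "" and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append((row["DateTime"], row["ClientIpAddress"], row["UrlStem"], anchor))
    return hits


def find_webshell_candidates(paths: list) -> list:
    """Server-side script files inside directories that should contain none."""
    suspicious = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() not in SERVER_SCRIPT_EXTS:
            continue
        if any(str(wp).lower().startswith(d.lower() + "\\") for d in WEBSHELL_DROP_DIRS):
            suspicious.append(str(wp))
    return suspicious


if __name__ == "__main__":
    for when, ip, stem, anchor in find_ssrf_hits(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)):
        print(f"SSRF pattern {when} from {ip}: {stem} -> {anchor}")
    for path in find_webshell_candidates(SAMPLE_LISTING):
        print(f"unexpected server script: {path}")
```

A hit from the log check means the server was probed or exploited before the patch landed, which is exactly the case the article warns about: the fix stops further exploitation but does nothing about a web shell already written to disk, so a log hit should always be followed by the file check and by a full review of what the attacker did with the access.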
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) also issued an emergency directive last week requiring all Federal Civilian Executive Branch agencies running on-premises Microsoft Exchange products “to update or disconnect the products from their networks until updated with a Microsoft patch.”
You can read more on this dangerous threat in these articles:
- Everything you need to know about the Microsoft Exchange Server hack
- A Basic Timeline of the Exchange Mass-Hack
- White House cites ‘active threat,’ urges action despite Microsoft patch
- Microsoft Exchange Server Exploits Hit Retail, Government, Education
- Microsoft: Exchange updates can install without fixing vulnerabilities
New Evidence in the SolarWinds Breach
Researchers have uncovered evidence suggesting that a China-based threat actor was behind the Supernova web shell, which was deployed on Windows systems by exploiting a then-undisclosed vulnerability in SolarWinds’ Orion platform. Late last year Microsoft disclosed that a second group, separate from the actor behind the original Orion supply-chain compromise, may have been exploiting SolarWinds software to drop a persistent backdoor named Supernova on targeted systems. GuidePoint Security’s Digital Forensics & Incident Response team first identified that the Supernova web shell was implemented as a trojanized version of the Orion application’s existing ‘app_web_logoimagehandler.ashx.b6031896.dll’ module.
The connection to a Chinese actor, tracked as Spiral, emerged after the researchers who discovered the malware in November 2020 found similarities between that incident and earlier intrusion activity on the same network uncovered in August 2020. In the earlier intrusion the attackers had exploited a vulnerability in ManageEngine ServiceDesk and had maintained access since as early as 2018. Attacks on ManageEngine servers have previously been associated with Chinese threat groups, and the modus operandi, long-term persistence used to collect credentials, exfiltrate sensitive data and steal intellectual property, matches as well. In addition, an IP address involved in the researchers’ investigation was geolocated to China.
More on this story can be found here.
Final Words
Last week’s news of the significant attack on Microsoft Exchange servers’ vulnerabilities underscores a key message pushed constantly by cybersecurity professionals—Patch. Patch. Patch.
However, the challenge for many IT admins is patching quickly enough. As the Hafnium attack shows, threat actors were already exploiting the Exchange vulnerabilities in early January, at least two full months before Microsoft released the updates. Cybersecurity news outlets report that these threat actors have likely already planted web shells on the Exchange servers of hundreds of thousands of organizations worldwide, giving them remote control of the victims’ servers. And patching closes the vulnerabilities without removing those web shells: a server that was compromised before it was patched remains under attacker control until the web shell is found and removed.
According to cybersecurity reporter Brian Krebs: “KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.” Other security researchers involved in the initial discovery of the Hafnium attacks are calling the situation a “ticking time bomb” and the cleanup effort “Herculean”.
The bright side is that most researchers believe the attack was caught early enough to give IT and security departments the opportunity to patch and to find and remove malicious tools such as web shells before the attackers can follow up with additional attacks.
This story will likely continue to evolve over the coming weeks and months. IT and security teams are urged to remain vigilant and alert for future updates and remediations.
GuidePoint Security