Hardcoded AWS Credentials

Summary: Symantec’s Threat Hunting team discovered over 1,822 iOS apps and 37 Android apps containing hard-coded AWS credentials. Most of the identified apps provide direct access to private cloud infrastructure, and a substantial portion allow access to live databases containing sensitive user and customer information.

The source of these vulnerabilities can be traced to shared components such as a library or third-party SDK (Software Development Kit). The developers using those components may have embedded the credentials for convenience during development, to access certain assets, and then overlooked them in the shipped code. The problem with leaving hard-coded AWS credentials in place is that the same token can usually be used to reach other AWS resources, exposing sensitive information well beyond the asset it was meant for.

Why it matters: Hardcoded AWS credentials are a supply chain vulnerability that can allow threat actors to access otherwise-secured technologies. In the case of these detected AWS vulnerabilities, the apps were built from open-source or shared components, and credentials embedded in those components bypass the access controls that normally protect the services behind them. More importantly, these hardcoded credentials can allow threat actors to pivot from one vulnerability to another, exposing sensitive user and customer data.
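The first line of defense against the leak described above is to scan what actually ships: the files of an unpacked app bundle and the third-party SDKs it embeds. The scanner below is an added example written for this page, not Symantec’s tooling or any project’s code; function names are hypothetical, the directory layout is constructed, and the key values are AWS’s published documentation examples rather than live credentials. It looks for access key IDs by their fixed shape (AKIA/ASIA prefix plus 16 uppercase alphanumerics) and for secret keys only when a configuration key name sits next to them, and it redacts every hit so the report does not re-leak what it found.

```python
import re
import tempfile
from pathlib import Path

# Added example (not Symantec's tooling): a scanner for AWS credentials left in
# files extracted from an app bundle or third-party SDK. Helper names are
# hypothetical; the sample key values are AWS's published documentation examples.

# Long-lived IAM user keys start with AKIA, temporary STS keys with ASIA; both
# are followed by 16 uppercase alphanumerics. Look-arounds keep the match from
# firing inside a longer identifier that merely contains those letters.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret key is 40 base64-alphabet characters with no distinguishing prefix,
# far too noisy to match alone, so only flag one that sits next to a config key
# name that says what it is.
SECRET_KEY_RE = re.compile(
    rb"(?i)(?:aws_?secret_?access_?key|secret(?:_?key)?)"
    rb"[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(token: str) -> str:
    """Keep only the ends so a report never re-leaks the credential it found."""
    return token[:4] + "..." + token[-4:]


def find_aws_credentials(data: bytes) -> list[dict]:
    """Return every access key ID and labelled secret key found in a byte blob."""
    hits = []
    for m in ACCESS_KEY_RE.finditer(data):
        hits.append({"kind": "access_key_id", "offset": m.start(),
                     "redacted": redact(m.group(0).decode("ascii"))})
    for m in SECRET_KEY_RE.finditer(data):
        hits.append({"kind": "secret_access_key", "offset": m.start(1),
                     "redacted": redact(m.group(1).decode("ascii"))})
    return sorted(hits, key=lambda h: h["offset"])


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk an unpacked bundle and map each offending file to its findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = find_aws_credentials(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample: a config file as a bundled analytics SDK might ship it.
SAMPLE_SDK_CONFIG = (
    b"# analytics-sdk.cfg (constructed sample)\n"
    b"endpoint = https://metrics.example.invalid/v1\n"
    b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"build_tag = ASIA2022\n"  # shares the prefix but is far too short to be a key
)
SAMPLE_CLEAN_FILE = b"# strings.txt (constructed sample)\nwelcome_title = Welcome\n"


def demo_scan() -> dict[str, list[dict]]:
    """Write the samples into a throwaway bundle directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Payload" / "App.app" / "Frameworks" / "Analytics.framework"
        bundle.mkdir(parents=True)
        (bundle / "analytics-sdk.cfg").write_bytes(SAMPLE_SDK_CONFIG)
        (bundle / "strings.txt").write_bytes(SAMPLE_CLEAN_FILE)
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        for h in hits:
            print(f"{path}:{h['offset']} {h['kind']} {h['redacted']}")
```

Run it against a directory produced by unzipping an IPA or APK, or wire `scan_tree` into the build pipeline so a release is blocked when it returns anything. A hit on a real key should be treated as compromised regardless of how it got there: deactivate and rotate it in IAM, then review CloudTrail for use of that key before it was found, because the point of the Symantec finding is that the same token usually reaches far more than the one asset the SDK needed.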

Lazarus Group Targeting Energy Companies

Summary: According to several sources, the North Korean Lazarus Group (APT38) has been targeting US, Canadian, and Japanese energy providers. The Cisco Talos group has observed Lazarus leveraging a known Log4j vulnerability to compromise VMware Horizon servers. Once a server is compromised, additional malware is loaded onto the affected system to grant persistent access for espionage. The long-term goal of this group is to siphon off trade secrets from top energy providers and turn them over to the North Korean government.

Cyber espionage is not new; however, the tactics behind these attacks are constantly evolving. This latest series of attacks reported by Cisco shows the actors using a “year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMWare Horizon servers.” Once the adversary has established a connection, a bespoke remote access trojan (RAT) is placed on the system so that the actors can exfiltrate data over an extended period.

Why it matters: Although monitoring and protection are in place, it is essential for the energy and other critical infrastructure industries to be aware of the constantly evolving nature of government-funded cyber espionage. It is for this reason that it is imperative to ensure safeguards are in place to protect company secrets. It is also increasingly important to patch systems to prevent hackers from taking advantage of known vulnerabilities on enterprise networks. Zyston monitors for possible exploitation of Log4j vulnerabilities as well as potential data exfiltration; however, constant vigilance is required from all parties to ensure proprietary data is safe from prying eyes.

New Phishing Attacks Target Multifactor Authentication

Summary: Multiple companies have reported a new, sophisticated phishing attack that uses SMS phishing messages carrying links to phishing sites. The messages mimic the name of the employer as well as the authenticating body. The most prevalent of these authenticating bodies has been “Okta,” so one of the most common formats for phishing links is “[COMPANY]-okta.com.” These websites are set up minutes before the texts are sent so that the phishing sites are not detected before the messages arrive.

The core vulnerability targeted by the threat actors is the user’s multifactor authentication (MFA) credentials. Normally, MFA credentials are an added layer of protection that further verifies the user’s identity. One of the most prevalent forms of MFA is the time-based one-time password (TOTP). The attackers rely on the users to provide not only their credentials but also the TOTP. Once these are entered on the phishing site, a Telegram messaging bot forwards them to the threat actor, who can then access the victim’s accounts before the one-time password expires.

Why it matters: It is commonly said that end users are the most vulnerable links in security. As such, multiple factors of authentication have been widely adopted to reinforce the standard authentication method of usernames and passwords. One of the more prevalent forms of doing so is applying TOTP and other forms of one-time passwords. This attack circumvents that defense by getting the target to enter the password on a fake website, giving the threat actor the ability to access the user’s account in their stead. The success of the attack has allowed threat actors to mount supply chain attacks. More importantly, these attacks show that even with formal training and technical controls, end users remain an attack vector.

Intermittent Encryption Ransomware

Summary: Threat actors have begun implementing intermittent encryption in ransomware to avoid detection and increase encryption speed. Rather than encrypting files in their entirety, the ransomware encrypts only parts of each file. By encrypting only parts of the files, the attackers manage to go undetected, and encrypting only small portions of each file reduces the attack time while maintaining its impact. Since a file with even part of its contents encrypted cannot be used, this new technique offers speed with no known downsides.

The intermittent encryption tactic was first used by LockFile in mid-2021 but has since spread to multiple ransomware families. The rise of Ransomware-as-a-Service and the number of ransomware offerings that include intermittent encryption show the growth of this tactic among attackers. As of now, most ransomware detection products use intense file I/O as a flag to detect attacks. However, the configurable settings and patterns of intermittent encryption can allow threat actors to minimize I/O operations and remain undetected.
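Because intermittent encryption is designed to stay under an I/O-volume threshold, a complementary detection looks at what was written rather than how much: a file that alternates between plaintext-like and random-looking regions has a footprint that normal documents rarely have. The block below is an added example written for this page, not any vendor’s detection logic. The chunk size, entropy threshold and function names are assumptions chosen for the illustration, and the “striped” sample is constructed by overwriting every other chunk of a text file with deterministic random-looking bytes; that stands in for ciphertext on disk and is not an encryption routine.

```python
import hashlib
import math
from collections import Counter

# Added example, not any vendor's detection logic: a chunk-entropy heuristic that
# flags files whose contents alternate between plaintext-like and random-looking
# regions, the on-disk footprint partial encryption leaves. Threshold, chunk size
# and helper names are assumptions chosen for this illustration.

CHUNK_SIZE = 4096    # inspect the file in 4 KiB windows
HIGH_ENTROPY = 7.0   # bits per byte; ciphertext and compressed data sit near 8,
                     # while text, XML and most executable code sit well below


def shannon_entropy(buf: bytes) -> float:
    """Entropy of buf in bits per byte: 0 for empty input, at most 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK_SIZE) -> list[float]:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK_SIZE) -> dict:
    """Label a file as plaintext, uniformly high-entropy, mixed or intermittent."""
    ents = chunk_entropies(data, chunk)
    high = [e >= HIGH_ENTROPY for e in ents]
    # Count how often consecutive chunks flip regime. A striped file flips on
    # nearly every boundary; a document with one embedded image flips once.
    flips = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if all(high):
        verdict = "high"           # fully encrypted, or simply compressed media
    elif not any(high):
        verdict = "plaintext"
    elif flips >= 2:
        verdict = "intermittent"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "chunks": len(ents), "high_chunks": sum(high),
            "flips": flips, "entropies": [round(e, 2) for e in ents]}


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) so the
    samples are reproducible. This only stands in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: a 64 KiB text report, the same report with every other
# 4 KiB chunk overwritten by random-looking bytes, and an all-random file.
SENTENCE = b"Quarterly revenue by region is attached; see the summary table below. "
PLAIN_FILE = (SENTENCE * (16 * CHUNK_SIZE // len(SENTENCE) + 1))[:16 * CHUNK_SIZE]


def stripe(data: bytes, every: int = 2, chunk: int = CHUNK_SIZE) -> bytes:
    """Overwrite one chunk in every `every` with random-looking bytes."""
    out = bytearray(data)
    for start in range(0, len(data), chunk * every):
        out[start:start + chunk] = pseudo_random_bytes(chunk, start.to_bytes(4, "big"))
    return bytes(out)


STRIPED_FILE = stripe(PLAIN_FILE)
RANDOM_FILE = pseudo_random_bytes(len(PLAIN_FILE))

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_FILE), ("striped", STRIPED_FILE), ("random", RANDOM_FILE)]:
        r = classify(blob)
        print(f"{name:8s} verdict={r['verdict']:13s} high_chunks={r['high_chunks']:2d} flips={r['flips']}")
```

Run `classify` over files as they are closed after a write, or over a sample of recently modified files, and raise an alert when many files flip to “intermittent” within a short window. It is one signal, not a verdict on its own: PDFs with embedded images and other formats that legitimately mix compressed and plain regions also produce a “mixed” or occasionally “intermittent” result, so pair it with signals the volume-based check already uses, such as mass renames and a sudden change in the file-type distribution of writes.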

Why it matters: Ransomware is one of the fastest-growing threats facing companies. It is of particular interest because it is a financially costly attack that can disrupt business operations. The development of Ransomware-as-a-Service allows less technically savvy individuals to deploy ready-made ransomware, which has increased both the number of threat actors and the number of victims. To combat this, companies have developed software to detect and block ransomware, and these defensive products have allowed companies such as Zyston to detect ransomware threats. In turn, malware developers have begun adapting their programs to evade those defenses. The use of sophisticated malware will continue to rise as further defenses are developed.

Fake Conversations in Phishing Emails

Summary: An Iranian hacking group, designated TA453, has been detected using multiple personas in phishing emails. Several fake personas, or sock puppet accounts, are CC’d on the email message to the victim, and these personas then reply to the thread to create a sense of legitimacy and trustworthiness. The fake personas use personal email addresses rather than impersonating the CC’d users’ institutional emails.

These elaborate email conversations are used to lure users into clicking malicious links attached to the email. Researchers have discovered that these links lead to a OneDrive link hosting a password-protected DOCX file. Three macros have so far been discovered in the attack. The macros run in the background to collect user credentials and a list of running processes, which are then exfiltrated using Telegram’s API (Application Programming Interface).

Why it matters: The prevalence of targeted phishing attempts has led to their inclusion in basic security training. This group’s new strategy aims to disguise phishing attempts as genuine conversations to gain the user’s trust and circumvent standard security awareness training. Impersonating institutions’ websites is a common tactic for threat actors to make contact; this new technique instead uses impersonated personal email addresses to subvert the standard expectations of what a phishing email looks like. This new tactic shows the importance of updating security training to keep pace with new threat actor tactics.

Security Tip of the Month

Summary: Always be suspicious of USB devices that are unfamiliar or were purchased outside the manufacturer’s blister pack. Hackers have recently been observed sending unsuspecting persons USB flash drives from an unknown source containing malware hidden within the firmware of the device, which infects any computer once it is connected. These devices have been known to circumvent host-based antivirus detection, as external devices are typically not scanned by AV prior to their use. The FBI and CISA recommend formatting even brand-new flash drives purchased from a reputable source prior to use to increase safety when using an external flash drive.

Adversaries have also been known to leave infected devices in parking lots and other communal spaces, like airports, in the hopes that curious people will insert them into their computers. It is recommended to just throw them away versus taking the risk of plugging them in and infecting your device(s).

Why it matters: Although leaving malicious devices is an older hacking tactic, it is still a very effective way to introduce malware onto systems without the need for immediate internet access. These infected devices can be used for a plethora of attacks, ranging from keyloggers that copy everything typed into a device and then forward that to the adversary later, to ransomware, which makes the device unusable. This data can include credit card numbers, social security numbers, passwords, and other potentially sensitive information that an adversary can use against a specific person or company. It is prudent to always run an AV scan on flash drives prior to their use to aid in the mitigation of any potential risk associated with their use.