Tips
Open Sources Intelligence Update for February 27, 2024
Threat ID:scwx-TIPS 10307
Release Date:Feb 27

The daily Open Source Intelligence Update is compiled by the Secureworks(R) Counter Threat Unit(TM) (CTU) research team to highlight CTU(TM) activities, major issues, and trends affecting Secureworks customers. Links to external articles are provided for awareness and do not represent endorsement by CTU researchers.


CTU Research

CTU public blog post: Widespread Exploitation of ConnectWise ScreenConnect Server Vulnerabilities https://www.secureworks.com/blog/widespread-exploitation-of-connectwise-screenconnect-server-vulnerabilities


Open Source Intelligence

CISA and partners warn about IRON RITUAL cloud TTPs

The Cybersecurity Infrastructure Security Agency (CISA), in partnership with UK National Cyber Security Centre (NCSC) and other U.S. and international agencies released a joint advisory concerning recent tactics, techniques, and procedures (TTPs) used by the Russian state-sponsored threat group IRON RITUAL to gain initial access into a cloud environment.

CTU comment

IRON RITUAL is the Russian Foreign Intelligence Service (SVR)-affiliated threat group that was behind recent compromises of Hewlett Packard and Microsoft. A previous joint advisory about IRON RITUAL, published in December 2023, covered the group's abuse since late September 2023 of vulnerable TeamCity servers.

This latest advisory covers how the group has updated its TTPs to reflect how organizations have moved their operations to the cloud. These TTPs include brute forcing and password spraying to access cloud service accounts that are not protected by multi-factor authentication. The group also abuses tokens for authentication to cloud services and enrolls new devices to the cloud. It additionally makes use of networks of residential proxies to disguise the origins of its activities, in a similar way to Russian GRU-affiliated threat group IRON TWILIGHT and Chinese state-sponsored threat group BRONZE SILHOUETTE.

The advisory provides further evidence that some Russian state-sponsored groups are evolving their TTPs to match the environment they operate in. IRON RITUAL's targeting includes aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. Organizations in these sectors should ensure that they can detect the TTPs described in the advisory.

Source

North Korea continues to target developers with malicious packages

Phylum has examined a set of fake npm packages discovered on the Node.js repository that it believes are linked to North Korean state-sponsored threat actors.

CTU comment

The report analyzes an npm package masquerading as a code profiler that actually installs several malicious scripts including a cryptocurrency and credential stealer. The malicious package's name appeared intended to confuse victims hoping to download a legitimate utility used to measure code execution time.

The malware comprised obfuscated JavaScript that overlapped with BeaverTail, a stealer observed by Palo Alto Unit 42 in 2023 that also loaded modular cross-platform malware written in Python that gives threat actors remote access to the victim's system, exfiltrates data and establishes command-and-control (C2) communications. Palo Alto attributed the activity to North Korean threat actors posing as employers to lure software developers into installing malware.

Phylum was able to link this package via comments in its code to a now-deleted GitHub profile 'Nino Acuna' or 'binaryExDev'. Accounts that this profile followed hosted further repositories containing malicious code that had been forked multiple times by software developers, some of whom may have been job-hunting. The objective appeared to be to deliver malware that would steal the developers' cryptocurrency and credentials. Takedowns led to the threat actors behind these further repositories adapting their tactics by self-hosting the malicious npm dependency, and to uploading new packages with identical features to npm.

In August 2023, Phylum reported on similar abuse of the npm package registry that was itself linked to June 2023 activity attributed by GitHub to NICKEL GLADSTONE, a financially motivated subset of Lazarus Group activity. This latest discovery therefore appears to reveal a continuation of North Korean malicious activity. Developers should exercise caution about code packages they download from npm and other repositories, ensuring that they are first downloaded to sandboxes before being used in production environments.

Source

Chinese data theft activities revealed

SpyCloud has examined TTPs used by Chinese cybercriminals to illegally obtain and trade large amounts of data, including personally identifiable information (PII).

CTU comment

SpyCloud correctly observes that much discussion of cybercrime activity regularly overlooks Chinese threat actors in favor of focusing on attacks conducted by threat actors from Russian and other Commonwealth of Independent States countries and from West Africa. CTU researchers have previously examined multiple financially-motivated network compromises conducted by Chinese cybercriminal groups with the intention of deploying ransomware or cryptomining software.

This report from SpyCloud focuses on a connected stream of activity - the trade in illicitly obtained data, which may then be leveraged in further attacks. This data can include both domestic and foreign PII, as well as credit card and other financial data. Compared to stealer data available on Russian underground forums, this Chinese data for sale can be far more current, and even "real-time", which appears to be a description for data stolen to order.

Although a lot of the activity described in the report seems to impact Chinese-speaking victims, SpyCloud says that it can pose a threat beyond China. The report makes for an interesting read, not least for the slang terms used by the threat actors involved in this trade.

Source


References