
Ankura CTIX FLASH Update - April 25, 2023

April 27, 2023

Malware Activity

Bumblebee Malware Loader Observed Infecting Machines through Fraudulent Software Installers

"Bumblebee," a malware loader discovered in April 2022, has been observed in a new campaign that uses Google advertisements and SEO poisoning to target enterprises with promoted, trojanized versions of popular applications such as Cisco AnyConnect Secure Mobility Client, Zoom, ChatGPT, and Citrix. Bumblebee is often seen in phishing campaigns that deliver "payloads commonly associated with ransomware deployments" and has been actively evolving since its creation. Researchers emphasized that trojanizing installers for software that is "particularly topical (e.g., ChatGPT)" or commonly used by remote workers increases the likelihood of new infections. Once Bumblebee has infected a victim device, the responsible threat actor has been observed moving laterally roughly three (3) hours after the initial infection and deploying Cobalt Strike along with the legitimate AnyDesk and DameWare remote access tools. The actor uses a scheduled task as a persistence mechanism for Cobalt Strike and downloads additional tools, including various scripts and a network scanning utility. Researchers believe that multiple threat groups and ransomware operations deploy Bumblebee, including Exotic Lily (a financially motivated threat group that uses ransomware variants such as "Conti" in its campaigns and is believed to work with FIN12), Quantum, and MountLocker. CTIX analysts urge users to ensure all software is up to date with the latest patches to mitigate this risk. Indicators of compromise (IOCs) can be viewed in the reports linked below.
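As an added defender-side example (not part of the Ankura update), the following Python sketch correlates the two post-infection behaviours described above, a scheduled task created for persistence and the appearance of a legitimate remote access tool on the same host, over constructed Windows Security/Sysmon-style events. The event field names, sample paths, the DameWare binary names and the four-hour correlation window are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real incident), loosely modelled on
# Windows Security 4698 (scheduled task created) and Sysmon 1 (process created).
EVENTS = [
    {"ts": "2023-04-20T12:05:40", "id": 4698, "host": "WS01",
     "task": r"\Microsoft\Windows\SyncCheck",
     "command": r"C:\Users\alice\AppData\Roaming\sync\upd.exe"},
    {"ts": "2023-04-20T12:09:02", "id": 1, "host": "WS01",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"ts": "2023-04-19T08:00:00", "id": 1, "host": "WS03",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"ts": "2023-04-19T20:00:00", "id": 4698, "host": "WS03",
     "task": r"\Tools\Run", "command": r"C:\Windows\Temp\run.exe"},
]

# Path fragments ordinary users can write to: a scheduled task whose action
# lives there is a common persistence pattern and deserves review.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Remote access tools named in the report; dwrcs/dwrcc (DameWare) are assumed names.
REMOTE_ACCESS_TOOLS = ("anydesk", "dwrcs", "dwrcc")

def suspicious_task(event):
    """True for a 4698 event whose task action runs from a user-writable path."""
    return event["id"] == 4698 and any(m in event["command"].lower() for m in USER_WRITABLE)

def remote_access_tool(event):
    """True for a process-creation event of an AnyDesk or DameWare binary."""
    if event["id"] != 1:
        return False
    name = event["image"].lower().rsplit("\\", 1)[-1]
    return any(t in name for t in REMOTE_ACCESS_TOOLS)

def correlate(events, window_hours=4):
    """Hosts where both indicators fall within window_hours of each other.
    Either indicator alone is noisy; the pair mirrors the report's post-infection
    sequence. The report cites ~3 hours, so the 4-hour default is an assumption."""
    by_host = defaultdict(list)
    for e in events:
        if suspicious_task(e) or remote_access_tool(e):
            by_host[e["host"]].append(e)
    window, alerts = timedelta(hours=window_hours), {}
    for host, hits in by_host.items():
        tasks = [datetime.fromisoformat(e["ts"]) for e in hits if suspicious_task(e)]
        rats = [datetime.fromisoformat(e["ts"]) for e in hits if remote_access_tool(e)]
        if any(abs(t - r) <= window for t in tasks for r in rats):
            alerts[host] = sorted(hits, key=lambda e: e["ts"])
    return alerts
```

Running `correlate(EVENTS)` flags WS01 (task and AnyDesk four minutes apart) but not WS03, where the two indicators are twelve hours apart.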

Threat Actor Activity

Threat Profile: Tomiris Group

A Russian threat organization has been targeting diplomatic/government entities throughout Central Asia with the objective of intelligence gathering. The group is tracked as Tomiris Group and has been active in the threat landscape since mid-2021, primarily focusing on the exploitation of government organizations throughout the Middle East and Southern Asia. Tomiris actors start their attack chain with spear-phishing campaigns against employees of the organization, drive-by downloads, or the exploitation of servers vulnerable to ProxyLogon. After the initial point of entry, Tomiris actors deploy a variety of malicious trojans and information stealers onto the system. A distinctive high-level tactic used by the group is the deployment of numerous false-flag scripts to the victim system, delivered repeatedly through simple distribution protocols. Malware families observed during this campaign include the open-source “WARZONE-RAT,” “Python Meterpreter” or “Roopy” for command-and-control (C2) actions, “Telemiris,” and the “JLORAT” information stealer. Additionally, indicators of compromise and tactics seen in these Tomiris campaigns show some possible association with the Russian state-sponsored Turla organization; however, there is not enough substantial evidence linking the two (2) together. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

PaperCut Print Management Solution Under Active Exploitation

A working proof-of-concept (PoC) exploit has been published for an actively exploited critical vulnerability affecting the PaperCut print management software. PaperCut is a print management solution for enabling, tracking, managing, and securing an organization's printing, copying, and scanning. The vulnerability, tracked as CVE-2023-27350, was given a CVSS score of 9.8/10 and is a remote code execution (RCE) flaw that allows unauthenticated attackers to execute malicious code on servers running vulnerable versions of PaperCut. Security researchers have reported that two (2) days after active exploitation started, threat actors were observed exploiting CVE-2023-27350 to install malicious remote management software from the internet. Once the threat actors had remote control of the targeted servers, researchers observed the installation of a malware strain known as “TrueBot.” TrueBot is linked to the notorious Clop ransomware group and its affiliates and was recently deployed in the exploitation of the GoAnywhere vulnerability. Researchers have also observed the exploitation of a related vulnerability, tracked as CVE-2023-27351. This is an authentication bypass vulnerability with a CVSS score of 8.2/10 that could allow unauthenticated attackers to exfiltrate sensitive data. A scan from the Shodan search engine revealed approximately 1,700 PaperCut instances exposed to the public-facing internet, and researchers have reported that approximately 900 of them remain unpatched. The wide availability of vulnerable servers, coupled with the low complexity of the attack, makes this flaw particularly troubling. CTIX analysts recommend that all organizations running PaperCut NG or MF install the most recent security patch to protect against exploitation by threat actors.

Honorable Mention

Cybersecurity Researchers Take Control of a European Space Agency Satellite

Researchers at Thales just announced their successful joint hacking demonstration in which they seized control of a European Space Agency (ESA) satellite. Researchers at Thales and members of ESA specifically orchestrated this satellite hacking exercise in time for the CYSAT conference this week in Paris to showcase the real-world consequences that cyberattacks could have on space systems. The demonstration coincidentally comes soon after highly classified leaked U.S. documents warned about China's development of similar capabilities that could allow it to seize control of satellites it deems hostile. The alleged documents shed light on capabilities that shy away from the traditional approach of communication jamming via signal blocking and instead mimic operator signals, which would enable the actor to effectively seize control of a satellite and deny its support for communications, weapons, surveillance, intelligence, and reconnaissance. Thales performed the demonstration on ESA's OPS-SAT nanosatellite, a satellite about the size of a shoebox with “an experimental computer ten times more powerful than any current ESA spacecraft.” While they do not plan to release the hard details of the demonstration until the CYSAT conference, Thales said they were able to hijack a number of ESA satellite systems using traditional cyberattack capabilities. The ethical hackers were able to inject malicious code into the satellite's system by first exploiting its "standard access rights to gain control of its application environment," thus making it possible to obfuscate data coming back from the satellite, such as imagery, while also concealing the malicious activity to avoid detection. As civilization expands onwards into space, this exercise is an opportunity to raise awareness of the flaws and vulnerabilities that exist where space systems and cybersecurity converge.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
