Intel Reports

Activity Summary - Week Ending on 27 July 2023:

• Red Sky Alliance identified 1,969 connections from new IP’s checking in with our Sinkholes
• Demenin B.V. hit 302x
• 143 ‘new’ Botnets hits
• Juypiter
• ASW Credential Attack
• Estée Lauder
• MOveIT, Black Cat and CI0P
• School Cyber Security
• FCC

Red Sky Alliance Compromised (C2) IP’s  

On 26 July 2023, Red Sky Alliance identified 1,969 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Red Sky Alliance Malware Activity   

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 26 July 2023, analysts identified 143 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Jupyter Notebooks - In December 2022, the threat research team at Permiso Security reported about a cloud credential stealer campaign that primarily targeted Amazon Web Services (AWS) credentials from public-facing Jupyter Notebooks services. The actors likely accessed these impacted services through unpatched web application vulnerabilities.  From 14 June 2023 through the end of the month, SentinelLabs worked with the Permiso team to track and analyze files related to a new incarnation of this campaign targeting exposed Docker services. The hallmark shell scripts remain the core of these campaigns, though we also identified an Executable and Linkable Format (ELF) binary written in Golang. The research team at Aqua also recently reported elements they observed from these actors’ abuse of Docker images.  SentinelLabs thanks the Permiso Security research team for their collaboration on the research in this report. The Permiso team released a blog about this campaign, which can be found here.[1]

Tooling Updates:  Since the December campaign, the actor has made several updates to how their tooling works.

Script Functionality - The December campaign targeted AWS credentials; the most recent campaigns added functions that target credentials from Azure and GCP.  The actor actively modified these features as the campaigns evolved throughout June: Initially, a script aws.sh contained references to Azure credentials, but the relevant function was not called.  A week later, samples emerged where the Azure credential functions were called.  The actor stored the generic credentials in an array labeled CRED_FILE_NAMES. The AWS-specific array from the original script ACF has been replaced with AWS_CREDS_FILES.  Below is in more detail in the next section. There are also two new cloud service provider (CSP)-specific credentials variables: GCLOUD_CREDS_FILES and AZURE_CREDS_FILES.

The actor made the script more modular as it grew larger and more complex.  The AWS functionality is now split into three smaller functions that are driven by the run_aws_grabber function only if the system is identified as AWS. This increases the efficiency of the script by running AWS commands only on AWS systems, which also enhances the script’s stealth.

Infrastructure - The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns.  Instead, C2 activity relies on a hardcoded username and password combination that are passed as arguments to the curl command.  The older campaign infrastructure was hosted on a Netherlands-based IP associated with Nice IT Services.  The attacker has since moved infrastructure to AnonDns, a dynamic domain name service (DDNS) provider.  The campaigns through June 2023 use one of several AnonDNS subdomains:

• anondns.net
• anondns.net
• ap-northeast-1.compute.internal.anondns.net

Credentials Collection - The newer versions target credentials in newly added arrays GCLOUD_CREDS_FILES and AZURE_CREDS_FILES.  The versions emerging the week of 6/26/2023 added .env and docker-compose.yaml; the version from 6/15/2023 has env without the period, so the actor is apparently updating the tool to be more effective in the newest campaign.  The newest campaign also has a new variable, MIXED_CREDFILES which contains only redis.conf.  The newer versions omitted the following credentials files that were present in the December campaign’s ACF:

• cloud
• .npmrc
• gpg

The credentials collection logic in the new campaign’s samples targets the following services & technologies:

There is considerable overlap in the targeted files between these credential stealer campaigns and the TeamTNT Kubelet-targeting campaign reported by Sysdig in October 2022.

Arrays containing targeted credential file names in grab.sh

The script uses the cred_files function to search for credentials files on the system, write them to a temporary file $EDIS, copy the new file to a master credential-holding file $CSOF, then delete the temporary file.  The $EDIS and $CSOF variable file names and paths are randomly generated via the special use Bash variable $RANDOM, meaning the value is an integer between 0 and 32767 that changes each time $RANDOM is accessed.

The cred_files function in aws.sh

AWS - The new scripts show more attention to making the features modular, a natural evolution as a script becomes more complex.  The AWS-specific functionality is driven by a function named run_aws_grabber. Most AWS-centric features from the December campaign have been rolled into one of four functions driven by run_aws_grabber:

• get_aws_infos: Queries the AWS instance metadata service (IMDS) for IAM configuration and sets the output to $AWS_INFO, as well as security credential configuration from EC2 and IAM resources, which are set to $AWS_1_EC2and $AWS_1_IAM_NAME, respectively.
• get_aws_meta: Writes the values from each of the variables generated in get_aws_infosthen parses the data for specific values via grep and extracts them using sed, writing the output to the $CSOF variable.
• get_aws_env: Checks for values in AWS credential related variables, writes them to $CSOFwhen present.

When the $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is found, the function calls curl against the URL, then modifies the response using sed to format specific values into an aws configure set command. For example, the string AccessKeyId in the response is transformed to aws configure set aws_access_key_id.  The actor likely chose to format the values as a command so that the output feeds into additional automated actions.

The get_aws_env function in aws.sh

get_awscli_data: This function is only implemented in the two most recent versions: the function exists in the 6/15/2023 version of aws.sh, but it is not called. The function invokes aws sts get-caller-identity to collect the 12-digit AWS account identifier and writes the result to $CSOF.

Azure & GCP - A notable recent addition is logic specific to the Azure and Google Cloud platforms. The get_azure and get_google functions are implemented in the newest versions seen on 06/26/2023; the logic was present in the 6/15 campaign, but the functions were not called. These changes indicate that these features are being actively developed, so we expect more changes as the actors roll out and test these features.

Newly implemented get_azure function in g.aws.sh

System Profiling - The attackers now perform system profiling through the aws.sh scripts as well as other scripts delivered under certain conditions.  Another new feature is the get_docker function, which checks if the environment is a Docker container.  When it is, the function runs docker inspect against each running container and saves the result to $CSOF. The output will not necessarily have credentials and this likely serves as a mechanism for system profiling.  Additionally, the new version added the function get_prov_vars, which calls cat /proc/*/env* to collect environment variable details from each running process and writes the result to $CSOF.  The actor likely does this to enumerate other valuable services running on the system for manual targeting.  Researchers also observed profiling activity from Data.sh, a post-exploitation script that collects details from the system and sends it to the attacker’s server.  The script uses Bash to craft a web request to download the curl binary from the attacker’s server through the bashload function.  This is notable because attacks against minimal systems–such as containers–can be limited by the absence of ubiquitous binaries like curl.

The bashload function in Data.sh

The attacker sets variables for a lockfile and datafile in /var/tmp.  The result of the following reconnaissance commands is written to the datafile:

The script then sends the results collected in the datafile to the C2 using curl with a provided username and password.

Credentials Exfiltration - After collecting and processing the credentials, the credentials stealing scripts use curl to exfiltrate the contents of the $CSOF file to an AnonDNS-hosted server.  The script contains hardcoded credentials that are used to authenticate the request.  The June 2023 campaigns use the following username, password, and server URL combinations:

The send_data function from g.aws.sh

Propagation - In addition to the usual shell scripts, we observed the actor delivering a UPX-packed, Golang-based ELF binary.  The binary ultimately drops and executes another shell script that scans an actor-specified range and attempts to propagate to vulnerable targets. Rsearchers believe the reason the actor used this binary to deliver yet another script is due to the relatively noisy nature of the scanning activity.  The scanner is hidden as an embedded base64 object within the packed Golang binary, adding more stealth than a standalone shell script. Additionally, the binary drops Zgrab–a Golang network scanning tool–which depends on Golang environment variables that are set by running the parent Go binary.  The implemented code enables the binary to read a command from a string and execute it using os_exec.

The main_main function

The main_main function decodes an embedded base64 blob, resulting in a Bash script that is written and then executed by the main_runCommand function. In the embedded script, the setupsomething function downloads the following packages on systems using the Yum package manager:

• Compiler and code processing: gcc make git jq
• Network utilities: libpcap libpcap-devel curl
• This function also downloads the following packages on systems that use the Apt package manager:
• Compiler and code processing: gcc make git jq
• Network utilities: 8 libpcap0.8-devmasscan curl
• Next, setupsomethingchecks if masscan, docker, and zgrab are installed. If not, the script downloads the dependencies from the attacker’s server, hosted at the URI: /bin/[bin_name].
• The dAPIpwnfunction takes the following arguments:
• IP range: collected from the C2 server at /gr.php
• Ports: 2375, 2376 – respectively used for Docker unencrypted and encrypted communications
• Rate: 500,000 packets per second

The function passes these arguments to masscan, which scans the specified IP ranges then passes the results to zgrab, which looks for http responses from the remote endpoint /v1.16/version.  The output is filtered using grep to search for lines containing the strings 'ApiVersion' or 'client version 1.16'.  Aqua also detailed a step in the attack chain that looks for misconfigured Docker daemons running version 1.16. Interestingly, a Shodan search revealed only apparent honeypot systems responding with these strings on the specified ports.  When a system is deemed vulnerable, the script calls back to the C2 using curl with the vulnerable IP address and port added to the request URI.

Embedded script that scans for vulnerable Docker instances

Conclusion - This campaign demonstrates the evolution of a seasoned cloud actor with familiarity across many technologies.  The meticulous attention to detail indicates the actor has clearly experienced plenty of trial and error, shown in choices like serving the curl binary to systems that do not already have it.  The actor has also improved the tool’s data formatting to enable more autonomous activity, which demonstrates a certain level of maturity and skill.  While AWS has long been in the crosshairs of many cloud-focused actors, the expansion to Azure and GCP credentials indicates there are other major contenders holding valuable data.  Researchers believe this actor is actively tuning and improving their tools.  Based on the tweaks observed across the past several weeks, the actor is likely preparing for larger scale campaigns.  The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets.  The current focus on Docker is ultimately arbitrary: this actor has previously targeted other technologies and there are many other oft-forgotten vulnerable applications.  Organizations can prepare against these attacks by ensuring that applications are configured properly and patched as security fixes become available.  Docker access should be restricted to suit your organization’s needs while reducing exposure from outside connections.

Indicators of Compromise

Monero Wallet address, C3Pool XMR

43Lfq18TycJHVR3AMews5C9f6SEfenZoQMcrsEeFXZTWcFW9jW7VeCySDm1L9n4d2JEoHjcDpWZFq6QzqN4QGHYZVaALj3U

Domains

• ap-northeast-1.compute.internal.anondns[.]net
• anondns[.]netsilentbob.anondns[.]net
• anondns[.]net
• IPv4s
• 154.218.221
• 9.148.108
• URLs
• http[:]//silentbob.anondns.net/bin/chattr
• http[:]//silentbob.anondns.net/bin/a
• http[:]//silentbob.anondns.net/cmd/grab.sh
• http[:]//silentbob.anondns.net/cmd/clean.sh
• http[:]//silentbob.anondns.net/cmd/aws.sh
• http[:]//silentbob.anondns.net/cmd/xc3.sh
• http[:]//silentbob.anondns.net/bin/sysfix/curl.full
• http[:]//silentbob.anondns.net/bin/chattr
• http[:]//silentbob.anondns.net/insert/gscat.php
• http[:]//anondns.net/insert/tmate.php

GLOBAL TRENDS:

US - Estée Lauder Companies, the organization behind global cosmetics brands such as Aveda, Clinique, Estée Lauder, Mac and Origins, has suffered a cyber-attack that appears to have been the work of two distinct groups, namely the ALPHV/BlackCat and Cl0p ransomware operations.  Full details of the still-unfolding incident have yet to emerge, but in a statement, the organization said it believed it has resulted in data exfiltration. It is currently seeking to establish the nature and scope of that data.[2]

In a statement, the group said: “The Estée Lauder Companies Inc has identified a cyber security incident, which involves an unauthorized third party that has gained access to some of the company’s systems.  “After becoming aware of the incident, the company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cyber security experts.  The company is also coordinating with law enforcement.”  The organization said it was currently implementing further measures to secure its operations and would take additional steps if needed.  It added that it remains fully focused on remediation, including attempts to restore impacted systems, but acknowledged that the incident has and will continue to cause disruption to parts of its operations.  Meanwhile, the disclosure has attracted attention in the security community since both BlackCat and Cl0p have claimed responsibility.

On 18 July, Cl0p, the ransomware-cum-extortion operation behind the ongoing MOVEit Transfer breach, named Estée Lauder Companies on its dark web leak site, following either the failure or non-occurrence of negotiations.  At the same time, the gang named several other victims, according to researcher Dominic Alvieri, including American Airlines and comms regulator Ofcom, which has already disclosed it was victimized in the MOVEit incident.  It remains unknown if Estée Lauder Companies was itself a user of Progress Software’s MOVEit Transfer file transfer tool, which was first attacked via a zero-day by Cl0p almost two months ago, or whether it was compromised, as many others have been, via a third-party supplier.

Later in the evening, BlackCat also named Estée Lauder Companies to its own website. No details of how it supposedly accessed the victim’s systems have been made public.  Other recent victims claimed by the highly active gang include Barts NHS Trust and storage supplier Western Digital.  In screengrabs shared by Emsisoft’s Brett Callow via Twitter, a Cl0p representative claimed it had extracted 131GB of data from Estée Lauder Companies. Its representative posted: “The company doesn’t care about its customers, it ignored their security!!!”

A BlackCat representative wrote: “Estée Lauder, under the control of a family of billionaire heirs.  Oh, what these eyes have seen.  We will not say much for now, except that we have not encrypted their networks.   Draw your own conclusions for now.  Maybe their data was worth a lot more.   And another note to the public, ELC been attacked [sic] by our colleagues at Cl0p regarding the MOVEit vulnerability attacks.  We are not sure if anything came of this, but we only knew because they mentioned it in their emails.  We have reiterated to ELC that we are not associated with them and that this is completely separate.”

MOVEit cyber attack timeline:

• 31 May: Rapid7 observed exploitation of a SQL injection vulnerability in Progress Software’s managed file transfer product.
• 5 June: Microsoft said the recently disclosed zero-day flaw in Progress Software’s managed file transfer product is being exploited by threat actors connected to the Cl0p ransomware gang.
• 6 June: The BBC, Boots and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer product, exploitation of which is spreading fast.
• 7 June: The Cl0p cyber extortion and ransomware operation demands organizations pay a ransom to avoid data stolen via an exploited vulnerability in a file transfer product being leaked.
• 8 June: The Cl0p cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability they used to penetrate the systems of multiple victims secret for two years.
• 9 June: Network equipment and services supplier Extreme Networks revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Cl0p cyber attack.
• 9 June: Progress Software released a patch for a second MOVEit Transfer issue, which was uncovered by third-party security specialist Huntress Security during post-incident code scanning.
• 12 June: Communications regulator Ofcom said data on employees and regulated communications companies was stolen by the Cl0p gang.
• 14 June: A seven-day deadline set by Cl0p for victims of its latest attack to contact it to arrange payment passed on 14 June.
• 14 June: Cl0p uploaded details of 12 new victims to its dark web leak site late on 14 June.
• 16 June: CISA director Jen Easterly said "several" US agencies suffered intrusions via their MOVEit Transfer instances, but have not seen significant effects from the attacks.
• 11 July: Cl0p's data theft extortion campaign against MOVEit Transfer customers has apparently compromised hundreds of organizations. But it's unclear how many victims have paid ransoms.
• 13 July: Five weeks after the mass MOVEit breach, new vulnerabilities in the file transfer tool are coming to light as the Cl0p cyber crime group continues to terrorize victims. But has the gang bitten off more than it can chew?

US - As ransomware and other cyber-attacks become an increasingly potent threat to schools nationwide, a proposal by US Federal Communications Commission (FCC) Chairwoman seeks to create the first federal funding stream to help districts fight back.  A three-year pilot program announced by the FCC earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months, if not more than a year, before the help makes its way to schools as education groups demand a more urgent federal response.[3]

As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” the chair said in a 12 July speech before the School Superintendents Association and the Association (AASA) of School Business Officers International.  Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested.  The FCC had previously considered allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year.  Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said the group’s associate executive director of advocacy and governance.  She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data.  “All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” she said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”

A recent report by cybersecurity provider Sophos found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks, a marked 43% increase from 2021.  The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs.  Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records.  An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.  Last month, New York City Public Schools, the country’s largest district, acknowledged that some 45,000 students’ information had been stolen in a massive cyber-attack on the file-sharing software MOVEit.  The MOVEit attack has resulted in data breaches at least 375 companies and organizations, including universities in at least a dozen states.  The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many students nationally.

[1] https://www.sentinelone.com/labs/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/

[2] https://www.computerweekly.com/news/366545044/BlackCat-and-Clop-gangs-both-claim-cyber-attack-on-Estee-Lauder

[3] https://www.the74million.org/article/new-200m-fcc-proposal-could-help-districts-combat-cyber-attack-onslaught/