Intel Reports

Activity Summary - Week Ending on 7 September 2023:

• Red Sky Alliance identified 933 connections from new IP’s checking in with our Sinkholes
• JPSP in Russia Hit Once
• 129 ‘new’ Botnets hits
• Project Discovery
• RCE Vulnerabilities
• Reverse Shell
• Adobe ColdFusion
• Costa Rica
• Switzerland

Red Sky Alliance Malware Activity   

Red Sky Alliance Compromised (C2) IP’s 

On 6 September 2023, Red Sky Alliance identified 933 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 6 September 2023, analysts identified 129 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

Keylogger IOCs available upon request. 

MALICIOUS CYBER TRENDS:

Project Discovery - This past July, Adobe responded to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution by releasing a series of security updates: APSB23-40, APSB23-41, and APSB23-47.  An in-depth analysis of those exploits has been documented by Project Discovery, including a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021.[1]  Since those updates, however, FortiGuard Labs IPS telemetry data has continued to detect numerous efforts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which poses a significant risk of arbitrary code execution (Figure 1).  These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions.  Below provides a detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.

Figure 1: IPS Signature Activity

Overview - The targeted URI of the attack is “/CFIDE/adminapi/accessmanager.cfc,” which serves as a legitimate ColdFusion Component (CFC) endpoint.  Attackers attempt to inject their payload into the “argumentCollection“ parameter through a POST request.  A thorough packet capture illustrating this process is depicted in Figure 2.

Figure 2: Traffic capture

Attacker Actions, Probing - In July, analysts detected numerous active probing activities related to an interactsh tool that can generate specific domain names to help researchers test whether an exploit is successful (Figure 3).  However, attackers can also use it to validate vulnerabilities via monitoring the domain. We collected the following domains related to similar probing activity, shown in Figure 4, including mooo-ng[.]com, redteam[.]tf, and h4ck4fun[.]xyz.

Figure 3: Probing activities involving interactsh tool

Figure 4: Probing activities involving other domains

Attacker Actions, Reverse Shell - Analysis showed attackers are using a reverse shell, often called a remote shell or "connect-back shell," to attempt to exploit vulnerabilities within a target system by initiating a shell session, thereby enabling access to the victim’s computer.  Some exploits directed at the Adobe ColdFusion vulnerability use payloads encoded in Base64.  The original data can be seen in Figure 5, while the decoded data is presented in Figure 6.

Figure 5: Reverse shell exploit

Figure 6: Decoded data

Attacker Actions, Malware - Based on the data gathered, the attacks originate from multiple distinct IP addresses, including 81[.]68[.]214[.]122, 81[.]68[.]197[.]3 and 82[.]156[.]147[.]183.  These payloads are also encoded in Base64 (Figure 7).  Analysts also observed that the threat actor distributed this malware from the same server 103[.]255[.]177[.]55[:]6895, as revealed by the decoded information in Figure 8.

Figure 7: Payload of downloading malware.

Figure 8: Decoded data

The server (103[.]255[.]177[.]55[:]6895) is a publicly accessible HTTP file server and we can observe the campaign’s progress through it.  During analysis, certain files proved especially challenging to trace due to frequent updates made by the attacker.  The modifications to the files on the HFS public server are shown in Figure 9, showcasing the alterations made on 24 August.

Malware Variants – Analysts also identified four malware variants being used in these attacks.

Figure 9: Attacker’s webpage at different times on 8/24

The first entity is XMRig Miner, software that leverages computer processing cycles to mine for the Monero cryptocurrency.  It can be used for legitimate mining or be abused by cybercriminals by hijacking CPU cycles. This attack uses version 6.20.0, shown in Figure 10.

Figure 10: XMRig Miner

The second entity is Satan DDoS/Lucifer, a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) functionalities.  Lucifer was first reported in 2020.  Beyond deploying the XMRig miner in this case, it demonstrates adeptness in command and control (C2) operations and can propagate by exploiting numerous vulnerabilities and employing credential brute-forcing. It also supports TCP, UDP, and HTTP-based DDoS attacks.  Researchers initially identified Lucifer as targeting and operating on Windows-based systems, but from the welcome message in Figure 11, this variant targets Linux.

Figure 11: Message from Satan DDoS/Lucifer

Lucifer establishes persistence by configuring registry key values under “\Software\Microsoft\Windows\CurrentVersion\Run.”  It also employs “schtasks” to initialize its miner parameter and create a recurring task for persistence, as shown in Figure 12.

Figure 12: Mining configuration of Satan DDoS/Lucifer

The third entity is known as RudeMiner.  This isn’t the first instance of its association with Lucifer.  
As shown in the wallet information labeled “45sep79asuwcjz8dltu7xtjbtx7yyf7uo6qt9ymfbqxv8gJzsdpyd46hoh6dm8paxklnsw9u7vezwu1dqmjkroryan3zeq1” in Figure 13, this particular campaign can be traced back to 2020.  Figure 14 illustrates the presence of the DDoS attack methods associated with RudeMiner.

Figure 13: Message from RudeMiner

Figure 14: DDoS attacking methods from RudeMiner

The last entity is the BillGates/Setag backdoor, known for hijacking systems, communicating with C2 servers, and initiating attacks.  

FortiGuard Labs previously reported on its leveraging a vulnerability on Confluence Servers in 2021.  It can be identified via the checking process procedure with the file “bill.lock” shown in Figure 15.  The malware’s DDoS attack capabilities, as seen in Figure 16, encompass methods such as SYN, UDP, ICMP, and HTTP-based attacks.

Figure 15: Checking process in BillGates/Setag

Figure 16: Attacking methods in BillGates/Setag

Conclusion – Analysts have been tracking this vulnerability for weeks and have observed a significant volume of threat exploitation targeting Adobe ColdFusion.  Although the patches for these vulnerabilities have already been released, public attacks are still occurring.  

IOCs - Attacker's IP Address:

• 81[.]68[.]214[.]122
• 81[.]68[.]197[.]3
• 82[.]156[.]147[.]183

Malware Server’s IP Address:

• 103[.]255[.]177[.]55:6895

Files:

• 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
• 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
• 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
• 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a

GLOBAL TRENDS:

Coast Rica - Costa Rican President Rodrigo Chaves said last week that his country has recovered from a wave of ransomware attacks it suffered last year with stronger cyber defenses than ever.  Recounting the onslaught from a now-defunct group known as Conti, Chaves described a devastating impact on Costa Rica, which did not pay ransoms. Conti had demanded $20 million, leading the recently elected Chaves to declare a state of emergency in response to the overnight paralysis of critical government services.[2]

As recently as January, Costa Rica’s Ministry of Public Works and Transport (MOPT) was attacked and said that 12 of its servers were encrypted.  “We were attacked, affecting the backbone of the functioning of the state,” Chaves said during an interview with Nathaniel Fick, the U.S. ambassador-at-large for cybersecurity and digital policy, at the Center for Strategic and International Studies in Washington.  Our tax system, our customs system, electricity, even meteorological services … our Ministry of Transport, our social security, our health system attacked — so it was ugly,” Chaves said.

In March, the State Department announced plans to provide $25 million to bolster Costa Rica’s cyber defenses against threats from ransomware and other hacks.  The bulk of the money will underwrite and outfit a new and centralized security operations center to monitor, prevent, detect, investigate and respond to cyberthreats.  Chaves’ remarks highlighted his country’s role as a leading democracy in Latin America and as a longtime US partner.  “Costa Rica is a great house in a neighborhood that has some complications,” he told Fick.

Chaves suggested that the Russia-based Conti may have targeted Costa Rica for the historic and massive attack in part because he was the first Latin American head of state or president elect to call Russia's invasion of Ukraine “criminal.”  “We realized this was coming from Russia,” he said of the ransomware campaign. “Coincidence? Certainly, possible, probably from a group named Conti.”  Chaves said the attacks served as a wake-up call after “decades of negligence.”

Costa Rica has quickly embraced cybersecurity initiatives. It is one of at least 39 countries to participate in the Biden administration’s Counter-Ransomware Initiative, which was designed to bolster law enforcement and diplomatic cooperation against the exploitation of virtual currency to launder ransom payments, among other things.  The Chaves interview also touched on the extensive investments Costa Rica has made in security for 5G networks.  “We're looking at American companies, European companies and telling them you’re secure in this country,” he said.  “Your connectivity with headquarters with your plants is going to be fast, reliable, affordable, and, above all, safe.”

Switzerland - Almost half of Switzerland's large businesses have been the victim of cyber-attacks, often with disastrous consequences, according to a study published this past week.  A report by SwissVR Monitor found that 45% of Swiss companies with 250 or more employees claim to have suffered at least one cyber-attack.  The study, carried out between mid-May and early July by consultancy firm Deloitte and the Lucerne University of Applied Sciences, shows that the smaller a company is, the less likely it is to be the target of a serious attack.

The survey, which covered 400 board members of large, listed companies and small and medium-sized enterprises (SMEs), revealed that only 18% of companies with fewer than 50 employees had experienced a significant cyber breach.  "The link between company size and attack frequency is clear: large companies have greater global exposure and a wider potential target area for cybercriminals," the report's authors said.  They also suggested that smaller companies may be less inclined to inform their board of directors about any potential assaults.[3]

Florian Schutz, who is responsible for implementing Switzerland's national cyber protection strategy, reaffirmed that "all companies are at risk, whatever their size or sector."  Quoted in the report, he said that "many SMEs lack the financial and human resources to take effective cybersecurity measures, so their expertise and infrastructures are limited or non-existent".

Overall, the survey showed that companies are not sufficiently prepared to deal with cyber threats.  Only 57% of board members surveyed said that their board had come up with a clear cyber security strategy, and only around a third received regular reports from management on the main risks.  This will be of concern to many business leaders, as cyber-attacks can have serious consequences on a company's operations. According to the study, 42% of companies affected have experienced some form of interruption to their business.

Data leaks and disruptions to supply or production chains are also common, sometimes with consequences that aren't just limited to the company.  About 11% of respondents said that customers had been targeted by subsequent attacks.  "In addition to the loss of revenue due to business interruptions, high recovery costs, for example for data restoration, may also be incurred", the survey's authors said.

[1] https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities/

[2] https://therecord.media/costa-rica-cyberdefense-ransomware-rodrigo-chaves/

[3] https://www.msn.com/en-xl/africa/other/half-of-switzerlands-large-companies-have-been-the-victim-of-a-cyber-attack/ar-AA1gdCVc