CTI Roundup: How Weak is Your Password?

Up first in this week’s roundup, CTI provides an overview of Specops’ 2023 Weak Password Report, which demonstrates, above all, the need for a compromised password check that screens prospective passwords against a list of known breached passwords.

Next, CTI highlights a newly identified hacking group with a North Korea nexus (APT43), which Mandiant believes to be a sophisticated state-backed cyberespionage group that’s aligning its operational goals with those of the North Korean government.

Finally, CTI wraps things up with a look at the new AlienFox toolkit being distributed on Telegram, which besides highlighting the evolution of cybercriminal activity in the cloud, is used to harvest credentials from API keys and collect authentication secrets from cloud-based email services.

The end-user password mistakes putting organizations at risk

Specops has released its 2023 Weak Password Report, which contains an analysis of over 800 million breached passwords.

The report details some of the poor password practices that often put businesses at risk and explores why passwords are still one of the weakest links in a network.

Key findings from the Specops report

• Specops analyzed over 800 million compromised passwords and tested them against five regulatory standards including NIST, HITRUST for HIPAA, PCI, ICO for GDPR, and Cyber Essentials for NCSC. The firm’s research found that 83% of compromised passwords would still satisfy the password complexity and length requirements of these standards.
• Specops looked at passwords used to attack RDP ports in real attacks and analyzed a subset of 4.6 million passwords. More than 88% of passwords used in the attacks were 12 characters or less, with the most common length being 8 characters. Passwords containing only lowercase letters were the most common character combination found.
• The three most common base terms found in passwords used to attack networks include “password,” “admin,” and “welcome.”
• Specops uncovered several themes and patterns during their analysis of 800 million+ compromised passwords. People tend to pull inspiration from world events and their surroundings in general when creating their passwords. This is a tendency that hackers are aware of, and purposely explore when targeting victims.
• Football (soccer) is a universal language across the globe, which researchers found to be true even within the realm of passwords. The 2022 World Cup led researchers to uncover several World Cup-related terms in the compromised password database. “Soccer” actually tops the related terms list with over 140k inclusions, with “football” coming in second place. Researchers identified many current and former players topping the list of World Cup-related passwords.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It’s really no secret that poor password practices can make you and your organization vulnerable to cyberattacks. A previous Password Manager Report found that 41% of Americans rely on memory to track their passwords, indicating that they are likely using simple or repeatable passwords that are easy to remember.”

“Password length and complexity alone are not enough: There are many compliance regulations (think NIST) that set the standards for cybersecurity and include organization password policies. Many of these regulations emphasize the length and complexity requirements in password policy design, however, given how sophisticated attacks are getting today, this is often not enough on its own.”

“Specops’ finding that 83% of compromised passwords still satisfied many of the password complexity and length requirements of regulatory standards clearly indicates that length and complexity alone is not enough. In other words, a long and complex password that meets regulatory standards doesn’t mean anything in terms of maintaining a strong security posture if that password exists on a threat actor’s list of compromised passwords.”

“This data highlights why some regulatory recommendations are now including a compromised password check to better secure passwords. In the end, good password hygiene is more important than ever – and that goes beyond simply satisfying built-in password complexity requirements.”

Newly exposed APT43 hacking group targets US organizations

Mandiant has disclosed the activities of APT43 for the first time and believes this sophisticated cyberespionage group is a state-sponsored entity, aligning its operational goals with those of the North Korean government.

In addition to engaging in espionage-related activity, APT43 is believed to fund itself through cybercrime operations to support its primary mission of collecting strategic intelligence.

High-level details

• Non-Mandiant reported activities attributed to APT43 frequently refer to the group as Kimsuky or Thallium.
• APT43’s operations usually leverage spear-phishing campaigns backed by spoofed domains and email addresses as part of its social engineering tactics. Mandiant has not yet observed this group exploiting zero-day vulnerabilities.
• Since Mandiant began tracking APT43, they have noticed the adversary consistently conducting espionage activity against South Korean and US organizations.
• Before October 2020, APT43 primarily targeted government offices, diplomatic organizations, and think-tank-related organizations. From October 2020-October 2021, the operation shifted, and a significant portion of the activity was targeted toward health-related verticals and pharmaceutical companies – likely in response to the Covid-19 pandemic.
• APT43 has a large toolkit consisting of both publicly available malware and custom tooling. The group’s arsenal has been seen steadily evolving and expanding over time. The group has deployed publicly available malware like Gh0st RAT, QUASARRAT, and AMADEY in addition to LATEOP (publicly known as BabyShark) which is a backdoor based on VisualBasic scripts.

Cyber operations for APT43

APT43, like many threat actors, commonly leverages spear-phishing emails as its initial access vector. Additionally, the group embraces the use of spoofed websites for the purpose of credential harvesting.

APT43 is also regularly updating the content of its phishing lures, tailoring it to the specific target audience. To do so, it creates and maintains convincing personas and masquerades as individuals in certain industries. APT43 also launders cryptocurrency – the profits of which serve to augment the purchasing of the group’s operational infrastructure.

Espionage

While APT43 certainly engages in financially motivated crimes, its main goal is cyberespionage. The group is interested in information developed and stored within the US military and government, defense industrial base (DIB) and research and security policies developed by the US. The operation has interest in similar industries within South Korea.

Mandiant believes that APT43 may also be carrying out internal monitoring of other North Korean operations. APT43 has compromised individual espionage actors, including those within its own operations. It is unclear if this activity is intended for monitoring purposes, or rather accidental and the result of poor operational security.

Credential collection

APT43 regularly conducts credential collection campaigns to compromise financial data, PII, and client data. The group registers domains typo squatting popular search engines, web platforms, and cryptocurrency exchanges. The collected credentials are used to create online personas and set up infrastructure for its operations. The operation has leveraged compromised and actor-owned infrastructure to host and deliver its malware.

Changes in APT43’s targeting may reflect tactical shifts in collection requirements. For example, in late 2021, APT43 resumed credential harvesting campaigns against religious groups, universities, and NGOs. Then, in early 2022, the campaigns were observed targeting academics, journalists, politicians, bloggers, and other private-sector individuals. Lastly, in mid-2022, the campaigns shifted again to target South Korean bloggers and social media users associated with South Korean affairs.

Crypto targeting

The operation has targeted cryptocurrency since its emergence. Unlike other North Korean groups which are primarily focused on bringing in funds for the regime, APT43 likely carries out its cryptocurrency activity to sustain its own operations.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Mandiant brings up a rather interesting point regarding APT43’s seemingly self-funded operations and how this may be indicative of a broader mandate for North Korean groups:

The prevalence of financially motivated activity among North Korean groups, even among those which have historically focused on cyber espionage, suggests a widespread mandate to self-fund and an expectation to sustain themselves without additional resourcing.

“APT43’s continuous shifting of its methodology and tradecraft suggests it is highly responsive to the ever-changing landscape and to the goals of its espionage mission. This operation is quick to modify its TTPs to carry out what is needed to support the regime.”

3. New AlienFox toolkit steals credentials for cloud services

SentinelOne has uncovered a new toolkit called AlienFox that’s being distributed on Telegram. AlienFox allows threat actors to harvest credentials from API keys and authentication secrets from popular cloud-based email services.

• The toolkit is modular and is comprised of several custom tools and modified open-source utilities, allowing the threat actor to adapt and modify it to fit their needs.
• AlienFox’s targeting is primarily opportunistic and relies on misconfigurations on servers hosting web frameworks, including Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.
• Once a server is identified, the threat actor can then dump configuration files storing sensitive information such as services enabled and the associated API keys and secrets.

AlienFox versioning

The AlienFox toolkit primarily focuses on cloud-based email services. Researchers have uncovered AlienFox versions 2 through 4 at this point, which date from February 2022 onward.

AlienFox V2

One of the archives analyzed of AlienFox V2 contains output from when an actor ran the tools, including AWS access and secret keys. This version of the toolset houses the core utility in a script named s3lr[.]py. A Python script, Awses[.]py, automates several activities related to AWS Simple Email Service – including sending and receiving messages and applying a persistence profile to the AWS account. With this script, the threat actor supplies the username at runtime, implying this is a hands-on-keyboard tool.

This version includes a goblok function (goblok translates from Indonesian to ‘idiot’) to create a new profile for persistence and privilege escalation. This function sends the values for parameters to variable iam where they are parsed. This action creates a new user in the victim’s AWS account. If the new user creation is successful, Admin privileges are granted to that user.

Another V2 script, ssh-smtp[.]py, parses configuration files for credentials and uses the Paramiko Python library to validate SSH configurations on the targeted web server. This version of AlienFox also includes an exploit for CVE-2022-31279, a deserialization vulnerability on Laravel PHP framework.

AlienFox V3

Of the versions observed by SentinelOne, the most unique archives were labeled as version 3. The following name variants were:

• ALIEN-FOX AFV 3.0 Izmir – created February 2022
• ALIENFOX III V3.0 AFV.EXE – created February 2022
• ALIEN-FOX AFV 3.5 JAGAUR – created April 2022
• ALIEN-FOX AFV 3.5 rondrickmadeit – created February 2022

This version introduced better performance and features initialization variables, Python classes with modular functions, and process threading.

AlienFox V4

The most recently observed toolset is organized much differently, with each tool assigned a number (i.e., tool 1, tool 2). The core script in the AlienFox root directory, named ALIENFOXV4[.]py, serves as a bootstrap for the numbered tool scripts in the child folders.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The AlienFox toolkit highlights the evolution of cybercriminal activity in the cloud. Most notably, attacks are no longer limited to cryptomining. Since most of the tools in the toolkit are open-source, threat actors have the added benefit of adapting the toolkit to fit their individual needs. SentinelOne has characterized the toolkit as highly modular and rapidly evolving, making it a more prominent threat as new features are added.”

---

For further reading, catch up on our recent cyber threat intelligence roundups.