Up first in this week’s roundup is CTI’s coverage of a Proofpoint report which reveals that state-sponsored hackers are increasingly targeting small and medium-sized businesses (SMBs) globally and using compromised infrastructure to launch further campaigns targeting other small businesses, governments, militaries and major corporate entities. Next, CTI analyzes a Fortinet report regarding a new PowerShell-based malware called PowerExchange that’s being used in attacks intended to implant backdoors in on-premises Microsoft Exchange servers. Finally, CTI wraps things up with a look at an interesting case involving both a ransomware attack – and an insider threat.
1. State-aligned threat actors target SMBs
According to Proofpoint, state-sponsored hackers backed by the governments of Russia, Iran, and North Korea are increasingly targeting SMBs globally. These attacks are designed to use the compromised infrastructure as launch pads for further campaigns in which the attackers target other SMBs as well as governments, militaries, and major corporate entities.
Proofpoint’s researchers carried out a retroactive analysis of SMBs targeted by advanced persistent threat (APT) actors throughout the first quarter of 2022 and up to the first quarter of 2023. Thanks to the firm’s unique vantage point into what it calls ‘Proofpoint Essentials’ telemetry, the security provider enables insight into 200,000+ SMBs for researchers seeking to identify key trends in the cyber threat landscape — with emphasis placed on observing the actors which pose unique threats to global SMBs.
Using this valuable data, Proofpoint identified various APT actors targeting SMBs. Such actors are believed by the researchers to be aligned with the governments of Russia, Iran, and North Korea, and reportedly conduct operations in support of the state interests of these countries.
The main attack trends targeting SMBs
Proofpoint researchers have identified three main trends in attacks targeting SMBs between 2022 and 2023. These include:
- The use of compromised SMB infrastructure in phishing campaigns.
- Regional SMB targeting by state-aligned actors for financial theft.
- Vulnerable regional managed services providers (regional MSPs) being targeted via phishing, and thereby introducing the threat of SMB supply chain attacks. Regional MSPs are small to midsize MSPs that service customers in a concentrated geographic area.
Using compromised SMB infrastructure in APT campaigns
One of the most interesting trends to emerge in Proofpoint’s analysis is the use of compromised SMB infrastructure by APT actors to facilitate phishing campaigns against secondary, high-value targets.
As the researchers point out, a typical example of such activity involved a threat actor successfully compromising a web server or email account at an SMB.
The method of initial access varied. Infiltration may have been the result of credential harvesting, or, in the case of a web server, via the exploitation of an unpatched vulnerability. Whatever the avenue of ingress, a compromised email address would often be leveraged to send malicious emails from a “trusted source” to desirable secondary targets.
As Proofpoint points out, if a threat actor was lucky enough to compromise a web server hosting a domain, the next step would more than likely involve the abuse of this bit of legitimate infrastructure — using it to host or deliver malicious malware to an upstream, third-party victim.
Three real-world examples
Real-world example: TA473
The report cites a real-world case in which Proofpoint’s researchers observed compromised SMB infrastructure being used by the APT actor tracked by the firm as TA473 (Winter Vivern), in phishing campaigns occurring between November 2022 and February 2023.
These campaigns targeted US and European government entities. In March 2023, Proofpoint published details about TA473’s transmission emails from compromised email addresses. In several instances, these emails originated from WordPress hosted domains that may have been unpatched or unsecure at the time of compromise. Additionally, unpatched Zimbra web mail servers have been exploited to compromise email accounts of government entities. In addition to sending emails via compromised SMB infrastructure, TA473 has also utilized compromised small and medium business domains to deliver malware payloads.
Real-world example: TA422
Another real-world scenario involved the routine impersonation of a SMB (located in Saudi Arabia and belonging to the auto-manufacturing sector) as part of a phishing campaign — the goal of which was the harvesting of credentials.
The campaign targeted private email addresses belonging to victims in the U.S. and Ukraine and has been attributed to TA422 (aka APT28), a state-sponsored threat actor linked to Russia’s GRU military intelligence service. Aside from clearly highlighting the ongoing targeting of Ukrainian entities by Russia-nexus APTs; the campaign also featured the spoofing of a Middle Eastern entity to target victims in the U.S. and Europe.
The threat actor included the spoofed address within the “MailTo” field of the email header likely to augment social engineering efforts to appear as the impersonated entity. However, this impersonation via the “MailTo” field has the practical outcome of returning undelivered emails to the legitimate domain being impersonated by the threat actor. Therefore, the unintentional side effect of rejected emails provided Proofpoint researchers visibility into the credential harvesting pages of TA422 that leveraged the following subdomains to host credential phishing pages: 42web[.]io and frge[.]io.
The third and final real-world example provided in Proofpoint’s report involved a significant case of APT impersonation which occurred in May 2022. The threat actor tracked by Proofpoint as TA499 (aka Vovan or Lexus), a Russia-based and state-linked actor who regularly solicits politically themed conference calls from high-profile, pro-Ukraine individuals, targeted a medium-sized business concerned with celebrity talent representation in the U.S.
TA499 sought to entice a major American celebrity into a video conference call about the conflict in Ukraine by impersonating Ukrainian President Volodymyr Zelensky. Proofpoint was able to attribute this campaign to TA499 based on a series of actor-controlled email addresses and domains that the group used consistently throughout 2022.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Based on the combined findings presented in Proofpoint’s report, it’s clear that state-sponsored APT actors are increasingly seeking to target SMBs — many of which are vulnerable to attacks— along with regional MSPs in support of state-aligned intelligence collection requirements.”
“Also made clear by the findings described above is the desire and willingness of these same state-backed groups to use the compromise of SMB infrastructure to aid in the facilitation of secondary attacks on high-value targets which are more likely to yield far more actionable intelligence.”
2. New PowerExchange malware backdoors Microsoft Exchange servers
Fortinet has discovered a new PowerShell-based malware called ‘PowerExchange’ that’s being used in attacks intended to implant backdoors within on-premises Microsoft Exchange servers. The activity is believed to be linked to the Iranian threat group known as APT34.
Fortinet observed several simultaneous attacks targeting a government entity in the UAE last year, one of which was yet to be identified until now. This case turned out to involve PowerExchange malware. The backdoor’s command and control (C2) protocol is email-based and uses the victim’s Microsoft Exchange server as its C2 server.
Further investigation revealed the existence of the backdoor on additional endpoints within the environment, with multiple other implants residing on various servers. One such implant, located on a Microsoft Exchange server, was a web shell known as ExchangeLeech.
The infection chain of this attack began with a traditional phishing email. The victim opened a zip file, named Brochure.zip, which contained a malicious .NET executable of the same name. The file, an executable with an Adobe PDF icon was dropped into a temp folder and displayed an error message when run. The executable is actually a dropper that facilitates the installation and execution of the final payload. It creates three files: autosave.exe, wsdl.ps1, and Microsoft.Exchange.WebServices.dll. The dropper then establishes persistence for autosave.exe via a scheduled task that will run periodically at five-minute intervals. Autosave.exe will run the final PowerShell payload – wsdl.ps1 – in a new process.
About the PowerExchange backdoor
- The PowerExchange backdoor gets its name from the nature of its C2 channel, as it leverages the Exchange Web Services (EWS) API to connect to the victim’s Exchange server and uses mailboxes to send and receive commands.
- A .NET DLL is loaded via reflection from the same folder in order to achieve this. The Exchange server is accessible from the internet, saving C2 communication to external servers and acting as a proxy for the threat actor.
- The backdoor connects to the Exchange server, sending the base64-encoded computer name to a mailbox to indicate that it is running. The mailbox and connection credentials are hardcoded within the backdoor itself. The operator can then reply with additional mailboxes that the backdoor should beacon in the current session, or the ID of a mail to fetch and execute a command from.
- In order to send data, the backdoor will create an email with the subject of “Update Microsoft Edge.” The body of this email is just the text “Microsoft Edge Update.” The data itself is passed as an attachment in the email that is titled, New Text Document.txt.
- Commands are sent to the backdoor as non-padded base64 encoded content in email attachments. The backdoor supports three specific commands by checking the state of predetermined variables following the evaluated expressions. Responses are returned in emails, to the same email address that the command message was received from.
Fortinet has attributed the campaign involving the PowerExchange backdoor is to the Iranian threat group APT34, which has historically targeted a range of sectors including financial, government, energy, chemical, and telecommunications. The group often takes advantage of relationships between organizations to carry out supply chain attacks.
PowerExchange exhibits quite a few similarities to the TriFive backdoor which has been previously linked to APT34. The backdoors are both written in PowerShell, activated by a periodic scheduled task, and the C2 channels leverage the organization’s Exchange server with EWS API. The code underlying the two differs, but it is assumed that PowerExchange is simply a new and improved version of TriFive.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“This campaign uses the victim’s Exchange server for its C2 communication, allowing the backdoor to better blend in with legitimate and benign traffic.”
“This technique allows the threat actor to better evade network-based detections. It is worth reiterating, however, that this backdoor currently targets on-prem Exchange servers, which are certainly becoming less common given a large shift to the cloud.”
3. IT employee impersonates ransomware gang to extort employer
Twenty-eight-year-old U.K. resident Ashley Liles has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.
Back in 2018, Liles worked as an IT security analyst at an Oxford-based firm. On February 27 of that year, his company experienced a cybersecurity incident wherein the threat actor gained access to a swath of its computer systems. The attacker then notified senior members of the company demanding a ransom.
Things only got stranger from there.
Thanks to his position, Liles was tasked with investigating the incident — during which the attackers contacted the company’s executives demanding a ransom payment. Liles played a significant role in the organization’s internal investigations and incident response activities, which were aided by Liles’ colleagues at the company and members of local law enforcement.
It was at this point that Liles discovered an opportunity to leverage the cybersecurity incident, taking advantage of the breach to benefit himself financially by ‘piggybacking’ off the existing incident, attempting to divert the potential ransom payment to a cryptocurrency wallet under his control.
BleepingComputer reports that during the incident response phase, Liles sought to “enrich himself from the attack by tricking his employer into paying him a ransom instead of the original external attacker.”
As stated in SEROCU’s press release, “He accessed a board member’s private emails over 300 times as well as altering the original blackmail email and changing the payment address provided by the original attacker. This was in the hope that if payment was made, it would be made to him rather than the original attacker.”
Liles even went so far as to create an email address which was nearly identical to the one being used by the actual attacker, and used the account to message his employer, pressuring them to give in to the ransom demand and make the payment.
Unbeknownst to both his employer and the police, Liles had effectively commenced a “separate and secondary” attack against the company — which was already battling an actual ransomware attack on another front.
Unfortunately for Mr. Liles, the company’s owner wasn’t interested in paying the attackers, and subsequent internal investigations quickly revealed Liles’ treachery — which by that point, included repeated unauthorized access to private company emails — access which pointed real investigators directly to his home IP address.
By this point, Liles had apparently begun to sense the walls closing in on him and commenced wiping all data from his personal devices — a task which he had successfully accomplished by the time his home was raided by SEROCU’s cyber-crime team and his computer was seized. Unfortunately for the beleaguered Mr. Liles, enough incriminating data was restored by investigators to build a case against him.
For the next five years, Liles denied all involvement in the crime. However, at a recent hearing at the Reading Crown Court, he finally pleaded guilty to all charges. Sentencing will be handed down on July 11, 2023.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“We often talk of insider threats and continuously count them among the serious cyber threats facing organizations, but discovering all the lurid details of a case such as this is somewhat of a rarity.”
“While the technical details of the case are slim, it does serve as a reminder of the sort of damage that can be done by one rogue individual who has too much leeway. Security analyst positions are typically well-paying jobs, which usually provide the employee with a significant degree of access and privilege. Threat actors are just as aware of these facts as we are. That’s not to suggest that threat actors are applying for security positions by the boatload. But there have been incidents in which threat actors have targeted this sort of employee for bribery, coercion, or blackmail in order to get insiders to aid them in facilitating malicious activity.”
As Help Net explains:
While some insider threats may stem from negligence or ignorance, this case highlights a more sinister scenario involving a malicious, opportunistic individual. Malicious insiders exploit their authorized access and privileges to engage in harmful, unethical, or illegal activities.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.