Attackers are exploiting vulnerable IIS servers to install the BadIIS malware, which is then used to manipulate SEO and redirect users to malicious websites.
Tag: T1190
Engage Report: Console Chaos – Fortinet FortiGate Firewall Exploitation
- Threat actors scan for publicly exposed FortiGate firewall management interfaces.
- They exploit a probable zero-day vulnerability (later identified as CVE-2024-55591) to gain unauthorized access.
- Threat actors establish jsconsole sessions, often spoofing IP addresses such as loopback addresses or public DNS resolvers.
- They make various configuration changes, create new admin accounts, and enable SSL VPN access.
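The jsconsole behaviour above is the hunting hook: jsconsole is the legitimate CLI console widget of the FortiGate GUI, so a jsconsole login by itself is not conclusive, but a jsconsole login whose recorded source address is a loopback address or a public DNS resolver is not something a real administrator session produces. The script below is an added example, not part of the report; it runs over constructed log lines written in the FortiGate key=value event-log style (field names such as ui, srcip, cfgpath and cfgobj, and the resolver list, are assumptions to check against your own device logs) and flags jsconsole logins with spoofed-looking sources and admin accounts created from a jsconsole session.

```python
"""Hunt for suspicious jsconsole admin activity in FortiGate-style event logs.

Added example (not from the original report). The log lines, field names and
resolver list below are assumptions modelled on the FortiGate key=value event
format; validate them against real logs before relying on the rule.
"""
import ipaddress
import re

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2025-01-10 time=09:14:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.8)" method="https" '
    'srcip=203.0.113.8 action="login" status="success"',
    'date=2025-01-10 time=09:20:17 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=127.0.0.1 action="login" status="success"',
    'date=2025-01-10 time=09:21:03 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=8.8.8.8 action="login" status="success"',
    'date=2025-01-10 time=09:22:40 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" '
    'cfgpath="system.admin" cfgobj="vpn_support"',
    'date=2025-01-10 time=10:02:11 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=192.0.2.25 action="login" status="success"',
]

# Public DNS resolvers commonly abused as spoofed source addresses
# (assumed list for this example; extend it for your environment).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Matches key=value and key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(event):
    """Return (severity, reason) for a parsed event, or None if unremarkable."""
    ui = event.get("ui", "")
    method = event.get("method", "")
    if "jsconsole" not in ui and "jsconsole" not in method:
        return None  # only jsconsole sessions are of interest here

    srcip = event.get("srcip")
    if srcip:
        try:
            addr = ipaddress.ip_address(srcip)
        except ValueError:
            addr = None
        if addr is not None and addr.is_loopback:
            return ("high", "jsconsole login with loopback source address")
        if srcip in PUBLIC_RESOLVERS:
            return ("high", "jsconsole login with public DNS resolver as source address")

    # Admin account creation from a jsconsole session (cfgpath/cfgobj assumed field names).
    if event.get("cfgpath") == "system.admin" and event.get("action") == "Add":
        return ("high", "admin account created from a jsconsole session")

    return ("medium", "jsconsole session activity; confirm it was an authorised GUI console use")


def hunt(lines):
    """Classify raw log lines; return a list of (severity, reason, parsed_event)."""
    findings = []
    for line in lines:
        event = parse_line(line)
        result = classify(event)
        if result:
            findings.append((result[0], result[1], event))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in hunt(SAMPLE_LOGS):
        print(f"[{sev}] {ev.get('date')} {ev.get('time')} user={ev.get('user')} "
              f"srcip={ev.get('srcip', '-')}: {reason}")
```

Run against the constructed sample, the ordinary HTTPS login is ignored, the two spoofed-source jsconsole logins and the admin-account creation are rated high, and the remaining jsconsole login is surfaced at medium for analyst confirmation. Correlating the medium-rated logins with a subsequent account creation or SSL VPN configuration change is the natural next pivot.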
Hunting 4 Two Way Phish
Attackers are using phishing emails to deliver malicious Microsoft Visio attachments that redirect to credential harvesting pages.
Suspected TTPs:
- Spearphishing Attachment [T1566.001]
- Exploit Public-Facing Application [T1190]
- Drive-by Compromise [T1189]
- Command and Control [T1071]
- Exfiltration [TA0010]
- Impact [TA0040]
Threat Hunting Scenario based on the Cyber Anarchy Squad (C.A.S) Attacks
C.A.S actors gain initial access through the exploitation of public-facing applications, establish persistence, escalate privileges, and utilize various tools and techniques to achieve their objectives, including data exfiltration, encryption, and destruction.
Engage Report: Glutton PHP Backdoor
- Tactic: Initial Access (TA0001). Technique: Exploit Public-Facing Application (T1190). Procedure: Exploit vulnerabilities (0day and Nday) in public-facing PHP applications to gain initial access to the server.
- Tactic: Initial Access (TA0001). Technique: Valid Accounts (T1078). Procedure: Leverage weak-password brute-forcing techniques to compromise valid accounts and gain unauthorized access.
- Tactic: Initial Access (TA0001). Technique: Supply Chain Compromise (T1195). Procedure: Distribute pre-compromised business systems embedded with the l0ader_shell backdoor through cybercrime source code forums.
- Tactic: Execution (TA0002). Technique: Command and Scripting Interpreter: PHP (T1059.004). Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.
- Tactic: Persistence (TA0003). Technique: Server Software Component: Web Shell (T1505.003). Procedure: Inject web shells (l0ader_shell) into PHP files to maintain persistence on the compromised server.
- Tactic: Persistence (TA0003). Technique: Create or Modify System Process: Launch Daemon (T1543.003). Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.
- Tactic: Command and Control (TA0011). Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP. Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.
- Tactic: Command and Control (TA0011). Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP. Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.
- Tactic: Defense Evasion (TA0005). Technique: Obfuscated Files or Information (T1027). Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the l0ader function code in client_loader) to hinder analysis and detection.
- Tactic: Collection (TA0009). Technique: System Information Discovery (T1082). Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.
- Tactic: Exfiltration (TA0010). Technique: Exfiltration Over C2 Channel (T1041). Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.
RomCom – Firefox and Windows Exec Duo
T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.
T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.
T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.
T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.
T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.
T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.001 – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1133 – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1059.003 – The victim, a developer, uses the npm install command to install the malicious NPM package from the GitHub repository.
T1543 – The malicious NPM package contains a script that executes a malicious JavaScript file (‘test.js’) located in the ‘.vscode’ folder, establishing persistence on the victim’s machine.
T1071.001 – The malicious JavaScript file uses the cURL command to communicate with the attacker’s C2 server over HTTP to download additional payloads.
T1041 – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim’s machine.
CVE-2024-38178 MS Scripting Engine
- The attacker targeted Windows users running specific software with a built-in web viewer.
- They created a domain similar to a legitimate ad agency, serving malicious JavaScript code within their ads.
- This domain was then registered with the targeted software vendor, rendering the malicious ads in the software’s ad pop-up process.
- When users launched the software, the malicious ads would trigger a type confusion vulnerability (CVE-2024-38178) in the JScript9.dll engine, leading to remote code execution.
Hunting the Emperor – Engage Game of Emperor
Earth Estries exploited vulnerabilities in public-facing servers, such as CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN, and CVE-2022-3236 in Sophos Firewall, to gain initial access. They then used web shells like GHOSTSPIDER and SNAPPYBEE for persistence and command and control, allowing them to maintain long-term access to the victim’s network.