Zero-Day in IE, Fantasy Data Wiper and COVID-bit -3rd Dec to 9th Dec -F5SIRT This Week in Security

North Korean hackers exploited Internet Explorer zero-day to spread malware

North Korea is known for its malicious activities. The most recent malicious activity where North Korean hackers have exploited a zero day in internet explorer to target South Korean users,  was unearthed by Google’s Threat Analysis Group.  Google researcher noticed multiple individuals uploaded a malicious Microsoft office document to Virus Total, on further investigation Google researcher’s discovered a zero day vulnerability. It was found that the malicious Microsoft document was used to impersonate govt report on Halloween Itaewon tragedy (Seoul).  Attackers took advantage of people’s interest in finding out more about the incident. They weaponised the Microsoft document to exploit zero day (CVE-2022-41128) in internet explorer.

When a user open up the malicious Microsoft document, it delivers an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer.

Interestingly, even though the internet explorer was retired and replaced by Microsoft Edge in June, Microsoft office still uses the Internet Explorer engine to execute JS (javascript) that eventually enables the attack. In short to deliver the exploit IE is not required to be default browser on target’s machine.

Detailed information on vulnerability fix is available at Microsoft website https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41128 

Resources

• itpro.co.uk/security/zero-day-exploit/369662/internet-explorer-zero-day-exploited-by-north-korean-hackers
• https://techcrunch.com/2022/12/08/north-korean-hackers-exploited-internet-explorer-zero-day-to-spread-malware/#:~:text=North%20Korean%20hackers%20exploited%20Internet%20Explorer%20zero%2Dday%20to%20spread%20malware,-Carly%20Page%40carlypage_&text=North%20Korean%20state%2Dsponsored%20hackers,to%20Google's%20Threat%20Analysis%20Group. 

Hackers use new 'Fantasy' data wiper in coordinated supply chain attack

Love for diamond is not a hidden secret  and I am not going to tell how to check the quality of diamond. What I am going to tell is how a Diamond wholesaler, Jeweller and some other firms were breached by  the Iranian Agrius APT hacking group where they used a new data wiper in supply chain attacks. Name given to the new data wiper is 'Fantasy’.   Before we talk about ‘Fantasy wiper’, let’s understand what is a data wiper. Data wipers falls under a category of malware, whose main aim is to delete data on breached computers, in short cause destruction . The software suite (created by Israeli vendor ) in which ‘Fantasy’ wiper was hidden is commonly used in diamond industry.  The Fantasy data wiper is a 32-bit Windows executable ('fantasy45.exe' and 'fantasy35.exe'). 

Once ‘Fantasy wiper’ is executed following you will see the follow activities.

• It gets a list of all drives and their directories except for the Windows folder, which is skipped, and all files in each directory.
• It overwrites the content of each file with random data, sets timestamps to midnight 2037, and deletes it. Which is to prevent the files from being recovered with data recovery tools.
• It deletes registry keys in HKCR, clears all WinEventLogs, deletes the Windows SystemDrive folder, and then enters a two-minute sleep.
• Lastly, it overwrites the master boot record, deletes itself, and reboots the system after another 30-second delay.

Resources

• https://izoologic.com/2022/12/09/new-fantasy-data-wiper-hits-israel-hong-kong-and-south-africa/
• https://www.bleepingcomputer.com/news/security/hackers-use-new-fantasy-data-wiper-in-coordinated-supply-chain-attack/
• https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/

Air-gapped PCs vulnerable to data theft via power supply radiation

We often hear about tools and techniques developed by researchers using which unauthorised users can get hold of data. A new addition to that list is a research done by Mordechai Guri of  Ben-Gurion University. Researcher has developed a new attack method known as COVID-bit attack which uses electromagnetic waves to transmit data from air-gapped systems,  which are isolated from the internet, over a distance of at least two meters (6.5 ft), where it's captured by a receiver. Interestingly even a wall couldn’t stop the transmission of data from isolated system, which means data could be picked up by a nearby laptop or smartphone even if there is a wall between devices.

To transmit the data in the COVID-bit attack, the researchers created a malware program that regulates CPU load and core frequency in a particular manner to make the power supplies on air-gapped computers emanate electromagnetic radiation on a low-frequency band (0 – 48 kHz).

As per researcher, the most effective defense against the COVID-bit attack would be to prevent the installation of malware which is required to transmit the data, which can be achieved by firmly restricting access to air-gapped devices. Another recommend from researcher is to monitor CPU core usage and detect any suspicious  or unexpected CPU load patterns. Per researcher there can be many false positives and overhead can impact performance and increases energy consumption. One more countermeasure suggested by researcher is to lock the CPU core frequency at a specific number, making the generation of the data-carrying signal harder, even if not stopping it entirely. Again this method can reduced processor performance or waste high energy, depending on the selected lock frequency.

Resources

• https://www.zdnet.com/article/this-evasive-new-cyberattack-can-bypass-air-gapped-systems-to-steal-data-from-the-most-sensitive-networks/
• https://www.bleepingcomputer.com/news/security/air-gapped-pcs-vulnerable-to-data-theft-via-power-supply-radiation/
• https://heimdalsecurity.com/blog/covid-bit-a-new-attack-method-that-can-breach-air-gapped-pcs/

Hacked corporate email accounts used to send MSP remote access tool

So far we have looked at malware, supply chain attack and new attack method to steal data, let’s look at another commonly used attack vector knows as phishing. It is a common practice that to check the email address in case of phishing email. But what if the phishing email comes from a legit corporate email account… hmm interesting ! Isn’t it ?. Yes, It’s been found by the researchers that a hacker group known as MuddyWater, associated with Iran’s Ministry of Intelligence and Security  used compromised corporate email accounts to deliver pushing messages. As per the reports MuddyWater is known for using legit tools run campaigns, in the past they used tools such as RemoteUtilities, ScreenConnect, Atera, Syncro. But the initial infection vector is phishing sent using a compromised legit corporate email account. Per researcher official signature was missing but because the email address was legit and known to them the target users still trusted those emails. 

To keep yourself safe, always check the details of email and if you have even 1% doubt about the email, don’t trust it.

Resources

• https://www.itworldcanada.com/post/muddywater-threat-actors-send-msp-remote-access-tool-via-hacked-corporate-email-accounts
• https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/