The Good, the Bad and the Ugly in Cybersecurity – Week 38

The Good

This week, ten individuals and two entities were sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) for their roles in a variety of malicious cyber acts, including ransomware activity. The individuals are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and tracked under a number of threat actor names, including TunnelVision and APT 35.

The individuals and entities have been responsible for a number of campaigns throughout 2021, targeting and compromising U.S.-based transportation providers, healthcare practices, emergency service providers, and educational institutions. The sanctioned cyber actors were observed exploiting Microsoft Exchange vulnerabilities such as ProxyShell to attack and disrupt the services of an electric utility company, among others.

The IRGC-affiliated group is comprised of employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System), OFAC said. The ten individuals were named as “Mansour, Ali Ahmadi, Mohammad Ahmadi, Mahdavi, Rashidi, Khatibi, Nikaein, Mostafa, Mojtaba, and Shakeri”.

Three of the ten sanctioned individuals–Mansour, Khatibi, and Nikaein–have also been indicted with violating the Computer Fraud and Abuse Act (CFAA) and conspiring to violate the CFAA. A reward of up to $10 million is being offered for information leading to their identification or location.

The Bad

North Korean threat actor Lazarus has been up to its old tricks again in a continuation of its Operation Dream Job campaign, first observed in 2020. Now, the threat actors are using a trojanized version of the PuTTY SSH client to infect victims who fall for a fake Amazon job assessment.

The original Operation Dream Job campaign lured unsuspecting employees of prominent U.S. defense and aerospace companies with fake job offers in an attempt to install backdoors and spyware. Now, researchers have discovered that the Lazarus group’s latest ruse is to send emails to targets with a lucrative job offer at Amazon. The respondents then chat with the attackers via WhatsApp, where they are requested to take an assessment test and to download an ISO file called amazon_assessment.iso.

The .iso file includes a “readme.txt” with an IP address, login credentials and a PuTTY.exe executable. The executable contains a working version of the open-source SSH console application but has also been modified to infect the victim with a Themida-packed DLL. The malicious DLL contains shellcode that results in opening a backdoor on the victim’s device to allow the attackers to conduct espionage and other malicious activities. The backdoor is configured with three C2 URLs:

hxxps://hurricanepub[.]com/include/include.php
hxxps://turnscor[.]com/wp-includes/contacts.php
hxxps://www.elite4print[.]com/support/support.asp

It is not known at this point how widespread the campaign is, but further details and IoCs are available here.

The Ugly

This week’s Patch Tuesday was notable for more than the usual fixes of zero days and other Microsoft bugs, with MSFT revealing that this year the company had patched 1000 CVEs already, reaching “a sizable milestone for the calendar year” and a stark reminder of just how big an attack surface the OS vendor’s sprawling suite of products provides. Also notable was what was not patched: a bug in Microsoft Teams desktop client that allows attackers to access authentication tokens and accounts with multi-factor authentication (MFA) turned on.

The Teams vulnerability is present across OS platforms Windows, Linux and macOS and revolves around the fact that Teams stores user authentication tokens in clear text on the user’s local drive in locations that are unprotected by user access or TCC controls, meaning they can be read not just by someone with access to the machine but by other processes, including malicious ones, running as the same user.

The locations for each platform being:

Windows

%AppData%MicrosoftTeamsCookies
%AppData%MicrosoftTeamsLocal Storageleveldb

Linux

~/.config/Microsoft/Microsoft Teams/Cookies
~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

macOS

~/Library/Application Support/Microsoft/Teams/Cookies
~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb

Researchers discovered that these locations contain valid authentication tokens, account information, session data, and marketing tags that can be scraped by info-stealing malware and used to login remotely, bypassing MFA and gaining full access to the user’s account.

Microsoft, for their part, have said that the vulnerability “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network”. Make of that what you will, but with news just in that Uber are investigating a breach that involved socially-engineering a user with MFA turned on, maximum coverage across all attack surfaces should be top of mind. Security teams worried about the Teams vulnerability can find mitigation advice here.