Monthly Archives: June 2022

Defense Contractors: DoD Updates CMMC Timeline

The Department of Defense recently provided some clarity on the timeline for implementing its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete the documentation it must submit to the Office of Management and Budget for the rulemaking process by July 2022, and it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).

DoD plans to roll out the CMMC requirements in solicitations under a “phased approach.” During phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment and provide a positive affirmation of compliance. This stands in contrast to a third-party certification, which will eventually be required for some contractors under CMMC. In phase two, solicitations will require either self-assessments or third-party certifications; which one applies depends on the type of information involved and the required certification level. The timing of phase two is still to be determined.

DoD also has confirmed that a third-party CMMC certification will be valid for three years from the date it is issued (while not required until phase two, contractors may choose to obtain certification early), but contractors will still be required to provide an annual affirmation of compliance. Third-party certification is reserved for contractors associated with critical programs and contracts involving information critical to national security. Contractors not handling such information will instead perform a self-assessment annually, accompanied by an affirmation from a senior company official.

Putting it Into Practice: It seems the time finally has come for DoD contractors and suppliers to prepare their information systems for a CMMC assessment, if they have not already. Now is time for DoD contractors to consider (1) comprehensive self-assessments, (2) appropriate remediation, and (3) updating any reported cybersecurity scores to ensure they reflect the current posture of the system.

Retrieved from https://www.natlawreview.com/article/updated-timeline-dod-s-cybersecurity-certification-program

June 27, 2022

Cybercriminals Target the Travel Industry as Travel Rebounds

I. Targeted Entities

  • Travel Industry

II. Introduction

As people begin to travel more post-COVID, researchers are warning that the travel industry is a prime target for an increase in cyber-related crime. Criminal activity ranges from the theft of airline mileage reward points to the trading of credentials for travel websites. The direct impact of these attacks is hijacked accounts that are stripped of their value; at scale, researchers say, such activity can also contribute to flight delays and cancellations.

III. Background Information

Since January, researchers at Intel 471 have observed multiple instances of threat actors trading credentials linked to travel websites. The threat actors were specifically interested in “mileage rewards accounts with at least 100,000 miles.” These accounts earn rewards on every dollar spent.[1] Credentials listed in February belonged to U.K. users of a major travel website and customers of two U.S. airlines. The researchers at Intel 471 say, “access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. The accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”[1]

The exploitation of rewards programs, especially those associated with travel, is not new. In 2018, two Russian teens were arrested for infiltrating more than a half-million online accounts, targeting services that offer reward points.[2] Researchers say that as the travel industry bounces back from its COVID-related slump, the industry once again becomes a target for criminals.[2]

Other nefarious activity includes the targeting of travel-related databases. These databases contain employee and traveler personally identifiable information (PII), which criminals can sell. Intel 471 researchers observed that threat actors had compromised a travel-related database covering 40,000 employees in Illinois. The researchers say that this leaked information plays a role in travel-related fraud, allowing a criminal to generate new identities that can be used to cross borders or evade authorities.[1]

Researchers at Intel 471 suggest that customers stay vigilant while making travel arrangements: book flights from reliable sources, handle payment details cautiously, and be on the lookout for offers that seem out of place.

IV. MITRE ATT&CK

  • T1566 – Phishing
    Adversaries may utilize methods, like phishing, that involve social engineering techniques, such as posing as a trusted source.
  • T1555 – Credentials from Password Stores
    Adversaries may search common password storage locations to obtain user credentials.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of your endpoint protection product so that unknown malware can be detected and blocked, not just known signatures.

VI. Indicators of Compromise (IOCs)

There are no IOCs for this threat advisory. However, users should remain vigilant of things that don’t seem right, and take the necessary precautions as they browse the Internet.

VII. References

(1) Intel 471, ed. “Cybercriminals Preying on Travel Surge with a Host of Different Scams.” Intel471, June 15, 2022. https://intel471.com/blog/travel-fraud-cybercrime-ransomware-pii.

(2) Tiwari, Sagar. “Travel-Related Cybercrime Takes Off as Industry Rebounds.” Threatpost English Global, June 15, 2022. https://threatpost.com/travel-related-cybercrime-takes-off/179962/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Tural Hagverdiyev, Uday Bilakhiya.

June 16, 2022

FIU Awarded $2 Million to Develop Artificial Intelligence Cybersecurity Tools

Florida International University’s College of Engineering and Computing researchers have received a $2 million award from the U.S. Department of Energy (DOE) to help develop technology to prevent, detect, analyze and mitigate cyberattacks against U.S. energy systems.

“Our FIU team is very experienced in cybersecurity and smart energy grids. We are proud to lead the project to advance state-of-the-art methods in cyberattack detection and to harden our power grids,” said Mohammad Ashiqur Rahman, the lead principal investigator and assistant professor and the director of the Analytics for Cyber Defense (ACyD) Lab. “Protecting the security of America’s power is crucial as we face increasing cyber threats.”

The project, entitled “Artificial Intelligence-Enabled Tools (ArtIT) for Cyber Hardening of Power Grids,” involves developing artificial intelligence techniques and analytics that identify attacks in real-time and creating intelligent controllers to enhance the bulk power system’s attack resiliency. The team will then validate and test the tools in collaboration with utility and industry partners.

June 15, 2022

Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

June 7, 2022

BONUS Episode 25: Vice Admiral Mike McConnell – the former NSA director, an elite storyteller whose life resembles a Grisham novel, and an appreciator of formaldehyde-free beer

June 7, 2022

Microsoft Releases Workaround for Zero-Day Flaw

I. Targeted Entities

  • Microsoft Office users

II. Introduction

Microsoft has recently published a workaround for a zero-day vulnerability, known as Follina, in Microsoft Office applications such as Word, after the flaw was originally identified back in April. The vulnerability is a remote code execution (RCE) flaw: if successfully exploited, threat actors can install programs and view, change, or delete data on targeted systems. The RCE involves the Microsoft Support Diagnostic Tool (MSDT), which, ironically, collects information about bugs in the company’s products and reports them to Microsoft Support.

III. Background Information

Microsoft explained that “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word…An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application”.[1] The workaround comes about six weeks after the vulnerability was first seen by researchers from Shadow Chaser Group on April 12th and reported to Microsoft on April 21st. The underlying technique had already been described in a bachelor’s thesis from August 2020, and the April sample appeared to target Russian users.[2] A Malwarebytes Threat Intelligence analyst also found the flaw back in April but could not fully identify it; the company posted a tweet about it the same day, April 12th.[2]

When the flaw was first reported, Microsoft did not consider it an issue. It is now clear that the vulnerability should be taken seriously: Japanese security vendor Nao Sec tweeted a fresh warning, noting that the vulnerability was being used against users in Belarus. Security researcher Kevin Beaumont named the vulnerability Follina because the malicious sample references 0438, the telephone area code of Follina, Italy.[2]

There is no fix for the flaw yet, but Microsoft recommends that affected users disable the MSDT URL protocol handler to mitigate it for now. Disabling the MSDT URL protocol “prevents troubleshooters being launched as links including links throughout the operating system.”[2] To disable it, users should follow these steps:

  1. Run Command Prompt as Administrator.
  2. Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename
  3. Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f [2]
  4. To undo the workaround once a fix is available, run: reg import filename
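The same steps in PowerShell, as an added example that is not Microsoft's own script: it exports the key before deleting it, verifies that the handler is really gone, and keeps a restore function for when a patch ships. The backup path and the function names are assumptions; the reg.exe commands are the ones from Microsoft's guidance.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script): apply, verify and reverse the MSDT URL-protocol
# workaround. The backup location is an assumption; change it to suit your environment.

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed path

function Test-MsdtHandlerRegistered {
    # $true while the ms-msdt: scheme still resolves to MSDT, i.e. the workaround is NOT applied.
    return [bool](Test-Path -LiteralPath $HandlerKey)
}

function Disable-MsdtUrlHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # 1. Export the key first so the change can be reversed (/y overwrites a stale backup).
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed (reg.exe exit code $LASTEXITCODE); key left in place." }
    # 2. Remove the protocol handler; /f suppresses the confirmation prompt.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete failed (reg.exe exit code $LASTEXITCODE)." }
    # 3. Verify before reporting success; a silent failure here leaves the host exposed.
    if (Test-MsdtHandlerRegistered) { throw 'ms-msdt key still present after delete.' }
    Write-Host "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtUrlHandler {
    # Reverse the workaround from the backup after Microsoft's fix has been installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import failed (reg.exe exit code $LASTEXITCODE)." }
    if (-not (Test-MsdtHandlerRegistered)) { throw 'ms-msdt key still missing after import.' }
    Write-Host 'ms-msdt handler restored.'
}

Disable-MsdtUrlHandler
```

Test-MsdtHandlerRegistered doubles as the fleet-wide compliance check: run it through your remote-management tooling and any host that still returns $true has not had the workaround applied. Keep the exported .reg file with your change record so the handler can be put back with Restore-MsdtUrlHandler once the patch is installed.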

Microsoft says that troubleshooters can still be accessed through the Get Help application and system settings. Microsoft also says that if the calling application is an Office program, Office by default opens documents from the internet in Protected View or Application Guard for Office, both of which it says will “prevent the current attack.” Beaumont disputed that assurance in his analysis of the bug.[2] Microsoft also plans to update its advisory for CVE-2022-30190 with further information but has not said when.[2]

Meanwhile, the unpatched flaw poses a significant threat. First, it affects a large population: it exists in all currently supported Windows versions and can be exploited through Office 2013 through 2019, Office 2021, Office 365, and Office ProPlus.[2] Second, it requires little or no action from the end user. Once the calling application loads the HTML, the ms-msdt: URL scheme is used to invoke MSDT, which runs PowerShell to execute the malicious payload.[2] Because the flaw abuses Word’s remote template feature, it does not depend on the macro-based exploit path common in Office-based attacks, so blocking macros does not stop it.[2]

Researchers say this flaw resembles last year’s zero-click MSHTML bug (CVE-2021-40444), which was heavily exploited by attackers, including the Ryuk ransomware gang. Threat actors have already pounced on this vulnerability: Proofpoint Threat Insight tweeted that it was being used to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration. Moreover, the workaround Microsoft currently offers has its own problems and is not a long-term fix; it is unfriendly to admins because it requires changing the Windows Registry, says Aviv Grafi, CTO and founder of Votiro.[2]

IV. MITRE ATT&CK

  • T1219 – Remote Access Software
    An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
  • T1218 – System Binary Proxy Execution
    Threat actors bypass signature-based defenses by proxying the execution of malicious content through signed or trusted binaries. This technique often involves Microsoft-signed files, which are either downloaded from Microsoft or already native to the operating system.
  • T1221 – Template Injection
    Threat actors create or modify references in user document templates to conceal malicious code or force authentication attempts.
  • T1566 – Phishing
    Adversaries may utilize methods like phishing that involve social engineering techniques, such as posing as a trusted source.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Disable the Microsoft Support Diagnostic Tool URL Protocol
    Microsoft recommends that affected users disable the MSDT URL protocol handler to mitigate this vulnerability, as no patch yet exists for the flaw. Back up the registry key before deleting it so the handler can be restored once a patch is installed.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of your endpoint protection product so that unknown malware can be detected and blocked, not just known signatures.

VI. Indicators of Compromise (IOCs)

No network IOCs are listed in this advisory. The host-side check for the workaround is the presence of the ms-msdt URL protocol handler key (HKEY_CLASSES_ROOT\ms-msdt): if the key is still present, the workaround described in Section III has not been applied. Further information is available in Microsoft's guidance linked in the references below.

VII. References

(1) Microsoft Security Response Center, ed. “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Microsoft Security Response Center, May 30, 2022. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

(2) Montalbano, Elizabeth. “Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack.” Threatpost English Global, June 1, 2022. https://threatpost.com/microsoft-workaround-0day-attack/179776/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

June 7, 2022

REvil is Back and Executes DDoS Attacks

I. Targeted Entities

  • A hospitality customer of Akamai Technologies, Inc.

II. Introduction

Akamai, a cloud networking provider, has reported a recent distributed denial of service (DDoS) campaign against one of its hospitality customers, with a group claiming to be the defunct REvil ransomware gang taking responsibility for it. It should be noted that researchers believe there is a high probability that the attack is not a resurgence of the infamous cybercriminal group but rather a copycat operation.

III. Background Information

Akamai researchers have been monitoring the DDoS attack since May 12th, when a customer alerted the company’s Security Incident Response Team (SIRT) to an attempted attack by a group purporting to be REvil. The requests contain demands for payment, a bitcoin wallet address, and business/political demands.[1] While the attackers claim to be REvil, it is not clear that the defunct group is responsible, given that the attacks appear smaller than those the group previously claimed. The apparent political motivation behind the DDoS campaign is also inconsistent with REvil’s M.O.

REvil, which hasn’t been seen since July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well known for its attacks against Kaseya, JBS Foods, and Apple.[2] The disruptive nature of its attacks led international authorities to take measures against the group, with Europol arresting a number of cybercriminals in November 2021.[2] In early 2022, Russia, which until then had done little to stop REvil’s operations, announced that it had dismantled the group at the request of the U.S. government and arrested a number of its members. One person arrested was instrumental in helping the ransomware group DarkSide, the group responsible for the Colonial Pipeline attack in May 2021.[2]

The recent DDoS attack, which would be a shift in strategy for REvil, consisted of HTTP GET requests in which the request path carried a 554-byte message demanding payment. The victim was directed to send the bitcoin payment to a wallet address that “currently has no history and is not tied to any previously known bitcoin.”[2] The attack also carried a geospecific demand that the targeted company cease business operations across an entire country. The attackers threatened follow-up attacks affecting global business operations if the demand was not met and the ransom not paid within a specified time.[2]
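A detection heuristic for the request pattern described above, as an added example that is not Akamai's code: it scans constructed W3C-style web log lines for GET requests whose path is unusually long or contains a bitcoin-address-shaped token. The field layout, the length threshold, the function names and the sample lines are assumptions, and the address in the sample is a made-up token that merely matches the address shape.

```powershell
# Added example (not Akamai's tooling): flag HTTP GET requests whose URI path carries a
# ransom note, using the two traits the advisory describes: an unusually long request path
# and a bitcoin-address-shaped token inside it. Threshold, log layout and sample lines are assumptions.

$MinSuspiciousPathLength = 256   # assumed; the observed note was 554 bytes
# Legacy (1.../3...) and bech32 (bc1...) address shapes; base58 excludes 0, O, I and l.
$BitcoinAddressPattern = '(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})'

function Test-RansomNoteRequest {
    param([Parameter(Mandatory)][string]$LogLine)
    # Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    $f = $LogLine -split '\s+'
    if ($f.Count -lt 7 -or $f[3] -ne 'GET') { return $false }
    $path = [uri]::UnescapeDataString($f[4])    # decode %xx so an encoded note is still caught
    # -cmatch keeps the base58 character class case-sensitive (-match would accept I, l and O).
    return ($path.Length -ge $MinSuspiciousPathLength) -or ($path -cmatch $BitcoinAddressPattern)
}

function Get-RansomNoteRequests {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }   # skip W3C directive lines
        if (Test-RansomNoteRequest -LogLine $line) {
            $f = $line -split '\s+'
            [pscustomobject]@{
                Time       = "$($f[0]) $($f[1])"
                ClientIp   = $f[2]
                PathLength = $f[4].Length
                Path       = $f[4]
            }
        }
    }
}

# Constructed sample lines (not real traffic). The third line carries a fabricated note with a
# made-up address-shaped token; the fourth is an overlong path with no address at all.
$SampleLog = @(
    '#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status',
    '2022-05-12 10:01:02 203.0.113.10 GET /index.html - 200',
    '2022-05-12 10:01:03 198.51.100.7 GET /PAY-OR-WE-CONTINUE-send-btc-to-1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSsTt-within-72h - 404',
    ('2022-05-12 10:01:04 198.51.100.8 GET /' + ('A' * 300) + ' - 404'),
    '2022-05-12 10:01:05 203.0.113.11 POST /api/login - 200'
)

Get-RansomNoteRequests -Lines $SampleLog | Format-Table -AutoSize
```

Run against the constructed sample, it returns the two 198.51.100.x requests and ignores the ordinary GET and the POST. Because Akamai notes the tool's values may change between campaigns, treat this as triage on the request-path trait rather than a signature; legitimate long URLs (search queries, signed download links) will need an allow-list, and the path length alone should drive rate limiting rather than blocking.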

There is precedent for REvil using DDoS in its previous attacks, but this attack does not appear to be REvil’s work. REvil’s M.O. was to gain access to a target network, encrypt or steal sensitive data, and demand payment to decrypt it or to prevent its sale to the highest bidder or public disclosure. The technique in this attack differs from that strategy. The political motivation tied to the attack, which is linked to a legal ruling about the targeted company’s business model, also goes against REvil’s normal tactics; its leaders said in the past that they were purely profit-driven.[2] It is possible that REvil is seeking a resurgence by trying out DDoS extortion as a new business model, but it is more likely that cybercriminals are using the name of a notorious group to frighten the targeted organization into meeting their demands.[2]

IV. MITRE ATT&CK

  • T1498 – Network Denial of Service
    This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary flooded an Akamai hospitality customer with HTTP GET requests carrying a ransom demand and demanded payment to end the attack.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable the endpoint detection and response (EDR) features of your endpoint protection product so that unknown malware can be detected and blocked, not just known signatures.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Cashdollar, Larry. “REvil Resurgence? Or a Copycat?” Akamai Blog. Akamai Technologies, May 25, 2022. https://www.akamai.com/blog/security/revil-resurgence-or-copycat.

(2) Montalbano, Elizabeth. “Cybergang Claims Revil Is Back, Executes DDoS Attacks.” Threatpost English Global, May 26, 2022. https://threatpost.com/cybergang-claims-revil-is-back-executes-ddos-attacks/179734/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.

June 6, 2022