Ransomware/Malware Activity
Attackers Exploit Public ".env" Files to Breach Cloud Accounts in Large Scale Extortion Campaign
Researchers have identified an extortion campaign's cloud operation that compromised multiple victim organizations' AWS environments by leveraging exposed environment variable (.env) files containing sensitive variables. The campaign's attack infrastructure scanned 110,000 domains which uncovered 7,000 variables belonging to organizations' cloud services. The success of this attack campaign relied on misconfigurations in victim organizations that exposed their ".env" files within web applications. Environment files often define configuration variables used within applications that often contain secrets such as access keys, API keys, and database login information. In this campaign, attackers utilized exposed AWS Identity and Access Management (IAM) access keys obtained from the publicly accessible ".env" files. Once initially compromised, attackers performed discovery operations to identify their permissions, users, and enumerate existing S3 buckets in the victims' AWS environment. Attackers could then escalate their privileges in cases where the originally compromised IAM role had permissions to create new roles and attach policies to existing roles. Finally, attackers exfiltrated data from the victims' cloud storage containers prior to deletion and left behind a ransom note. The attack campaign was found to single out instances where the ".env" files contained Mailgun credentials, potentially indicating that the attacker was planning to use them to send phishing emails. It is currently unclear which threat group is behind the campaign, although researchers state that two IP addresses geolocated in Ukraine and Morocco were identified as part of the attackers' activities. To prevent compromise, CTIX analysts recommend that organizations harden their security posture by following security best practices like using temporary credentials, following the principle of least privilege, disabling unused regions within an AWS account, and enabling logging and monitoring for CloudTrail and VPC flow logs. CTIX analysts will continue to report on new and emerging threat actor campaigns and associated malware.
Threat Actor Activity
New Infrastructure Tracked to FIN7 Threat Actors
Cybersecurity researchers have unveiled new infrastructure linked to the notorious financially motivated threat actor FIN7. In the investigation, two (2) clusters of potential FIN7 activity were identified with IP addresses from Post Ltd in Russia and SmartApe in Estonia. These findings build on prior discoveries of Stark Industries IP addresses dedicated to hosting FIN7 infrastructure. The analysis indicates that the hosts associated with FIN7 were likely procured through reseller programs, a common practice in the hosting industry. This provides customers with secure infrastructure while adhering to the terms of service of the parent hosting entity. The investigation identified additional infrastructure linked to FIN7, uncovering four (4) IP addresses from Post Ltd and three (3) from SmartApe, all of which communicated with numerous Stark-assigned hosts in recent months. The researchers observed that twelve (12) hosts in the Russian cluster were also present in the Estonian cluster, underscoring the interconnected nature of FIN7's infrastructure. Following responsible disclosure, Stark Industries has suspended these services to mitigate the threat. The metadata review confirmed the established connections, providing a comprehensive view of FIN7's operational infrastructure. CTIX Analysts will continue tracking activity related to prolific cybercriminal groups, like FIN7.
Vulnerabilities
Microsoft Zero-Day Vulnerabilities Actively Exploited by North Korea State-Sponsored Threat Actors
Microsoft recently patched two (2) critical zero-day vulnerabilities that were actively exploited by the North Korea-linked Lazarus APT group, known for its sophisticated cyber operations targeting sensitive industries such as cryptocurrency and aerospace. The first flaw, tracked as CVE-2024-38193, is a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock, which was exploited by Lazarus to gain SYSTEM privileges, allowing them unauthorized access to sensitive system areas typically inaccessible to users and administrators. Discovered by Gen Digital researchers, this vulnerability enabled the group to deploy a stealthy rootkit known as FudModule, designed to evade detection and bypass security measures. Similarly, the second flaw, tracked as CVE-2024-21338, is a privilege escalation flaw in the AppLocker driver (appid.sys), which was previously exploited by Lazarus in February 2024 to gain kernel-level access, disable security software, and conduct other malicious activity. These attacks stand out because they exploit vulnerabilities in drivers already installed on Windows systems, rather than using the more common Bring Your Own Vulnerable Driver (BYOVD) tactic. This approach increases their effectiveness and makes detection and prevention much more challenging. Microsoft's recent security updates, issued as part of their Patch Tuesday releases, have significantly disrupted Lazarus's ability to conduct these advanced attacks, forcing the group to either find new exploits or revert to less effective methods. CTIX analysts recommend that all readers ensure that their Windows operating system stays up-to-date with the latest patches to prevent exploitation.
- The Hacker News: Microsoft Zero-Day Vulnerabilities Article
- Security Affairs: Microsoft Zero-Day Vulnerabilities Article
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.