Weekly Intel Report - November 2, 2022
Threatscape analysis that keeps you two steps ahead of the bad guys.
Ransomware, Malware & Phishing
A new and destructive 'Azov Ransomware' data wiper is being heavily distributed through pirated software, key generators, and adware bundles, trying to frame well-known security researchers by claiming they are behind the attack.
Recommendation: Threat actors are attempting to frame several security researchers for this malware, claiming that the researchers are behind the attack. This leads victims to contact the framed researchers for decryption keys that they do not have.
The destructive new malware Azov Wiper is being delivered through the known SmokeLoader malware botnet. SmokeLoader is a botnet from which other threat actors can rent or buy installs to distribute their own malware onto infected devices. Victims have been seen double encrypted, first with Azov and then with STOP ransomware, both delivered by SmokeLoader. The initial payload is dropped as a randomly named file in the Windows temp folder and then executed. Once launched, it starts several .exe processes that contain the Azov wiper. The wiper then scans all drives on the computer and encrypts any file that does not have an .ini, .dll, or .exe extension. It appends .azov to every encrypted file and creates text files named 'RESTORE_FILES.txt' that contain a message from the threat actor.
At this time, the ransomware should be considered destructive, since there is no way to obtain decryption keys for recovery. If the data wiper encrypts your data, it is likely that you have also been infected with other malware, such as information-stealing trojans. Therefore, you should change the passwords of online accounts, such as banking, password manager, and email accounts.
APT recommends a model of prevention, contingency, and recovery when dealing with ransomware. First and foremost, your SOC teams should be working around the clock within your tools to prevent any ransomware intrusion. Security controls should help prevent infection, but in the case of infiltration, security and SOC teams must be prepared to shut down and isolate networks and devices to mitigate the spread of malware. After contingency planning, the next step is recovery. You should never be in a spot where you must pay the ransom to recover your systems. With good backups, a system wipe and restoration of the data will solve any ransomware issue.
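As an added example that is not part of the report, the following Python script sweeps a directory tree for the file-level indicators described in this item: files carrying the .azov suffix, RESTORE_FILES.txt notes, and files with the extensions the wiper skips (.ini, .dll, .exe). The sample tree it builds is constructed for the demonstration and contains no real malware output.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report: encrypted files receive a ".azov" suffix and
# ransom notes named "RESTORE_FILES.txt" are written alongside them. The wiper
# skips files with .ini, .dll and .exe extensions.
AZOV_SUFFIX = ".azov"
RANSOM_NOTE = "RESTORE_FILES.txt"
SKIPPED_EXTENSIONS = {".ini", ".dll", ".exe"}


def scan_for_azov_indicators(root):
    """Walk a directory tree and collect files carrying Azov indicators.

    Returns a dict with the sorted list of ".azov" files, the sorted list of
    ransom notes, and a count of files whose extension the wiper leaves alone.
    """
    result = {"encrypted": [], "notes": [], "skipped_ext_untouched": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                result["notes"].append(str(path))
            elif name.lower().endswith(AZOV_SUFFIX):
                result["encrypted"].append(str(path))
            elif path.suffix.lower() in SKIPPED_EXTENSIONS:
                result["skipped_ext_untouched"] += 1
    result["encrypted"].sort()
    result["notes"].sort()
    return result


def build_sample_tree():
    """Create a constructed sample directory that mimics a hit machine.

    The contents are placeholders for the demonstration only.
    """
    root = tempfile.mkdtemp(prefix="azov_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.azov").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.azov").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (Path(root) / "app.exe").write_bytes(b"MZ")          # skipped by the wiper
    (Path(root) / "settings.ini").write_text("[x]\n")    # skipped by the wiper
    (Path(root) / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root


def demo():
    """Build the constructed tree and return the scan result for it."""
    return scan_for_azov_indicators(build_sample_tree())


if __name__ == "__main__":
    report = demo()
    print(f"{len(report['encrypted'])} encrypted file(s), "
          f"{len(report['notes'])} ransom note(s), "
          f"{report['skipped_ext_untouched']} untouched system file(s)")
```

Point `scan_for_azov_indicators` at a user profile or file share during triage; a non-empty `notes` list with an empty `encrypted` list is itself worth a look, since the note name alone is an indicator.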
Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like SharkBot and Vultur, which can steal financial data and perform on-device fraud.
Recommendation: The malicious droppers continue to highlight the current evolution of malicious applications sneaking onto the official app store. This most recent evolution follows newly introduced policies, while masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser.
Targets of the malicious droppers include over 230 banking and cryptocurrency wallet apps from financial institutions in Italy, the UK, Germany, Spain, Poland, Austria, United States, Australia, France and the Netherlands. Dropper apps have become increasingly popular, and act as an efficient technique to distribute banking malware to unsuspecting users, as threat actors continue to refine their tactics to bypass restrictions imposed by Google.
The five malicious apps attributed to this actor are: Codice Fiscale 2022; File Manager Small, Lite; My Finances Tracker; Recover Audio, Images & Videos; and Zetter Authenticator, all of which are still available on the app store.
APT recommends scanning all of your mobile devices within your environment for the above apps and removing them immediately. APT also recommends having a strong mobile device management program that enforces a controlled app store on all corporate devices and holds a strong bring-your-own-device (“BYOD”) policy that constantly monitors any personal devices for applications being downloaded. It is highly important to keep all devices up to date with the latest security update when available. Lastly, APT highlights the importance of continued security awareness training to all staff members, including all the different distribution methods that actors use to target victims, including telephone-oriented attack delivery (TOAD), droppers on official stores, smishing (SMS, social media and messengers), malicious advertisements, and exploits.
Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs. DEV-0950 group used Clop ransomware to encrypt the network of organizations previously infected with the Raspberry Robin worm.
Recommendation: In data collected by Microsoft Defender for Endpoint, statistics showed that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert within the last 30 days. DEV-0950 threat actors were seen using Clop ransomware to encrypt networks of organizations that were previously infected with the Raspberry Robin worm. Last month, the attacks led to the deployment of the Cobalt Strike beacon.
Raspberry Robin is a Windows worm discovered by cybersecurity researchers. Found to propagate through removable USB devices, the malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses Tor exit nodes as a backup C2 infrastructure.
This is particularly interesting as the initial attack method for DEV-0950 threat actors to acquire most of their victims was typically phishing. This shift to using the worm enables them to deliver payloads to existing infections and move their campaign quickly to ransomware stages.
Threat groups and their tactics, techniques, procedures, and IOCs are constantly evolving and adapting. It is essential that as an organization you continue to stay in the know with threat actors and their angles of approach. Although the threat mentioned may not seem relevant to your entity or field at the current time, threat actors can develop new attack methods to target different fields at any given time. It is essential that you are aware and have a well-developed day-to-day threat hunting procedure within your organization to search for any IOCs in application and system logs, while scanning for any targeted vulnerabilities and blocking for file hashes, IPs, URLs, and known actor email addresses at both the endpoint and network level.
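As an added example that is not part of the report, the following Python hunt logic flags process-creation events in which Windows Installer (msiexec.exe) is launched with a remote URL as its package source, the delivery trait described in the Raspberry Robin item above, and can optionally restrict hits to a defender-supplied domain watchlist in the spirit of the IOC-matching recommendation. The event lines, the host names and the example-qnap-host.invalid domain are constructed placeholders, and the tab-separated event layout is an assumption about your telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry). Fields are
# tab-separated: timestamp, host, parent image, image, command line.
SAMPLE_EVENTS = """\
2022-11-01T09:12:03Z\tWS-0142\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec /i C:\\Users\\jdoe\\Downloads\\7z2201-x64.msi
2022-11-01T09:14:51Z\tWS-0142\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec /q /i http://example-qnap-host.invalid/gAAB/WS-0142
2022-11-01T09:15:07Z\tWS-0201\tC:\\Windows\\explorer.exe\tC:\\Program Files\\7-Zip\\7zFM.exe\t"C:\\Program Files\\7-Zip\\7zFM.exe"
2022-11-01T09:16:22Z\tWS-0077\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\msiexec.exe\tMSIEXEC /Q /I HTTPS://example-qnap-host.invalid/data
"""

# Any http(s) URL on the command line; case-insensitive because msiexec is.
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)


def parse_event(line):
    """Split one tab-separated event line into a dict (assumed layout)."""
    ts, host, parent, image, cmdline = line.split("\t", 4)
    return {"ts": ts, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def url_host(url):
    """Return the lower-cased host part of an http(s) URL, without port."""
    rest = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def is_remote_msiexec(event, watchlist=()):
    """True when msiexec.exe is told to install a package from a URL.

    With a non-empty watchlist, only URLs whose host is on the list count.
    """
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "msiexec.exe":
        return False
    match = URL_RE.search(event["cmdline"])
    if not match:
        return False
    if not watchlist:
        return True
    return url_host(match.group(0)) in {h.lower() for h in watchlist}


def hunt(log_text, watchlist=()):
    """Run the detection over a block of event lines and return the hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            if is_remote_msiexec(event, watchlist):
                hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']} parent={hit['parent']} cmd={hit['cmdline']}")
```

Running it without a watchlist surfaces every remote msiexec install, which is a useful low-volume hunt on its own; feed in your blocked-domain list to turn the same logic into an IOC match.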
Vulnerabilities
SQLite patches 22-year-old code execution, denial of service vulnerability
Recommendation: The high-severity vulnerability is tracked as CVE-2022-35737 and has a CVSS score of 7.5. Trail of Bits said the bug impacts any app that relies on the SQLite library API. The vulnerability is exploitable on 64-bit systems when large string inputs contain the %Q, %q, or %w format substitution types, which in this scenario might cause programs to crash or worse.
In the most severe cases, when the "!" special character exists in the format string, it may be "possible to achieve arbitrary code execution . . . or to cause the program to hang and loop (nearly) indefinitely," according to the researchers. The SQLite project's own Fossil version control system also uses this printf implementation, but the team could not find a way to inject a 2 GB string into it.
CVE-2022-35737 was reported to the Computer Emergency Response Team (CERT) Coordination Center by Trail of Bits on July 14. CERT confirmed the issue, reached out to SQLite maintainers, and the team fixed the bug in the software’s source code only three days later – a task accomplished by converting to the use of 64-bit integers. APT recommends that you download and install the latest SQLite version v3.39.2, which was released on July 21.
Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability
Recommendation: An actively exploited security flaw in Microsoft Windows makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections, and an unofficial patch is now available. The fix, published by 0patch, comes weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates and employs a JavaScript file to deliver the file-encrypting malware.
Researchers found that corrupt Authenticode signatures can be used to allow the execution of arbitrary executables without any SmartScreen warning. According to security researcher Will Dormann, "If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped regardless of script contents, as if there is no MotW on the file."
APT recommends that you monitor compressed archive and image files downloaded from the Internet, as their contents may not be tagged with the MotW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. Monitor files (especially those downloaded from untrusted locations) for MotW attributes, and consider inspecting and scanning file formats commonly used to bypass MotW (e.g., .arj, .gzip, .iso, .vhd).
In terms of mitigation, take into account disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations to disable the automatic Explorer "Mount and Burn" dialog for these file extensions. Finally, think about blocking container file types at web or email gateways, effectively unregistering container file extensions in Windows File Explorer.
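As an added example that is not part of the report, the following Python code shows the two file-side checks recommended above: parsing the Zone.Identifier alternate data stream that carries the MotW (ZoneId 3 or above means the file came from the Internet or a restricted zone) and flagging container extensions whose contents may not inherit the mark. The sample stream text is constructed, `read_motw` only works on NTFS under Windows, and the container list extends the report's examples with .vhdx and .img from the mitigation paragraph.

```python
from pathlib import Path

# Container formats the report lists as commonly used to bypass MotW, plus the
# disk-image extensions named in the auto-mount mitigation.
MOTW_BYPASS_CONTAINERS = {".arj", ".gzip", ".iso", ".vhd", ".vhdx", ".img"}

# Windows URL security zone identifiers (well-known values).
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# Constructed sample of a Zone.Identifier stream, as Windows writes it.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/dl/\r\n"
                 "HostUrl=https://example.invalid/dl/update.js\r\n")


def parse_zone_identifier(stream_text):
    """Parse the INI-style Zone.Identifier stream into a dict.

    Only keys under [ZoneTransfer] are kept; ZoneId is converted to int when
    it is numeric, otherwise left as the raw string.
    """
    result = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        try:
            result["ZoneId"] = int(result["ZoneId"])
        except ValueError:
            pass
    return result


def zone_name(stream_text):
    """Human-readable zone for a stream, or 'Unknown' when absent/unparsed."""
    zone = parse_zone_identifier(stream_text).get("ZoneId")
    return ZONE_NAMES.get(zone, "Unknown") if isinstance(zone, int) else "Unknown"


def is_from_internet(stream_text):
    """True for ZoneId 3 (Internet) or 4 (Restricted)."""
    zone = parse_zone_identifier(stream_text).get("ZoneId")
    return isinstance(zone, int) and zone >= 3


def read_motw(path):
    """Read the Zone.Identifier ADS of a file (NTFS on Windows only).

    Returns the stream text, or None when the file carries no mark or the
    platform has no alternate data streams.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def needs_container_inspection(filename):
    """True when the extension is a container that may hide unmarked files."""
    return Path(filename).suffix.lower() in MOTW_BYPASS_CONTAINERS


if __name__ == "__main__":
    print(zone_name(SAMPLE_STREAM), parse_zone_identifier(SAMPLE_STREAM))
    print("setup.iso needs inspection:", needs_container_inspection("setup.iso"))
```

A file that answers `is_from_internet` but arrives inside a container that answers `needs_container_inspection` is the case the report warns about: the outer file is marked, the extracted or mounted contents may not be.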
OpenSSL fixes two high severity vulnerabilities
Recommendation: The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.
CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial-of-service state via buffer overflow. The OpenSSL team stated, “We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible.”
Per OpenSSL's policy, organizations and IT admins were warned on October 25 to search their environments for vulnerable instances and prepare them for patching when OpenSSL 3.0.7 was released. The Netherlands' National Cyber Security Centre is maintaining a list of software products confirmed to be (un)affected by this OpenSSL vulnerability.
The latest OpenSSL versions are included in the most recent releases of multiple popular Linux distributions, with Red Hat Enterprise Linux 9, Ubuntu 22.04+, CentOS Stream 9, Kali 2022.3, Debian 12, and Fedora 36 tagged as vulnerable by cybersecurity company Akamai.
APT recommends that, if you have a vulnerable version of OpenSSL, you consider mitigation measures such as requiring admins operating TLS servers to disable TLS client authentication until the patches can be applied.
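As an added example that is not part of the report, the following Python code turns the two version facts from the SQLite and OpenSSL items above into checks a practitioner can run: SQLite below 3.39.2 is affected by CVE-2022-35737, and OpenSSL from 3.0.0 up to but not including 3.0.7 is affected by CVE-2022-3602 and CVE-2022-3786. It also builds a server-side TLS context with client authentication disabled, the interim mitigation recommended above. The library versions it reads come from the running interpreter's bundled sqlite3 and ssl modules, which may differ from the system libraries your services link against; distribution backports can also make a version string look older than the code actually is, so treat the result as a triage hint.

```python
import re
import sqlite3
import ssl

SQLITE_FIXED = (3, 39, 2)          # CVE-2022-35737 fixed in SQLite 3.39.2
OPENSSL_AFFECTED_MIN = (3, 0, 0)   # CVE-2022-3602 / CVE-2022-3786 affect 3.0.0 ...
OPENSSL_FIXED = (3, 0, 7)          # ... and are fixed in 3.0.7


def parse_version(text):
    """Extract the first dotted version from strings such as '3.39.2',
    '3.0.7a' or 'OpenSSL 3.0.5 5 Jul 2022' and return it as a tuple of ints.
    A missing patch component is treated as 0."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def sqlite_vulnerable_cve_2022_35737(version):
    """True when the SQLite library version predates the 3.39.2 fix."""
    return parse_version(version) < SQLITE_FIXED


def openssl_vulnerable_cve_2022_3602(version):
    """True for OpenSSL 3.0.0 <= version < 3.0.7 (covers both CVEs)."""
    return OPENSSL_AFFECTED_MIN <= parse_version(version) < OPENSSL_FIXED


def check_local_libraries():
    """Report the interpreter's bundled SQLite and OpenSSL versions and
    whether each falls in an affected range."""
    return {
        "sqlite": (sqlite3.sqlite_version,
                   sqlite_vulnerable_cve_2022_35737(sqlite3.sqlite_version)),
        "openssl": (ssl.OPENSSL_VERSION,
                    openssl_vulnerable_cve_2022_3602(ssl.OPENSSL_VERSION)),
    }


def server_context_without_client_auth():
    """Server-side TLS context that never requests a client certificate.

    This is the stop-gap the report mentions for unpatched OpenSSL 3.0.x
    servers: without client authentication the server never parses a
    client certificate's name constraints."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for lib, (version, affected) in check_local_libraries().items():
        print(f"{lib}: {version} -> {'AFFECTED' if affected else 'not in affected range'}")
```

For production fleets, feed the output of your package manager or `openssl version` into `openssl_vulnerable_cve_2022_3602` rather than relying on the interpreter's copy alone.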
Researchers Disclose Details of Critical 'CosMiss' RCE Flaw Affecting Azure Cosmos DB
Recommendation: On Tuesday, Microsoft addressed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB that enabled full read and write access. The tech giant said the problem was introduced on August 12, 2022, and rectified worldwide on October 6, 2022, two days after responsible disclosure from Orca Security, which dubbed the flaw CosMiss.
Researchers Lidor Ben Shitrit and Roee Sagi stated, "In short, if an attacker had knowledge of a Notebook's 'forwardingId,' which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook without having to authenticate, including read and write access, and the ability to modify the file system of the container running the notebook." This container modification could ultimately pave the way for obtaining remote code execution in the Notebook container by overwriting a Python file associated with the Cosmos DB Explorer to spawn a reverse shell. Successful exploitation of the flaw, however, requires that the adversary is in possession of the unique 128-bit forwardingId and that it's used within a one-hour window, after which the temporary Notebook is automatically deleted.
Microsoft noted in its own advisory that it identified no evidence of malicious activity, adding that no action is required from customers. It also described the issue as "difficult to exploit" owing to the randomness of the 128-bit forwardingId and its limited lifespan.
APT recommends that you apply physical security best practices regarding company or BYOD hardware. Limit physical access to a susceptible device, either by locking it away when done or by making it more inconspicuous to an attacker.