Get Help Now
CONTACT US

RESOURCES  >   THREAT INTEL BRIEFINGS

Date: 3/21/2022

“PrintNightmare” Vulnerability 

Overview

There has been a recent pattern of State-Sponsored Russian attackers utilizing the “PrintNightmare” vulnerability to exfiltrate emails and files and gain unauthorized access to networks.  This is achieved by leveraging weak Multifactor authentication configurations and allowing them to register a new device where the “PrintNightmare” vulnerability executes code and gains access to the system without detection.

Potential Impact

The previous Windows Print Spooler Vulnerability has not been properly patched. It affects every version of Windows, as Microsoft had attempted to create patches for Windows 7 and Server 2012. As a result, Russian hackers can work within the active directory and gain control of the system. American government agencies and private agencies are at risk as Russian hackers continuously attempt to obtain intelligence.

Recommended Actions
  • Monitor remote access/ RDP logs and disable unused remote access/RDP ports.
  • Deny atypical inbound activity from known anonymization services, to include commercial VPN services and The Onion Router (TOR).
  • Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) Signing, restrict Administrative privileges (local admin users, groups, etc.), and review sensitive materials on domain controller’s SYSVOL share.
  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
  • When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require employees engaging in remote work to use strong passwords.
  • Monitor network traffic for unapproved and unexpected protocols.

Sources
https://us-cert.cisa.gov/ncas/alerts/aa22-074a

Opportunistic cyber criminals take advantage of Ukraine invasion | Talos Threat Advisory. 

Potential Impact

Since the beginning of the war in Ukraine, Talos researchers have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising. This activity has been increasing since the end of February. These emails are primarily related to scam activity but have also delivered a variety of threats, including remote access trojans (RATs). 

The global interest in the ongoing war in Ukraine makes it a convenient and effective news event for cybercriminals to exploit. Cisco Talos saw the same type of activity when the COVID-19 pandemic started and we are now seeing it with Ukraine. Criminals, especially cybercriminals, are opportunistic. If a certain topic of lure is going to increase the chances of a potential victim installing their payload, they will use it. 

We expect this type of behavior to continue and likely increase in the days and weeks ahead. As this conflict wears on, an increasing number of criminals are going to try and exploit it. We’ve already seen a huge amount of scam activity in addition to malware delivery via traditional means like email. This particular conflict is unique in that a vigilante cyber army is conducting attacks using software they don’t understand, something else we’ve found abused.

Recommended Actions

Organizations need to be working to detect this type of activity in your environment. While there may be protections in place to stop the malware attacks from occurring, the risk of scams is significant and can be difficult to block, especially in the case of BEC, where trusted accounts are sending malicious emails. One way to address this is hunting in your own telemetry, if applicable, to try and find these threats as they are occurring. We recommend building a word list to search on, making sure to include cyrillic versions in both Ukrainian and Russian, as they are also being widely targeted by attackers.

Sources

https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html

The Lampion trojan, key Russian-based malware in the banking industry, has had its newest version (212) reverse engineered for the first time. 

Overview

This has given key insight into the behaviors of the trojan including its primary second and third stage payloads. Lampion spreads primarily through phishing emails containing fake/malicious Office documents/PDF files. Within those files sits a VBS (visual basic script) which contains the Trojan loader and C2 communication address(es).

Additionally, the VBS file has been inflated to roughly 56MB to bypass junk detection filters in modern email security tools. This is in stark contrast to its previous size of ~13KB.  The inflation also helps to reduce the accuracy of Hash-based blocking as it allows for modification of the junk space.

After the initial VBS script is loaded, the malware will then begin pulling additional VBS files such as 2nd_stage_vbs followed by (normally) two DLLs from a randomized AWS S3 bucket IP. 

Once all files are loaded the Trojan will begin de-obfuscating its commands and moving into the installation stage.

Potential Impact

Lampion is an incredibly efficient malware and should not be taken lightly. While primarily impacting the banking industry, Lampion can easily be adjusted to run as an all-purpose Trojan to attack any industry. The sophistication of the malware is attributed to Russian APT activity and thus can be considered more dangerous than other APT group activity. 

Recommended Actions

Partnering Email security solutions with an EDR platform is the best prevention strategy for this malware to both prevent its initial access and prevent it from gaining a foothold on an endpoint.

However, additional steps can be taken to implement a more defense-in-depth approach. Blocking the current well-known VBS file and hash is advised:

  • Filename: Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs
  • MD5: 2e295f9e683296d8d6b627a88ea34583

Along with that blocking of the filenames of the normal 2nd and 3rd stage attacks can also be implemented – the hashes of these files differ wildly which makes hash-blocking not a valid pathway:

  • sznyetzkkg.vbs
  • jghfszcekwr.vbs
  • soprateste.zip

Sources
https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html?web_view=true

Threat actors are using a technique called Browser -in-the-Browser (BITB) in phishing campaigns. 

Overview

BITB attacks simulate a browser windows within a browser window to entirely spoof legitimate domains. This methos takes advantage of third-party single sign-on options.  

Potential Impact

Security awareness training teaches users to inspect the URLs for suspicious indicators but BITB attacks allow threat actors to spoof legitimate domains and include trustworthy URLs. However, users would need to first be directed to a phishing domain that would execute a BITB attack. 

Recommended Actions

Ensure security awareness training includes current tactics and techniques used by threat actors. 

Sources
https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html
https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-anyone-create-fake-chrome-browser-windows/

Cybercrime groups based in Russia and some Eastern European countries act largely with impunity.  

Overview

What is the current or potential problem?
Cybercrime groups based in Russia and some Eastern European countries act largely with impunity.  Recent analysis of leaked information of the Conti ransomware group suggests that these criminal groups may have ties to the Kremlin.  

How do you know if you are vulnerable?
The ransomware tsunami of 2021 should have every organization considering themselves a potential target for cybercrime.

Potential Impact

What is likelihood/impact?
Organizations are constantly under attack from cybercriminals, and the likelihood of a compromise is high.  Whether or not that compromise leads to serious problems for an organization depends on the strength of its security program.

Recommended Actions

Implement a security program that includes continuous vulnerability management and network monitoring capabilities.

Sources
Inside Conti leaks: The Panama Papers of ransomware – The Record by Recorded Future
Conti Leaks Reveal the Ransomware Group’s Links to Russia | WIRED

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.

Let’s Discuss Your Cybersecurity Needs

Contact Us

 

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from Youtube
Vimeo
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Spotify
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound
Contact Us