Masergy Threat Intelligence Bulletin: Copy-paste attacks compromise breakdown

Published on June 29th, 2020

In the Spotlight: Copy-paste compromise breakdown by the Australian Cyber Security Centre

Key Topics Covered

Executive Summary

The Australian Cyber Security Centre (ACSC) has recently published an advisory on a campaign known as the Copy-Paste compromises. Included in the advisory is an overview of the campaign as well as mitigation and detection recommendations.

What happened?

The ACSC released an advisory on what it calls the Copy-Paste compromises, describing the most significant, coordinated cyber-targeting of Australian institutions that the Australian government has ever witnessed. The ACSC chose the name because the threat actors rely heavily on proof-of-concept (PoC) exploit code, web shells and tools copied from open sources. Initial access has mostly come from exploiting public-facing infrastructure, in particular remote code execution (RCE) against unpatched versions of Telerik UI. The actor has also shown an “aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”

Where exploitation of public-facing infrastructure did not work, the actors fell back on a variety of spearphishing techniques. Once inside, they used a mix of open-source and custom tools to maintain persistence on the victim’s network. They were also observed using compromised legitimate websites as command-and-control servers, interacting with web shells over HTTP/HTTPS; this renders geo-blocking ineffective and lets the traffic blend in with ordinary web browsing. The ACSC found no evidence that the actor intended to carry out disruptive or destructive activity in victim environments.

Copy-paste Compromise – So What?

We continue to see more and more exploitation of public-facing infrastructure and software as organizations fall behind on patching and on the mitigations vendors publish. Because these systems are reachable from the internet, they are the lowest-hanging fruit an actor can use to get into a network, so they need proper hardening to prevent a compromise that can lead to data loss or exposure. The Copy-Paste attacks show how little effort a compromise can take: copy an exploit found online and paste it at a vulnerable system. The campaign also underlines the continued need for training on recognizing phishing, since these actors turned to a variety of spearphishing techniques whenever their copy-and-paste exploitation failed, such as:

Copy-paste Compromise – What Do I Do?

The ACSC highlights two mitigations in its advisory: prompt patching of internet-facing software, operating systems and devices, and multi-factor authentication on all remote access services. Every exploit used in this campaign was publicly known and had a patch available, so victims could have avoided compromise by patching in a timely manner. We recommend that all companies apply software and device updates as soon as possible after appropriate testing. The advisory also maps the actor’s tactics, techniques and procedures to MITRE ATT&CK and provides detection recommendations for them; we encourage implementing those detections. Reducing the attack surface matters as much as patching it: identify every system and service that should not be internet-facing, such as databases or Remote Desktop Protocol, and remove it from public exposure, paying particular attention to the development, test and forgotten services this actor sought out. Finally, continue training all personnel to recognize and report suspicious emails.
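Two of the behaviours described above leave traces in ordinary web server logs: exploitation attempts against the Telerik upload handler, and the operator talking to a web shell over HTTP/HTTPS. The following Python is an added example (not from the ACSC advisory or this bulletin) that hunts for both in an IIS W3C log. The handler path is the real RadAsyncUpload endpoint of Telerik UI for ASP.NET AJAX (`Telerik.Web.UI.WebResource.axd?type=rau`); the sample log lines, the `KNOWN_SCRIPTS` baseline, the Referer heuristic and the repeat threshold are constructed assumptions for illustration.

```python
"""Hunt for Telerik RadAsyncUpload abuse and web-shell style traffic in IIS W3C logs."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log, not taken from any real incident. The layout follows the IIS
# W3C format: the #Fields line names the columns and "-" marks an empty value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2020-06-20 02:11:03 10.0.0.5 GET /default.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-06-20 02:11:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23.0 - 200
2020-06-20 02:11:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.23.0 - 200
2020-06-20 02:11:31 10.0.0.5 POST /images/service.aspx - 443 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-06-20 02:11:40 10.0.0.5 POST /images/service.aspx - 443 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-06-20 02:12:02 10.0.0.5 POST /images/service.aspx - 443 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-06-20 02:12:15 10.0.0.5 POST /login.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/login.aspx 302
2020-06-20 02:12:20 10.0.0.5 POST /api/upload.ashx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/default.aspx 200
"""

# Assumption: the server-side scripts the application is known to serve. In practice
# build this from the deployment manifest or from logs of a known-clean period.
KNOWN_SCRIPTS = {"/default.aspx", "/login.aspx", "/api/upload.ashx"}

# RadAsyncUpload handler of Telerik UI for ASP.NET AJAX; the type=rau query selects it.
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per request, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or mangled line: skip rather than mis-align columns
        yield dict(zip(fields, parts))


def hunt(text, known_scripts=KNOWN_SCRIPTS, post_threshold=3):
    """Return findings for two behaviours: POSTs to the Telerik upload handler and
    repeated Referer-less POSTs to scripts the application does not ship."""
    findings = []
    shell_posts = Counter()
    for r in parse_w3c(text):
        if r["cs-method"].upper() != "POST":
            continue  # both behaviours ride on POST; GETs are not of interest here
        stem = r["cs-uri-stem"].lower()
        query = parse_qs(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else {}
        no_referer = r["cs(Referer)"] == "-"

        # Rule 1: POST to the RadAsyncUpload handler. Legitimate uploads hit it too, but a
        # browser-driven upload carries a Referer; a bare client (scanner, PoC script)
        # usually does not, so those are ranked higher (assumption, tune per site).
        if stem == TELERIK_HANDLER and "rau" in [v.lower() for v in query.get("type", [])]:
            findings.append({
                "rule": "telerik_rau_post",
                "severity": "high" if no_referer else "review",
                "client": r["c-ip"], "path": stem,
                "user_agent": r["cs(User-Agent)"], "status": r["sc-status"],
            })

        # Rule 2: POST to a script outside the baseline, with no Referer. A web shell is
        # driven directly by its operator, never navigated to from one of the site's pages.
        if stem.endswith(SCRIPT_EXTENSIONS) and stem not in known_scripts and no_referer:
            shell_posts[(r["c-ip"], stem)] += 1

    for (client, stem), count in shell_posts.items():
        findings.append({
            "rule": "unknown_script_post",
            "severity": "high" if count >= post_threshold else "review",
            "client": client, "path": stem, "count": count,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The baseline carries most of the weight: a shell dropped as a fresh `.aspx` in an images directory only stands out against a list of what the application legitimately serves, so build `KNOWN_SCRIPTS` from the deployment rather than from the logs being hunted. A genuine browser-driven RadAsyncUpload will also POST to the handler, which is why the Referer-less hits are ranked first and the rest are left as review items.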

Highlights in Brief

Shlayer Mac Malware Returns with Extra Sneakiness

Researchers at Intego have spotted a new version of the Shlayer macOS malware with improved stealth features that uses poisoned Google search results to reach its targets. It poses as a Flash Player installer which, when downloaded and opened, displays instructions telling the user how to install it (right-click and choose Open), a route around the Gatekeeper warning that would otherwise block the unsigned application. The installer then extracts a password-protected .zip archive containing the malicious .app bundle; the password protection exists to keep antivirus engines from inspecting the contents. Once running, the malware can download further malware or adware from a command-and-control (C2) server. Because the variant is new, researchers warn users to beware of this campaign: the installer and its payload had a 0/60 detection rate on VirusTotal at the time of analysis.

Encryption Utility Firm Accused of Bundling Malware Functions in Product

Check Point researchers have identified that GuLoader, a malware dropper, is essentially the same code as CloudEye, a commercial “code protection” tool marketed by an Italian company. The company operated a seemingly legitimate website and business offering source-code protection for Windows applications while privately providing its service to threat actors. The resulting dropper typically arrives as an email attachment and, when run, downloads an encrypted payload from cloud services such as Google Drive or Microsoft OneDrive. A CloudEye spokesperson has stated that the service is being suspended indefinitely because it was abused by hackers to spread malware.

IcedID Banker is Back, Adding Steganography, COVID-19 Theme

A new IcedID banking trojan variant has emerged that uses steganography to improve its anti-detection capabilities and refines the way IcedID monitors victims’ web activity. Security researchers have observed an email spam campaign spreading the malware in the United States, themed around the COVID-19 pandemic and the Family and Medical Leave Act (FMLA). The attachments contain malicious macros that, if enabled, execute the IcedID banking trojan, which specializes in man-in-the-browser attacks to intercept and steal financial information. In the latest campaign the trojan harvests credentials and payment card data entered on sites such as Amazon and American Express. The new variant also injects itself into msiexec.exe to intercept browser traffic and uses steganography to download its modules and configuration.

Forward Look

1. https://threatpost.com/shlayer-mac-malware-extra-sneakiness/156669/
2. https://threatpost.com/legitimate-italian-guloader-obfuscator/156443/
3. https://threatpost.com/coronavirus-emails-netsupport-rat-microsoft/156026/

Appendix A

Language of Uncertainty

Throughout this intelligence summary, Masergy assesses probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.

Source Evaluation

Masergy evaluates sources using the two matrices defined below, scoring the reliability of each source and the credibility of the information obtained from it.