Ankura CTIX FLASH Update – June 21, 2022 – Financial Services
Ankura Consulting Group LLC
BRATA Banking Trojan Observed With Enhanced Capabilities
Cleafy researchers observed the threat actor behind the “BRATA” Android banking trojan advancing the malware’s capabilities and noted that the group’s recent activity now fits the profile of an Advanced Persistent Threat (APT). This categorization is due to the group’s latest campaigns, which establish “a long-term presence on a network targeted to steal sensitive information”. Researchers clarified that the threat group behind BRATA is highly targeted: it focuses on a single (1) financial institution at a time and only pivots to the next when the victim establishes effective and consistent countermeasures. The latest variant of BRATA has been updated with new phishing techniques, information theft capabilities, new classes for obtaining GPS data, overlay capabilities (which allow the malicious app to draw over other apps on a device), SMS sending and receiving capabilities, and device management permissions on the targeted device, as well as loading a second-stage payload from its command and control (C2) server to perform event logging. The BRATA variant has been observed targeting specific banking institutions across Europe and mimicking a targeted bank’s login webpage in an analyzed phishing campaign. Many updated features of the malware are still under development, and Cleafy researchers have concluded that the threat actor updates BRATA in order to abuse the accessibility service on the devices and obtain additional data from other apps. A more in-depth analysis of the latest updates, as well as Indicators of Compromise (IOCs), can be found in Cleafy’s report linked below.
Emerging NTLM Relay Attack Discovered Using Microsoft’s Distributed File System
A new New Technology LAN Manager (NTLM) relay attack has been discovered that abuses Microsoft’s Distributed File System. The attack allows an attacker to completely compromise a Windows domain. Many organizations use Microsoft Active Directory Certificate Services (AD CS) to issue the certificates their users and machines authenticate with; however, the AD CS web enrollment endpoints are vulnerable to NTLM relay attacks. In these attacks, the threat actors coerce a domain controller into authenticating to a server under the attackers’ control. The attackers relay that NTLM authentication to AD CS over HTTP and obtain a certificate for the domain controller’s machine account; with that certificate they can request a ticket-granting ticket (TGT) and assume the identity of any device on the network, including a domain controller. To coerce a remote server into authenticating to the malicious relay, attackers can use several potentially vulnerable protocols, such as MS-RPRN (PrinterBug), MS-EFSRPC (PetitPotam), and MS-FSRVP (ShadowCoerce). Although Microsoft has patched some of these protocols to prevent unauthenticated coercion, workarounds are frequently found that allow the protocols to be abused. This week, Filip Dragovic released a proof-of-concept (PoC) script for a new coercion technique called “DFSCoerce”. DFSCoerce uses the MS-DFSNM protocol, which allows managing Windows Distributed File System (DFS) namespaces through an RPC interface, to trigger the domain controller’s authentication. Security researchers who tested it reported that, combined with an NTLM relay to AD CS, it allows a user with limited access to a Windows domain to become a domain administrator. Currently, researchers say that the best way to protect against DFSCoerce is to follow Microsoft’s advice on PetitPotam NTLM Relay Attack Mitigation. These mitigations include disabling NTLM on domain controllers, enabling Extended Protection for Authentication (EPA) on the AD CS web enrollment services and enforcing signing (for example SMB signing), and using the Windows built-in RPC filters or the RPC Firewall to prevent servers from being coerced. However, it is not yet known whether blocking the DFS RPC interface would cause problems on a network.
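The relay leaves a distinctive trace on the AD CS server, and it is worth showing what a detection over its Security log looks like. The following is an added example written for this bulletin, not code from the CTIX team or from the DFSCoerce PoC: a domain controller’s machine account should only ever log on from the DC’s own address, so an NTLM logon (event 4624) for that account from any other host, followed by a certificate request naming the same account (4886 received, 4887 issued), is the fingerprint of a coerced-and-relayed authentication. The DC inventory (`KNOWN_DC_IPS`) and the events (`SAMPLE_EVENTS`) are constructed for the example; the field names follow the Windows Security log.

```python
"""Detecting coercion-plus-relay against AD CS from Security-log events.

Added example, not from the CTIX bulletin. KNOWN_DC_IPS and SAMPLE_EVENTS are
constructed; the field names mirror Windows Security-log event data.
"""
from datetime import datetime, timedelta

# Constructed inventory: DC machine account -> the only address it should use.
KNOWN_DC_IPS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

# Constructed events (simplified Security-log fields as seen on the AD CS server).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2022-06-21T10:00:01", "TargetUserName": "DC01$",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3,
     "IpAddress": "10.0.0.10"},                       # normal DC traffic
    {"EventID": 4624, "Time": "2022-06-21T10:05:12", "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "LogonType": 3,
     "IpAddress": "10.0.0.57"},                       # DC01$ via NTLM from a workstation
    {"EventID": 4886, "Time": "2022-06-21T10:05:13",
     "Requester": "CORP\\DC01$", "RequestId": 1234},  # certificate requested for DC01$
    {"EventID": 4887, "Time": "2022-06-21T10:05:14",
     "Requester": "CORP\\DC01$", "RequestId": 1234},  # ...and issued
    {"EventID": 4624, "Time": "2022-06-21T11:00:00", "TargetUserName": "jdoe",
     "AuthenticationPackageName": "NTLM", "LogonType": 3,
     "IpAddress": "10.0.0.57"},                       # ordinary user NTLM logon
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def suspicious_ntlm_logons(events, known_dc_ips):
    """4624 logons where a known DC machine account authenticates over NTLM
    from an address other than its own: the fingerprint of a relayed logon."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        account = ev.get("TargetUserName", "")
        if not account.endswith("$") or account not in known_dc_ips:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("IpAddress") != known_dc_ips[account]:
            hits.append(ev)
    return hits


def certificate_requests_for(events, account, start, window):
    """RequestIds of 4886/4887 events naming `account` within [start, start+window]."""
    short = account.split("\\")[-1].lower()
    ids = []
    for ev in events:
        if ev.get("EventID") not in (4886, 4887):
            continue
        if ev.get("Requester", "").split("\\")[-1].lower() != short:
            continue
        if start <= _ts(ev) <= start + window and ev["RequestId"] not in ids:
            ids.append(ev["RequestId"])
    return ids


def detect_relay_to_adcs(events, known_dc_ips, window_seconds=120):
    """One alert per suspicious DC logon; 'critical' when a certificate was
    requested for the same account right after it (the relay most likely worked)."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    for logon in suspicious_ntlm_logons(events, known_dc_ips):
        account = logon["TargetUserName"]
        ids = certificate_requests_for(events, account, _ts(logon), window)
        alerts.append({
            "account": account,
            "source_ip": logon["IpAddress"],
            "expected_ip": known_dc_ips[account],
            "cert_request_ids": ids,
            "severity": "critical" if ids else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_relay_to_adcs(SAMPLE_EVENTS, KNOWN_DC_IPS):
        print(alert)
```

The check is deliberately independent of which coercion primitive was used (DFSCoerce, PetitPotam or PrinterBug all produce the same relayed logon), which is why it keys on the machine account and source address rather than on the RPC interface. It presumes NTLM is still accepted by the enrollment endpoints; with EPA enforced and NTLM disabled there, as the mitigation guidance recommends, the relayed logon fails and the 4886/4887 events never appear.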
Threat actor activity
Emerging ToddyCat Threat Group continues to target high-value targets
An evolving threat group named ToddyCat is actively targeting Microsoft Exchange mail servers in Europe and Asia. ToddyCat first emerged in December 2020, when its operators compromised the high-value Microsoft Exchange servers of three organizations in Taiwan and Vietnam. Once a server was compromised, the ToddyCat actors deployed the well-known China Chopper web shell, ultimately leading to the installation of the Samurai backdoor. The group also deployed the Ninja Trojan, which allows multiple operators to control a machine at the same time. Additionally, these backdoors give attackers the ability to evade detection, execute arbitrary commands/code, and obfuscate communications to command and control (C2) nodes via HTTP header manipulation. ToddyCat actors continue to compromise targets in this campaign in the same way, using slightly different versions of their backdoors. Another attack vector ToddyCat actors use is Telegram, infecting a desktop device via malicious loaders sent to the user in zip archives. Network administrators should continue to patch vulnerable Exchange servers to reduce the risk of compromise. CTIX will continue to monitor this campaign and provide additional updates accordingly.
Siemens SINEC Network Management System vulnerable to remote code execution
Siemens has publicly acknowledged fifteen (15) vulnerabilities within its widely deployed SINEC Network Management System (NMS), two (2) of which are particularly troubling. If successfully exploited, these vulnerabilities could allow attackers to steal sensitive data, perform denial of service (DoS) attacks, and achieve remote code execution (RCE). SINEC NMS is used to centrally manage and automate industrial networks with tens of thousands of nodes. The two (2) vulnerabilities of note were identified by researchers from Claroty’s Team82, who chained them into a single attack. The first vulnerability in the chain, identified as CVE-2021-33723, is an account takeover via an improper authorization flaw, and allows a user without administrator rights to take over the SINEC administrator account by exploiting a loophole in the way users are allowed to change their own account details on the server. The problem is that the server does not validate that the user sending a profile modification request for an administrator account is indeed that administrator. This allows an attacker to change the administrator’s password via a malicious JSON payload and log in with full admin permissions. The second vulnerability in the chain, identified as CVE-2021-33722, is an RCE via path traversal flaw, which allows attackers to write to restricted directories. As part of the platform’s business logic, SINEC allows users with administrator access to create sets of files in a container and then send that container to any device on the network. Attackers who have already gained administrative access can create a container holding a malicious file or webshell and drop it on the hosting server’s file system. Because the export path is not sanitized, attackers can export the container to any directory they name by supplying path traversal characters, allowing them to copy these files to arbitrary locations on the filesystem and then execute them remotely.
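Both links in the chain are ordinary web-application mistakes, so they are easiest to see as code. The following is an added example written for this bulletin, not Siemens’ code and not Team82’s proof of concept: a hypothetical user store, request shape and directory layout that reproduce the two flaws described above (a profile-update endpoint that trusts the username in the JSON body, and a container export that joins an admin-supplied directory onto the export root without checking the result) next to a hardened version of each, with a `demo()` that runs both attacks against both versions.

```python
"""The two SINEC NMS flaw classes as vulnerable vs. hardened handlers.

Added example, not Siemens' code nor Team82's PoC: USERS, the request shapes
and the directory layout are hypothetical stand-ins for the real product.
"""
import os
import tempfile


class Forbidden(Exception):
    """Raised by the hardened handlers when a request fails authorization."""


USERS = {  # hypothetical user store: username -> profile
    "admin": {"role": "admin", "password": "s3cret", "email": "admin@example.invalid"},
    "operator": {"role": "user", "password": "op-pass", "email": "op@example.invalid"},
}


# Flaw 1 (CVE-2021-33723 class): the server trusts the username inside the
# JSON body instead of the authenticated session.
def update_profile_vulnerable(session_user, payload, users):
    target = payload["username"]  # attacker-chosen; never compared to session_user
    users[target].update({k: v for k, v in payload.items() if k != "username"})
    return users[target]


UPDATABLE_FIELDS = {"password", "email"}  # role deliberately excluded


def update_profile_hardened(session_user, payload, users):
    caller = users.get(session_user)
    target = payload["username"]
    if caller is None or target not in users:
        raise Forbidden("unknown account")
    if target != session_user and caller["role"] != "admin":  # owner or admin only
        raise Forbidden(f"{session_user} may not modify {target}")
    changes = {k: v for k, v in payload.items() if k != "username"}
    if not set(changes) <= UPDATABLE_FIELDS:
        raise Forbidden("field not updatable via this endpoint")
    users[target].update(changes)
    return users[target]


# Flaw 2 (CVE-2021-33722 class): the admin-supplied export directory is joined
# onto the export root without checking that the result stays inside it.
def export_container_vulnerable(export_root, container_files, dest_subdir):
    dest = os.path.join(export_root, dest_subdir)  # "../www" walks out of the root
    os.makedirs(dest, exist_ok=True)
    for name, data in container_files.items():
        with open(os.path.join(dest, name), "wb") as f:
            f.write(data)
    return dest


def safe_join(root, *parts):
    """Join and resolve, then refuse any result that is not under `root`."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise Forbidden(f"path escapes export root: {candidate}")
    return candidate


def export_container_hardened(export_root, container_files, dest_subdir):
    dest = safe_join(export_root, dest_subdir)
    os.makedirs(dest, exist_ok=True)
    for name, data in container_files.items():
        with open(safe_join(dest, name), "wb") as f:  # file names are untrusted too
            f.write(data)
    return dest


def demo():
    """Runs both attacks against each pair of handlers; returns what happened."""
    results = {}
    takeover = {"username": "admin", "password": "pwned"}  # sent by "operator"
    users = {k: dict(v) for k, v in USERS.items()}
    update_profile_vulnerable("operator", takeover, users)
    results["vuln_admin_password"] = users["admin"]["password"]
    users = {k: dict(v) for k, v in USERS.items()}
    try:
        update_profile_hardened("operator", takeover, users)
        results["hardened_blocked"] = False
    except Forbidden:
        results["hardened_blocked"] = True
    results["hardened_admin_password"] = users["admin"]["password"]
    with tempfile.TemporaryDirectory() as tmp:
        export_root = os.path.join(tmp, "exports")
        webroot = os.path.join(tmp, "www")  # stand-in for a directory the web server serves
        os.makedirs(export_root)
        os.makedirs(webroot)
        webshell = {"payload.jsp": b"<% /* constructed placeholder, not a real shell */ %>"}
        export_container_vulnerable(export_root, webshell, "../www")
        results["vuln_escaped"] = os.path.isfile(os.path.join(webroot, "payload.jsp"))
        try:
            export_container_hardened(export_root, webshell, "../www")
            results["hardened_traversal_blocked"] = False
        except Forbidden:
            results["hardened_traversal_blocked"] = True
        dest = export_container_hardened(export_root, {"config.xml": b"<config/>"}, "site-a")
        results["legit_export_ok"] = os.path.isfile(os.path.join(dest, "config.xml"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real fix. The authorization check binds the target account to the authenticated session rather than to anything in the request body, and it whitelists the fields the endpoint may change so that a self-service password change cannot also grant a role. The path check resolves symlinks with `realpath` before comparing against the root, and it is applied to the file names inside the container as well as to the destination directory, since both come from the request.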
All fifteen (15) vulnerabilities have been patched by Siemens, and CTIX analysts urge all administrators to ensure their SINEC NMS installations are up to date. The proof-of-concept (PoC) exploit by Team82 can be found in the report linked below, along with details on the thirteen (13) other, less severe vulnerabilities.