Cyber Security Weekly Briefing, 6 – 10 June

Telefónica Tech    10 June, 2022

LockBit threatens Mandiant after linking them to Evil Corp

On the afternoon of 6 May, the LockBit 2.0 ransomware group announced on its dark web publishing page the alleged compromise of cybersecurity firm Mandiant and its intention to publish a total of 356,841 files allegedly stolen from the firm. The publication included a file called “mandiantyellowpress.com.7z”, apparently related to the domain mandiantyellowpress[.]com, which was registered that same day and redirected at the time to ninjaflex[.]com.

The LockBit threats followed Mandiant’s publication of an article indicating that the Russian-based group Evil Corp had begun using LockBit ransomware against its targets to evade US sanctions.

Since the threat became known, Mandiant has consistently said that it had no evidence of any kind of intrusion, but indicated that it was monitoring the situation. According to Bleeping Computer, which has been able to analyse the data, it is now confirmed that there has been no compromise. What LockBit has published is a message in which they deny the accusations made by what they call “tabloids” (referring to Mandiant) about a possible relationship between LockBit and Evil Corp.

The group points out that the scripts and tools for attacks are publicly available and can be used by any user, so a similarity between the tools used by two groups does not mean that they can be linked to a single identity. They also include a final line in their message disassociating themselves from any kind of political ideology or special service of any country.

More info: https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/

* * *

Symbiote: stealthy new malware targeting Linux systems

Researchers at BlackBerry and Intezer released information yesterday about a Linux malware they have named Symbiote. The malware, originally detected in attacks on the financial sector in Latin America in November 2021, is notable for its highly advanced capabilities in stealth and process hiding.

Symbiote achieves this, in part, because it is not a standalone executable but a shared object library that is loaded into all running processes via the LD_PRELOAD directive, providing the attacker with rootkit functions, password-stealing capabilities and remote access.

Because it loads itself into numerous processes, the malware can manipulate the responses of various tools and system functions, so that users and researchers see only a biased version of the results they are looking for.

Among other things, it uses the Berkeley Packet Filter function, observed in backdoors developed by the Equation Group (NSA), to hide malicious traffic and determine which packets are visible when an administrator tries to capture traffic.
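The LD_PRELOAD loading described above can be checked from two places: the declared preload list (the LD_PRELOAD variable or /etc/ld.so.preload) and each process's mapped objects. The following is an added example, not code from BlackBerry, Intezer or this briefing; the allow-list entry, the sample paths and the snapshot layout are assumptions, and the snapshot is assumed to have been collected by a means the hooked library cannot alter (for example a statically linked collector).

```python
import re

# Assumption: objects this site preloads on purpose (hypothetical path).
ALLOWED = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}

def environ_preloads(environ: bytes) -> list[str]:
    """Paths named by LD_PRELOAD in a /proc/<pid>/environ blob (NUL-separated)."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry.split(b"=", 1)[1].decode("utf-8", "replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []

def file_preloads(text: str) -> list[str]:
    """Paths listed in /etc/ld.so.preload; '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        paths += [p for p in re.split(r"[:\s]+", line.split("#", 1)[0]) if p]
    return paths

def mapped_objects(maps: str) -> set[str]:
    """File-backed paths from /proc/<pid>/maps (sixth column)."""
    objs = set()
    for line in maps.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/"):
            objs.add(fields[5].strip())
    return objs

def audit(ld_so_preload: str, procs: dict) -> list[tuple]:
    """Return (pid, path, state) for every declared preload outside ALLOWED."""
    findings = []
    global_preloads = file_preloads(ld_so_preload)
    for pid, snap in sorted(procs.items()):
        declared = set(global_preloads) | set(environ_preloads(snap["environ"]))
        for path in sorted(declared - ALLOWED):
            loaded = path in mapped_objects(snap["maps"])
            findings.append((pid, path, "mapped" if loaded else "declared, not mapped"))
    return findings

# Constructed sample snapshot (not real data); /tmp/.cache/libx.so is a made-up path.
LIBC_MAP = "7f20a000-7f3bf000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
SAMPLE_LD_SO_PRELOAD = "# site allocator\n/usr/lib/x86_64-linux-gnu/libjemalloc.so.2\n"
SAMPLE_PROCS = {
    812: {"environ": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libx.so\0HOME=/root\0",
          "maps": "7f10a000-7f10c000 r-xp 00000000 08:01 4242 /tmp/.cache/libx.so\n" + LIBC_MAP},
    900: {"environ": b"PATH=/usr/bin\0", "maps": LIBC_MAP},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROCS):
        print(finding)
```

/proc/<pid>/environ reflects the environment the process started with, so a preload set globally in /etc/ld.so.preload shows up only through the file and the maps cross-check.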

More info: https://www.intezer.com/blog/research/new-linux-threat-symbiote/

* * *

Attacks on telecommunications companies and network service providers

The US agencies NSA, CISA and FBI issued a joint security advisory warning about the detection of attacks perpetrated by malicious actors against telecommunications companies and network service providers globally.

According to the agencies, the campaign relies on exploiting known vulnerabilities, mainly in network devices; the advisory lists a total of 16 security flaws across different brands.

The advisory also highlights that, by gaining an initial foothold in a telecommunications organisation or network service provider, these malicious actors can identify critical users and systems responsible for maintaining the security of a country’s critical infrastructure.

As for attribution, the advisory does not identify any specific actor as responsible for these intrusions. Its stated purpose is to urge all organisations to patch the listed vulnerabilities and apply the mitigation measures provided in order to prevent potential security incidents.

More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-158a

* * *

Long-running espionage campaign by actor Aoqin Dragon

SentinelLabs researchers have published research reporting the discovery of a state-linked APT called Aoqin Dragon, which has allegedly been running undetected espionage campaigns for 10 years. This new actor is said to have been active against governmental organisations, educational organisations and telecommunications companies, all of them located in Southeast Asia.

According to analysts, Aoqin Dragon has developed three major infection mechanisms among its TTPs: between 2012 and 2015 it used malspam campaigns with Office document attachments that exploited vulnerabilities CVE-2012-0158 and CVE-2010-3333; between 2016 and 2017 its entry vector consisted of obfuscated malicious executables masquerading behind fake antivirus icons; and since 2018 it has used a removable disk shortcut file that, when executed, allows the injection of malicious code.

Aoqin Dragon is also notable for using two backdoors, Heyoka and Mongall, to exfiltrate information and allow communication with its victims’ networks.

More info: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

* * *

Updates, PoCs and active exploitation of 0-day vulnerability at Atlassian

After Atlassian issued a security alert last week concerning the 0-day vulnerability CVE-2022-26134 in its Confluence Server and Data Center products, the company issued an update on Friday afternoon to fix the flaw in the face of a proliferation of exploit attempts.

Atlassian has urged customers to upgrade to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1 of its products as soon as possible, and has also released temporary mitigation measures for those unable to upgrade their software immediately. Several easy-to-implement exploits showing how the vulnerability can be used to create new administrator accounts, force DNS requests, collect information, and create reverse shells were made public on Friday, and several attempts at exploitation have since been detected, as reported by researchers at GreyNoise.

More info: https://www.bleepingcomputer.com/news/security/exploit-released-for-atlassian-confluence-rce-bug-patch-now/
