Ankura CTIX FLASH Update – June 10, 2022 – Fin Tech


Ransomware/Malware activity

New England Medical Services Shields Health Care Group Suffers Data Breach

Shields Health Care Group (Shields), a Massachusetts-based healthcare provider that delivers a variety of medical services to over fifty (50) hospitals and clinics throughout New England, announced a data breach affecting approximately 2 million individuals. Shields stated that it discovered suspicious activity on its network on March 28, 2022, and subsequently launched an investigation, which found that sensitive data had been collected by an unknown threat actor with access from March 7-21, 2022. The data currently disclosed includes full name, social security number (SSN), date of birth, residential address, provider information, medical record number, patient ID, diagnosis, billing information, insurance number and information, and other medical or treatment information. Shields emphasized that there is currently “no evidence that information from this incident was used to commit identity theft or fraud.” Shields stated that it would send notification letters to those affected once the investigation into the types of data exposed was complete. CTIX analysts will continue to monitor this data breach and will report on future developments related to this data as appropriate.

Threat Actor Activity

Evidence suggests a “brand new” Chinese threat group has been operating for at least a decade

A newly identified Chinese state-sponsored threat group called Aoqin Dragon has been caught conducting cyber espionage campaigns. After extensively tracing the threat actor, researchers at SentinelLabs uncovered a series of covert malicious activities dating back at least to 2013. These threat actors mainly target organizations across Southeast Asia and Australia, including Cambodia, Vietnam, Singapore and Hong Kong. Aoqin Dragon's campaigns begin with social engineering: phishing emails carrying malicious Microsoft Office documents. Based on historical attacks attributed to Aoqin Dragon, the malicious payload leaves behind either a Mongall backdoor or a customized version of the open-source Heyoka project. In the early years of the campaign, the threat actors exploited the CVE-2012-0158 (Microsoft Office) and CVE-2010-3333 (Microsoft Office) vulnerabilities to deliver their malware to the user’s system. The phishing lures typically revolved around the disappearance of Malaysia Airlines flight MH370, political issues in APAC, or pornographic content to trick users into opening the malicious documents. To evade detection after the compromise, Aoqin Dragon actors used DLL hijacking, files packed with Themida, and DNS tunneling. CTIX analysts continue to urge users to validate the integrity of all emails before downloading any attachments to reduce the likelihood of compromise by threat actors.

CISA warns organizations about Chinese espionage threats

The Cybersecurity & Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have issued a joint security advisory warning organizations of espionage activities by Chinese threat actors, particularly in the telecommunications industry. Chinese threat actors have exploited systems through vulnerabilities in Cisco, QNAP, Pulse Secure, Citrix, D-Link, Fortinet, Netgear, MikroTik, and DrayTek devices. The actors use reconnaissance tools such as RouterSploit and RouterScan to scan for any of the previously mentioned vulnerable devices. After compromising a device, the threat actors move deeper into the organization’s internal systems, infrastructure, and top-level user accounts to carry out their malicious activities and establish persistence on the compromised system. Recently, the Chinese threat group LuoYu used a man-in-the-middle attack against an organization to deliver malicious WinDealer payloads. With increased activity from China, CISA, the NSA and the FBI are urging companies to validate the integrity of their cyber systems, ensure multi-factor authentication is enabled across the enterprise, and reset user account passwords every 30, 60, or 90 days.


Critical remote code execution vulnerability affects Atlassian Confluence servers

Atlassian has published an advisory regarding an actively exploited critical Remote Code Execution (RCE) vulnerability affecting Confluence Server and Data Center. The bug, which is being tracked as CVE-2022-26134, is described as an Object-Graph Navigation Language (OGNL) injection vulnerability and, if exploited, allows unauthenticated remote attackers to create privileged user accounts, execute commands with administrative privileges, force DNS lookups and take full control of the target server. Atlassian disclosed the vulnerability after the Memorial Day 2022 weekend following an incident response investigation conducted by Volexity, which identified multiple threat actors (hundreds of unique IP addresses) exploiting this vulnerability. Shortly after the patch was released, researchers from Lacework Labs also found three (3) different botnets exploiting this vulnerability, tracked as Kinsing, Hezb, and Dark.IoT. These botnets are known to target Linux-based servers to deploy backdoors, Cobalt Strike beacons, and XMRig miners. Confluence servers are a very popular target for threat actors seeking initial access to corporate networks, where they perform malicious follow-up activities such as stealing sensitive data, deploying ransomware variants, running cryptojacking miners, and conducting corporate cyber-espionage. This critical vulnerability has been officially patched by Atlassian, and CTIX analysts urge admins managing this infrastructure to update their systems to the latest Confluence version available. When organizations run their Confluence Server and Data Center infrastructure in separate clusters, their administrators cannot update everything at once and must instead implement the patch in a systematic “rolling update”. For these cases, Atlassian has offered a manual mitigation technique that allows administrators to prevent exploitation of the rest of their server clusters while taking a cluster offline to install the patch.
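Because CVE-2022-26134 is an OGNL injection, one defensive check an administrator can run while a rolling update is in progress is to scan Confluence (Tomcat) access logs for request paths that decode to OGNL expression delimiters. The script below is an added example, not Atlassian's or Volexity's code; the log lines and IP addresses are constructed for illustration, and it assumes the standard combined access-log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat/Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:09:14:02 +0000] "GET /%24%7Bexpr%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.9 - - [03/Jun/2022:09:14:05 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2022:09:14:07 +0000] "GET /%2524%257Bexpr%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
192.0.2.5 - - [03/Jun/2022:09:15:00 +0000] "POST /rest/api/content HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions are introduced by "${" or "%{"; seeing either in a URL path is abnormal.
OGNL_MARKERS = ("${", "%{")


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded paths are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_suspicious(path: str) -> bool:
    """True if the decoded request path contains an OGNL expression delimiter."""
    decoded = fully_decode(path)
    return any(marker in decoded for marker in OGNL_MARKERS)


def scan_access_log(text: str) -> list[dict]:
    """Return one record per log line whose path looks like an OGNL injection attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        if is_suspicious(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": fully_decode(m["path"]),
                         "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Flagged source addresses are candidates for blocking and for a deeper look at what the server did next (new user accounts, outbound DNS, child processes of the Confluence Java process).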


New ransomware strain discovered using Roblox currency as a payment method

On June 9, 2022, the security researcher MalwareHunterTeam announced via Twitter a new ransomware called WannaFriendMe.exe that uses Roblox, a popular online video game, for ransom payments. The ransomware attempts to impersonate Ryuk ransomware, a well-known strain attributed to the threat actor Wizard Spider, by marking encrypted files with the “.ryuk” extension, but analysis revealed that it was actually created with the Chaos ransomware builder sold on underground forums. The Chaos ransomware builder is known as “skidware”, meaning that its only users are “script kiddies” and the malware is not of high quality. Tests have shown that Chaos ransomware encrypts files destructively, so decryptors are unable to recover encrypted data over a certain size. What makes the WannaFriendMe strain interesting is its demand for payment in the Roblox game currency “Robux” rather than in traditional cryptocurrencies. In the ransom note, the ransomware links to a game on the Roblox store called Ryuk Decrypter, which costs a total of 1,499 Robux (under $20 USD). This ransom demand is small compared to most other ransomware operations, which likely means that the threat actor is inexperienced and may not be able to target many organizations or users. Because of the flaws in the encryption method, CTIX analysts recommend that victims of this ransomware not pay the ransom demand and instead rely on backups to ensure files can be recovered.

The content of this article is intended to provide a general guide to the topic. In relation to your specific circumstances, you should seek advice from a specialist.
