Brief #17: MGM Attack, Kubernetes Flaws, 3AM Ransomware and More

Mandos Brief, Week 37 2023: analysis of the MGM cyber attack, critical Kubernetes vulnerabilities, the new 3AM ransomware, Lazarus Group's CoinEx hack.


MGM Cyber Attack Deep-Dive - Attacker's Perspective

  • Infiltration and Privilege Escalation: The ALPHV/BlackCat group infiltrated MGM's network and targeted its Okta Agent servers to obtain passwords that could not be cracked from domain controller hash dumps. They secured super administrator privileges in MGM's Okta and global administrator privileges in its Azure tenant, establishing a strong foothold in the network.
  • MGM's Response and Lockout: Upon discovering the breach, MGM hastily shut down their Okta Sync servers, inadvertently locking themselves out of their Okta environment. Their attempt to evict the attackers faltered due to weak incident response playbooks and inadequate administrative capabilities, compounded by a lack of understanding of network functionalities among their network engineers.
  • Ransomware Attack and Negotiation: Following a failed negotiation attempt, the group escalated their attack, deploying ransomware on over 100 ESXi hypervisors within MGM's environment. MGM sought external assistance to contain the escalating situation.
  • Communication and Data Exfiltration: The attackers established a secure communication channel with MGM, offering a download link for all exfiltrated data protected by a password derived from two senior executives' passwords. The situation was further complicated by uncertainty over the identity of the MGM representative in the communication channel.

Critical Kubernetes Vulnerabilities Pose High Risk to Windows Nodes

  • CVE-2023-3676 and Related Flaws: Three interrelated high-severity vulnerabilities have been identified in Kubernetes, affecting all environments with Windows nodes. The central issue, tracked as CVE-2023-3676, allows attackers with low privileges to execute remote code with SYSTEM privileges on Windows endpoints within a Kubernetes cluster by applying a malicious YAML file.
  • Exploitation and Impact: The vulnerabilities can be exploited by attackers holding apply privileges in the Kubernetes API, enabling them to inject arbitrary code that is executed on remote Windows machines with SYSTEM privileges. The exploitation relies on specially crafted path strings that the kubelet passes as parameters to PowerShell commands, leading to command execution and potentially granting administrator access on the node.
  • Affected Versions and Mitigation: Kubernetes environments with Windows nodes running kubelet versions earlier than v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17 are affected. It is imperative to update to the fixed versions to mitigate the risk. The Kubernetes community has released patches to address these vulnerabilities, and platforms like AWS, Google Cloud, and Microsoft Azure have issued advisories.
  • Root Cause and Prevention: The vulnerabilities stem from insufficient input sanitization in the Windows-specific porting of the kubelet, particularly in handling pod definitions. Moving forward, it is crucial to enhance input validation and sanitization processes to prevent such security lapses, and organizations should monitor Kubernetes audit logs for signs of exploitation, such as pod create events with embedded PowerShell commands.
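The audit-log monitoring the last bullet recommends, as an added example that is not part of the original brief: a Python scanner over constructed Kubernetes audit events that flags pod write requests whose path-bearing fields carry PowerShell separators or cmdlet names. Which fields the kubelet mishandled (hostPath.path, mountPath, subPath) is my assumption from the advisory and is not stated on the page; the event layout and the sample values are constructed.

```python
import json
import re

# Constructed sample audit events (JSON lines), not real cluster logs; the layout
# follows audit.k8s.io/v1 (requestObject needs audit level Request/RequestResponse).
def _pod_create_event(user, name, sub_path):
    """Build a constructed audit event for a pod create aimed at a Windows node."""
    return json.dumps({"verb": "create", "user": {"username": user},
        "objectRef": {"resource": "pods", "namespace": "dev", "name": name},
        "requestObject": {"spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
            "containers": [{"name": "app", "volumeMounts": [
                {"name": "d", "mountPath": "C:\\data", "subPath": sub_path}]}],
            "volumes": [{"name": "d", "hostPath": {"path": "C:\\srv"}}]}}})

SAMPLE_AUDIT_LINES = [
    _pod_create_event("alice", "web", "logs"),                          # benign
    _pod_create_event("ci-bot", "job-7", "logs;Write-Output injected"),  # suspicious
    json.dumps({"verb": "get", "objectRef": {"resource": "pods"}}),     # not a write
]
# PowerShell separators, sub-expressions and cmdlet names have no place in a path.
SUSPICIOUS = re.compile(
    r"[;|&`]|\$\(|\$\{|\b(Invoke-Expression|iex|Start-Process|powershell)\b", re.I)

def _path_fields(obj, prefix=""):
    """Yield (json_path, value) for each string field whose key ends in 'path'
    (covers hostPath.path, mountPath, subPath and subPathExpr)."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{prefix}.{key}" if prefix else key
            if isinstance(val, str) and key.lower().endswith("path"):
                yield here, val
            else:
                yield from _path_fields(val, here)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _path_fields(val, f"{prefix}[{i}]")

def scan_audit_lines(lines):
    """Return one finding per suspicious path string in pod create/update/patch events."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in ("create", "update", "patch") or ref.get("resource") != "pods":
            continue
        for field, value in _path_fields(ev.get("requestObject", {})):
            if SUSPICIOUS.search(value):
                findings.append({"user": ev.get("user", {}).get("username"),
                                 "pod": f"{ref.get('namespace')}/{ref.get('name')}",
                                 "field": field, "value": value})
    return findings
```

Feed it the JSON lines your audit backend writes; events recorded at the Metadata level carry no requestObject and simply produce no findings.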

New Rust-Written 3AM Ransomware Wipes Out Data Safety Net

  • New Ransomware Strain: The 3AM ransomware, written in Rust, is a newly identified threat that has been used in a limited manner, primarily as a fallback option for attackers when other ransomware deployments, such as LockBit, fail. It has been witnessed in a single attack where it replaced LockBit after being blocked.
  • Attack Methodology: Before encrypting files, 3AM stops various services and attempts to delete Volume Shadow Copies to hinder data recovery. The ransomware appends a "threeamtime" extension to encrypted files and drops a ransom note threatening to sell stolen data unless a ransom is paid. The attackers use Cobalt Strike for post-exploitation and privilege escalation, and employ a series of commands to stop security and backup-related software, making the recovery process challenging.
  • Ransom Note and Negotiation Site: The ransom note, found in every folder that the malware scans, refers to the encryption process as a "3AM" event, a "time of mysticism." The attackers operate a basic negotiation site on the Tor network, facilitating chat-based negotiations through a passkey provided in the ransom note.
  • Potential for Future Attacks: Despite being a new entry in the cybercrime landscape, 3AM has caught the attention of threat actors, indicating a potential for future use. The ransomware is still under investigation, and its connections to known cybercrime groups remain uncertain. It has a rudimentary leak site listing victims, showcasing its operational status and hinting at its readiness for broader deployment.

North Korean Lazarus Group Hacks CoinEx Cryptocurrency Exchange

  • Hackers Target CoinEx: On September 12, 2023, the CoinEx cryptocurrency exchange reported unauthorized transactions involving large sums of Ethereum, Tron, and Polygon cryptocurrencies. The initial loss estimates ranged from $27 million to $55 million, with different security firms providing varying figures based on their analyses.
  • Lazarus Group Involvement: The North Korean hacker group, Lazarus, is suspected to be behind this attack. This attribution is based on the analysis of blockchain security firms and on-chain investigators who identified that the group used the same address that was previously utilized in other significant hacks, including the recent attacks on Stake and Optimism platforms.
  • User Assets and Exchange Response: CoinEx has assured its users that their assets are secure and that all affected parties will be fully compensated for their losses. The exchange has temporarily suspended deposits and withdrawals to enhance security measures and is closely monitoring the wallet addresses linked to the hack to prevent the stolen funds from being moved or cashed out.
  • Increasing Crypto Heists: This incident adds to the growing list of high-profile cryptocurrency heists, with almost $1 billion reported lost to various exploits, hacks, and scams in the crypto space since January 2023. The frequency of such attacks underscores the urgent need for strengthened cybersecurity measures in the rapidly evolving digital asset landscape.

Phishing Meets EV Certificates: The New Dual Threat in Ransomware Delivery

  • RedLine and Vidar Malware Evolution: Threat actors have transitioned from using RedLine and Vidar malware for info-stealing to distributing ransomware. Leveraging EV code signing certificates, which undergo stringent verification processes, they have managed to maintain a high level of trust and bypass security measures. The actors have been observed to use spear-phishing emails focusing on urgent topics related to health and hotel accommodations to lure victims.
  • Abuse of EV Code Signing Certificates: Despite the introduction of hardware key generation to enhance security, threat actors have found ways to abuse EV code signing certificates, with over 30 EV code-signed samples observed from July to August 2023. The actors possibly own or have access to the hardware tokens required for signing, highlighting a significant gap in the current security infrastructure.
  • DBatLoader Malware Updates: The DBatLoader malware, active since 2020, has seen new capabilities, including UAC bypass and various process injection techniques, enhancing its ability to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. The malware is still under development, with recent versions attempting DLL hooking techniques to bypass AMSI, albeit with current implementations being flawed.
  • Sophisticated Email Campaigns: Threat actors have been leveraging sophisticated email campaigns, utilizing cloud services and bypassing email authentication methods to deliver the DBatLoader malware. The campaigns, which target English, Spanish, and Turkish speakers, use common lures such as shipping orders and billing inquiries to persuade targets to open malicious attachments, signaling a heightened risk of infection from commodity malware families.