TLP: CLEAR - This information may be shared publicly
eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Multiple information stealers have adopted a technique for restoring persistent Google service cookies after a password reset. Until Google corrects the issue, organizations will need to take additional remediation actions to protect compromised accounts.
Beginning in November 2023, multiple information-stealing malware families began incorporating a new feature which claimed to restore Google authentication cookies. This capability purportedly allows the malware to regenerate authentication cookies for Google services even after a password reset. The technique was first revealed on October 20, 2023, by the actor “PRISMA” on Telegram. It was incorporated into the Lumma, Rhadamanthys, Stealc, Meduza, RisePro and WhiteSnake stealers throughout November and December 2023. These stealers actively advertised the capability to lure in customers, leading to an arms race between developers.
The issue lies in Google Chrome’s local configuration files, specifically the token_service table in WebData files. This table contains an encrypted token which can be used to regenerate Google authentication tokens using Google’s MultiLogin OAuth endpoint (https://accounts.google.com/oauth/multilogin). The token is encrypted on disk but can be decrypted using similar methods known to stealer authors for extracting passwords from Chrome. In a statement to The Hacker News, Google indicated that stolen authentication cookies can be invalidated by signing out of Chrome or revoking the device from the device page. This step is a crucial remediation action going forward when dealing with stealer infections.
The Malware-as-a-Service (MaaS) market is increasingly crowded, with operators vying for a leg-up on their competitors. This technique was incorporated into Lumma stealer as a premium feature on November 14, 2023. The update was quickly reverse engineered and copied by multiple other stealer authors. The crux of the issue is an undocumented OAuth endpoint used to provide a seamless experience for Chrome users when switching between user profiles. Google has taken action to both tamp down on abuse of this endpoint and publicly clarify how it impacts compromised accounts. The recent spotlight on this issue is likely to push the company to add more safeguards against abuse. In the interim, victims of stealer malware must first ensure their system is cleaned of the infection then invalidate all active sessions and reset their password from a clean device.
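Because the technique described above depends on malware reading Chrome's profile files on disk (the Web Data file holding the token_service table, along with Login Data, Cookies and Local State), a practical detection is to flag any process other than the browser itself opening those files. The following is an added example for this briefing, not eSentire's or Google's code: the event format is a constructed, EDR-style JSON-lines sample rather than any vendor's real telemetry schema, and the field names, the process allowlist and the sample process name are assumptions to be adapted to your own data source.

```python
"""Flag non-browser processes that read Chrome's credential and token stores.

Added example for the briefing above, not eSentire's or Google's code. The
event format below is a constructed, EDR-style JSON-lines sample, not any
vendor's real telemetry schema; adapt the field names to your own source.
"""
import json
import re
from typing import Dict, Iterable, List

# Chrome profile files that stealers read to obtain saved passwords, cookies
# and the encrypted refresh token in the token_service table (Web Data).
SENSITIVE_FILES = {"web data", "login data", "cookies", "local state"}

# Match any Chrome user-data path on Windows, with or without a profile
# directory, e.g.
#   C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data
#   C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
CHROME_PROFILE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:[^\\]+\\)?(?P<file>[^\\]+)$", re.IGNORECASE
)

# Processes that legitimately open these files. Assumption: tune this per
# environment (a reviewed backup agent, for instance, would be added here).
ALLOWED_PROCESSES = {"chrome.exe"}


def is_chrome_secret_access(event: Dict) -> bool:
    """Return True when a non-allowlisted process reads a sensitive Chrome file."""
    match = CHROME_PROFILE_RE.search(event.get("target_path", ""))
    if not match:
        return False
    if match.group("file").lower() not in SENSITIVE_FILES:
        return False
    return event.get("process_name", "").lower() not in ALLOWED_PROCESSES


def find_suspicious_access(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines file-access events and return the suspicious ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip rather than crash the job
        if event.get("event_type") == "file_read" and is_chrome_secret_access(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs). The process name
# "setup_crack.exe" is a placeholder standing in for a cracked-software lure.
SAMPLE_EVENTS = r"""
{"event_type": "file_read", "process_name": "chrome.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"event_type": "file_read", "process_name": "setup_crack.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"event_type": "file_read", "process_name": "setup_crack.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"event_type": "file_read", "process_name": "setup_crack.exe", "target_path": "C:\\Users\\alice\\Documents\\report.docx"}
{"event_type": "file_read", "process_name": "explorer.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"}
"""


if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {hit['process_name']} read {hit['target_path']}")
```

The rule deliberately keys on the file name rather than on the malware: it fires for any unknown process touching these four files, which also catches the copy-and-decrypt step for saved passwords that the briefing notes stealer authors already use. Expect some tuning against backup software and legitimate credential-migration tools before deploying it as a high-severity alert.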
Bottom Line: Information stealing malware is actively developed and stealers continue to be a silent, but real risk to companies.
Meduza is an actively developed stealer boasting support for 100+ internet browsers, 100+ crypto wallets, 27 password managers, Telegram, Discord, and Steam. This means that once an active Meduza infection is running on an endpoint, it can export the passwords from any of these products. The latest update to Meduza was released as recently as Dec 24th, 2023. A full list of affected software was released by Resecurity.
One of Meduza's primary methods relies on undocumented OAuth2 functionality. The exploit was first discussed on an underground Telegram channel in October 2023. By December, numerous stealers had adopted the method to steal and control Google accounts discovered during an active infection.
While hands-on ransomware intrusions represent an immediate and visible threat with catastrophic consequences, information stealers are more representative of a slower, stealthy attack. While the fallout of information stealers never appears catastrophic, information theft can often open the door to a hands-on intrusion down the road; for example, when stolen credentials are sold to ransomware groups.
Assessments of threat trends conducted by eSentire’s Threat Response Unit (TRU) have noted consistent growth in the information stealer market since 2021. In 2022, a significant upward trend occurred, with numerous infostealers appearing on the underground market – and in active incidents.
Most infostealers arrive through the browser when employees are looking for free software & software cracks. Infostealers can be distributed on software distribution sites (like SourceForge) but have also been observed leveraging Google Ads to capture users when they search for common software like Slack, Telegram, and Signal.
When infostealer infections are observed, it’s important to ensure all user credentials used in the browser are reset – this may require some inspection of browser-saved passwords. To lower the success rate of infostealers in the first place, it is strongly recommended that users avoid saving passwords in their browser and instead use a password manager – preferably one that doesn’t appear in the list of software targeted by Meduza.
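The inspection step above can be done without ever touching the stored secrets: Chrome's Login Data file is a SQLite database whose logins table records the site and username for each saved credential, and that is all a responder needs to produce a reset checklist. The following is an added example written for this briefing, not eSentire's tooling. It assumes the database has been copied off the infected host first (Chrome locks the live file), that the logins table carries the origin_url, username_value and blacklisted_by_user columns as in current Chrome builds (check the column names against the installed version), and the sample rows are constructed. The password_value column is never selected.

```python
"""Build a credential-reset checklist from a copied Chrome 'Login Data' file.

Added example for the remediation advice above; not eSentire's tooling.
Assumptions: the file is a copy (Chrome locks the live one), and the logins
table has the origin_url, username_value and blacklisted_by_user columns
that Chrome uses (verify against the installed version). The sample rows
are constructed. password_value is never read: the output is a list of
accounts to reset, not a recovery of secrets.
"""
import sqlite3
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import urlparse


def open_login_db(path: str) -> sqlite3.Connection:
    """Open a copied 'Login Data' file read-only so nothing is modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_reset_list(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Return {site_host: [usernames, ...]} for every saved login.

    Only origin_url and username_value are selected. Rows flagged
    blacklisted_by_user are the user's 'never save for this site' choices
    and hold no credential, so they are skipped; duplicates are collapsed.
    """
    rows = conn.execute(
        "SELECT origin_url, username_value FROM logins "
        "WHERE blacklisted_by_user = 0 AND username_value != ''"
    )
    accounts: Dict[str, Set[str]] = defaultdict(set)
    for origin_url, username in rows:
        host = urlparse(origin_url).hostname or origin_url
        accounts[host].add(username)
    return {host: sorted(users) for host, users in sorted(accounts.items())}


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a copied Login Data file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "password_value BLOB, blacklisted_by_user INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?)",
        [
            # constructed rows; the blob stands in for Chrome's encrypted value
            ("https://mail.example.com/login", "alice@example.com", b"\x01enc", 0),
            ("https://mail.example.com/login", "alice.admin@example.com", b"\x01enc", 0),
            ("https://vpn.example.net/", "alice", b"\x01enc", 0),
            ("https://forum.example.org/", "", b"", 1),  # 'never save' entry
            ("https://vpn.example.net/", "alice", b"\x01enc", 0),  # duplicate
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # For a real case: build_reset_list(open_login_db("/evidence/Login Data"))
    for host, users in build_reset_list(make_sample_db()).items():
        print(f"{host}: reset {', '.join(users)}")
```

Run against the copied file, the output is the list of sites and accounts whose passwords (and, for Google accounts, active sessions) must be reset from a clean device. Keep it as an incident artifact; it also shows which credentials were sitting in the browser in the first place and so should move to a password manager.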
TRU regularly analyzes and creates detections for infostealers.
Bottom Line: This is the first known case of destructive malware being successfully used to "completely destroy the core of a telecoms operator." According to an SBU spokesperson, the persistent pattern of Russian APT activity suggests that similar attacks will continue through 2024.
On January 4th, Illia Vitiuk, the cyber chief of the Security Service of Ukraine (SBU), disclosed additional details related to the December attack on Kyivstar, Ukraine’s largest telecommunications provider. Initial reporting from Kyivstar stated that the organization was impacted by a destructive attack on December 12th. The incident resulted in the destruction of thousands of virtual servers and PCs, leading to internet and phone outages for 24 million Ukrainians.
According to newly released details, the attack was carried out by the known Russian state-sponsored APT group Sandworm (ELECTRUM, BlackEnergy, Voodoo Bear, IRIDIUM). This group has previously targeted critical infrastructure in Ukraine with wiper malware. Sandworm gained initial access to Kyivstar in May 2023; they maintained persistence until December 12th, when destructive wiper malware was deployed. According to the SBU, Russian actors had been attempting to breach Kyivstar since March 2023.
It is unclear if data was stolen during the attack, but it is highly probable given the long dwell time. Sandworm would have had access to a wide variety of information, including Kyivstar customer personal information, phone locations, SMS messages, and Telegram accounts.
This breach illustrates the sophistication of Advanced Persistent Threat (APT) groups, including long-term attacks and novel techniques. Technical details have not been shared publicly at this time, but the eSentire Threat Intelligence team continues to track the topic for additional information and detection opportunities.
The targeting of critical infrastructure is highly concerning; this attack disrupted communication across Ukraine for multiple days. eSentire Threat Intelligence assesses it as probable that any information stolen during the campaign would give Russia a strategic advantage in the ongoing war. According to Illia Vitiuk, the attack included a separate goal: causing a psychological blow to Ukraine and proving Russian cyber-capabilities to Western governments. While this is the first wiper malware to impact the core functionality of a telecommunications company, eSentire Threat Intelligence assesses with high confidence that similar attacks will occur against Ukrainian and allied telecommunications companies as the war continues. The Sandworm group has proven that these attacks can be successful, and as such, it is probable that other state-sponsored groups will re-create similar attacks in the future.
Wipers are not a new phenomenon. The Sandworm group has targeted Ukrainian critical energy infrastructure since at least 2015 with wiper malware, but previous attacks have had little to no impact. Since the Russia-Ukraine conflict renewed in 2022, there has been a significant increase in wiper malware attacks; notably, these attacks are often used in tandem with kinetic attacks. Russia is not the only country known to employ destructive wiper malware. Israeli government and private organizations have recently been increasingly impacted by wiper malware, with threat actors claiming to be hacktivist groups, but suspected attribution falls on Iranian APT groups.
The tactic of claiming attacks publicly as a hacktivist group is used to avoid attribution back to the state. In the case of the Kyivstar breach, a group known as Solntsepyok claimed responsibility for the attack. The group claims to be a hacktivist collective, but they have previously been associated with the Sandworm APT. It is highly probable that Russian APTs carried out the attack and used the Solntsepyok name as cover.
While destructive wiper malware is relatively rare compared to other threats such as ransomware, it does need to be taken seriously due to its potential impact. It is critical that organizations have visibility and endpoint protection across their network to identify early signs of compromise. Additionally, ensuring a disaster recovery plan is in place and tested regularly is important to ensure any impacted data can be restored.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.