Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions


Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.

The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.

A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.

A HIVE ransomware chat page for a specific victim (redacted).

On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.

As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.

Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.

A message Conti posted to its dark web blog on May 20.

On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.

“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay $USD 500 or more for such access, and would work only with Russian-speaking people.

THE NAME GAME DISTRACTION

Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.

Conti’s threatening message this week regarding international interference in Ukraine.

Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.

Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.

But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies are being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.

“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”

Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis

ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.

Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.

ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.

Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: twice over the past week, both Conti and Hive have claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.

Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.

But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.

A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.

“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”


USN-5454-2: CUPS vulnerabilities


USN-5454-1 fixed several vulnerabilities in CUPS. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

Joshua Mason discovered that CUPS incorrectly handled the secret key used
to access the administrative web interface. A remote attacker could
possibly use this issue to open a session as an administrator and execute
arbitrary code. (CVE-2022-26691)

It was discovered that CUPS incorrectly handled certain memory operations
when handling IPP printing. A remote attacker could possibly use this issue
to cause CUPS to crash, leading to a denial of service, or obtain sensitive
information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04
LTS. (CVE-2019-8842, CVE-2020-10001)


Microsoft gives mitigation advice for Follina vulnerability exploitable via Office apps


Attackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in a Windows component called the Microsoft Support Diagnostic Tool (MSDT) through weaponized Word documents. Microsoft has responded with mitigation advice that can be used to block the attacks until a permanent patch is released.

An exploit for the vulnerability, now tracked as CVE-2022-30190, was found in the wild by an independent security research team dubbed nao_sec, which spotted a malicious Word document uploaded to VirusTotal from an IP in Belarus. However, more malicious samples dating from April have also been found, suggesting the vulnerability has been exploited for over a month.


Follina: 0-day Windows MSDT Vulnerability (CVE-2022-30190) Exploited In The Wild


FortiGuard Labs is aware that a 0-day vulnerability in Microsoft Support Diagnostic Tool is being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Assigned CVE-2022-30190, successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Why is this Significant?

This is significant because the vulnerability is a 0-day vulnerability in Microsoft Support Diagnostic Tool that allows remote code execution and is being exploited in the wild.

What is CVE-2022-30190?

The vulnerability is a remote code execution vulnerability that was named “Follina” by security researcher Kevin Beaumont. The name “Follina” was derived from the 0-day code referencing “0438”, which is the area code of Follina, Italy. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, such as Word. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

A malicious Word file that is widely discussed online abuses the remote template feature in Microsoft Word and retrieves a remote HTML file. The retrieved HTML file uses the “ms-msdt” MSProtocol URI scheme to load and execute the PowerShell payload. Note that ms-msdt refers to “Microsoft Support Diagnostic Tool”, a legitimate Microsoft tool that collects system information and sends it back to Microsoft for problem diagnosis.

What is concerning is that the vulnerability reportedly can be exploited even if macros, one of the most prevalent ways to deliver malware via Microsoft Office files, are disabled. Also, if the document is converted to RTF form, merely previewing the document in Windows Explorer can trigger the exploit.

How Widespread is this?

While attacks leveraging the vulnerability do not appear to be widespread, more attacks are expected as Proof-of-Concept code is available and a patch has not yet been released.

Does the Vulnerability Have a CVE Number?

CVE-2022-30190 has been assigned to the vulnerability.

Has Microsoft Released an Advisory?

Yes. See the Appendix for a link to “Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability”.

Has Microsoft Released a Patch?

No, Microsoft has not released a patch yet.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the known sample associated with CVE-2022-30190:

MSWord/Agent.2E52!tr.dldr

Known network IOCs for CVE-2022-30190 are blocked by the WebFiltering client.

FortiGuard Labs is currently investigating additional coverage against CVE-2022-30190. This Threat Signal will be updated when additional information becomes available.

Any Suggested Mitigation?

Microsoft released an official blog on CVE-2022-30190 that includes mitigation information. See the Appendix for a link to “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability”.


CVE-2022-30190: Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild


Microsoft confirms remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool that has been exploited in the wild since at least April.

Background

On May 27, a security researcher going by nao_sec posted on Twitter about an “interesting” document they found on VirusTotal that was used to execute PowerShell code. Because this was a zero-day at the time, researchers referred to it as “Follina,” pending the assignment of a CVE number.

Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

Over the weekend, researchers in the cybersecurity community did further analysis of the malicious file and discovered it was exploiting a zero-day vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT). Several researchers were able to reproduce the exploit, and Huntress Labs was able to produce a zero-click version, in which the targeted user would only need to select the malicious file to trigger the exploit.

In his analysis, Kevin Beaumont was able to trace the exploitation of this vulnerability back to April in attacks against targets in Russia. The original VirusTotal submission indicates that it may have also been used against targets in Belarus.

Analysis

CVE-2022-30190 is a remote code execution vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. The vulnerability exists due to the way MSDT is called using the URL protocol from certain applications. Because of the way this vulnerability is exploited, Microsoft lists the attack vector as “local,” but an attacker leveraging this flaw would likely be remote. Microsoft explains, “The word Remote in the title refers to the location of the attacker […] The attack itself is carried out locally.”

An attacker would craft a malicious document (Microsoft Word documents are common) and send it to their target via email. By exploiting this vulnerability, an attacker can execute commands with the permissions of the application used to open the malicious document. According to Microsoft, attackers can “install programs, view, change, or delete data, or create new accounts.” The attacks observed in April executed PowerShell code.

Huntress Labs and Kevin Beaumont both discovered that rich text format (RTF) circumvents Protected View, a key defense against malicious documents in Microsoft Office highlighted in Microsoft’s mitigation guidance. If the malicious file is in RTF, once the target selects the malicious file in Windows Explorer, the exploit will trigger.
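The delivery chain described in the FortiGuard and Tenable write-ups above starts with a Word remote template relationship that points at an attacker-controlled HTML file, which in turn invokes the ms-msdt: handler. The triage script below is an added example (not from Microsoft, FortiGuard, Huntress or Tenable) that inspects the OOXML relationship parts of a .docx for that first stage; it builds its own constructed sample document and does not cover the RTF variant, which is not an OOXML container.

```python
"""Triage a .docx for the remote-template / ms-msdt delivery chain.

Word resolves the attached template via word/_rels/settings.xml.rels, whose
Target may be an external URL; flag external http(s) template targets and
any ms-msdt: URI before Word ever fetches the HTML."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_REL = "/relationships/attachedTemplate"


def scan_docx(data: bytes) -> list[str]:
    """Return findings for suspicious relationship targets in a .docx blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                scheme = urlsplit(target).scheme.lower()
                # Stage 1: the attached template is fetched from a web server.
                if (external and rel.get("Type", "").endswith(TEMPLATE_REL)
                        and scheme in ("http", "https")):
                    findings.append(f"{name}: remote attached template -> {target}")
                # A direct ms-msdt: protocol-handler URI anywhere in the rels.
                if scheme == "ms-msdt":
                    findings.append(f"{name}: ms-msdt URI -> {target}")
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx with one attachedTemplate relationship (test data)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006'
        f'/relationships/attachedTemplate" Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

On a real suspect file call `scan_docx(open(path, "rb").read())`; `build_sample_docx` exists only to produce labelled test input, and a benign document whose template is a local `.dotm` yields no findings.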

Researchers have compared CVE-2022-30190 to CVE-2021-40444, which has been widely exploited. Given that, and the availability of exploit code, we expect to see broader attacks targeting CVE-2022-30190 in the near future.

Proof of concept

Huntress Labs has released a detailed technical breakdown of the vulnerability and other researchers have published proofs-of-concept on GitHub.

Vendor response

It was also reported over the weekend that this vulnerability was disclosed to, and dismissed by, Microsoft in April by the Shadow Chaser Group. On May 30, Microsoft released mitigation guidance for this vulnerability and assigned it CVE-2022-30190. Microsoft’s advisory confirms that the vulnerability was disclosed by a member of the Shadow Chaser Group.

Solution

At the time this blog post was published, Microsoft had not released patches for CVE-2022-30190. However, Microsoft has published a workaround and detection information. Microsoft recommends disabling the MSDT URL protocol; however, it is not yet clear what the impact of disabling this may be.

Identifying affected systems

A list of Tenable plugins to detect the workaround for this vulnerability can be found here.

Get more information

Microsoft Security Update Guide for CVE-2022-30190
Microsoft Mitigation Guidance
Huntress Labs Technical Analysis

