Viktoria Austin is joined by Adam Cook and Phil Doherty this week in the London office to talk about the top story this week: the Metasploit Project publishes an exploit for the BlueKeep bug. Our Photon Research Team tested the Metasploit exploit in their lab environment and successfully exploited an unpatched Windows 7 machine. “The exploit not only gives the attacker remote access to a target system, but also gives the attacker the highest level of privilege on the target.” – Dr. Richard Gold
The team then shares updates around APT3 and the Silence cybercrime group.
Updates from this week’s Intelligence Summary
- In the spotlight this week: Following reports that “APT3” used Equation Group tools prior to their public leak by the “Shadow Brokers” in 2016, cyber security researchers have provided additional analysis on one of the tools, dubbed Bemstour. Their findings have raised questions regarding the attribution and connectedness of nation-state–associated activity.
- Weekly highlights include: A new ransomware variant, “Lilocked”, has been identified in the wild; Rapid7’s Metasploit “BlueKeep” exploit module has been updated; and details were released of the ongoing activity of a relatively under-reported Chinese-state–linked threat actor called Thrip.
China’s APT3 said to have recreated Equation Group tool
During 2019, cyber security researchers reported on the activities of the People’s Republic of China (PRC)-linked threat group APT3, including their use of tools associated with other nation-states (namely, the United States). Reportedly, APT3 used some of these tools before they were famously leaked by the Shadow Brokers threat group in 2016, raising questions about how APT3 acquired them. APT3’s tool set includes the remote code execution tool Bemstour, which was used to secure initial access to a targeted system and remotely inject custom scripts for APT3 to use in subsequent attacks. Bemstour contained exploits previously associated with the United States National Security Agency (NSA)-associated Equation Group, as well as primary-sourced zero-day vulnerabilities.
Newly reported Lilocked ransomware compromises Exim
A newly reported ransomware variant named Lilocked has been identified in attacks compromising more than 6,700 Linux-based web servers since July 2019. The methods used to access and compromise these servers remain unknown, but there is a realistic possibility that Lilocked operators have been targeting systems that use outdated Exim email software. Lilocked is relatively selective compared to ransomware that encrypts all exposed files, as it targets files of particular types: HTML, SHTML, JS, CSS, PHP, INI, and certain image formats. Lilocked is one of a recent spate of new (not updated) ransomware families that have cropped up since the reported demise of the “GandCrab” ransomware operator “Pacha Group”.
Rapid7’s release of Metasploit exploit module may lure threat actors
On 06 Sep 2019, a cyber security researcher with software company Rapid7 added the BlueKeep (CVE-2019-0708) exploit module to the legitimate Metasploit penetration testing framework. This could allow a threat actor with access to the Metasploit framework to propagate their attacks across vulnerable systems, so far limited to 64-bit versions of Windows 7 and Windows Server 2008 R2. The addition of the BlueKeep module will likely gain attention from the many threat actors using Metasploit. However, given that BlueKeep has not been widely exploited and a patch has been released, it is unclear whether this module will have a significant impact on the success of attacks.
Activity of elusive Chinese threat group Thrip uncovered
The PRC-associated Thrip (aka APT30) threat group has targeted multiple sectors and geographies in at least 12 highly targeted attacks throughout Central and Southeast Asia since 2018. Compared to other high-profile PRC-associated threat groups, like APT10, Thrip’s activity has been relatively under-reported; this is likely due to the group’s obfuscation capabilities rather than a lack of activity. In recent attacks, APT30 reportedly used tools, infrastructure, and code thought to be solely affiliated with “Lotus Blossom” (aka Billbug, Spring Dragon), suggesting that the groups may be linked. However, as the Chinese threat landscape is so interconnected, these indicators could have been shared among other threat groups and used to hinder attribution of these attacks.
For more details, read the full Weekly Intelligence Summary here: