Ankura CTIX FLASH Update - December 2022 - 2

Malware Activity

Colombian Energy Provider Empresas Públicas de Medellín Suffers ALPHV Ransomware Attack

Empresas Públicas de Medellín (EPM), one of Colombia's largest public energy, water, gas, sanitation, and telecommunication providers, suffered a ransomware attack on December 12, 2022, by the ALPHV ransomware group (otherwise known as BlackCat). The attack shut down their online services and disrupted operations. EPM is currently investigating what infrastructure/information was accessed during the ransomware attack and has yet to disclose the threat group responsible. Bleeping Computer, however, has reviewed the encryptor sample and ransom notes from the EPM attack and confirmed that ALPHV was responsible. The ransom note did not include any specifics about EPM data that may have been exfiltrated, presumably because this threat actor typically does not list the exact stolen data in its ransom notes. Security researcher Germán Fernández noted that a sample of "ExMatter", a tool utilized by ALPHV to exfiltrate data from corporate networks prior to encryption, was uploaded from Colombia to a malware analysis website on December 10, 2022. Fernández identified a remote server that was not secured and allowed users to view the data stored on it. At the time of his analysis, the server contained multiple folders beginning with "EPM-" and roughly forty (40) devices listed on the site. It is currently unclear how much data was exfiltrated by ALPHV during this attack, and EPM has yet to confirm further details about the attack overall. CTIX analysts will continue to monitor for attacks against critical infrastructure organizations and the activity of all groups that target the industry.

Threat Actor Activity

Threat Profile: Trident Ursa

Since the beginning of the Russia/Ukraine conflict, threat organizations have taken matters into their own hands and begun a cyber war between allies and foes. Threat actors from Trident Ursa are no different, and they are expanding their operations and changing their previously observed tactics, techniques, and procedures (TTPs). Trident Ursa, also tracked as Gamaredon, UAC-0010, and Primitive Bear, is one of the more active threat groups in Russia and has been attributed to the Russian Federal Security Service (FSB). Over the past months, threat actors from Trident Ursa launched an unsuccessful attack in August on a major petroleum refinery in a North Atlantic Treaty Organization (NATO) member state, threatened a Ukrainian cybersecurity researcher following a network intrusion, and altered their attack TTPs. Following a Twitter post directed towards a Ukrainian cybersecurity researcher by an alleged Trident Ursa threat actor that stated "run, im coming for you" [sic], the same threat actor sent an ominous message to Shadow Chasers and TI Research stating "let's be friends. We do not want to fight, but we do it well". Aside from becoming more threatening on social media, Trident Ursa continues to launch simplistic cyber operations against their targets, adding new obfuscation techniques and tactics as needed. CTIX continues to monitor threat actors worldwide and will provide additional updates accordingly.

Vulnerabilities

A Critical macOS Vulnerability Dubbed "Achilles" Could Allow Malicious Applications to Bypass the Gatekeeper Security Feature

Apple has patched a critical vulnerability in macOS that could allow threat actors to bypass the Gatekeeper security feature, which ensures that only trusted software runs on Apple devices. When users install Mac applications from outside the App Store, macOS checks the Developer ID signature, verifying that the software is unaltered and doesn't contain known malware. Before opening downloaded software for the first time, macOS requests approval to ensure the user isn't misled into running potentially malicious software, by checking an extended attribute called "com.apple.quarantine" that is very similar to the Mark of the Web (MoTW) function in Windows. The vulnerability, which has been dubbed "Achilles" (tracked as CVE-2022-42821), is described as a logic issue impacting Access Control Lists (ACLs) which attackers could exploit by sending maliciously crafted payloads to a vulnerable device. Successful exploitation would set restrictive ACL permissions blocking web browsers and downloaders from setting the "com.apple.quarantine" attribute on a payload downloaded as a ZIP archive. This would allow an attacker to download and deploy malicious applications that would execute without being blocked by Gatekeeper. Apple has since patched the flaw in their Ventura, Monterey, and Big Sur operating systems, and CTIX analysts recommend that macOS users ensure they are running the most recent secure version of the software.
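The two conditions described above (a download that carries no "com.apple.quarantine" attribute, and an ACL deny entry that prevents the attribute from being written) are both visible in the output of standard macOS tools. The triage helper below is an added example written for this update, not code from Apple, Microsoft, or Ankura; it parses the text of `xattr -l <file>` and `ls -le <file>` and flags files where either condition holds. The output formats are assumed from those tools and the sample strings are constructed, so the script runs offline on any platform.

```python
"""Triage helper for downloaded archives on macOS (constructed example).

Feeds on the text output of `xattr -l <file>` and `ls -le <file>` and
reports whether the file lacks the com.apple.quarantine attribute and
whether its ACL contains a deny entry covering writeextattr, the
permission a browser needs in order to tag the download. Formats of the
two commands are assumed from macOS; all sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

QUARANTINE_XATTR = "com.apple.quarantine"

# Matches one ACL entry line from `ls -le`, e.g.
# " 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown"
ACL_LINE = re.compile(
    r"^\s*\d+:\s*(?P<principal>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)"
)


@dataclass
class QuarantineReport:
    path: str
    has_quarantine: bool
    deny_writeextattr: bool
    acl_entries: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A missing tag alone is not proof (curl, for instance, never sets
        # it); a deny entry on writeextattr is the stronger indicator.
        return (not self.has_quarantine) or self.deny_writeextattr


def parse_xattr_listing(text: str) -> dict:
    """Parse `xattr -l` output ('name: value' per line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()] = value.strip()
    return attrs


def parse_acl_listing(text: str) -> list:
    """Return (principal, allow|deny, [perms]) for each ACL line of `ls -le`."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.append(
                (m.group("principal"), m.group("kind"), m.group("perms").split(","))
            )
    return entries


def assess(path: str, xattr_text: str, ls_text: str) -> QuarantineReport:
    """Combine both listings into a report for one downloaded file."""
    attrs = parse_xattr_listing(xattr_text)
    acl = parse_acl_listing(ls_text)
    deny = any(kind == "deny" and "writeextattr" in perms for _, kind, perms in acl)
    return QuarantineReport(path, QUARANTINE_XATTR in attrs, deny, acl)


# Constructed sample outputs. The first pair models a normal Safari download;
# the second models an archive whose ACL blocks the quarantine tag.
NORMAL_XATTR = "com.apple.quarantine: 0083;63a1b2c3;Safari;0E0F1A2B-CONSTRUCTED\n"
NORMAL_LS = "-rw-r--r--  1 user  staff  4096 Dec 19 10:00 report.zip\n"

TAMPERED_XATTR = ""  # `xattr -l` printed nothing: no quarantine attribute
TAMPERED_LS = (
    "-rw-r--r--+ 1 user  staff  4096 Dec 19 10:00 payload.zip\n"
    " 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown\n"
)


def demo() -> list:
    """Run both samples and return the reports (used by the self-test)."""
    return [
        assess("report.zip", NORMAL_XATTR, NORMAL_LS),
        assess("payload.zip", TAMPERED_XATTR, TAMPERED_LS),
    ]


if __name__ == "__main__":
    for r in demo():
        status = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{r.path}: quarantine={r.has_quarantine} "
              f"deny_writeextattr={r.deny_writeextattr} -> {status}")
```

On a real host, pipe the two command outputs for a freshly downloaded archive into `assess()`; a deny entry on writeextattr for a file that should have been tagged by a browser is worth escalating even after the patch is applied, since it indicates the download path was tampered with.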

Written by:

Ankura