WithSecure™ Labs: With great research comes great responsibility

The AWS S3 pre-sign URL functionality is pretty well documented. However, when combined with IAM role assumption, specifically with Service Roles, there are risks that present themselves that an average AWS admin might not be aware of.

Commercial and open-source command-and-control (C2) frameworks have become a staple in most adversary toolkits, with Cobalt Strike (CS) being one of the most popular. Such frameworks are often leveraged by threat actors to stage and conduct post-exploitation attacks in compromised client estates.

During our investigations through several human-operated intrusions that resembled precursors to ransomware deployments, we came across an interesting Cobalt Strike beacon loader that leveraged DLL side-loading, which we’re tracking as SILKLOADER. By taking a closer look at the loader, we found several activity clusters leveraging this loader within the Russian as well as Chinese cybercriminal ecosystems. 

WithSecure™  discovered multiple issues with how a brand named Megafeis handles account and smart padlock management. By combining these issues, it is possible for an attacker within bluetooth range of one of the affected models of Megafeis smartlocks to take over and open a targeted lock armed only with its MAC address.

WithSecure™ Intelligence has discovered thousands of videos advertising fraudulent web-based apps that pose as USDT (Tether) investment schemes. These videos, hosted on YouTube, promise returns that scale on the amount of currency invested. YouTube channels with significant numbers of subscribers and view counts post new videos of this type on a daily basis. Some of the participating channels are even YouTube verified accounts.

During Q4 2022, WithSecure™ detected and responded to a cyber attack conducted by a threat actor that WithSecure™ have attributed with high confidence to an intrusion set referred to as Lazarus Group. Attribution with high confidence was based off of overlapping techniques tactics and procedures as well as an operational security mistake by the threat actor. Amongst technical indications, the incident observed by WithSecure™ also contains characteristics of recent campaigns attributed to Lazarus Group by other researchers.