BazarCall, Yanluowang, BumbleBee: Cyber Threat Intelligence Roundup
An advisory about BazarCall, the latest on the Yanluowang ransomware attack against Cisco, and a recent BumbleBee cyberattack that went undetected for 11 days
In this week’s recap, we explore how the BazarCall callback phishing technique is being leveraged by at least three separate threat groups. Next, technology giant Cisco recently confirmed it suffered a May 2022 cyberattack. Plus, CTI examines the DFIR Report’s latest analysis of an attack featuring BumbleBee malware, which went undetected for 11 days.
1. AdvIntel issues BazarCall advisory following attacks on Twilio and Cloudflare
AdvIntel published a blog post detailing the most recent cybercriminal activity to leverage BazarCall (a.k.a. BazaCall), a dangerous and effective callback phishing scheme.
BazarCall first emerged in 2020 as part of the toolkit of Ryuk, a notorious ransomware gang that was later rebranded as Conti. AdvIntel’s research asserts that three separate and unrelated threat groups have since adopted the methodology and refined their own phishing tactics from it: Silent Ransom, Quantum, and Roy/Zeon.
More recently, Cloudflare and Twilio both experienced similar attacks involving phishing by an advanced threat actor in possession of home phone numbers of employees and their families.
Impact on the landscape
BazarCall is notable for flipping the script on the typical phishing operation by instead leveraging an advanced knowledge of social engineering and targeted phishing (spear phishing) to enter victim networks.
The use of social engineering via phone — as opposed to complex, technical hacking operations — is a phenomenon that has clearly gained traction and been embraced by threat actors of all stripes, but by none more so than ransomware and extortion actors. For example, we saw the relatively unsophisticated Lapsus$ group take down some giants in the cyber industry, and it appears that some of their peers are attempting to do the same, as evidenced by the recent attacks on Cloudflare and Twilio referenced above.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Silent Ransom — which, like the other two groups specified above, is composed of former high-ranking Conti members — is clearly no longer the only threat group utilizing the highly specified phishing operations that they pioneered. Nor are they the only group to leverage the use of voice phishing or ‘vishing,’ as evidenced by the recent attacks referenced herein. Other threat groups, seeing the success, efficiency, and targeting capabilities of these tactics, have begun using reversed phishing campaigns as a base methodology and developing the infection vector into an attack style of their own.
This trend is likely to continue, and if it does, more victims are likely to come forward in the vein of Cloudflare and Twilio. In a strange way, it’s almost as if the tactics employed by hackers have come full circle. The seeds of “hacking” as we know it were planted during the phone-phreaking days of Kevin Mitnick — the world’s most notorious hacker — and his peers, where they had nothing but their wits, quick thinking, a knowledge of target systems, and most importantly, their voices to rely upon. Threat actors seem to have finally realized the potential of advanced social engineering tactics. This spells trouble for all of us, as phishing operations become more elaborate and difficult to differentiate from legitimate communications.”
2. Cisco hacked by Yanluowang ransomware gang
Cisco recently confirmed that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under threat of leaking stolen files online. According to Cisco, the company immediately took action to eliminate the threat.
The company claims that the attackers were only able to make off with non-sensitive data from a Box folder linked to the account of a compromised employee.
“Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations,” the company said in a statement. “On August 10, the bad actors published a list of files from this security incident to the dark web.”
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen – @serghei https://t.co/mvLvHV5Csk
— BleepingComputer (@BleepinComputer) August 10, 2022
Cisco’s response links to a detailed analysis from Cisco Talos that provides insights into the attack. In a commendable display of transparency, Cisco Talos’ report goes into a surprising level of detail regarding the various phases of the attack chain.
Key takeaways
The following list is by no means an exhaustive compilation of all the notable aspects of this attack, but rather a few items of interest that help to characterize the incident:
- Attempts to exfiltrate information were observed throughout the attack.
- The attacker repeatedly exploited weak password rotation hygiene following mandated employee password resets, focusing on users they apparently believed had made only a single-character change to a previous password.
- The attacker leveraged traffic anonymization services such as Tor.
- Upon being expelled from the environment, the attacker repeatedly attempted email communication with executives – but did not make any specific threats or extortion demands.
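The single-character password rotations noted above are something a password-change policy can reject before the attacker gets to guess them. The following is an added example, not code from Cisco, Cisco Talos or this post, of a rotation check that refuses a new password within a small edit distance of the old one or sharing the same core once digit and punctuation padding is stripped; the function names and the distance threshold are assumptions of this example.

```python
import string
from typing import Optional

# Characters users typically bolt onto an old password to "change" it.
PADDING = string.digits + string.punctuation


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Strip leading/trailing digits and punctuation and lower-case what is left."""
    return pw.strip(PADDING).lower()


def rotation_weakness(old: str, new: str, min_distance: int = 3) -> Optional[str]:
    """Return why `new` is a trivial rotation of `old`, or None if it is acceptable.

    Assumed policy: the new password must differ in at least `min_distance` edits
    and must not be the old password with different digit/symbol padding or case.
    """
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case-only change"
    distance = levenshtein(old, new)
    if distance < min_distance:
        return f"edit distance {distance} < {min_distance}"
    if core(old) and core(old) == core(new):
        return "same core with different digit/symbol padding"
    return None


if __name__ == "__main__":
    # Constructed sample rotations, not real credentials.
    for old, new in [("Autumn2022!", "Autumn2023!"), ("Welcome1", "22Welcome!!"),
                     ("Autumn2022!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {rotation_weakness(old, new) or 'accepted'}")
```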
Throughout the attack, the adversary also dropped a series of payloads onto systems. Many of these are still being analyzed, but at least a few have been examined and their purposes identified. Among them is a simple backdoor designed to receive and execute – via the Windows Command Processor – instructions from a C2 server sent in the form of JSON blobs.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Cisco should be commended for the transparency with which the company has described the events of the attack. Information sharing of this depth and detail may help prevent similar attacks from impacting other organizations going forward.
Yanluowang ransomware first surfaced around October 2021, when it was deployed in targeted attacks on enterprise networks. In that wave of attacks, the attackers were often discovered when analysts detected suspicious activity following the use of legitimate tools, such as the AdFind Active Directory query tool. By April 2022, Kaspersky had announced that it had discovered vulnerabilities in the ransomware’s encryption algorithm, making it possible to recover files it had encrypted. Kaspersky released a free decryptor for Yanluowang victims shortly after.
It may be a telling sign that no ransomware payloads were discovered during Cisco’s investigation. The same is true of the fact that much of the attack — if not all — appeared to be human-operated. Yanluowang may just be another ransomware gang to shift to an encryption-free extortion model, similar in nature to their friends Lapsus$. If this turns out to be the case, Yanluowang should be considered no less of a threat.”
3. BumbleBee malware attack goes undetected for 11 days
The DFIR Report offers a deep technical analysis of BumbleBee malware and the part it played in a recent intrusion in which the threat actors operated within a target network for 11 days without detection.
“During this intrusion, the threat actors gained access using an ISO and LNK file, used several lateral movement techniques, dumped credentials three different ways, kerberoasted a domain admin account and dropped/executed a bespoke tool for discovering privilege escalation paths,” explains DFIR.
BumbleBee Roasts Its Way to Domain Admin
➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk https://t.co/zDF16kr4lU
— The DFIR Report (@TheDFIRReport) August 8, 2022
DFIR researchers did not observe any exfiltration, data encryption, or destruction during this intrusion. However, the TTPs observed do show “common cybercrime threat actors’ tradecraft which may have led to domain-wide ransomware had the threat actors had enough time.”
CTI previously reported on BumbleBee, a malware loader first observed and reported in March 2022 by Google’s Threat Analysis Group (TAG). Google attributes this malware to an initial access broker (IAB) called Exotic Lily.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The DFIR Report is known for its incredibly thorough analysis, and this instance is no exception. CTI recommends looking at the full report for additional technical details.
BumbleBee malware seemed to be all the rage when it was first seen earlier this year, with researchers describing it as the next BazarLoader, while also making much of its apparent associations with organized syndicates comprised of initial-access-brokers (IABs).
BumbleBee-related activity seemed to drop off after its emergence, but the malware has recently re-emerged and taken up its former title as a serious and successful avenue of delivery for ransomware and other payloads. The malware is being increasingly adopted by threat actors, and it is easy to see why. BumbleBee is quite sophisticated, with an emphasis on detection evasion. In fact, BumbleBee is so adept at evading traditional defense solutions that it enabled the threat actors behind the intrusion analyzed above to remain undetected for 11 days. This may not sound like a long time, but think of it this way: Would you want a burglar skulking around in your house for 11 days?”