Cyber Intel Brief: April 27 – May 03, 2023

Malware

New Backdoor Discovered in Limited Attacks

Impacted Industries: All

What You Need To Know:

On 27 April 2023, IBM updated a report in which they described a new backdoor malware family named MINODO, used in campaigns since late February 2023. Little information has been reported about who has been infected with the MINODO backdoor or the PROJECT NEMESIS infostealer, and VirusTotal has low or no submissions for these files. Due to the limited reporting, we are assuming that all organizations likely fit the adversaries' interest, which makes the likelihood of compromise higher than normal; the impact would cause a moderate to considerable level of damage leading to data theft and disruption of operations. We assess that the MINODO backdoor and PROJECT NEMESIS infostealer are a limited threat, based on the fact that these pieces of malware are not frequently reported as observed in the wild. Based on phishing or malvertising potentially being used as the initial infection vector, we assess that this threat is operating now. ATI recommends mitigative action occur within the normal business cycle, which includes incorporating the hashes and domains into your defense-in-depth strategy.


Malware

GitLab Repository Hosting ARESLOADER

Impacted Industries: All

What You Need To Know:

On 28 April 2023, Cyble reported that they had discovered a GitLab repository masquerading as “citrixchat-project/citrixproject.” The threat actor is likely targeting organizations that want to download the Citrix Workspace application, based on a phishing website that linked to the GitLab repository. Organizations that do not have Citrix deployed in their environments fit the adversaries' interest; the impact would cause a moderate to considerable level of damage leading to data theft, disruption of operations, and possibly financial theft. This threat is assessed to be limited in scope, as very little open-source information exists about widespread efforts to distribute ARESLOADER. Due to the GitLab repository being frequently and routinely updated, we assess that this threat is operating now. ATI recommends mitigative action occur within the normal business cycle, which includes ensuring your Citrix admins are only using approved repositories.


Malware

Victim-Specific APT35 Dropper Discovered

Impacted Industries: All

What You Need To Know:

On 26 April 2023, Bitdefender reported that they discovered a previously unreported malware called BELLACIAO, attributed to APT35, an Iranian APT group linked to the Islamic Revolutionary Guard Corps. The BELLACIAO dropper drops a hardcoded webshell or a PowerShell web server and is tailored to each victim, who is likely running vulnerable Microsoft Exchange servers. Organizations that use Microsoft Exchange likely fit APT35's interest, which makes the probability of compromise higher than normal; the impact would cause a considerable to significant level of damage leading to data theft and/or encryption, disruption of operations, and significant financial loss. Due to each BELLACIAO sample being tailored to the victim, the use of victim-specific subdomains, and the targeting of Microsoft Exchange servers, we assess that the scope of BELLACIAO infections is limited. APT35 is using the malware now and is likely developing the necessary resources for future operations against targets of opportunity. ATI recommends mitigative action occur within the normal business cycle, which includes ensuring your Microsoft Exchange servers are up to date.


Exploited Vulnerabilities

APT28 Unlikely to be Actively Exploiting 2017 Cisco Router Vulnerability

Impacted Industries: Public administration and Ukrainian organizations

What You Need To Know:

On 28 April 2023, Censys added context to a recent joint Cybersecurity Advisory issued by UK and US partner organizations by reporting that they discovered over 39,000 Cisco routers potentially vulnerable to CVE-2017-6742, of which over 4,800 are based in the US. Exploitation of CVE-2017-6742 predominantly impacted government and likely strategic targets of interest to Russia during its ongoing war with Ukraine. Organizations that have vulnerable or poorly configured routers using the public community string have a roughly even chance of being targeted; the impact would cause a considerable level of damage leading to data theft and follow-on post-exploitation activity. We assess that exploitation of CVE-2017-6742 is limited in scope, based on the limited number of known victims and the fact that the threat actor must know the SNMP credentials or community string to successfully exploit the vulnerability. APT28 exploitation of CVE-2017-6742 has likely ceased, as the only known reported exploitation occurred in 2021. No other reports highlight exploitation, and the threat actor must know the SNMP credentials or community string. ATI recommends mitigative action occur within the normal business cycle, which includes updating vulnerable devices or implementing the workarounds suggested in Cisco’s advisory.
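As an added illustration (not code from the Censys report or Cisco's advisory), the following Python audit flags the weak SNMP settings described above in a constructed Cisco IOS configuration excerpt: default community strings such as public, read-write communities, and communities without an access-list limiting who may query the device, and checks whether an SNMPv3 group enforcing authentication and encryption is present. The hostnames, ACL numbers, community strings and group names are made up.

```python
import re

# Constructed Cisco IOS SNMP configuration excerpts (not from any report);
# hostnames, ACL numbers, community strings and group names are made up.
WEAK_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit host 10.10.0.5
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tM0n-r0 RO 10
"""
HARDENED_CONFIG = """\
access-list 10 permit host 10.10.0.5
access-list 10 deny any log
no snmp-server community public
no snmp-server community private
snmp-server group NETMGMT v3 priv access 10
"""

# Well-known default community strings; the first guesses of any scanner.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community <string> [view <name>] [RO|RW] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$",
    re.IGNORECASE,
)
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv\b", re.IGNORECASE)


def audit_snmp(config: str) -> list[dict]:
    """Return one finding per SNMPv1/v2c community line that is weakly configured."""
    findings = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:  # skips 'no snmp-server community ...' and unrelated lines
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        issues = []
        if name.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if mode == "RW":
            issues.append("read-write community")
        if acl is None:
            issues.append("no access-list restricting SNMP sources")
        if issues:
            findings.append({"community": name, "mode": mode, "acl": acl, "issues": issues})
    return findings


def uses_snmpv3_priv(config: str) -> bool:
    """True if at least one SNMPv3 group requires authentication and encryption."""
    return any(V3_PRIV_RE.match(line.strip()) for line in config.splitlines())
```

Running `audit_snmp(WEAK_CONFIG)` reports the public and private communities and leaves the ACL-restricted, non-default one alone; the hardened excerpt yields no findings and passes the SNMPv3 check.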


Exploited Vulnerabilities

Malicious Activity Targeting Vulnerable Veeam Software Overlaps With FIN7

Impacted Industries: All

What You Need To Know:

On 28 April 2023, WithSecure updated a report in which they identified two separate incidents of activity, overlapping with tactics, techniques, and procedures used by FIN7, that targeted vulnerable internet-facing Veeam Backup & Replication software. The cybercriminal was able to gather host and network information; maintain persistence; steal information, including passwords; and move laterally and transfer tools to remote hosts. The cybercriminals are likely targeting any organization with internet-exposed Veeam servers vulnerable to CVE-2023-27532. The cybercriminals will likely target those organizations with Veeam Backup & Replication software vulnerable to CVE-2023-27532; the impact would cause a considerable to significant level of damage leading to data breach and theft, disruption of operations, and substantial financial loss. The scope of exploitation of CVE-2023-27532 is likely limited and operating now. However, there is a chance that, due to the limited number of Veeam servers with TCP 9401 publicly exposed, the cybercriminals have switched to other initial access vectors. ATI recommends mitigative action occur within the normal business cycle, which includes following the recommendations and guidelines to patch and configure Veeam Backup & Replication servers as outlined in KB4424.


Exploited Vulnerabilities

CISA Adds 3 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

On 21 May 2023, CISA added three known exploited vulnerabilities to its catalog. The first vulnerability, CVE-2023-1389, is a Command Injection Vulnerability in TP-Link Archer AX21 that allows an attacker to inject commands without authentication. The second vulnerability, CVE-2021-45046, is a Deserialization of Untrusted Data Vulnerability in Apache Log4j2 that allows for information leakage and remote or local code execution. The third vulnerability, CVE-2023-21839, is an Unspecified Vulnerability in Oracle WebLogic Server that could allow unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CISA recommends that mitigation actions be taken before the due date of May 22, 2023, and welcomes any questions or feedback about this intelligence.


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Educational Services, Manufacturing, Healthcare and Social Assistance, and Administrative and Support Services

What You Need To Know:

In the past week, monitored ransomware threat groups added 32 victims to their leak sites. Of those listed, 18 are based in the US. The most popular industry listed was educational services, with seven victims, followed by four in manufacturing, healthcare and social assistance, and administrative and support services. This information represents victims whom cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information or because the available information is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
