Exploited Vulnerabilities
CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware
Key Points:
- Trend Micro has observed threat actors exploiting Spring4Shell, CVE-2022-22965, to infect devices with the Mirai botnet.
- According to Trend Micro, the earliest known exploitation occurred on March 31 in Trend Micro’s honeypots. Active exploitation occurred in the beginning of April and analysis revealed that actors were downloading the Mirai botnet to the “/tmp” folder and executing it after changing permissions using “chmod”.
Deepwatch Assessment:
Deepwatch Threat Intel Team assesses with high confidence that threat actors will continue to exploit critical vulnerabilities, like Spring4Shell and Log4Shell, to facilitate their activities due to exploitation opportunities and the ability to send exploit payloads directly to Internet facing applications/systems. Therefore, it is recommended that organizations upgrade Spring Framework to versions 5.3.18+ and 5.2.20+ and Spring Boot to versions 2.6.6+ and 2.5.12+, details are available here. Additionally Trend Micro provides some mitigation guidance in the interim here.
Exploited Vulnerabilities
CISA Adds 18 Known Exploited Vulnerabilities to Catalog
Key Points:
- CISA has added 18 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Notable software affected includes WatchGuard Firebox, Microsoft, Linux, Adobe Flash Player, and QNAP.
- Threat actors frequently use these vulnerabilities as an attack vector, posing a serious threat to organizations.
Deepwatch Assessment:
Deepwatch Threat Intel Team urges all organizations to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog as part of their vulnerability management process.
Malware
Tarrask Malware Uses Scheduled Tasks for Defense Evasion
Key Points:
- Microsoft recently published an investigation on how the threat actor Hafnium used the Tarrask malware to create hidden scheduled tasks.
- Hafnium conducted a multi-stage attack that included exploiting the authentication bypass vulnerability in Zoho Manage Engine to implant a web shell (Godzilla) and discovered them using malware (Tarrask) that creates hidden scheduled tasks.
Deepwatch Assessment:
Deepwatch Threat Intel Team assesses with high confidence that threat actors are highly likely to hide scheduled tasks to evade defensive measures to maintain persistence. The techniques used by the actor and described in Microsoft’s report can be mitigated or observed by following Microsoft’s recommendations.
Malware
New Meta Information Stealer Distributed in Malspam Campaign
Key Points:
- Bleeping Computer covered a recent report by a SANS ISC handler regarding a new spam phishing campaign that is spreading the new META info stealer malware. META steals credentials and cryptocurrency wallets stored in popular web browsers and is offered for sale at $125 for a monthly subscription or $1,000 for lifetime access.
- In this particular campaign, a spam phishing email is sent that contains a malicious Excel file that masquerades as a DocuSign document and attempts to trick users into enabling macros. Once macros have been enabled the infection follows a seven-step process that culminates in command and control traffic.
Deepwatch Assessment:
Deepwatch Threat Intel Team assesses with moderate confidence that the prevalence of META Stealer is likely to increase given its low cost of 125 for a monthly subscription or $1,000 for lifetime access. To reduce the risk of this threat, Deepwatch Threat Intel Team recommends organizations implement the tactics, techniques, and procedures outlined in this report as part of their phishing awareness and simulation exercises. Additionally, monitoring for web traffic to the URLs listed in the Observables section along with the presence of other observables may indicate a system has been compromised. Another recommended mitigation measure is to prevent employees from storing credentials in web browsers by implementing an enterprise-wide web browser management policy.
Ransomware
A Bad Luck BlackCat
Key Points:
- Kaspersky investigated two recent BlackCat (ALPHV) ransomware incidents and concluded that at least some members of BlackCat have ties to the BlackMatter ransomware group.
- BlackCat has been observed reusing a data exfiltration tool, Fendr, that has only previously been observed in BlackMatter incidents. Additionally, BlackCat has modified the data exfiltration tool to include additional file extensions that are used in industrial design applications, making it more appealing to the sectors they have recently been targeting.
Deepwatch Assessment:
Deepwatch Threat Intel Team assesses with moderate confidence that BlackMatter (ALPHV) will likely target organizations in the industrial sector due to the industrial design application file extensions recently added to their data exfiltration tool Fendr. To reduce the risk of a BlackCat ransomware incident it is recommended that organizations implement multi-factor authentication, monitor the exfiltration of files, patch known exploited vulnerabilities, and implement a phishing awareness and simulation program.
Ransomware
Ransomware Tracker: The Latest Figures [April 2022]
Key Points:
- The Record, a Recorded Future company, released its latest figures for ransomware trends for the month of March. The tracker is updated on the 10th of every month.
- Victim data released on ransomware sites has increased over February’s figures Conti and Lockbit continue to be the “Most Prolific Ransomware Groups”; finally, ransomware incidents against the healthcare and education sectors remained steady.
Deepwatch Assessment:
Deepwatch Threat Intel Team assesses with moderate confidence that Conti and LockBit will continue to remain the top two most observed ransomware variants in the near future. In addition, it is expected that the total amount of victim data released on ransomware extortion sites will increase in the near future. As previously assessed by the Deepwatch Threat Intel Team, the ransomware threat against critical infrastructure, including healthcare service providers, will remain moderate as threat actors may begin to target financial institutions as a reprisal for sanctions imposed on Russia due to the ongoing Ukraine-Russia conflict.
Techniques
Parrot TDS Takes Over Web Servers and Threatens Millions
Key points:
- Avast has discovered various web servers, hosting over 16,000 websites, infected with a new traffic direction system, dubbed Parrot, that redirects website visitors to malicious webpages.
- The most prevalent campaign identified is the “FakeUpdate” (SocGholish) campaign. This campaign attempts to trick users into updating software, like Google Chrome, but instead actually downloads the remote access tool NetSupport. The “FakeUpdate” campaign configuration uses “unique URLs that deliver malicious content to only one specific user”.
Deepwatch Assessment:
Deepwatch Threat Intel Team estimates with moderate confidence that the threat actors behind the Parrot TDS campaign are targeting poorly configured web servers or those with weak admin credentials to compromise. To prevent end-users from inadvertently downloading malicious files, inform employees that all software updates will be coordinated by IT and instruct them to immediately contact the help desk for assistance if they come across any pages like the one seen in this report. Additionally, for organizations to reduce the risk of their web servers being compromised, it is recommended to scan all web server files with an anti-virus solution; implement a routine system to monitor and replace all JavaScript and PHP files with original ones; routinely update your CMS and installed plugins with the latest patches; monitor and inspect all automatically running tasks(like cron jobs); and finally, implement multi-factor authentication and monitor for the creation and misuse of admin accounts.
Mobile Malware
Android Banking Malware Octo Allows Remote Control on Infected Devices
Key Points:
- SOCRadar discovered a new mobile malware, dubbed Octo, that gives threat actors remote access to infected devices.
- In addition to remote access, threat actors can monitor all activity conducted on the device, including all logged-in accounts and sensitive data. Several apps, available on the Google Play Store, have been downloaded over 50,000 times.
Deepwatch Assessment:
Deepwatch Threat Intel Team estimates with moderate confidence that threat actors will continue to target mobile devices with new malware and develop and refine their TTPs to increase their chances of success. Therefore, it is recommended that organizations employ a mobile threat defense and device management platform. Additionally, instructing or requiring users to implement mobile security best practices like those recommended here(PDF) by the National Security Agency.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Share