Cyber Intel Brief: Feb 15 – 22, 2023

Ransomware

TZW Ransomware is a Variant of GlobeImposter

Impacted Industries: All

What You Need To Know:

SentinelOne’s analysis of a ransomware sample that AhnLab dubbed TZW ransomware shows it is a variant of the GlobeImposter ransomware family and uses the same infrastructure to host its Tor site. The code and functionality are also essentially the same.


Malware

OneNote Drops Batch, JScript, & HTML File Types to Deliver QakBot

Impacted Industries: All

What You Need To Know:

Cyble has observed multiple file types dropped by OneNote attachments that lead to QakBot infections. The techniques observed include OneNote attachments that drop batch files (.bat), JScript (.jse), HTML application files (.hta), and zip attachments containing Windows Script Files (.wsf). Over the last 30 days, Deepwatch has observed command line activity dropping .cmd, .jpg, and .png files that are then executed by CMD.exe or RUNDLL32.exe with ONENOTE.exe as the parent or grandparent process.
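The process-lineage observation above can be turned into a simple hunting check. The following is an added illustration, not Deepwatch detection content; the event fields (pid, ppid, image, cmdline) and the sample telemetry are constructed assumptions.

```python
"""Flag CMD.exe / RUNDLL32.exe launches whose parent or grandparent is
ONENOTE.exe and whose command line references a dropped .cmd/.jpg/.png file.
Added example; the event schema is an assumption, not a real EDR format."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

CHILD_IMAGES = {"cmd.exe", "rundll32.exe"}
# Extensions the brief reports being dropped and executed from OneNote.
DROPPED_EXT = re.compile(r"\.(cmd|jpg|png)\b", re.IGNORECASE)


def ancestors(event, by_pid, depth=2):
    """Return up to `depth` ancestor image names, parent first, lower-cased."""
    chain, cur = [], event
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur.image.lower())
    return chain


def flag_onenote_lineage(events):
    """Return pids of cmd.exe/rundll32.exe processes that have onenote.exe as
    parent or grandparent and reference a dropped .cmd/.jpg/.png file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in CHILD_IMAGES:
            continue
        if "onenote.exe" not in ancestors(e, by_pid):
            continue
        if DROPPED_EXT.search(e.cmdline):
            hits.append(e.pid)
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "ONENOTE.EXE", '"ONENOTE.EXE" invoice.one'),
    # direct child: cmd.exe running a dropped .cmd file
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\open.cmd"'),
    # grandchild: rundll32 loading a file named as a .png
    ProcEvent(310, 200, "cmd.exe", "cmd.exe /c start"),
    ProcEvent(320, 310, "rundll32.exe", "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\image.png"),
    # benign: cmd.exe under explorer, no OneNote in the lineage
    ProcEvent(400, 100, "cmd.exe", "cmd.exe /c dir"),
    # OneNote child but no dropped-file extension on the command line
    ProcEvent(330, 200, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    print(flag_onenote_lineage(SAMPLE_EVENTS))  # [300, 320]
```

Tune the extension list and lineage depth to your own telemetry; the grandparent check matters because a cmd.exe wrapper between OneNote and rundll32 is common.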


Malware

Darkcloud Stealer Utilizes Various Data Exfiltration Techniques

Impacted Industries: All

What You Need To Know:

Cyble has observed a noticeable increase in the prevalence of Darkcloud Stealer, an information stealer used to gather passwords, credit card numbers, social security numbers, and other personal and financial information. Threat actors are distributing it worldwide through numerous spam campaigns. The malware has been assessed as highly sophisticated and can customize its payload to target different applications, making it highly adaptable.


Threat Landscape

GoDaddy Discloses Multi-Year Cyber Attack Campaign

Impacted Industries: All

What You Need To Know:

GoDaddy recently disclosed three cyber incidents in its annual 10-K filing with the SEC. In March 2020, a cybercriminal compromised the hosting login credentials of approximately 28,000 hosting customers. In November 2021, a cybercriminal accessed the provisioning system in the legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million customers. In December 2022, a cybercriminal accessed GoDaddy’s cPanel hosting servers and installed malware that intermittently redirected GoDaddy-hosted websites to malicious sites. Based on its investigation, GoDaddy assesses that these incidents are part of a multi-year campaign by a sophisticated cybercriminal group.


Phishing

Cybercriminals Use Free Services to Create Credential Harvesting Web Pages

Impacted Industries: All

What You Need To Know:

A recent SANS Infosec Handlers Diary entry details a phishing campaign where cybercriminals used publicly available and free services to create webpages that collect credentials. The phishing web pages display a login screen overlaid on top of a website that matches the target’s email domain. The login popup features the email domain logo and favicon.


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Manufacturing, Wholesale and Retail Trade, Professional Services, and Construction

What You Need To Know:

In the past week, monitored threat groups added 63 victims to their leak sites. Thirty-four of those listed are US-based; the United Kingdom had four victims listed and Canada three. The most represented industry was manufacturing with 18 victims, followed by wholesale and retail trade, professional services, and construction with four victims each. This information represents victims whom the cybercriminals may have successfully attacked and who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds Four CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added four CVEs (listed below) to its Known Exploited Vulnerabilities Catalog. Some of the software affected includes IBM Aspera Faspex, Mitel MiVoice Connect, Apple, and Microsoft. Multiple sources routinely report exploitation of public-facing applications as one of the top initial infection vectors.

  • CVE-2022-46169 – Cacti
  • CVE-2022-40765 & CVE-2022-41223 – Mitel MiVoice Connect
  • CVE-2022-47986 – IBM Aspera Faspex

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
