Cyber Intel Brief: Jan 12 – 18, 2023

Malware

New Information-Stealing Malware Discovered Spreading Through Phishing Emails and Sites

Impacted Industries: All

What You Need To Know:

Cyble recently discovered a new strain of information-stealing malware called “Rhadamanthys Stealer,” spreading through phishing emails and websites promoted through Google Ads and targeting various system information and browser-related files. The stealer targets multiple applications such as FTP clients, email clients, file managers, password managers, VPN services, and messaging applications. Malware of this type can give a cybercriminal access to the corporate network, as in the Cisco data breach in May 2022, where an employee’s personal Google account was compromised, likely by information-stealing malware, giving initial access to the Cisco VPN. With more employees accessing corporate resources from home, cybercriminals will likely see internet-facing login portals and systems, personal accounts, and home devices as attractive entry points into corporate networks, resulting in increased use of information-stealing malware to obtain credentials.


Malware

Trend Micro Analysis of Q4 2022 Batloader Campaigns

Impacted Industries: All

What You Need To Know:

Trend Micro observed several Batloader campaigns in the 4th quarter of 2022 in which the cybercriminals abused Google Ads and the legitimate Keitaro Traffic Direction System (TDS) to redirect victims into downloading Batloader malware from websites impersonating legitimate software and applications, including Adobe, Google Editor, Grammarly, Slack, Zoom, and TeamViewer, amongst others. According to Trend Micro’s data, most Batloader infections are in the US, with some occurring in Canada and Germany. Microsoft has observed Batloader infections delivering Cobalt Strike beacons, resulting in Royal ransomware deployment. The cybercriminals will likely continue to target remote employees and small to medium-sized businesses (SMBs) via malicious advertising, creating phishing websites that impersonate popular software applications used by SMBs and remote employees, such as Slack, Zoom, Google Editor, and Grammarly.


New Techniques

Lorenz Ransomware Group Uses Same Extortion Tactic Employed by ALPHV

Impacted Industries: All

What You Need To Know:

Cyble discovered that the Lorenz ransomware group used an extortion technique first employed by the ALPHV (BlackCat) ransomware group: creating a dedicated website to leak the stolen data of a single victim. We expect this trend to continue in 2023. In addition to creating the dedicated leak site, the group also leaked the victim’s negotiation chats and contacted the victim’s clients and employees regarding the ransomware attack. Cybercriminal groups will likely employ tactics and techniques that bring additional publicity to these leaks and will seek out sensitive data, such as embarrassing material or confidential operational plans, to further pressure the victim into paying the ransom.


Data Breach

CircleCI Discloses Engineer’s Laptop Was Infected With Infostealing Malware

Impacted Industries: All

What You Need To Know:

CircleCI published an incident report for a late December data breach, disclosing that an engineer’s laptop was infected with information-stealing malware that stole a valid, 2FA-backed SSO session cookie, enabling a cybercriminal to access and exfiltrate data from several databases and stores, including customer environment variables, tokens, and keys. At this time, CircleCI has not disclosed which infostealer malware family was involved or how the engineer’s laptop was infected. Cybercriminals who have read CircleCI’s incident report will likely attempt to infect developers’ systems with infostealer malware to steal session cookies, access sensitive data, and steal secrets, in order to gain access to the victim’s customers or extort the victim for ransom.


Exploited Vulnerabilities

Exploit Code for Vulnerabilities in 3 WordPress Plugins Released

Impacted Industries: All

What You Need To Know:

Tenable Research has discovered multiple SQL injection vulnerabilities in three WordPress plugins, Paid Memberships Pro (CVE-2023-23488), Easy Digital Downloads (CVE-2023-23489), and Survey Maker (CVE-2023-23490), and has published proof-of-concept exploit code for each vulnerability. With the release of the exploit code, cybercriminals will likely target vulnerable instances to spread malware, infect websites with credit card skimming scripts, or conduct post-infection activity.


Exploited Vulnerabilities

ICYMI: Unknown Vulnerability in SugarCRM has Exploit Code Released

Impacted Industries: All

What You Need To Know:

Cybercriminals are highly likely to attempt to exploit a vulnerability that was unknown at the time and is now tracked as CVE-2023-22952, affecting the SugarCRM Sell, Serve, Enterprise, Professional, and Ultimate software solutions, because exploit code has been published through multiple outlets. The Adversary Tactics and Intelligence team (ATI) is aware of one report of active exploitation. However, ATI cannot verify the source’s reliability or credibility, and CISA has not added this vulnerability to its Known Exploited Vulnerabilities Catalog. Censys identified 3,059 instances of SugarCRM on the internet and 354 unique IP addresses hosting the webshell installed by the exploit. According to their data, most infected hosts are located in the US, accounting for 32.5%, and Germany is the second most infected country, accounting for 21.3% of all infected hosts.


Exploited Vulnerabilities

CISA Adds CVE-2022-44877 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on the evidence of active exploitation, CISA has added CVE-2022-44877 to its Known Exploited Vulnerabilities Catalog. The software affected is Control Web Panel (formerly CentOS Web Panel). Multiple sources routinely report the exploitation of public-facing applications as one of the top initial infection vectors. The vulnerability added this week could allow a cybercriminal to execute commands via shell metacharacters in the login parameter. Cybercriminals will likely ramp up exploitation efforts against the newly listed vulnerability within the next two weeks. However, we cannot rule out the possibility that cybercriminals could switch to other tactics and techniques to gain initial access. We base this assessment on CISA documenting the vulnerability in its Known Exploited Vulnerabilities Catalog and the likelihood that organizations will prioritize remediation of listed vulnerabilities.
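To give defenders a concrete check for the injection point described above, here is an added example (not Deepwatch’s or Control Web Panel’s code) that scans web-server access log lines for shell metacharacters in the `login` query parameter; the login endpoint path, the combined log format, and the sample log lines are assumptions, not details from the brief.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed path of the panel's login handler; adjust to the monitored deployment.
LOGIN_PATH = "/login/index.php"

# Shell metacharacters a legitimate login value has no reason to contain.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Apache/Nginx "combined" log format (assumed); POST bodies are not logged here,
# so body-borne parameters would need a WAF or full request log instead.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_login_values(target: str) -> list:
    """Return decoded `login` values from the request target that contain
    shell metacharacters, or [] if the request is not for the login endpoint."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return []
    hits = []
    # parse_qs decodes one layer of percent-encoding; unquote handles a second.
    for value in parse_qs(parts.query, keep_blank_values=True).get("login", []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Yield (ip, timestamp, status, offending value) for each flagged request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in suspicious_login_values(m["target"]):
            yield (m["ip"], m["ts"], m["status"], value)


# Constructed sample log lines (not real traffic); the second one is flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2023:10:01:02 +0000] "GET /login/index.php?login=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jan/2023:10:02:15 +0000] "GET /login/index.php?login=admin%3Becho+probe HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jan/2023:10:02:16 +0000] "GET /index.php?login=admin%3Becho+probe HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for ip, ts, status, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} login={value!r}")
```

A 200 response to a flagged request is the case worth escalating, since it suggests the request reached the vulnerable handler rather than being rejected.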


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

The Adversary Tactics and Intelligence Team builds a weekly picture of encryption- and exfiltration-based data extortion activity by monitoring the information published on dark web extortion sites. This information represents victims whom the cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims. Over the past week, monitored threat groups added 30 victims to their leak sites. Eight of those listed are US-based, and six victims are in the UK. The most affected industries were manufacturing, with seven victims; educational services and professional, scientific, and technical services had five victims each. The wholesale trade had three victims.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Subscribe to the Deepwatch Insights Blog