Cyber Intel Brief: Mar 09 – 15, 2023

Ransomware

CatB Ransomware Also Acts as an InfoStealer

Impacted Industries: All

What You Need To Know:

SentinelOne has published a technical analysis of the CatB ransomware describing the tactics its operators use to evade detection, the ransomware’s encryption behavior, and its attempts to steal both credentials and browser data. CatB employs several techniques to hinder detection and analysis, including UPX packing and DLL search order hijacking; its abuse of the Microsoft Distributed Transaction Coordinator (MSDTC) service gives it persistence on an infected host while helping it evade detection. The ransomware encrypts files without the usual post-encryption artifacts, such as a ransom note dropped on the desktop; victims are instead directed to contact the operators at a Proton Mail address, and a single Bitcoin wallet address is used for payment. CatB also searches for and extracts sensitive data from multiple browsers and email clients, which suggests the operators may have more than one motive. Although the Bitcoin address linked to the operators shows no activity, CatB could still pose a significant threat to organizations if the operators continue to develop it and increase attack volume.


Phishing

Cybercriminals Exploiting SVB Collapse for Phishing Campaigns

Impacted Industries: All

What You Need To Know:

Cyble has discovered cybercriminals exploiting the collapse of Silicon Valley Bank (SVB) through cryptocurrency phishing schemes. The fraudulent sites svb-usdc[.]com and svb-usdc[.]net offer victims a fake USD Coin (USDC) reward program and lead them to click a button that displays a QR code; scanning the QR code with a cryptocurrency wallet leads to compromise of that wallet. Phishing sites impersonating Circle and anonymous investment groups have also emerged. Although Circle has resumed operations, the impersonation site hxxps://circle-reserves[.]com still offers a “USDC Airdrop Token” to eligible holders through a QR code, again leading to wallet compromise. Anonymous investment groups have also approached organizations affected by the SVB collapse and offered financial assistance through sites like hxxps://cash4svb[.]com, which require users to provide personal information. Cybercriminals will likely continue to create similar schemes around the SVB news for financial gain, stealing cryptocurrency, delivering malware, and collecting credentials.
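The lure domains above are reported defanged, as intel briefs do, and a defender’s first two jobs are to turn them back into usable indicators and to catch the next lookalike before it is reported. The script below is an added example, not Cyble’s tooling: it refangs the indicators quoted in this brief and flags hosts that reuse the SVB, USDC, or Circle brand strings. The brand token list, the allow list of legitimate domains (svb.com, circle.com), and the two benign control entries are assumptions for illustration.

```python
"""Refang defanged phishing indicators and flag brand-lookalike hosts.

Added example, not Cyble's tooling. The defanged indicators are the ones
quoted in this brief; the brand keyword list and the allow list of
legitimate domains are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Brand strings an opportunistic lure would reuse (assumed list).
BRAND_TOKENS = ("svb", "siliconvalleybank", "usdc", "circle")
# Legitimate registrable domains we do not want to flag (assumed).
ALLOWED_DOMAINS = {"svb.com", "circle.com"}

_BRACKETED = re.compile(r"\[(\.|://|:)\]")   # matches [.]  [://]  [:]

def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [://] -> ://,
    (.) and [dot] -> ."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = _BRACKETED.sub(r"\1", s)
    return s.replace("(.)", ".").replace("[dot]", ".")

def host_of(ioc: str) -> str:
    """Extract the lowercase hostname from a refanged URL or bare host."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s          # lets urlparse populate netloc for bare hosts
    return urlparse(s).hostname or ""

def registrable_domain(host: str) -> str:
    # Naive last-two-label approximation; a real deployment would use the
    # Public Suffix List so that co.uk-style suffixes are handled.
    return ".".join(host.split(".")[-2:])

def lookalike_tokens(ioc: str) -> list[str]:
    """Return the brand tokens a host contains, or [] if it is an allowed
    domain or contains none. Substring matching is deliberately broad and
    needs tuning in practice ('circle' also matches unrelated brands)."""
    host = host_of(ioc)
    if not host or registrable_domain(host) in ALLOWED_DOMAINS:
        return []
    flat = re.sub(r"[^a-z0-9]", "", host)  # cash4svb.com -> cash4svbcom
    return [t for t in BRAND_TOKENS if t in flat]

# Indicators quoted in the brief, plus two constructed benign controls.
SAMPLE_IOCS = [
    "svb-usdc[.]com",
    "svb-usdc[.]net",
    "hxxps://circle-reserves[.]com",
    "hxxps[://]cash4svb[.]com",
    "hxxps://www.svb[.]com/login",   # constructed: legitimate brand domain
    "example[.]com",                  # constructed: unrelated domain
]

def triage(iocs):
    """Map each indicator to (refanged host, matched brand tokens)."""
    return {ioc: (host_of(ioc), lookalike_tokens(ioc)) for ioc in iocs}

if __name__ == "__main__":
    for ioc, (host, tokens) in triage(SAMPLE_IOCS).items():
        verdict = "LOOKALIKE " + ",".join(tokens) if tokens else "ok"
        print(f"{host:28} {verdict}")
```

Feed the refanged hosts into a blocklist or a newly-registered-domain watch; the brand-token check is noisy on its own and is meant to prioritize review, not to block automatically.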


Threat Actors

Uncovering the Malware of North Korea’s UNC2970 (Part 1)

Impacted Industries: Western Media and Information; may target All

What You Need To Know:

A recent Mandiant report (part one of two) details a phishing campaign, suspected to be the work of the North Korean threat group UNC2970, that has targeted Western media and technology companies since June 2022. In this operation UNC2970 has used new code families, including TOUCHMOVE, SIDESHOW, and TOUCHSHIFT, alongside a wide range of custom post-exploitation tooling. One go-to tool is the TOUCHSHIFT dropper, which masquerades as mscoree.dll or netplwix.dll. UNC2970 has also abused Microsoft’s endpoint management solution, Intune, to push custom PowerShell scripts containing malicious code to remote hosts. This activity may signal a shift in strategy or an expansion of operations as more of the group’s targets move to cloud services.
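Both the CatB write-up above (DLL search order hijacking against the MSDTC service) and the TOUCHSHIFT dropper here (a DLL masquerading as mscoree.dll or netplwix.dll) surface in the same telemetry: image-load events. The script below is an added example, not SentinelOne’s or Mandiant’s detection content. It runs two heuristics over constructed JSON lines shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed); the heuristics, the system directory list, and the watched DLL names are assumptions about how these techniques would look in logs, not indicators from either report.

```python
"""Flag suspicious DLL loads in Sysmon-style ImageLoad events.

Added example; not SentinelOne's or Mandiant's detection content. Events
are constructed JSON lines shaped like Sysmon Event ID 7 (Image,
ImageLoaded, Signed). Two heuristics, both assumptions about how the
techniques in the brief would surface in telemetry:
  1. A DLL whose file name matches a well-known system DLL but is loaded
     from outside the Windows system directories, as with TOUCHSHIFT
     posing as mscoree.dll or netplwix.dll.
  2. Any DLL loaded by msdtc.exe from outside the system directories, as a
     search-order hijack of the MSDTC service (CatB) would produce.
"""
import json
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Names worth watching because the brief reports them being impersonated;
# extend with whatever your own telemetry shows being hijacked.
WATCHED_NAMES = {"mscoree.dll", "netplwix.dll"}

def is_system_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def analyze_event(ev: dict) -> list[str]:
    """Return alert strings for one image-load event (empty if benign)."""
    alerts = []
    image = ev.get("Image", "")
    loaded = ev.get("ImageLoaded", "")
    proc_name = PureWindowsPath(image).name.lower()
    dll_name = PureWindowsPath(loaded).name.lower()
    if dll_name in WATCHED_NAMES and not is_system_path(loaded):
        alerts.append(f"masquerading: {dll_name} loaded from {loaded} by {image}")
    if proc_name == "msdtc.exe" and not is_system_path(loaded):
        alerts.append(f"msdtc hijack: {loaded} loaded by {image}")
    # Sysmon records Authenticode status; an unsigned DLL under a watched
    # name is a stronger signal than path alone.
    if dll_name in WATCHED_NAMES and str(ev.get("Signed", "")).lower() == "false":
        alerts.append(f"unsigned: {loaded}")
    return alerts

def scan(lines):
    """Parse JSON lines and return (line_index, alert) pairs."""
    findings = []
    for i, line in enumerate(lines):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        findings.extend((i, a) for a in analyze_event(ev))
    return findings

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\mscoree.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\netplwix.dll", "Signed": "true"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json"]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_LINES):
        print(f"line {idx}: {alert}")
```

The path check is the cheap part; the msdtc.exe rule in particular will need an allow list for legitimate third-party DLLs that the service loads in your environment, and the signing check only helps once Sysmon is configured to record it.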


Threat Actors

Uncovering the Malware of North Korea’s UNC2970 (Part 2)

Impacted Industries: Western Media and Information; may target All

What You Need To Know:

Part two of Mandiant’s report on UNC2970 describes how the group used the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass kernel-level protections and facilitate its operations. The report details how UNC2970 abused legitimate, trusted, but vulnerable drivers to perform arbitrary read and write operations on kernel memory. Mandiant found that most of the originally compromised hosts contained variations of the same file name and suspicious drivers, created on disk at around the same time. Analysis of these files showed that UNC2970 used a small set of vulnerable drivers, including ones bundled with the Kernel Driver Utility (KDU) toolkit such as the Dell DBUtil 2.3 driver and ENE Technology device drivers, to evade detection. Adversaries ranging from financially motivated actors to espionage actors will likely continue to use BYOVD and adapt it to their tooling, which also makes attribution on the basis of tooling alone more difficult.
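BYOVD works because the driver really is signed, so a detection that trusts the signature alone will miss it. The script below is an added example, not Mandiant’s detection content: it checks constructed JSON lines shaped like Sysmon Event ID 6 (DriverLoad) against a hash block list, the driver’s on-disk location, and its signature status, and then does the fleet-level hunt the report describes, looking for the same driver file name loaded from non-standard paths on more than one host. The SHA256 values in the block list are placeholders, not the real hashes of the Dell DBUtil 2.3 or ENE Technology drivers; a deployment would load Microsoft’s vulnerable driver blocklist or a similar feed.

```python
"""Flag driver loads consistent with BYOVD in Sysmon-style DriverLoad events,
and hunt fleet-wide for the same suspicious driver name on several hosts.

Added example; not Mandiant's detection content. Events are constructed
JSON lines shaped like Sysmon Event ID 6 (Computer, ImageLoaded, Hashes,
Signature, SignatureStatus). The SHA256 values in BLOCKED_SHA256 are
placeholders, not the real hashes of the Dell DBUtil 2.3 or ENE Technology
drivers; a deployment would load Microsoft's vulnerable driver blocklist
or a similar feed. Heuristics (assumptions about how BYOVD appears in logs):
  1. Hash on the block list, regardless of path or signature: the point
     of BYOVD is that the driver is legitimately signed.
  2. Driver file outside the normal driver directories.
  3. Signature status other than Valid.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

BLOCKED_SHA256 = {
    "aa" * 32: "placeholder: Dell DBUtil 2.3",
    "bb" * 32: "placeholder: ENE Technology driver",
}
DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def parse_hashes(field: str) -> dict:
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; split into {algo: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out

def in_driver_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in DRIVER_DIRS)

def analyze_driver_event(ev: dict) -> list[str]:
    """Return alert strings for one driver-load event (empty if benign)."""
    alerts = []
    path = ev.get("ImageLoaded", "")
    name = PureWindowsPath(path).name
    sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha in BLOCKED_SHA256:
        alerts.append(f"blocklisted driver {name}: {BLOCKED_SHA256[sha]}")
    if path and not in_driver_dir(path):
        alerts.append(f"driver loaded from non-standard path: {path}")
    if ev.get("SignatureStatus", "").lower() != "valid":
        alerts.append(f"driver without valid signature: {name}")
    return alerts

def scan_driver_events(lines):
    """Parse JSON lines; return (line_index, alert) pairs."""
    findings = []
    for i, line in enumerate(lines):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        findings.extend((i, a) for a in analyze_driver_event(ev))
    return findings

def hosts_sharing_suspicious_driver(events):
    """Fleet-level hunt: driver file names (case-insensitive) that loaded
    from a non-standard path on more than one host, mirroring the report's
    observation that compromised hosts carried variations of one name."""
    by_name = defaultdict(set)
    for ev in events:
        path = ev.get("ImageLoaded", "")
        if path and not in_driver_dir(path):
            by_name[PureWindowsPath(path).name.lower()].add(ev.get("Computer", "?"))
    return {n: h for n, h in by_name.items() if len(h) > 1}

# Constructed sample telemetry: benign Microsoft driver, a signed but
# blocklisted driver dropped to Temp, a blocklisted driver installed into
# the drivers directory, and an unsigned driver in ProgramData.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "HOST-A", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "HOST-A", "ImageLoaded": r"C:\Windows\Temp\drv1.sys",
     "Hashes": "SHA256=" + "aa" * 32, "Signature": "Vendor A", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "HOST-B", "ImageLoaded": r"C:\Windows\System32\drivers\drv2.sys",
     "Hashes": "SHA256=" + "bb" * 32, "Signature": "Vendor B", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "HOST-B", "ImageLoaded": r"C:\ProgramData\Drv1.sys",
     "Hashes": "SHA256=" + "cc" * 32, "Signature": "", "SignatureStatus": "Unavailable"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for idx, alert in scan_driver_events(SAMPLE_LINES):
        print(f"line {idx}: {alert}")
    print(hosts_sharing_suspicious_driver(SAMPLE_EVENTS))
```

The third sample event is the one to note: a validly signed driver in the right directory that only the hash check catches. Prevention belongs with the hash-based block list (Windows Defender Application Control or HVCI with the Microsoft vulnerable driver blocklist enabled); the path and signature heuristics are for hunting the cases the list has not caught up with.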


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

In the past week, monitored ransomware threat groups added 61 victims to their leak sites. Thirty of those listed are US-based, followed by five in Canada, four in Germany, and two each in Spain, Italy, France, Brazil, and Australia. The most common industry listed was manufacturing, with 16 victims, followed by seven in professional services, five in construction, and three each in wholesale trade and support services. These listings represent organizations that cybercriminals may have successfully attacked but that opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds 6 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

The Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, affecting Adobe, Microsoft, Fortinet, Plex, and XStream products; the flaws allow remote code execution, privilege escalation, path traversal, or security feature bypass. Cybercriminals can use such vulnerabilities to compromise networks, steal sensitive information, and carry out further malicious activity. Separately, first.org’s Exploit Prediction Scoring System (EPSS), which estimates the probability that a CVE will be exploited within the next thirty days, rates several other CVEs as likely to be exploited in that window, including ones affecting OpenSSL, Joomla, Apache Tomcat, and ZOHO ManageEngine NetFlow Analyzer. A KEV listing documents confirmed exploitation, but cybercriminals may still use other tactics and techniques to gain access, so patching the catalog is no substitute for maintaining vigilance and following security best practices.
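KEV and EPSS answer different questions (confirmed exploitation versus predicted exploitation in the next thirty days), and the useful patch queue comes from combining them. The script below is an added example, not CISA’s or first.org’s tooling: it parses a constructed snippet in the layout of the EPSS CSV feed (a leading `#` comment line, then cve,epss,percentile), ranks CVEs with KEV entries first and then by EPSS score, and computes the probability that at least one of a set of CVEs is exploited. The CVE identifiers, scores, KEV membership and the 0.1 threshold are all constructed for illustration, and the combined-probability figure assumes the CVEs are exploited independently, which is an approximation.

```python
"""Combine KEV membership with EPSS scores to order a patch queue.

Added example, not CISA's or first.org's tooling. The CSV text, the CVE
identifiers, the scores and the KEV set are constructed for illustration.
"""
import csv
from math import prod

# Constructed snippet in the layout of the EPSS feed: one leading comment
# line carrying model and score date, then a cve,epss,percentile header.
SAMPLE_EPSS_CSV = """#model_version:v2023.03.01,score_date:2023-03-15T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.97215,0.99900
CVE-0000-0002,0.00084,0.33000
CVE-0000-0003,0.41000,0.97000
CVE-0000-0004,0.02100,0.88000
"""

# Constructed stand-in for the CVE column of the CISA KEV catalog.
SAMPLE_KEV = {"CVE-0000-0002"}

def parse_epss(text: str) -> dict:
    """Return {cve: epss_probability}, skipping '#' comment lines."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}

def tier(cve: str, epss: float, kev: set, threshold: float) -> int:
    """0 = confirmed exploited (KEV), 1 = predicted above threshold, 2 = rest.
    KEV outranks any EPSS score: a low EPSS on a KEV entry (as with
    CVE-0000-0002 here) reflects the model, not the evidence."""
    if cve in kev:
        return 0
    return 1 if epss >= threshold else 2

def prioritize(epss: dict, kev: set, threshold: float = 0.1) -> list:
    """Rank CVEs by tier, then by EPSS descending -> [(cve, tier, epss)]."""
    ranked = sorted(epss.items(),
                    key=lambda kv: (tier(kv[0], kv[1], kev, threshold), -kv[1]))
    return [(c, tier(c, p, kev, threshold), p) for c, p in ranked]

def any_exploited_probability(probs) -> float:
    """P(at least one of these CVEs sees exploitation activity in 30 days),
    under the simplifying assumption that the events are independent."""
    return 1 - prod(1 - p for p in probs)

if __name__ == "__main__":
    scores = parse_epss(SAMPLE_EPSS_CSV)
    for cve, t, p in prioritize(scores, SAMPLE_KEV):
        print(f"tier {t}  {cve}  epss={p:.5f}")
    print(f"P(any exploited) = {any_exploited_probability(scores.values()):.4f}")
```

The combined probability is the number to show an owner who argues that each individual CVE is unlikely to be hit: four scores that each look small can still add up to a near-certainty across the set.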


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


Subscribe to the Deepwatch Insights Blog