Malware
New IcedID Variant Discovered
Impacted Industries: All
What You Need To Know:
Proofpoint has discovered a new variation of the IcedID malware called “Forked” IcedID, which has minimal functionality compared to the standard variant delivered by TA581, an unattributed activity cluster that Proofpoint has been tracking since 2022. The campaign began on February 3rd, and TA581 sent over 13,000 phishing emails that TA581 personalized to the intended targets. The emails contained a OneNote attachment that, when opened, instructed the recipient to double-click the “Open Document with Secure View” button, which concealed an HTML Application (HTA) file. Once clicked, it would invoke a PowerShell command that downloaded and executed a “forked” IcedID loader and a decoy PDF document. Proofpoint detected a second campaign from February 20th through 23rd, consisting of over 200 emails with two lures: a fake recall notice and a false violation with a .url attachment that downloads a batch file if opened. The batch file contains a command that downloads and executes a “forked” IcedID loader. TA581 is likely an emerging “loader-as-a-service” operator capable of conducting mass targeting. However, it is unclear what additional malware this new IcedID variant loads as ATI lacks visibility into post-exploitation activity.
Malware
The InfoStealer Lifecycle
Impacted Industries: All
What You Need To Know:
Cyberint has observed infostealer malware as becoming more prevalent and being used more and more by cybercriminals. Two developments have led to their increase: cyber crime marketplaces and the malware-as-a-service model. Common delivery methods include phishing emails and websites. Infostealers are used to steal sensitive information such as login credentials, session IDs, and cookies. Cybercriminals then sell the stolen data on cyber crime marketplaces for as little as $10. Cybercriminals can use the stolen cookies or session IDs to bypass multi-factor authentication. ATI assesses that cybercriminals are highly likely to increase their use of infostealers to collect sensitive data like login credentials, session IDs, and cookies to sell on cybercrime marketplaces.
Threat Actors
Incidents by Financially Motivated UNC961
Impacted Industries: All
What You Need To Know:
Mandiant published details regarding three UNC961 (a cyber threat group that targets organizations in North America) intrusions that occurred between December 2021 and July 2022. Mandiant believes UNC961 is financially motivated and their primary objectives are to steal sensitive data and provide access to ransomware-affiliated cybercriminals. The group focuses on exploiting vulnerable Internet-facing servers when vulnerabilities are discovered, including Atlassian Confluence, Citrix ADC, Oracle WebLogic, and Gitlab. During one incident that lasted, at least, 146 days, UNC961 was observed passing off access to another threat actor, UNC3966, at day 63. UNC961 will likely continue to utilize vulnerabilities that are related to vulnerable web applications and Internet-facing servers.
Threat Actors
Latest Additions to Data Leak Sites
Impacted Industries: Information, administration and support services, manufacturing
What You Need To Know:
In the past week, the biggest news for data leak sites has been CL0P and their exploitation of a vulnerability in Fortra GoAnyWhere MFT tracked as CVE-2023-0669. According to their leak site, CL0P added 70 new victims. However, we can not confirm the exploitation of GoAnywhere for all newly listed victims. The victims do include some prominent names in their industries, like Saks Fifth Avenue, Scholastic, Plurasight, Hormel, and Proctor and Gamble. Overall, CL0P added 30 victims who are headquartered in the US. The top industries were information and administrative, and support services.
Exploited Vulnerabilities
NTLM Hash Relay Attack Used in Exchange Server Exploitation
Impacted Industries: Public administration, transportation, and utilities. Potential to affect all
What You Need To Know:
Microsoft has reported on post-exploitation activity targeting Microsoft Exchange Servers following the exploitation of CVE-2023-23397. The observed activity includes using an NTLM Hash Relay attack and the Exchange Web Services API to gain persistent access to user mailboxes, forward malicious emails, and collect additional credentials. Microsoft has provided threat-hunting guidance to identify events and activities related to exploitation. The IP addresses associated with the exploitation are assessed to be compromised infrastructure, with targets including public administration and critical infrastructure entities in Ukraine, Romania, Jordan, Australia, and a defense contractor in Turkey. The threat actors are assessed to conduct espionage-related cyber operations and are likely to continue targeting similar entities. However, ransomware operators, affiliates, and initial access brokers may also employ these techniques for financial gain.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Share