Cyber Intel Brief: May 12 – 18, 2022

Malware

FBI Releases Flash Alert for Credit Card Scraping

Key Points:

  • The FBI released a Flash alert about an unknown threat actor who inserted malicious PHP code into an unnamed U.S. organization’s website to scrape and exfiltrate customers’ credit card details and maintain persistence.
  • The inserted code scraped customer credit card and other data from the organization’s shopping cart page and exfiltrated it to an actor-controlled server whose domain spoofed that of a legitimate credit card processor.
  • Observation of this activity may be possible by monitoring for outbound traffic to http://authorizen.net. Additional observation opportunities can be found in the accompanying Observables page.

Deepwatch Assessment:

Mitigation recommendations include regularly scanning systems for vulnerabilities and patching them as soon as possible, prioritizing internet-exposed systems and known exploited vulnerabilities such as those featured in CISA’s Known Exploited Vulnerabilities Catalog; changing default login credentials on all systems; segregating and segmenting network systems; implementing Secure Sockets Layer (SSL)/TLS on all websites that transfer sensitive information; and finally, implementing a strong password management program and enforcing multi-factor authentication.


Malware

A Closer Look At Eternity Malware: Threat Actors Leveraging Telegram To Build Malware

Key Points:

  • Cyble discovered several malware families for sale on a Tor website; the binaries are built through a Telegram bot that lets the threat actor customize each binary to their needs.
  • The malware available includes a stealer, ransomware, a DDoS tool, a cryptocurrency miner, a clipper, and a worm.
  • Observation of this activity may be possible by monitoring for a large increase in file read/write activity from one host and suspicious enumeration of shared network drives. Additional observation opportunities can be found in the accompanying Observables page.

Deepwatch Assessment:

Mitigation recommendations include providing user awareness training that informs employees of company policies and procedures for obtaining access to authorized software; ensuring all browsers and plugins are kept up to date; regularly scanning systems for vulnerabilities and patching them as soon as possible, prioritizing internet-exposed systems and known exploited vulnerabilities such as those featured in CISA’s Known Exploited Vulnerabilities Catalog; determining whether certain websites or attachment types that can be used for phishing (ex: .iso, .exe, .pif, .cpl, etc.) are necessary for business operations and considering blocking access if the activity cannot be monitored well or poses a significant risk; and using anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and the integrity of messages (using DKIM).


Malware

Emotet Summary: November 2021 Through January 2022

Key Points:

  • Palo Alto’s Unit 42 recently detailed Emotet campaigns spanning from November 2021 to January 2022.
  • Emotet employs a method where each malware hash is different on each infected computer. The operators also frequently change domains and command and control IP addresses. Because of these tactics and techniques, any single list of observables such as hashes, IP addresses, and domains will not be useful on its own.
  • Observation of this activity may be possible by monitoring for suspicious base64-encoded PowerShell commands. Additional observation opportunities can be found in the accompanying Observables page.

Deepwatch Assessment:

Mitigation recommendations include incorporating the TTPs outlined in the report into your phishing awareness training and simulation exercise program; employing an anti-virus or EDR solution that can automatically quarantine suspicious files; determining whether certain websites or attachment types that can be used for phishing (ex: .iso, .exe, .pif, .cpl, etc.) are necessary for business operations and considering blocking access if the activity cannot be monitored well or poses a significant risk; using anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and the integrity of messages (using DKIM); restricting the PowerShell execution policy to administrators where its use is necessary; and finally, using script-blocking extensions to help prevent the execution of scripts and HTA files that are commonly used during the exploitation process.


Ransomware

What Malware to Look for if You Want to Prevent a Ransomware Attack

Key Points:

  • Intel 471 delves into the multiple types of malware that companies should keep an eye on in order to avoid a ransomware attack.
  • Malware identified as being deployed prior to ransomware includes, but is not limited to, Emotet, Qbot, IcedID, ZLoader, StealBit, and Cobalt Strike.
  • Observation of this activity may be possible by monitoring for email attachments spawning child processes (ex. regsvr32, psexec, msiexec). Additional observation opportunities can be found in the “Be on the Lookout” section.
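The two process-level observation points in this brief (the Emotet item’s base64-encoded PowerShell commands and the Intel 471 item’s attachments spawning regsvr32/psexec/msiexec) can be checked against process-creation telemetry with the same logic. The script below is an added example, not from the brief or any vendor report; the parent/child process lists, event field names and sample events are constructed assumptions.

```python
import base64

# Constructed detection logic (not from the brief): attachment-hosting parents,
# the child processes the brief says to watch, and the PowerShell images to decode.
ATTACHMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "psexec.exe", "msiexec.exe", "rundll32.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def decode_encoded_powershell(cmd: str):
    """Return the decoded script if cmd carries an -EncodedCommand payload, else None.
    powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        body = tok[1:].lower()
        if body == "ec" or (body.startswith("e") and "encodedcommand".startswith(body)):
            try:  # the payload is base64 over UTF-16LE text, not UTF-8
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def office_spawned_lolbin(event: dict) -> bool:
    """True when an attachment-hosting parent spawns one of the watched children."""
    return (event["parent"].lower() in ATTACHMENT_PARENTS
            and event["image"].lower() in SUSPICIOUS_CHILDREN)

def triage(events):
    """Return (event_index, reason) pairs for events matching either observation."""
    alerts = []
    for idx, ev in enumerate(events):
        if office_spawned_lolbin(ev):
            alerts.append((idx, f"{ev['parent']} spawned {ev['image']}"))
        if ev["image"].lower() in POWERSHELL_IMAGES:
            decoded = decode_encoded_powershell(ev["cmd"])
            if decoded is not None:
                alerts.append((idx, f"encoded PowerShell decodes to: {decoded}"))
    return alerts

# Constructed sample process-creation events (parent, image, command line).
_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": "OUTLOOK.EXE", "image": "WINWORD.EXE", "cmd": "WINWORD.EXE /n invoice.docm"},
    {"parent": "WINWORD.EXE", "image": "regsvr32.exe", "cmd": "regsvr32.exe /s C:\\Users\\Public\\x.dll"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\a.ps1"},
    {"parent": "svchost.exe", "image": "msiexec.exe", "cmd": "msiexec.exe /i update.msi /qn"},
]
```

Decoding the payload rather than alerting on the flag alone lets an analyst see what the command actually does, and a benign `-ExecutionPolicy` or `-File` invocation does not trigger on its own.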

Deepwatch Assessment:

Mitigation recommendations include implementing a phishing awareness training and simulation exercise program; determining whether certain websites or attachment types (ex: .iso, .exe, .lnk, .cpl, etc.) are necessary for business operations; employing an anti-virus or EDR solution; and routinely auditing domain and local accounts and their permission levels to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account.


Threat Actors

Wizard Spider In-Depth Analysis

Key Points:

  • The PRODAFT Threat Intelligence Team recently published a 35-page report on the inner workings of Wizard Spider (the group behind Ryuk, Trickbot, and Conti).
  • The report covers the discovery of a hypervisor encryption server, Wizard Spider’s post-exploitation infrastructure and the servers used for extortion, as well as the custom-built tools the group uses.
  • Observation of this activity may be possible by monitoring for unexpected WireGuard installation/usage or the usage of tools like AnyDesk or Rclone. Additional observation opportunities can be found in the accompanying Observables page.

Deepwatch Assessment:

Mitigation recommendations include implementing a phishing awareness training and simulation exercise program; determining whether certain websites or attachment types (ex: .iso, .exe, .lnk, .cpl, etc.) are necessary for business operations and considering blocking access if the activity cannot be monitored well or poses a significant risk; employing an anti-virus or EDR solution that can automatically quarantine suspicious files; routinely auditing domain and local accounts and their permission levels to look for situations that could allow an adversary to gain wide access by obtaining the credentials of a privileged account; and regularly scanning systems for vulnerabilities and patching them as soon as possible, prioritizing internet-exposed systems and known exploited vulnerabilities such as those featured in CISA’s Known Exploited Vulnerabilities Catalog.


Research

Weak Security Controls and Practices Routinely Exploited for Initial Access

Key Points:

  • CISA, in coordination with cybersecurity authorities in partner countries, released a joint Cybersecurity Advisory identifying the most common controls and practices routinely abused by threat actors.
  • According to the advisory, the most common techniques employed by threat actors to gain initial access to a targeted organization are: abusing and exploiting public-facing applications, external remote services, trusted relationships, and valid accounts, and finally, sending phishing emails.

Deepwatch Assessment:

Mitigation recommendations include restricting local administrator accounts from using remote sessions; using dedicated workstations for administrator sessions; auditing physical and virtual workstations, including cloud-based ones, for open RDP ports (3389), placing those systems deemed necessary behind a firewall and requiring VPN use to access them; implementing multi-factor authentication; auditing and changing vendor-supplied default usernames and passwords; regularly scanning systems for vulnerabilities and patching them as soon as possible, prioritizing internet-exposed systems and known exploited vulnerabilities such as those featured in CISA’s Known Exploited Vulnerabilities Catalog; employing an anti-virus or EDR solution that can automatically quarantine suspicious files; determining whether certain websites or attachment types (ex: .iso, .exe, .pif, .cpl, etc.) are necessary for business operations and considering blocking access if the activity cannot be monitored well or poses a significant risk; and finally, implementing a phishing awareness training and simulation exercise program.


Exploited Vulnerabilities

CISA Adds Two Vulnerabilities to the Known Exploited Vulnerabilities Catalog

Key Points:

  • CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog based on reliable evidence that these vulnerabilities have been actively exploited in the wild.
  • The software affected includes Zyxel and Spring Cloud.

Deepwatch Assessment:

Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, as part of their vulnerability management process.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or remote event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
