Malware
Decoding QakBot: A Comprehensive Analysis of Its C2 Infrastructure and Operational Tactics
Targeted Industries: All
What You Need To Know:
Based on a report from Team Cymru, our analysis reveals that QakBot, a banking Trojan that has been active since 2007, utilizes a robust and resilient C2 infrastructure that continues to communicate with upstream servers even months after being used in campaigns. The infrastructure exhibits notable trends and anomalies, including three upstream servers in Russia, and employs affiliate IDs to track multiple simultaneous campaigns. The analysis also highlights dynamic changes in traffic volume, spikes occurring when an upstream C2 server goes down, and consistent decreases over weekends. These findings underscore the sophistication and resilience of the QakBot infrastructure, emphasizing the need for robust defensive measures.
Ransomware
IcedID Malware and Nokoyawa Ransomware: Techniques, Impact, and Mitigation Strategies
Targeted Industries: All
What You Need To Know:
Based on findings from The DFIR Report, our analysis of an IcedID malware’s operation identifies the techniques employed by threat actors to gain initial access, maintain persistence, and execute the ransomware. Furthermore, the report assesses the impact of the Nokoyawa ransomware on targeted organizations, although specific details regarding data recovery and ransom payment are unavailable. The analysis concludes with key judgments and provides practical recommendations for implementing mitigation measures to prevent similar incidents in organizational environments. The source, The DFIR Report, is a reputable blog known for its detailed and insightful analysis of cyber threat incidents, ensuring the credibility and reliability of the information presented.
Ransomware
Countering BlackByte NT: Exploitation Techniques and Mitigation Measures
Targeted Industries: All
What You Need To Know:
Based on a report from Cluster25, our analysis reveals that the BlackByte Ransomware-as-a-Service (RaaS) group has developed a sophisticated new variant of their malware, BlackByte NT. The group employs advanced tactics, techniques, and procedures (TTPs), including phishing, exploitation for privilege escalation, and multiple defense evasion techniques. BlackByte NT exploits specific drivers and uses syscalls to bypass user-mode hooks, posing significant security challenges. Our key judgment is that organizations should implement robust email security measures immediately within the normal business cycle to thwart phishing attacks, a primary initial access technique employed by the BlackByte RaaS group. The analysis also underscores the need for regular system patching, enhanced syscall activity monitoring, and maintaining up-to-date drivers to effectively mitigate potential infections.
Tactics, Techniques, and Proceedures
Understanding the Universal Threat of URL Obfuscation Across Industries
Targeted Industries: All
What You Need To Know:
Based on a report from Mandiant, our analysis shows that URL obfuscation schema abuse is a prevalent and effective technique in the current cyber threat landscape. Threat actors use this technique to distribute various malware variants, including SMOKELOADER, LOKIBOT, MATIEX, FORMBOOK, and AGENTTESLA. This technique poses a universal threat across various sectors, without targeting any specific industries. The potential impacts of URL obfuscation schema abuse are substantial, including an increased likelihood of successful phishing attacks and the potential to bypass network defense tools. To mitigate this threat, we recommend that organizations update their security tooling and logging systems within the normal business cycle to effectively detect, identify, and parse obfuscated URLs. Furthermore, organizations should ensure that domain extraction tools do not cause errors when encountering URL schema obfuscation. The ATI team has added observables to their indicator feeds and conducts further detection assessment and threat hunting based on the data reported in this intelligence report.
Tools
Brute Ratel Threat Analysis: Deployment Methods, Vulnerabilities, and Defense Strategies
Targeted Industries: All
What You Need To Know:
Based on a report from Sophos, our analysis shows that Brute Ratel is commonly deployed through email attachments and by exploiting vulnerabilities in Internet-exposed servers. To mitigate the risk, organizations should prioritize email filtering, vulnerability assessments, and prompt patching. Addressing unpatched vulnerabilities, misconfigurations, weak authentication, and social engineering tactics is crucial to mitigate initial access vectors. Further research is required to understand the nuances of Brute Ratel and Cobalt Strike. Implementing tailored file and behavioral rules, strong security controls, and conducting awareness training enhances defense. Continuous monitoring, threat hunting, and leveraging managed detection and response services are recommended. Detection of Brute Ratel requires monitoring for anomalous behavior and patterns. ATI recommends implementing email filtering and security awareness training within the normal business cycle to mitigate the intrusion risk of Brute Ratel.
Threat Actors
Latest Additions to Data Leak Sites
Targeted Industries: Manufacturing, Information, Educational Services, Professional, Scientific, and Technical Services, and Health Care and Social Services
What You Need To Know:
In the past week, monitored ransomware threat groups added 59 victims to their leak sites. Of those listed, 29 are based in the US. The most popular industry listed was Manufacturing, with 11 victims. Followed by five each in Information and Educational Services, and four each in Professional, Scientific, and Technical Services and Health Care and Social Services. This information represents victims whom cybercriminals may have successfully compromised but opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.
Exploited Vulnerabilities
CISA Adds 6 CVEs to its Known Exploited Vulnerabilities Catalog
Targeted Industries: All
What You Need To Know:
On 19 and 22 May 2023, CISA added six critical vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities pose a significant risk to organizations utilizing Apple Webkit, Cisco IOS, IOS XR, IOS XE, and Samsung Mobile Devices. The vulnerabilities include sandbox escape, out-of-bounds read, use-after-free, denial-of-service, information disclosure, and sensitive information insertion into log file issues. The assigned CVEs for these vulnerabilities are CVE-2023-32409, CVE-2023-28204, CVE-2023-32373, CVE-2004-1464, CVE-2016-6415, and CVE-2023-21492. To mitigate these vulnerabilities, immediate action is required, such as applying updates or following vendor instructions. The CISA has set due dates for addressing these vulnerabilities, with 9 June 2023 recommended for the Cisco and Samsung vulnerabilities and 12 June 2023 for the Apple vulnerabilities. It is crucial for organizations to prioritize these mitigative actions to protect their systems and data from potential exploitation.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Share