Cyber Intel Brief: May 24 – 31, 2023

Malware

Protect Your Cryptocurrency Transactions: Mitigating the Bandit Stealer Threat

Targeted Industries: Finance, potential for all

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed a recent blog post from Trend Micro revealing the emergence of the Bandit Stealer malware, raising significant concerns within the cybersecurity community, particularly for entities engaged in cryptocurrency transactions. This advanced Go-based malware targets multiple browsers and cryptocurrency wallets, aiming to steal sensitive data. By implementing the suggested measures, you can safeguard your financial transactions and protect your valuable assets from this evolving cyber threat.


Malware

Protect Your IoT Devices: Defend Against Mirai Variant IZ1H9

Targeted Industries: All sectors are at risk, with a particular emphasis on industries heavily reliant on IoT devices.

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed a recent blog post from Palo Alto’s Unit 42 revealing that the Mirai variant IZ1H9 poses a significant threat to IoT devices across all sectors. In this blog post, we highlight the tactics used by the threat actors, the vulnerabilities they exploit, and the potential impact of their campaign. Immediate action is crucial to mitigate the risks posed by this sophisticated threat. By implementing our recommended measures, you can safeguard your IoT devices and maintain a secure network environment.


Phishing

Defend Against .ZIP Domain Phishing Attacks

Targeted Industries: All

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed recent blog posts from Bitdefender and mr. d0x revealing how cybercriminals could abuse the newly created Google top-level domain .ZIP to carry out phishing attacks that mimic file archiver software. By taking immediate action and implementing these measures, you can defend against .ZIP domain phishing attacks and safeguard your sensitive information.
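The core of the .ZIP risk is that a string that looks like a file name (for example an attachment name in an email) is now also a resolvable hostname, so mail clients and chat tools may turn it into a clickable link. The following detector is an added example, not code from the Bitdefender or mr. d0x posts: it scans message text for explicit URLs and bare file-name-like tokens, resolves the host each one would point at, and flags those whose top-level domain is .zip. The sample message and the `RISKY_TLDS` set are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Top-level domains that double as common file extensions. Only .zip is
# discussed on this page; extend the set if your policy covers others.
RISKY_TLDS = {"zip"}

# Matches either an explicit http(s) URL or a bare token such as
# "Q2-results.zip" that auto-linkifying clients would treat as a hostname.
URL_OR_TOKEN = re.compile(r"(?:https?://\S+|\b[\w.-]+\.[a-z]{2,}\b)", re.IGNORECASE)


def host_of(token):
    """Return the lowercase hostname a client would resolve for this token, or None."""
    if "://" not in token:
        token = "http://" + token  # bare tokens are linkified as http links
    try:
        host = urlsplit(token).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def is_risky_host(host):
    """True when the host's top-level domain is one of the file-extension TLDs."""
    return host is not None and host.rsplit(".", 1)[-1] in RISKY_TLDS


def find_zip_domain_links(text):
    """Return (token, host) pairs for every link in text that lands on a .zip host."""
    hits = []
    for match in URL_OR_TOKEN.finditer(text):
        token = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        host = host_of(token)
        if is_risky_host(host):
            hits.append((token, host))
    return hits


# Constructed sample message: one bare file-name-like token, one benign URL,
# and one explicit URL on a .zip host.
SAMPLE_MESSAGE = (
    "Please review Q2-results.zip before Friday; "
    "source: https://www.trendmicro.com/ and http://update.zip/setup"
)

if __name__ == "__main__":
    for token, host in find_zip_domain_links(SAMPLE_MESSAGE):
        print(f"flagged {token!r} -> host {host}")
```

Running the block against the constructed message flags both the bare `Q2-results.zip` token and the explicit `http://update.zip/setup` link, while the vendor URL passes; a mail gateway rule can apply the same check before links are rendered to users.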


Threat Actors

Protect Against Volt Typhoon: Critical Infrastructure Threat

Targeted Industries: All, with a focus on critical infrastructure sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed recent blog posts from Microsoft and CISA revealing that Volt Typhoon, a highly sophisticated state-sponsored threat actor from China, poses a severe risk to organizations, particularly in critical infrastructure sectors. This blog post highlights the tactics, techniques, and potential impacts of their cyber espionage campaign. We provide key insights and recommend immediate preventive measures to mitigate this significant threat. By promptly implementing the recommended actions, organizations can defend against Volt Typhoon and safeguard their sensitive information.


Threat Actors

Void Rabisu: Escalating Geopolitical Threat Demands Immediate Action

Targeted Industries: Public Administration, Utilities, and Finance and Insurance are at high risk. IT service providers in Europe and the US, European parliament members, and the general financial and energy sectors also face potential threats.

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed a recent blog post from Trend Micro revealing that Void Rabisu, a highly sophisticated threat actor group with ties to Cuba Ransomware, has recently shifted its focus from financial motives to geopolitical motivations. This blog post provides a detailed analysis of the group’s adaptive tactics and evolving RomCom 3.0 backdoor. Industries with geopolitical significance, particularly the public administration and utilities sectors, are at high risk. We outline the group’s techniques and potential impacts, and recommend immediate preventive measures to mitigate this severe threat. By implementing the recommended actions promptly, organizations can defend against Void Rabisu and protect their sensitive information.


Exploited Vulnerabilities

Urgent Alert: Zero-Day Exploit in Barracuda Email Security Gateway Appliances

Targeted Industries: All

What You Need To Know:

The Adversary Tactics and Intelligence Team analyzed recent blog posts from Barracuda and Bleeping Computer highlighting a critical cyber threat involving the exploitation of a zero-day vulnerability in Barracuda ESG appliances. The threat actor’s advanced capabilities and custom malware pose significant risks to organizations across all industries. Prompt mitigation through the application of the provided security patch is crucial to protect against potential financial losses, reputational damage, and regulatory penalties. Decision-makers must prioritize the urgency of applying the patch and take immediate action to defend against this severe threat.


Exploited Vulnerabilities

Latest Additions to Data Leak Sites

Targeted Industries: Manufacturing, Information, Health Care and Social Services, Professional Services, and Finance and Insurance

What You Need To Know:

In the past week, monitored ransomware threat groups added 82 victims to their leak sites. Of those listed, 47 are based in the US. The most common industry listed was Manufacturing, with 16 victims, followed by seven each in Information and in Health Care and Social Assistance, and six each in Professional Services and in Finance and Insurance. This information represents victims who may have been successfully compromised by cybercriminals but opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds 2 CVEs to its Known Exploited Vulnerabilities Catalog

Targeted Industries: All

What You Need To Know:

On 26 and 31 May 2023, CISA added 2 CVEs to its Known Exploited Vulnerabilities Catalog. These vulnerabilities affect products from Zyxel and Barracuda Networks. The vulnerability types are OS command injection and remote command injection. The Common Vulnerabilities and Exposures (CVE) identifiers assigned to these vulnerabilities are CVE-2023-28771 and CVE-2023-2868. It is crucial to apply updates or follow vendor instructions promptly to mitigate these vulnerabilities; CISA’s due dates are 21 June and 16 June respectively.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
