Cyber Intel Brief: Oct 13 – 19, 2022

Ransomware

Cuba Ransomware Incident Analysis

Impacted Industries: Financial and Insurance, Public Administration, Manufacturing, and Professional, Scientific, and Technical Services

What You Need To Know:

Microsoft provides a detailed account of a recent Cuba ransomware incident in which the threat actors used a collection of commodity tools and techniques before and after the deployment of the ransomware. According to Mandiant, UNC2596 is the only group that deploys Cuba ransomware. 

During the incident the threat actors used Cobalt Strike, Impacket’s WMI modules, RDP, PsExec.exe, 7-Zip, and PuTTY Secure Copy; created multiple scheduled tasks and services; installed OpenSSH; abused WDigest; disabled Windows Defender; and abused a vulnerability in the Avast anti-rootkit driver.


Threat Actor

APT27 Exploits Log4J Vulnerabilities Against a US State Legislature

Impacted Industries: Manufacturing, Public Administration

What You Need To Know:

Symantec reports that APT27 (Budworm) has exploited Log4j vulnerabilities recently, targeting the government of a Middle Eastern country, a multinational electronics manufacturer, and a US state legislature. However, Symantec does not provide details of the US state legislature incident or how they linked it to APT27.

The report also stated that APT27 used Virtual Private Servers (VPS) hosted on Vultr and Telstra as C2 servers and, in recent attacks, used CyberArk Viewfinity, an endpoint privilege management product, to perform DLL side-loading. They usually rename the binary to masquerade as a more innocuous file, such as securityhealthservice.exe, secu.exe, vfhost.exe, vxhost.exe, vx.exe, and v.exe. In other cases, Budworm loaded the HyperBro backdoor with its own loader (file names: peloader.exe, 12.exe).


Threat Actor

8220 Gang Changed Infrastructure; Continues to Exploit Cloud Hosts

Impacted Industries: All

What You Need To Know:

SentinelOne has recently observed the 8220 Gang continuing to absorb hosts into its botnet at a pace consistent with SentinelOne’s previous reporting. Most targets run outdated or misconfigured versions of Docker, Apache, and WebLogic, or services vulnerable to Log4j. Additionally, the 8220 Gang used the PureCrypter Malware-as-a-Service to target Windows systems through the group’s traditional C2 infrastructure. In early September 2022, the 8220 Gang rotated its infrastructure, assigning new IP addresses to two previously reported domains. The group also uses a miner proxy that acts as a pool to combine the infected hosts’ resources and avoid analysis of their cumulative mining metrics.


Malware

New Attack Framework Discovered; Researchers Say It’s Being Used in the Wild

Impacted Industries: All

What You Need To Know:

Cisco Talos discovered a new attack framework that includes a C2 tool called “Alchimist” and a new malware family, “Insekt,” with remote administration capabilities. The framework targets Windows, Linux, and macOS machines. It can generate a configured payload and deploy it to framework clients, establish remote sessions, capture screenshots, perform remote shellcode execution, and run arbitrary commands. Cisco Talos assesses with moderate to high confidence that threat actors are using the framework in the wild; however, the report does not identify incidents or campaigns attributed to the framework or the custom RAT implant, Insekt.


Malware

New Phishing Sites Discovered

Impacted Industries: All

What You Need To Know:

Cyble Research and Intelligence Labs (CRIL) discovered two phishing websites impersonating the AnyDesk and Convertio websites. The AnyDesk lookalike downloads the information stealer Mitsu Stealer, and the Convertio lookalike downloads RedLine Stealer. Both information stealers collect victims’ sensitive information, such as usernames, passwords, cookies, auto-fill data, and user profiles, from the installed browsers’ directories.


Malware

New PowerShell Backdoor Discovered

Impacted Industries: Professional, Scientific, and Technical Services, possibly all industries

What You Need To Know:

SafeBreach discovered a malicious Word document containing macro code that creates two PowerShell scripts and a scheduled task. One of the scripts is a new PowerShell backdoor that takes the novel approach of disguising itself as part of the Windows Update process. SafeBreach could not link the tool and its associated C2 commands to any known threat actor, and assessed that the threat actor had targeted approximately 100 victims. One script sends GET and POST requests to the C2, which returns commands and a victim ID; the other script executes the commands received.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
