Threat Actor
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
Impacted Industries: Public Administration, Manufacturing, Utilities, and Grantmaking and Giving Services
What You Need To Know:
Symantec reports that the Witchetty espionage group has deployed new malware against its targets. The observed intrusion chain exploited vulnerabilities to gain initial access, installed web shells, harvested credentials, moved laterally across the network, and installed malware on additional hosts.
Threat Actor
DeftTorero: Tactics, Techniques and Procedures of Intrusions Revealed
Impacted Industries: All
What You Need To Know:
Kaspersky’s analysis of historical intrusions by the Lebanon-based APT DeftTorero suggests a shift in TTPs toward fileless and LOLBin techniques and the use of familiar, publicly available offensive tools. According to Kaspersky, the group gains initial access through web servers, either by exploitation or by credential theft.
New TTPs
Investigating Novel Malware Persistence Within ESXi Hypervisors
Impacted Industries: Unknown
What You Need To Know:
Mandiant identified a threat actor using a technique it had not observed before: malicious vSphere Installation Bundles (VIBs) were used to install multiple backdoors on ESXi hypervisors.
Ransomware
Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group
Impacted Industries: All
What You Need To Know:
Sygnia assesses that the Cheerscrypt and Night Sky ransomware families are operated by a single threat group and that both are recent rebrands.
Malware
SmokeLoader Delivers the New Erbium Stealer
Impacted Industries: All
What You Need To Know:
Cyberint has discovered a new information stealer, Erbium, used in a campaign in which the threat actors delivered it via SmokeLoader. According to Cyberint, the malware focuses on cryptocurrency wallets and on Discord and Telegram clients, but it also steals cookies, passwords, and other browser data.
Malware
Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
Impacted Industries: Defense Industrial Base
What You Need To Know:
During an incident response engagement, CISA found that multiple APT groups had likely compromised a Defense Industrial Base (DIB) sector organization’s network, and that some of these actors had maintained long-term access to the environment. CISA also observed the actors using Impacket and a custom data exfiltration tool to steal the victim’s sensitive data, and found 17 web shells implanted on the network.
Exploited Vulnerabilities
CISA Adds 3 Vulnerabilities to Known Exploited Vulnerabilities Catalog
Impacted Industries: All
What You Need To Know:
Based on evidence of active exploitation, CISA has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog: two in Microsoft Exchange and one in Atlassian Bitbucket.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event that would have significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.