Cyber Intel Brief: April 14-20, 2022
By Eric Ford,
New DDoS Botnet Fodcha Attacks More Than 100 Victims Each Day
- Cyber Intel Magazine covered the recent discovery of a new distributed denial of service botnet, dubbed Fodcha, by Qihoo’s 360netlab and CNCERT.
- Between March 29 and April 10, the Fodcha infected nearly 62,000 devices and targeted 100 victims per day, with 360netlab linking almost 10,000 IP addresses to the botnet.
Recommended mitigations and guidance include updating devices with the latest patches with the focus on internet-exposed known exploited vulnerabilities, implement multi-factor authentication, and consider employing a third-party DDoS mitigation solution. Additionally, identifying all internet-exposed Internet of Things devices and taking proper risk reduction and security measures is another recommendation.
Threat Spotlight: “Haskers Gang” Introduces New ZingoStealer
- CISA Cisco Talos recently discovered “ZingoStealer,” a new information stealer that targets Windows operating systems and is offered for free by a threat actor known as the Haskers Gang.
- ZingoStealer frequently distributes additional malware to victims, such as RedLine Stealer and the XMRig cryptocurrency mining malware, and is capable of exfiltrating sensitive information such as credentials and cryptocurrency wallet information, in addition to mining cryptocurrency on victims’ systems.
To reduce the risk of this threat it is recommended is to implement phishing awareness and simulation exercises in end-user awareness training, implementing an enterprise-wide browser management policy that restricts or blocks non-approved browser extensions, and prevent users from storing passwords or secrets in any applications, such as: browsers, FTP/SSH clients, and cryptocurrency wallets. Additionally, developing and communicating an Acceptable Use Policy that instructs end-users to only install authorized programs provided by the IT department may reduce the risks associated with ZingoStealer.
CISA Adds 13 Known Exploited Vulnerabilities to Catalog
- CISA has added 13 vulnerabilities to its Known Exploited Vulnerabilities Catalog based on reliable evidence that these vulnerabilities have been actively exploited in the wild.
- Notable software affected includes VMware Workspace ONE Access and Identity Manager, Chrome, Ubiquiti, and Microsoft Windows.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, as part of their vulnerability management process.
Karakurt Revealed as Data Extortion Arm of Conti Cybercrime Syndicate
- A Bleeping Computer article covers a recent report by Infinitum IT, a Turkish cybersecurity consultancy firm, where they were able to identify the data extortion threat actor Karakurt as a member of the ransomware group Conti.
- Infinitum IT compromised accounts believed to belong to a “key member” of the Conti ransomware group which allowed them access to their email and online file storage accounts. Additionally, Infinitum IT exploited an unpatched vulnerability in FileZilla that allowed them access to a command and control server used in attacks and the web server used for their data leak website. Their analysis revealed that Conti members have access to Karakurt’s infrastructure and identifies the open-source tools that Karakurt uses in attacks.
Recommendations and guidance include implementing phishing simulation and awareness training, patch systems (with a focus on known exploited vulnerabilities on internet-exposed systems), implementing a multi-factor authentication solution, and monitoring for the use of RClone. Implementing a network segmentation architecture and monitoring for in-network abnormal behavior are some additional protective measures.
FBI Says BlackCat/ALPHV Compromised 60 Organizations
- The FBI publishes the known tactics, techniques, procedures, and observables for the BlackCat/ALPHV ransomware group in a recent FBI FLASH advisory.
- According to FBI data, BlackCat/ALPHV has compromised 60 organizations and uses previously compromised credentials for initial access. Once the threat actors have access, the actors use PowerShell scripts, Cobalt Strike, and the creation of Group Policy Objects to deploy the ransomware.
Recommended mitigation steps and guidance include monitoring Windows administrative and Microsoft Sysinternals tools usage and the creation of Group Policy Objects, implement multi-factor authentication, monitoring for the exfiltration of files, and patch known exploited vulnerabilities. Additionally, exploring the resources set forth in CISA’s Stop Ransomware website may help to reduce and prevent any ransomware attack.
Check Point Identifies Most Imitated Brands in its Q1 Phishing Report
- In Check Point’s Q1 Brand Phishing Report, Check Point identified the top 10 brands that threat actors imitate in their phishing campaigns.
- According to Check Point’s telemetry, LinkedIn was the most impersonated brand, accounting for 52% of phishing attempts, shipping giant DHL came in second with 14%, and Google rounded out the top three at 7%.
To mitigate the risk associated with brand impersonating phishing campaigns it is recommended to incorporate brand impersonation in phishing simulation exercises.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.