Cyber Intel Brief: April 19 – 26, 2023


Follow-on Implications of the 3CX Supply Chain Attack

Impacted Industries: Financial Services; Potentially All Customers Impacted by the 3CX Supply Chain Attack

What You Need To Know:

Mandiant found that a trading software installed on an 3CX employee’s personal computer contained a backdoor, enabling the threat actor to access 3CX’s corporate network. CISA analyzed the final stage of the supply chain attack, while Kaspersky reported that the attack targeted cryptocurrency companies. Volexity and Trend Micro focused on the ICONIC Stealer and found that it exfiltrates data using the main loader module in a POST request. We assess with moderate to high confidence that the 3CX supply chain attack was widespread. Threat actors are likely analyzing stealer logs of those organizations infected with the infostealer dropped in the 3CX supply chain attack. Those impacted customers will likely lead to follow-on attacks and cause a moderate to a significant level of damage. ATI recommends mitigative action occur within the normal business cycle. The compromise of 3CX highlights the importance for customers to evaluate the risk of allowing employees to use their personal computers to log in to the corporate network.


Container File Types Chained Together to Deliver Qakbot

Impacted Industries: All

What You Need To Know:

On 21 April 2023, Cyble reported that they observed cybercriminals using OneNote attachments with embedded .iso file, which contains a Microsoft Compiled HTML Help file (.chm), which includes a .htm file in phishing emails to deliver Qakbot malware. We assess with low confidence that the cybercriminals are likely targeting various organizations and industries. We assess with moderate confidence that all customers fit the cybercriminal’s interest and make the probability of compromise higher than normal, whose impact will cause a considerable to significant level of damage leading to data theft, disruption in operations, and financial loss. We further assess with moderate confidence that the threat of Qakbot delivered via OneNote attachments embedded with a .iso file containing a .chm file containing a .htm file is widespread. The cybercriminals behind this phishing campaign are likely still operating now. ATI recommends mitigative action occur within the next few weeks, which includes preventing users from launching embedded files in Microsoft OneNote files.


New Defense Evasion Tool Used by Ransomware Affiliate

Impacted Industries: Manufacturing, Education, and Professional Services

What You Need To Know:

On 19 April 2023, Sophos reported that they observed cybercriminals(s) use a new tool, dubbed AuKill, which installs, and abuses Microsoft’s Process Explorer driver to kill and prevent restarting of EDR processes. AuKill has been observed in Lockbit and Medusa Locker ransomware incidents, and organizations in the manufacturing, education, and professional services industries are listed the most often on ransomware leak sites. Customers in these industries have the highest probability of being compromised, whose impact will cause a significant level of damage leading to data theft, disruption of operations, and significant financial loss. We assess with moderate confidence that the use of AuKill is limited and, we assume, by the same affiliate. The cybercriminal behind AuKill is likely continuously developing the tool and using different variations depending on the environment and access to admin privileges. ATI recommends mitigative action occur within the normal business cycle, which includes implementing multi-factor authentication for administrative privileges.

Exploited Vulnerabilities

PaperCut Exploitation Leads to Truebot and Cryptomining

Impacted Industries: All customers running vulnerable PaperCut print management software

What You Need To Know:

On 21 April 2023, Huntress reported that they observed threat actors exploiting vulnerabilities in PaperCut MF/NG versions later than 8.0 that allow for unauthenticated remote code execution by bypassing authentication. The threat actors installed Atera and Syncro remote management and maintenance (RMM) software and the Truebot malware and another instance dropped a cryptominer. It is likely that the threat actors are targeting vulnerable PaperCut MF and NG versions later than 8.0 irrespective of the organization or industry. Customers who run vulnerable versions have a higher probability of compromise, whose impact will cause a considerable to significant level of damage. We assess with moderate confidence that the exploitation of PaperCut servers is limited and ongoing. These attempts are likely to continue for the next several weeks. ATI recommends mitigative action occur within the next few weeks, which includes upgrading the PaperCut server to a patched version by following the PaperCut advisory.

Exploited Vulnerabilities

CISA Adds 4 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

On 19 and 21 April, CISA added four CVEs to its Known Exploited Vulnerabilities Catalog. The vulnerabilities added this week are: MinIO Information Disclosure Vulnerability (CVE-2023-28432), PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350), Google Chrome Skia Integer Overflow Vulnerability (CVE-2023-2136), Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability (CVE-2017-6742), Users are advised to apply updates per vendor instructions for each vulnerability, with CISA recommending mitigation due dates ranging from May 10 to May 12 depending on the issue.

Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Manufacturing, Finance and Insurance, Information, Retail Trade, and Transportation and Warehousing

What You Need To Know:

In the past week, monitored ransomware threat groups added 62 victims to their leak sites. Of those listed, 40 are based in the US. The most popular industry listed was manufacturing  with 34 victims. Followed by 12 in the finance and insurance, nine each in information, seven in retail trade, and five in transportation and warehousing.This information represents victims whom cybercriminals may have successfully attacked but opted not to negotiate or pay a ransom. However, we can not confirm the validity of the cybercriminals’ claims.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog