Cyber Intel Brief: April 21-27, 2022
By Eric Ford
TeamTNT targeting AWS, Alibaba
- Cisco Talos received, from a third-party intelligence partner, several updated versions of scripts used by TeamTNT, a threat group that focuses mainly on cloud and container environments and deploys cryptocurrency-mining malware.
- According to Talos' analysis, the scripts primarily target Amazon Web Services but could also work against on-premises, container, or other Linux instances.
To mitigate the risk posed by TeamTNT's modified scripts, organizations should reduce access to credentials that carry the permissions needed to install software, prevent use of the account's root user, withhold console access from users who do not need it, and grant high-privileged users the PowerUserAccess managed policy rather than AdministratorAccess. Additionally, routinely analyzing CPU usage and alerting on sustained, excessive CPU consumption can surface cryptomining malware running on a system.
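Two of the mitigations above are detections rather than configuration changes: spotting use of the account root user (or console logins by users who should not have console access) and alerting on sustained high CPU. The following Python is an added example written for this brief, not code from Cisco Talos or from the TeamTNT scripts. The CloudTrail records and CPU samples are constructed for the example, and the `CONSOLE_USERS` allowlist and the 90%/6-period thresholds are assumptions to adjust per environment.

```python
"""Detections for the TeamTNT mitigations: root/console activity in CloudTrail
and sustained high CPU on an instance. Sample data is constructed."""

# Constructed CloudTrail-style records (a subset of the real event fields).
SAMPLE_EVENTS = [
    {"eventTime": "2022-04-21T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2022-04-21T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "build-bot"}},
    {"eventTime": "2022-04-21T10:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2022-04-21T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}},
]

# Hypothetical allowlist: the only IAM users who are supposed to use the console.
CONSOLE_USERS = {"alice"}


def find_identity_alerts(events, console_users=CONSOLE_USERS):
    """Return (reason, eventName, identity) tuples for any root-identity API
    call and for ConsoleLogin events by users outside the allowlist."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "Root":
            # Any root activity is worth a ticket; root should not be used day to day.
            alerts.append(("root-activity", ev["eventName"], "root"))
        elif ev.get("eventName") == "ConsoleLogin":
            user = ident.get("userName", "?")
            if user not in console_users:
                alerts.append(("unexpected-console-login", ev["eventName"], user))
    return alerts


def sustained_high_cpu(samples, threshold=90.0, min_periods=6):
    """True if `min_periods` consecutive samples are at or above `threshold`.
    A short spike (a build, a deploy) does not trip it; a miner pinned at
    100% for an hour does. Samples are CPU percentages in period order."""
    run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        if run >= min_periods:
            return True
    return False


if __name__ == "__main__":
    for alert in find_identity_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
    # Constructed 5-minute CPU samples: a spike, then a flat-out miner.
    print("spike:", sustained_high_cpu([12, 15, 99, 97, 20, 18]))
    print("miner:", sustained_high_cpu([20, 95, 96, 97, 98, 99, 99, 40]))
```

The `userIdentity.type` value `Root` and the `ConsoleLogin` event name are the real CloudTrail fields to key on; the consecutive-period rule mirrors how a CloudWatch alarm with "N datapoints out of N" behaves, so the same threshold can be carried into an alarm definition.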
Prynt Stealer: A New Info Stealer Performing Clipper And Keylogger Activities In The Wild
- Cyble discovered a new infostealer, dubbed Prynt Stealer, being offered for free on cybercrime forums.
- In addition to its clipper and keylogger capabilities, the malware can collect and exfiltrate data from over 35 different browsers and from VPN, FTP, messaging, and gaming applications.
Recommendations include implementing cybersecurity awareness training and phishing simulation exercises, enforcing multi-factor authentication, monitoring for the creation of folders and files in the AppData directory and for exfiltration of data outside the corporate network, and, finally, ensuring that security protection systems such as anti-virus or endpoint detection and response (EDR) are up to date and functioning properly.
Cisco Talos’ Threat Roundup for April 15 to April 22
- Cisco Talos summarized the most prevalent threats they observed between April 15 – 22, providing a brief description of each threat and their accompanying observables.
- The most prevalent threats covered include Zegost, Formbook, Cerber ransomware, Upatre dropper, Fareit infostealer, Banload trojan, and cryptominers.
Recommendations include, but are not limited to, following cybersecurity best practices like those featured by CISA, auditing logs for the observables provided by Cisco in their accompanying JSON file, and adding evaluated observables to your block list.
Emotet Tests New Delivery Techniques
- Proofpoint observed a low volume of emails distributing Emotet whose tactics, techniques, and procedures differed drastically from typical Emotet campaigns.
- The email subject lines were simple, often a single word such as "Salary," and the email bodies contained only OneDrive URLs and no other content. The OneDrive URLs led to zip archives containing XLL files, named with the same lures as the subjects, such as "Salary_new.zip" and "Salary_and_bonuses-04.01.2022.xll".
To reduce the risk of future Emotet campaigns that may employ the techniques described by Proofpoint, it is advised to include the techniques observed by Proofpoint in your phishing awareness training and simulation exercises and add evaluated observables to your block list.
ALPHV: Breaking Down the Complexity of the Most Sophisticated Ransomware
- Forescout recently released a report detailing their investigation of files and tools utilized by an ALPHV ransomware affiliate during an attack on a VMware ESXi environment.
- Forescout revealed that the ransomware was delivered on March 17, 2022, and that the attack involved two distinct stages: exploiting an Internet-exposed SonicWall firewall for initial access and encrypting the VMware ESXi virtual farm.
Of note, the vulnerability the threat actors exploited for initial access had its CVE identifier assigned on February 6, 2019 and was added to CISA's Known Exploited Vulnerabilities Catalog on November 3, 2021, more than four months before this incident. This highlights the importance of updating systems as soon as possible, with a focus on devices that are Internet-exposed and known to have been exploited. Additionally, recommendations include those featured on CISA's Stop Ransomware website.
Quantum Ransomware: From Initial Access to Encryption in Under 4 Hours
- The DFIR Report details a ransomware case in which the threat actor went from initial access to deploying Quantum ransomware in under four hours.
- Initial access was gained when a user clicked a link in a phishing email that delivered an ISO image; the ISO dropped the IcedID malware and eventually a Cobalt Strike beacon. The threat actors moved laterally within the environment over RDP, using administrator accounts whose credentials were gathered by dumping LSASS memory.
Recommendations and guidance include incorporating the techniques used in the phishing email into your phishing awareness and simulation exercises. Additionally, limiting Remote Desktop access within your organization's environment to a few designated source systems, rather than allowing it from every system, may reduce the risk of the threat actor achieving their objectives.
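Once RDP is restricted to designated source systems, the restriction is also a detection: any RDP logon from another source is a policy violation, and one source reaching several hosts in a short window is the lateral-movement pattern described above. The Python below is an added example for this brief, not code from The DFIR Report. It assumes Windows Security Event ID 4624 records exported with the `LogonType`, `IpAddress`, `TargetUserName` and `Computer` fields (LogonType 10 is RemoteInteractive, i.e. RDP); the `JUMP_HOSTS` set, the sample records and the 30-minute/3-host window are constructed assumptions.

```python
"""Flag RDP logons from non-approved sources and RDP fan-out from one source.
Built on Windows Security Event ID 4624; sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical jump hosts: the only systems allowed to originate RDP sessions.
JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}

# Constructed 4624 records as a SIEM would export them. LogonType 10 = RDP;
# the last record is a LogonType 3 (network) logon and must not count as RDP.
SAMPLE_LOGONS = [
    {"time": "2022-04-22T13:02:10", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.5.10", "TargetUserName": "helpdesk1", "Computer": "WS-0421"},
    {"time": "2022-04-22T13:10:41", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.7.55", "TargetUserName": "svc_backup", "Computer": "FS-01"},
    {"time": "2022-04-22T13:12:03", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.7.55", "TargetUserName": "svc_backup", "Computer": "DC-01"},
    {"time": "2022-04-22T13:13:37", "EventID": 4624, "LogonType": 10,
     "IpAddress": "10.0.7.55", "TargetUserName": "svc_backup", "Computer": "SQL-02"},
    {"time": "2022-04-22T13:20:00", "EventID": 4624, "LogonType": 3,
     "IpAddress": "10.0.7.55", "TargetUserName": "svc_backup", "Computer": "FS-01"},
]


def rdp_logons(events):
    """Successful logons of type 10 (RemoteInteractive) only."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]


def unapproved_rdp_sources(events, jump_hosts=JUMP_HOSTS):
    """(source, account, target) for every RDP logon not from a jump host.
    With RDP restricted at the firewall these should be empty; any hit means
    either a firewall gap or an attacker already inside."""
    return [(e["IpAddress"], e["TargetUserName"], e["Computer"])
            for e in rdp_logons(events) if e["IpAddress"] not in jump_hosts]


def fan_out_sources(events, window=timedelta(minutes=30), min_hosts=3):
    """Sources that RDP'd into at least `min_hosts` distinct computers within
    `window`: one operator hopping through the estate with a dumped admin
    credential. Returns {source: sorted list of targets}."""
    by_src = defaultdict(list)
    for e in rdp_logons(events):
        by_src[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["Computer"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Sliding window starting at each logon; stop at the first that qualifies.
            hosts = {host for t, host in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for hit in unapproved_rdp_sources(SAMPLE_LOGONS):
        print("RDP from non-jump-host:", hit)
    for src, hosts in fan_out_sources(SAMPLE_LOGONS).items():
        print("RDP fan-out from", src, "->", hosts)
```

Under Network Level Authentication a single RDP session produces a type 3 logon followed by the type 10, which is why the filter keys on type 10 alone; counting type 3 as well would double-count every session.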
CISA Adds 7 Known Exploited Vulnerabilities to Catalog
- CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog based on reliable evidence that these vulnerabilities have been actively exploited in the wild.
- Notable software affected includes WSO2, Microsoft Windows, Linux, and Jenkins.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, as part of their vulnerability management process.
2021 Top Routinely Exploited Vulnerabilities
- In a joint Cybersecurity Advisory, CISA and partner government organizations identified the top 15 most routinely exploited vulnerabilities observed in 2021.
- Notable software affected includes Log4j, Microsoft Exchange, Zoho ManageEngine, Confluence Server, Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s “2021 Top Routinely Exploited Vulnerabilities” advisory as part of their vulnerability management process.
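The ALPHV incident above shows why "remediate what is in the KEV Catalog first" needs to be wired into the vulnerability-management process rather than left as advice: the exploited flaw had been in the Catalog for over four months. The Python below, an added example for this brief and not a Deepwatch or CISA tool, joins a scanner export against an excerpt in the shape of CISA's KEV JSON feed (`vulnerabilities[].cveID`, `dateAdded`, `dueDate`) and ranks findings: KEV-listed and Internet-exposed first, then KEV-listed internal, then everything else, with the oldest Catalog entries on top. The feed excerpt, scan findings and CVE identifiers are constructed placeholders, not real catalog entries.

```python
"""Rank scanner findings by KEV membership, exposure and time in the Catalog.
All data below is constructed; the CVE IDs are fictitious placeholders."""
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed (fictitious entries).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-90001", "vendorProject": "ExampleVendor",
         "product": "Edge Firewall", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2022-90002", "vendorProject": "ExampleVendor",
         "product": "Build Server", "dateAdded": "2022-04-25", "dueDate": "2022-05-16"},
    ]
}

# Constructed scanner export: one finding per (asset, CVE).
SCAN_FINDINGS = [
    {"asset": "fw-edge-01", "cve": "CVE-2021-90001", "internet_exposed": True},
    {"asset": "ci-01", "cve": "CVE-2022-90002", "internet_exposed": False},
    {"asset": "ws-17", "cve": "CVE-2020-90003", "internet_exposed": False},  # not in KEV
]


def kev_index(feed):
    """Map cveID -> catalog entry for O(1) lookups during the join."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(findings, feed, today):
    """Return findings annotated with KEV data and sorted by priority.
    `today` is an ISO date string. Tiers: P1 = KEV + Internet-exposed,
    P2 = KEV internal, P3 = not in KEV. Within a tier, longest-listed first."""
    today = date.fromisoformat(today)
    idx = kev_index(feed)
    ranked = []
    for f in findings:
        entry = idx.get(f["cve"])
        if entry is None:
            ranked.append({**f, "in_kev": False, "days_listed": None,
                           "overdue": False, "tier": "P3"})
            continue
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        ranked.append({**f, "in_kev": True,
                       "days_listed": (today - added).days,
                       "overdue": today > due,        # past the federal due date
                       "tier": "P1" if f["internet_exposed"] else "P2"})
    ranked.sort(key=lambda r: (r["tier"], -(r["days_listed"] or 0)))
    return ranked


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, KEV_FEED, "2022-04-27"):
        print(r["tier"], r["asset"], r["cve"],
              f"listed {r['days_listed']} days" if r["in_kev"] else "not in KEV",
              "OVERDUE" if r["overdue"] else "")
```

`dueDate` in the real feed is the deadline CISA sets for federal agencies; treating it as a hard ceiling for your own SLA is a reasonable default, and the `days_listed` field makes a four-month-old entry on an Internet-facing appliance stand out immediately.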
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like "probably," "likely," "very likely," and "almost certainly" denote a higher than even chance. The terms "unlikely" and "remote" imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like "may" and "might" reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like "we can't dismiss," "we can't rule out," and "we can't discount" refer to an unlikely, improbable, or remote event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a "high confidence" judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.