Cyber Intel Brief: April 7-13, 2022
By Eric Ford,
CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware
- Trend Micro has observed threat actors exploiting Spring4Shell, CVE-2022-22965, to infect devices with the Mirai botnet.
- According to Trend Micro, the earliest known exploitation occurred on March 31 in Trend Micro’s honeypots. Active exploitation occurred in the beginning of April and analysis revealed that actors were downloading the Mirai botnet to the “/tmp” folder and executing it after changing permissions using “chmod”.
Deepwatch Threat Intel Team assesses with high conﬁdence that threat actors will continue to exploit critical vulnerabilities, like Spring4Shell and Log4Shell, to facilitate their activities due to exploitation opportunities and the ability to send exploit payloads directly to Internet facing applications/systems. Therefore, it is recommended that organizations upgrade Spring Framework to versions 5.3.18+ and 5.2.20+ and Spring Boot to versions 2.6.6+ and 2.5.12+, details are available here. Additionally Trend Micro provides some mitigation guidance in the interim here.
CISA Adds 18 Known Exploited Vulnerabilities to Catalog
- CISA has added 18 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Notable software affected includes WatchGuard Firebox, Microsoft, Linux, Adobe Flash Player, and QNAP.
- Threat actors frequently use these vulnerabilities as an attack vector, posing a serious threat to organizations.
Deepwatch Threat Intel Team urges all organizations to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog as part of their vulnerability management process.
Tarrask Malware Uses Scheduled Tasks for Defense Evasion
- Microsoft recently published an investigation on how the threat actor Hafnium used the Tarrask malware to create hidden scheduled tasks.
- Hafnium conducted a multi-stage attack that included exploiting the authentication bypass vulnerability in Zoho Manage Engine to implant a web shell (Godzilla) and discovered them using malware (Tarrask) that creates hidden scheduled tasks.
Deepwatch Threat Intel Team assesses with high conﬁdence that threat actors are highly likely to hide scheduled tasks to evade defensive measures to maintain persistence. The techniques used by the actor and described in Microsoft’s report can be mitigated or observed by following Microsoft’s recommendations.
New Meta Information Stealer Distributed in Malspam Campaign
- Bleeping Computer covered a recent report by a SANS ISC handler regarding a new spam phishing campaign that is spreading the new META info stealer malware. META steals credentials and cryptocurrency wallets stored in popular web browsers and is offered for sale at $125 for a monthly subscription or $1,000 for lifetime access.
- In this particular campaign, a spam phishing email is sent that contains a malicious Excel ﬁle that masquerades as a DocuSign document and attempts to trick users into enabling macros. Once macros have been enabled the infection follows a seven-step process that culminates in command and control traffic.
Deepwatch Threat Intel Team assesses with moderate confidence that the prevalence of META Stealer is likely to increase given its low cost of 125 for a monthly subscription or $1,000 for lifetime access. To reduce the risk of this threat, Deepwatch Threat Intel Team recommends organizations implement the tactics, techniques, and procedures outlined in this report as part of their phishing awareness and simulation exercises. Additionally, monitoring for web traffic to the URLs listed in the Observables section along with the presence of other observables may indicate a system has been compromised. Another recommended mitigation measure is to prevent employees from storing credentials in web browsers by implementing an enterprise-wide web browser management policy.
A Bad Luck BlackCat
- Kaspersky investigated two recent BlackCat (ALPHV) ransomware incidents and concluded that at least some members of BlackCat have ties to the BlackMatter ransomware group.
- BlackCat has been observed reusing a data exﬁltration tool, Fendr, that has only previously been observed in BlackMatter incidents. Additionally, BlackCat has modiﬁed the data exﬁltration tool to include additional ﬁle extensions that are used in industrial design applications, making it more appealing to the sectors they have recently been targeting.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that BlackMatter (ALPHV) will likely target organizations in the industrial sector due to the industrial design application ﬁle extensions recently added to their data exﬁltration tool Fendr. To reduce the risk of a BlackCat ransomware incident it is recommended that organizations implement multi-factor authentication, monitor the exﬁltration of ﬁles, patch known exploited vulnerabilities, and implement a phishing awareness and simulation program.
Ransomware Tracker: The Latest Figures [April 2022]
- The Record, a Recorded Future company, released its latest ﬁgures for ransomware trends for the month of March. The tracker is updated on the 10th of every month.
- Victim data released on ransomware sites has increased over February’s ﬁgures Conti and Lockbit continue to be the “Most Proliﬁc Ransomware Groups”; ﬁnally, ransomware incidents against the healthcare and education sectors remained steady.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that Conti and LockBit will continue to remain the top two most observed ransomware variants in the near future. In addition, it is expected that the total amount of victim data released on ransomware extortion sites will increase in the near future. As previously assessed by the Deepwatch Threat Intel Team, the ransomware threat against critical infrastructure, including healthcare service providers, will remain moderate as threat actors may begin to target ﬁnancial institutions as a reprisal for sanctions imposed on Russia due to the ongoing Ukraine-Russia conﬂict.
Parrot TDS Takes Over Web Servers and Threatens Millions
- Avast has discovered various web servers, hosting over 16,000 websites, infected with a new traffic direction system, dubbed Parrot, that redirects website visitors to malicious webpages.
- The most prevalent campaign identiﬁed is the “FakeUpdate” (SocGholish) campaign. This campaign attempts to trick users into updating software, like Google Chrome, but instead actually downloads the remote access tool NetSupport. The “FakeUpdate” campaign conﬁguration uses “unique URLs that deliver malicious content to only one speciﬁc user”.
Android Banking Malware Octo Allows Remote Control on Infected Devices
- SOCRadar discovered a new mobile malware, dubbed Octo, that gives threat actors remote access to infected devices.
- In addition to remote access, threat actors can monitor all activity conducted on the device, including all logged-in accounts and sensitive data. Several apps, available on the Google Play Store, have been downloaded over 50,000 times.
Deepwatch Threat Intel Team estimates with moderate conﬁdence that threat actors will continue to target mobile devices with new malware and develop and reﬁne their TTPs to increase their chances of success. Therefore, it is recommended that organizations employ a mobile threat defense and device management platform. Additionally, instructing or requiring users to implement mobile security best practices like those recommended here(PDF) by the National Security Agency.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.