Cyber Intel Brief: Aug 11 – 18, 2022

Threat Actors

Reservations Requested: TA558 Targets Hospitality and Travel

Impacted Industries: Hospitality and Travel

What You Need To Know:

Proofpoint published a comprehensive report on TA558, detailing activity conducted over four years that is still ongoing. TA558 targets hospitality, travel, and related industries. In 2022, TA558 has increased its activity, shifted tactics, and begun using URLs and container files to distribute malware.


Techniques

“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches

Impacted Industries: Finance, Information, Legal, and Insurance; others to a lesser degree

What You Need To Know:

AdvIntel details the call-back phishing technique, AKA BazarCall, a method where an adversary sends a phishing email asking the target to call a phone number. Once the victim calls the number, the threat actor tries to convince the caller to start a remote session. Once the victim allows the session, the threat actors infiltrate the victim’s computer, using tools to enumerate the environment and install malware.

You can read the full report with associated observables from AdvIntel here.


Techniques

Detecting a Rogue Domain Controller – DCShadow Attack

Impacted Industries: All

What You Need To Know:

SentinelOne recently detailed an attack technique where a threat actor with domain or enterprise admin privileges can register a rogue DC in a corporate network. Once registered, the rogue DC is used to inject changes to domain objects and have legitimate DCs replicate those changes throughout the AD infrastructure.

You can read SentinelOne’s full analysis of this technique here.
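As an added illustration of one way to check for the rogue registration described above (example code written for this brief, not SentinelOne’s or Deepwatch’s tooling): the script below compares the nTDSDSA objects in the Configuration partition against the domain’s own list of domain controllers, and separately flags non-DC computer accounts that carry DC-style service principal names (the `GC/` SPN and the DRS replication SPN GUID). It assumes the RSAT ActiveDirectory module is installed and that the running account can read the Configuration partition; the function name `Get-SuspiciousDcRegistrations` is this example’s own.

```powershell
# Added example: audit Active Directory for DC registrations that do not match
# the set of legitimate domain controllers. Assumes the ActiveDirectory module
# (RSAT) and a domain account with read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-SuspiciousDcRegistrations {
    [CmdletBinding()]
    param()

    # Legitimate DCs as the domain itself reports them (hostnames, upper-cased for comparison).
    $knownDcs = Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToUpperInvariant() }

    # Every DC has an nTDSDSA object ("NTDS Settings") under a server object in
    # CN=Sites,CN=Configuration. A rogue registration creates one for a host that is not a DC.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntdsObjects = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties whenCreated

    foreach ($obj in $ntdsObjects) {
        # Parent DN has the form CN=<ServerName>,CN=Servers,CN=<Site>,CN=Sites,...
        $parentDn   = ($obj.DistinguishedName -split ',', 2)[1]
        $serverName = (($parentDn -split ',')[0] -replace '^CN=', '').ToUpperInvariant()
        if ($knownDcs -notcontains $serverName) {
            [pscustomobject]@{
                Indicator = 'nTDSDSA object without matching domain controller'
                Server    = $serverName
                Object    = $obj.DistinguishedName
                When      = $obj.whenCreated
            }
        }
    }

    # Second indicator: a computer account outside the Domain Controllers group
    # (primaryGroupID 516) that carries replication SPNs only DCs should have.
    $drsSpnGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # well-known DRS interface GUID used in DC SPNs
    Get-ADComputer -Filter 'primaryGroupID -ne 516' -Properties servicePrincipalName, whenChanged |
        Where-Object {
            $_.servicePrincipalName | Where-Object { $_ -like 'GC/*' -or $_ -like "$drsSpnGuid/*" }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'DC-style SPN on non-DC computer account'
                Server    = $_.Name.ToUpperInvariant()
                Object    = $_.DistinguishedName
                When      = $_.whenChanged
            }
        }
}

# Usage: run from a domain-joined host; an empty table is the expected healthy result.
Get-SuspiciousDcRegistrations | Format-Table -AutoSize
```

A periodic sweep of directory state only catches a registration that is still present, and the rogue DC is normally unregistered as soon as the injected changes have replicated. Pair this check with auditing of object creation and deletion in the Configuration partition (Windows Security events 5137 and 5141) and of computer-account changes (event 4742) so that a short-lived registration still leaves a record.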


Ransomware

#StopRansomware: Zeppelin Ransomware

Impacted Industries: Manufacturing, Education, Information, and Health Care

What You Need To Know:

The FBI and CISA have released a joint Cybersecurity Advisory to disseminate known observables and TTPs associated with the RaaS known as Zeppelin. The FBI has observed instances where Zeppelin affiliates executed the ransomware multiple times, creating different IDs or file extensions for each instance of an attack, resulting in the victim needing several unique decryption keys.

You can read CISA’s full report with observables here.


Attack Surface

Exposed VNC A Major Threat To Critical Infrastructure Sectors

Impacted Industries: Critical Infrastructure

What You Need To Know:

Cyble researchers observed a spike in attacks targeting Virtual Network Computing (VNC), which typically listens on TCP port 5900. During their research, they identified over 9,000 internet-exposed VNC instances with authentication disabled, with China, Sweden, and the United States among the top five countries hosting them.

You can read the full report from Cyble here.


Mobile Security

SOVA Malware is Back and Evolving Rapidly

Impacted Industries: Finance, Retail, and Individuals

What You Need To Know:

In July 2022, Cleafy discovered a new version of an Android banking trojan that adds new capabilities and targets more than 200 mobile applications, including banking and generic shopping apps. Furthermore, while researching that update, Cleafy observed a further version in which the developers had added a ransomware module that encrypts users’ devices.

You can read Cleafy’s full report with observables here.


Exploited Vulnerabilities

Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

Impacted Industries: All

What You Need To Know:

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) regarding the active exploitation of several vulnerabilities affecting Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. The CSA details four CVEs that pose a significant risk to organizations if left unmitigated.

You can read CISA’s full report with associated observables here.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Subscribe to the Deepwatch Insights Blog