Cyber Intel Brief: Jan 19 – 25, 2023

New Techniques

Cybercriminals Using HTML Attachments to Bypass Email Security

Impacted Industries: All

What You Need To Know:

Avanan discovered a cybercriminal bypassed email security solutions by using an HTML attachment containing a base64 encoded SVG image containing Javascript that redirects the recipient to a malicious URL when a target clicks on the attachment. Cybercriminals using HTML attachments with an SVG image with a Base64 encoded URL can bypass email security solutions allowing the email to arrive in target inboxes. This technique is similar to one Avanan covered in August 2019, where they detailed a similar HTML obfuscation technique called MetaMorph. We do not know how widespread this campaign is, but cybercriminals using phishing as an initial infection vector will likely adopt this technique to harvest credentials or deliver malware.


New Malware Discovered Specifically Designed for Fortinet Firewalls

Impacted Industries: All

What You Need To Know:

Mandiant discovered a new malware, tracked as Boldmove, when they investigated a China-nexus campaign they believed to have exploited the vulnerability, CVE-2022-42475, in Fortinet’s FortiOS SSL-VPN as a zero-day. Mandiant identified a Windows and a Linux variant designed to run on FortiGate Firewalls. According to Mandiant, the malware allows threat actors to control the file system, spawn a remote shell, or relay traffic via the infected host. The Linux variation has extended capabilities that enable threat actors to alter specific behaviors and functionality of Fortinet devices, namely FortiGate Firewalls. Chinese threat actors will continue targeting vulnerabilities in internet-facing and connected devices to conduct espionage and other malicious activities, continuing a long-running trend.

Exploited Vulnerabilities

CISA Adds CVE-2022-47966 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on the evidence of active exploitation, CISA has added CVE-2022-47966 to its Known Exploited Vulnerabilities Catalog. The software affects multiple Zoho ManageEngine Products. The Adversary Tactics and Intelligence team released a Customer Advisory on 20 January, where Deepwatch observed circumstantial evidence of active exploitation. The vulnerability added this week could allow a cybercriminal to execute commands due to an outdated third-party dependency, Apache Santuario. Cybercriminals will likely ramp up exploitation efforts of the newly listed vulnerability within the next two weeks. However, we can not rule out the possibility that cybercriminals could switch to other tactics & techniques to gain initial access.

Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

The biggest data leak site news over the past week involved the FBI seizing Hive’s data leak site. In the past week, the monitored threat groups added 17 victims to their leak sites. Seven of those listed are US-based, and Canada and Australia had two victims each. The most popular industries were healthcare, construction, education, finance and insurance, and information, with two victims listed for each. Two victims operated in the other services industry.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog