Cyber Intel Brief: Jan 5 – 11, 2023

New Techniques

Are IcedID Cybercriminals Employing a New Technique to Spread Their Malware?

Impacted Industries: All

What You Need To Know:

Cyble has identified a social engineering campaign that delivers the IcedID malware through a website offering visitors the Zoom video conferencing software as a download. Cyble reports that this campaign is a change in tactics as IcedID cybercriminals usually spread the malware through spam emails with malicious attachments. The Adversary Tactics and Intelligence team has collected more and more open-source intelligence reporting on cybercriminals using social engineering sites, Google Ads, and blog posts to spread various malware families. Based on this, we hypothesize that the IcedID cybercriminals are responding to this trend by testing this tactic and others to deliver their malware. However, IcedID cybercriminals may already be using this tactic, which has never been reported before.


Malware

Common Initial Access Tactics Used by Kimsing Cryptoming Malware

Impacted Industries: All

What You Need To Know:

Microsoft detailed two common tactics to gain initial access to Kubernetes container environments used by Kinsing malware, a self-spreading cryptomining malware, to target Linux environments for cryptocurrency mining. The two methods involve exploiting vulnerable images and misconfigured PostgreSQL containers. We expect cybercriminals will continue deploying Kimsing malware by exploiting misconfigured PostgreSQL containers or vulnerabilities found in Kubernetes container environments as the number of available vulnerabilities and misconfigured containers is likely significant to warrant ongoing attempts.


Malware

Ursnif/Gozi/IFSB Malware Lead to Cobalt Strike & Data Exfiltration

Impacted Industries: All

What You Need To Know:

Cybercriminals will likely continue using Ursnif/Gozi/IFSB malware (one of the oldest banking malware families and now used as a backdoor) delivered through phishing emails or sites to gain initial access and deploy additional malware for data exfiltration and data encryption. However, nation-state-sponsored threat actors could use the malware to mask their activities to deploy other malware and tools to facilitate data exfiltration for espionage-related motives. We base this assessment on a recent The DFIR Report intrusion report that details an incident where a malicious ISO file was used as an entry point for Ursnif malware, resulting in a Cobalt Strike deployment. The cybercriminal connected to various hosts, including a backup server, where they reviewed backups and processes before exiting. The DFIR report also observed the cybercriminals exfiltrating data via HTTP post events to several domains, masquerading as image uploads.


Malware

IcedID Leads to Domain Compromise, Cobalt Strike, & Data Exfiltration

Impacted Industries: All

What You Need To Know:

Cybereason published a report about a recent investigation into an IcedID infection that ultimately led to data exfiltration. The initial infection method was an archive containing an ISO file with an LNK file. Throughout the attack, the cybercriminal followed a routine of executing discovery commands, credential theft, and lateral movement by abusing Windows protocols and running Cobalt Strike on the newly compromised host. Cybereason observed the cybercriminals used several TTPs, and tools that Conti, Lockbit, FiveHands, and others used in their attacks. The commonality across multiple groups could be because the cybercriminals read open-source reporting on their activity and other groups. By doing this, the cybercriminals may want to make attributing attacks to them harder or improve the success of their attacks. It’s not clear what, if any, activity occurred after the data exfiltration. Cybercriminals may have attempted to extort the victim by threatening to disclose the data stolen publicly, or the cybercriminals were nation-state-sponsored threat actors who stole the data to meet collection requirements for future espionage activity or knowledge.


Threat Actors

Lorenz Ransomware Group Uses 5-Month-Old Webshell to Gain Access

Impacted Industries: All

What You Need To Know:

S-RM’s incident response team found that the cybercriminal group known as Lorenz had used a 5-month-old web shell to gain access to a victim’s network and launch a ransomware attack. S-RM’s investigation revealed that the initial access vector was likely through the victim’s Mitel telephony infrastructure, as evidenced by the group’s previous exploitation of VoIP vulnerabilities, the ransomware binary’s name “VOIP.exe,” and the earliest identified malicious activity occurring on Mitel infrastructure. S-RM also discovered that the victim organization had patched the system with the most recent updates. However, the cybercriminals had exploited CVE-2022-29499 a week before the victim organization implemented the patch. The Lorenz cybercriminal group either uses an initial access broker who has an exploit for CVE-2022-29449 to help them facilitate their initial access, or the group can exploit the vulnerability themselves. Some open-source reports detail how long the group waits between gaining initial access to performing additional activities.


Threat Actors

Latest Additions to Ransomware and Data Extortion Leak Sites

Impacted Industries: All

What You Need To Know:

The Adversary Tactics and Intelligence Team builds a weekly picture of encryption and exfiltration-based data extortion activity by monitoring the information published on dark web extortion sites. This information represents victims who the cybercriminals may have successfully attacked but opted not to negotiate or pay a ransom. However, we can not confirm the validity of the cybercriminals’ claims. Over the past week, monitored threat groups added 25 victims to their leak sites. Of those listed, ten are US based, and the UK had four victims. The most popular industries were manufacturing, with seven, and finance and insurance, with four victims listed.


Exploited Vulnerabilities

CISA Adds CVE-2022-41080 & CVE-2023-21674 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on the evidence of active exploitation, CISA has added CVE-2022-41080 & CVE-2023-21674 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Some of the software affected include Microsoft Windows and Exchange. The exploitation of publicly-facing applications is routinely reported as one of the top initial infection vectors by multiple sources. The vulnerabilities added this week could allow a cybercriminal to perform remote code execution (CVE-2022-41080) or escalate privileges (CVE-2022-21674).


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Share

LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog