Cyber Intel Brief: July 06 – 12, 2023

Welcome to our weekly open-source Cyber Intel Brief! As a premier Managed Detection and Response (MDR) provider, we stand at the forefront of delivering actionable intelligence to keep pace with the ever-evolving threat landscape. This blog post peels back the veil of our weekly briefings reserved for our customers. We aim to arm your organization with essential knowledge, giving you the power to proactively spot and neutralize risks, amplify your security protocols, and shield your financial stability.

This week’s edition shines a light on a range of cyber threats. We’re examining several threat actors, including TA453’s cyber espionage campaign, Storm-0978’s exploitation of a Microsoft vulnerability in its cyber espionage campaign, and Kimsuky’s abuse of Chrome Remote Desktop. We also cover the discovery of a new trojan dubbed TOITOIN, share our analysis of the last 6 months of dark web data leak site listings, and acquaint you with the latest entries in CISA’s Known Exploited Vulnerabilities Catalog. Understanding these threats and taking action on our suggested mitigation strategies will prepare you to bolster your organization’s defenses.

Dive in with us, and unearth strategies to harden your defenses against these threats. By adopting our recommendations, you’ll safeguard your organization’s critical assets and foster a sense of security in this ever-changing and unpredictable threat landscape. The first step in a resilient cybersecurity program is staying abreast of the threat landscape and forecasting and defending against the latest threats before they take shape. Join us as we explore the latest cyber threats, gather insights, and equip your organization with actionable intelligence. Let’s begin this journey of foresight and prevention together!

This Week’s Source Material

Decode TA453’s Cyber Espionage: Get Ahead of Emerging Cyber Threats

Threat actors like TA453 are evolving tactics, adapting to new operating systems, and becoming more persistent in focusing on targets of strategic geopolitical interest. Let’s take a deep dive into the latest tactics of TA453, its impact, and how your organization can stay one step ahead.

The Emerging Threat of TA453

Sourced from an exclusive report by Proofpoint, TA453 has been observed deploying novel file types and targeting Mac users, a move away from the traditional targets of Windows-based systems. The group has replaced the common tactic of Microsoft Word documents with macros with LNK infection chains, demonstrating an alarming versatility and adaptability.

The risk posed by TA453 is considerable, given their state sponsorship and sophisticated tactics. The group is currently honing in on experts in Middle Eastern affairs and nuclear security, indicative of their strategy to gather intelligence that will serve strategic geopolitical interests.

The Intel and Implications

The implications of these activities are potentially far-reaching. TA453’s actions appear to be providing Iran with an advantage in the ongoing Joint Comprehensive Plan of Action (JCPOA) negotiations. This group has the resources to adapt and modify existing malware to target new operating systems, demonstrating a willingness to evolve techniques to increase their success rate and evade detection.

While the focus of TA453 is currently on Middle Eastern affairs and nuclear security, the group’s direction will likely change in response to geopolitical shifts. Once the JCPOA negotiations end, we predict a change in TA453’s focus in line with Iran’s foreign policy initiatives.

Staying Ahead of the Threat

Understanding the evolving landscape of cyber threats is essential in maintaining your organization’s security. Recommended defense strategies include user awareness training, advanced email security solutions, endpoint detection and response (EDR) solutions, and restrictive PowerShell execution policies.

Confronting the Truebot Malware Surge: How to Protect Your Business

In an era of rapidly evolving cybersecurity threats, vigilance is crucial. The Cybersecurity and Infrastructure Security Agency (CISA) recently reported a surge in Truebot malware activity. This dangerous and pervasive malware, also known as Silence.Downloader, has been wreaking havoc, particularly on organizations in the United States and Canada. Today, we delve into the threat posed by Truebot, its risks, impact, and future outlook, and how your organization can stay ahead.

Unmasking the Truebot Threat

Truebot is malware employed by cybercriminal groups such as the CL0P Ransomware threat actors. The malware aims to collect and exfiltrate sensitive data from targeted organizations, leading to significant financial gains for the attackers.

Recently, these cybercriminals have evolved their delivery methods, using a two-pronged attack strategy: phishing emails and exploitation of a remote code execution vulnerability (CVE-2022-31199) in the Netwrix Auditor application.

Risks and Impact of Truebot

The reach of Truebot can be widespread and devastating. Once in a network, it rapidly propagates, executing various malicious activities. These include data exfiltration, deploying post-exploitation tools like FlawedGrace and Cobalt Strike beacons, and spreading ransomware. The resulting operational disruptions, financial losses, and reputational damage can be significant.

Moreover, threat actors behind Truebot show no signs of stopping. They are likely to refine their tactics and explore other vulnerabilities in a relentless pursuit of their objectives.

Outlook and Mitigation Strategies

Given Truebot’s adaptive nature, we anticipate the threat actors will continue to evolve, potentially exploring additional vulnerabilities beyond Netwrix Auditor. However, businesses are not defenseless.

Organizations are advised to implement a range of protective measures to counteract this threat. Regular patching is essential, as is restricting the use of RDP and other remote desktop services. The restriction of PowerShell use via Group Policy can also add an extra layer of security.
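Both the TA453 section and the Truebot section above recommend restricting PowerShell, by execution policy and by Group Policy respectively. The following audit script is added here as an example; it is not part of the brief, CISA’s advisory, or any vendor tooling. It reads the effective execution policy, the standard Group Policy registry locations for PowerShell script execution and logging, and the session’s language mode, then reports which of those controls are missing. The function name Get-PolicyValue and the pass/fail thresholds are this example’s own choices; the registry paths and event IDs are the documented Windows policy locations.

```powershell
# Added example (not from the Deepwatch brief): audit whether a Windows host
# enforces the PowerShell restrictions the brief recommends.
# Assumptions: run in an elevated Windows PowerShell 5.1 session; the policy
# registry paths below are the standard Group Policy locations for the
# "Turn on Script Execution", "Turn on PowerShell Script Block Logging" and
# "Turn on Module Logging" settings.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present -> policy not configured
}

$findings = [ordered]@{}

# 1. Effective execution policy. "Unrestricted"/"Bypass" means any .ps1 runs.
#    Execution policy is a safety rail, not a security boundary (a user who can
#    already run code can bypass it), so it is checked alongside logging,
#    not instead of it.
$findings['EffectiveExecutionPolicy'] = (Get-ExecutionPolicy).ToString()
$findings['GpoExecutionPolicy']       = Get-PolicyValue $policyRoot 'ExecutionPolicy'
$findings['GpoEnableScripts']         = Get-PolicyValue $policyRoot 'EnableScripts'

# 2. Script block logging (event ID 4104) records the de-obfuscated content
#    of every script block, which is what lets a SOC see a PowerShell
#    downloader stage such as the one described for TOITOIN.
$findings['ScriptBlockLogging'] = Get-PolicyValue "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging'

# 3. Module logging (event ID 4103) captures pipeline execution details.
$findings['ModuleLogging'] = Get-PolicyValue "$policyRoot\ModuleLogging" 'EnableModuleLogging'

# 4. Constrained Language Mode, when applied (e.g. via AppLocker or WDAC),
#    limits access to the .NET types that post-exploitation tooling relies on.
$findings['LanguageMode'] = $ExecutionContext.SessionState.LanguageMode.ToString()

# Evaluate the collected settings against the brief's recommendation.
$issues = @()
if ($findings['EffectiveExecutionPolicy'] -in @('Unrestricted', 'Bypass')) {
    $issues += 'Execution policy permits unsigned scripts from any source'
}
if ($findings['ScriptBlockLogging'] -ne 1) { $issues += 'Script block logging is not enforced by policy' }
if ($findings['ModuleLogging'] -ne 1)      { $issues += 'Module logging is not enforced by policy' }
if ($findings['LanguageMode'] -ne 'ConstrainedLanguage') {
    $issues += 'Session runs in FullLanguage mode (Constrained Language Mode not applied)'
}

[pscustomobject]$findings | Format-List
if ($issues.Count -eq 0) { Write-Output 'PASS: PowerShell restrictions and logging are in place' }
else { $issues | ForEach-Object { Write-Output "FINDING: $_" } }
```

A null value for any of the Gpo* entries means the corresponding policy is simply not configured, which is the common state on unmanaged hosts. The LanguageMode finding is expected on administrator workstations where Constrained Language Mode is deliberately not applied; treat it as informational there and as a gap on general user endpoints.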

Navigating the Evolution of Kimsuky: The Rise of Chrome Remote Desktop in Cyber Espionage

In the sophisticated landscape of cyber threats, adaptability is critical – and the North Korean state-sponsored cyber espionage group, Kimsuky, is no exception. Renowned for their sophisticated tactics and relentless approach, the group has recently integrated a new tool into their arsenal: Chrome Remote Desktop. Let’s delve into the implications of this new tactic and explore how your organization can stay a step ahead.

Kimsuky APT Group: An Evolving Threat

An analysis of the Kimsuky APT group’s activities, drawn from a recent blog post by AhnLab, reveals an array of sophisticated tactics. These include spear phishing emails, custom-developed AppleSeed malware, Meterpreter, and their latest addition, Chrome Remote Desktop.

The use of Chrome Remote Desktop demonstrates a strategic evolution in Kimsuky’s approach, giving them enhanced control and access. This tool allows them to execute their objectives, stay undetected, and maintain persistent access to compromised systems.

Implications and Risks for Targeted Industries

The implications of Kimsuky’s recent activities are significant, particularly for organizations within the education, public administration, professional services, and research sectors. Kimsuky’s strategic advancements pose substantial risks of data exfiltration and long-term system exploitation. As Kimsuky consistently refines its tactics and techniques, it’s clear that the group is likely to continue leveraging and evolving these tools, heightening the risk for targeted industries.

Staying Ahead: Mitigation Strategies

To mitigate these evolving risks, organizations must stay vigilant and proactive. Recommendations include:

  • User awareness training.
  • Robust email security measures.
  • Advanced threat protection solutions.
  • Network segmentation.
  • Disabling unnecessary services.

These measures are crucial in forming a robust defense against the Kimsuky APT group.

Countering BlackByte Affiliate Intrusion: A Comprehensive Five-Day Case Study and Security Recommendations

In an era where cyber threats evolve almost as quickly as the technologies they exploit, staying ahead of the curve is paramount. A recent analysis of a Microsoft Incident Response blog post gives us an illustrative case study of a sophisticated BlackByte ransomware attack. This swift and ruthless attack, infiltrating an organization in just five days, emphasizes the urgency for comprehensive, cutting-edge cybersecurity measures.

Inside the Attack: The Sophisticated Threat Actor

The BlackByte affiliate attack displayed an alarming level of sophistication and adaptability. The threat actors exploited ProxyShell vulnerabilities for initial access, used various tools for persistence and lateral movement, and ultimately deployed BlackByte 2.0 ransomware, which is capable of bypassing antivirus software and modifying system settings.

One of the significant factors that made this attack so elusive was the affiliates’ use of legitimate tools and services, such as AnyDesk for remote access and NetScan and AdFind for network reconnaissance. This camouflaging approach helps the malicious activity blend with regular network operations, making detection more challenging.

The Aftermath and Implications

The impact of a BlackByte ransomware attack is far-reaching. The affected organization faced significant operational disruptions, financial loss, and reputational damage. The rapid intrusion timeline, paired with the destructive capabilities of the ransomware, presents an increased risk of successful attacks.

Considering the advanced capabilities of these threat actors, it is highly likely they will continue to adapt and evolve their techniques to outpace defensive measures, implying a continually escalating threat landscape.

Proactive Measures: Recommendations for Robust Security

To combat sophisticated and evolving threats like BlackByte ransomware, organizations must maintain a multi-faceted approach to their cybersecurity measures. Recommendations include:

  • Regular system updates.
  • Limiting the use of scripting languages.
  • Implementing multi-factor authentication.
  • Regular security awareness training.

This combination of proactive measures can greatly enhance an organization’s ability to detect and thwart these attacks.

The TOITOIN Trojan Threat: Proactive Cybersecurity for the Financial Sector

As the global financial sector accelerates its digital transformation, the threat landscape has broadened, inviting increasingly sophisticated cyber threats. One such new and complex multi-stage threat is the TOITOIN Trojan, which has been observed zeroing in on Latin American financial institutions. This insidious Trojan leverages spear-phishing emails for its initial payload delivery and manipulates legitimate system processes to maintain its grip on the compromised system.

The Trojan’s Path: Intrusion and Persistence

The threat actors behind the TOITOIN Trojan use spear-phishing emails as their primary mode of attack. By exploiting human vulnerabilities, they trick victims into downloading an initial payload, setting the stage for the intrusion. Once a system is infiltrated, the Trojan executes a PowerShell script to download additional payloads while also misusing system processes to persist undetected.

These advanced tactics, techniques, and procedures (TTPs) pose a significant risk to the financial sector. The consequences of a successful attack could span significant financial losses, regulatory penalties, and reputational damage for institutions. Individual customers could also be exposed to identity theft, financial loss, and privacy violation.

The adaptive nature of the TOITOIN Trojan’s operators suggests that their TTPs will evolve, increasing the urgency for proactive and adaptive defensive measures.

Protective Measures: Ensuring Robust Cybersecurity

In the face of such sophisticated threats, proactive cybersecurity measures are crucial. Recommendations for mitigating the TOITOIN Trojan threat include:

  • Increasing security awareness training to enhance resilience against spear-phishing attacks
  • Implementing robust email filtering to flag suspicious emails
  • Improving endpoint detection and response (EDR) to identify and halt unauthorized system process exploitation swiftly
  • Enforcing the principle of least privilege (PoLP) to restrict potential system access points for the Trojan

Unveiling Storm-0978: Cyber-Espionage and Its Impact on Geopolitical Landscape

The cyber-espionage arena has always been a sophisticated and fluid environment. One group that has captured the attention of cybersecurity experts is Storm-0978, also known as RomCom. This threat group’s activities, targeting public administration and educational services (specifically those involved in international affairs and global policy-making), have underscored the increasing convergence of cybercrime and geopolitics.

The Method and Objective: Stealth and Influence

Storm-0978 exhibits a blend of advanced social engineering skills and high technical capability. They leverage spear-phishing emails with links to malicious Word documents for initial access, exploiting the remote code execution vulnerability (CVE-2023-36884) even before Microsoft was aware of it. The group’s objective is not merely to siphon off sensitive intelligence but to disrupt geopolitical dialogues, specifically Ukraine’s NATO membership discussions.

The Potential Impact: Data Breach and Geopolitical Instability

Storm-0978’s activities bear significant implications, primarily the risk of substantial data breaches. This risk is not limited to the leakage of sensitive information but extends to the potential for geopolitical instability. The targeted organizations – especially those instrumental in international affairs and global policy-making – stand on the brink of these risks.

The Mitigation: Proactive Defense Measures

Given Storm-0978’s advanced TTPs, organizations need to elevate their cybersecurity posture. Some recommended countermeasures include:

  • Enhancing email security measures to filter out malicious content
  • Implementing multi-factor authentication to secure access points
  • Regular system patching to mitigate vulnerabilities
  • Training staff to recognize and report phishing attempts

Unmasking the Cyber Threat Landscape: Data Leak Sites – A 6-Month Analysis

Data leaks and ransomware attacks are unfortunate for many industries in today’s digital world. A comprehensive understanding of these cyber threats is the first step toward effective cybersecurity measures. Let’s look at our findings from our analysis of data leak and ransomware sites over the past six months.

The Top Targets: Manufacturing, Professional Services, and Finance

Our analysis reveals that the manufacturing industry experienced the highest number of data leak incidents, accounting for 22.83% of all incidents. Professional, scientific, and technical services (13.82%) and finance and insurance (8.81%) followed. What is the reasoning behind this trend? Ransomware affiliates and operators likely perceive these sectors as both needing to restore operations quickly and being capable of meeting ransom demands, which promises a quick payoff and exposes victims to reputational damage or regulatory fines.

The Perpetrators: Lockbit, CL0P, and ALPHV

Among the array of ransomware groups, Lockbit stood out as the most prevalent, accounting for 30% of total incidents. CL0P, ALPHV, BlackBasta, and Royal completed the top five, responsible for 76% of listings.

These groups primarily targeted victims in the manufacturing industry, with Lockbit, ALPHV, and BlackBasta directing 27%, 22%, and 35% of their attacks, respectively, in this sector. Royal also listed manufacturing as its top industry target. CL0P, on the other hand, showed a distinct focus on the finance and insurance industry.

Geographic Distribution: The United States on Top

Geographically, the United States was the most targeted country, with 52% of all listings originating from there. France, Canada, Germany, Italy, and the United Kingdom were also recurrently listed.

Strengthening Cybersecurity Across Industries

Our analysis underscores the importance of robust cybersecurity measures, particularly in the manufacturing, professional services, and finance sectors. However, industries with fewer incidents should not disregard the threat. Cybersecurity is no longer an optional luxury but an essential component of business operations across all sectors.

CISA Adds 5 CVEs to its Known Exploited Vulnerabilities Catalog

In the dynamic landscape of cybersecurity, staying informed is key to safeguarding your business. The Cybersecurity & Infrastructure Security Agency (CISA) frequently updates its Known Exploited Vulnerabilities Catalog, providing essential insights for industries across the board. On June 11, CISA added five new Common Vulnerabilities and Exposures (CVEs) to its catalog, all of which are critical to address. This blog post explores these vulnerabilities and offers insights on how Deepwatch can help you respond effectively.

The New CVEs: What’s at Risk?

These five vulnerabilities affect widely used products from Microsoft and Netwrix. They range from privilege escalation in Microsoft’s Windows MSHTML Platform and Windows Error Reporting Service to security feature bypasses in Windows Defender SmartScreen and Microsoft Outlook. For Netwrix, the Auditor User Activity Video Recording component carries an insecure object deserialization vulnerability.

The implication? Potential unauthorized access, bypass of security measures, and unauthenticated code execution. In other words, these vulnerabilities provide opportunities for attackers to gain illicit access to your systems and data, an unacceptable risk in any business setting.

The CISA Due Date: What You Need to Do

CISA has recommended that these vulnerabilities be addressed by August 1, 2023. This timeline isn’t just a suggestion—it’s a crucial deadline for protecting your business. If left unattended, these vulnerabilities could become the open-door attackers need to infiltrate your systems.

Let’s Secure Your Organization’s Future Together

At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from threats such as the exploitation of Telerik UI.

Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.

Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your digital frontier.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
