Welcome to our weekly open-source Cyber Intel Brief! As a premier Managed Detection and Response (MDR) provider, we stand at the forefront of delivering actionable intelligence to keep pace with the ever-evolving threat landscape. This blog post peels back the veil of our weekly briefings reserved for our customers. We aim to arm your organization with essential knowledge, giving you the power to proactively spot and neutralize risks, amplify your security protocols, and shield your financial stability.
This week’s edition shines a light on a spectrum of cyber threats. We’re examining:
- A new campaign targeting cloud infrastructure.
- We look at how a threat actor accessed Outlook emails.
- The re-emergence of RedCurl.
- An incident involving Noberus ransomware.
- The latest additions to dark web data leak sites.
- The newest entries in CISA’s Known Exploited Vulnerabilities Catalog.
Understanding these threats and taking action on our suggested mitigation strategies will prepare you to bolster your organization’s defenses.
Dive in with us, and unearth strategies to harden your defenses against these threats. By adopting our recommendations, you’ll safeguard your organization’s critical assets and foster a sense of security in this ever-changing and unpredictable threat landscape. The first step in a resilient cybersecurity program is staying abreast of the threat landscape and forecasting and defending against the latest threats before they take shape. Join us as we explore the latest cyber threats, gather insights, and equip your organization with actionable intelligence. Let’s begin this journey of foresight and prevention together!
This Week’s Source Material
- AquaSec: Part 1 Anatomy of Silentbob’s Cloud Attack
- AquaSec Part 2: TeamTNT Reemerged with New Aggressive Cloud Campaign
- SentinelOne: AWS-Targeting Cred Stealer Expands to Azure, GCP
- Permiso: Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
- Microsoft Threat Intelligence: Analysis of Storm-0558 techniques for unauthorized email access
- CISA: Enhanced Monitoring to Detect APT Activity Targeting Outlook Online
- EclecticIQ: Spear Phishing Campaign Targets Zimbra Webmail Portals of Government Organizations
- F.A.C.C.T.: Curls become familiar: cyberspies from RedCurl attacked the bank on behalf of the popular marketplace (https://www.facct[.]ru/blog/redcurl-2023/ [Russian])
- Symantec: FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
- Latest Additions to Dark Web Data Leak Sites
- CISA Adds 4 CVEs to its Known Exploited Vulnerabilities Catalog
Is Your Cloud Infrastructure Under Siege? Here’s What You Need to Know
The allure of cloud computing has become undeniable as organizations across industries embrace its myriad benefits. From fostering innovation to driving cost efficiencies, the cloud is transforming how businesses operate. However, it also opens up a new world of security threats. One that demands our immediate attention is a multi-cloud threat campaign that targets leading cloud services, including AWS, Azure, and Google Cloud Platform (GCP).
Unveiling a Multi-Cloud Threat Campaign
Recently, a comprehensive analysis unveiled a nefarious campaign targeting cloud infrastructure, potentially orchestrated by the group known as TeamTNT. Based on the analysis from four recent blog posts, the threat actors primarily focus on various cloud services to gain initial access, deploying malicious scripts for credential harvesting and cryptomining.
This campaign isn’t just a fly-by-night operation; it exhibits a high level of technical knowledge and adaptability, with the broadening of the attack surface and evolving tactics presenting a severe risk to organizations. Unauthorized access to cloud environments can lead to credential theft and substantial resource consumption through cryptominers, potentially disrupting services and impacting business operations.
Implications for Your Business
What makes this threat particularly concerning is that it puts your cloud environments and the sensitive data stored within them at high risk. With the threat actors continuing to evolve their methods to stay ahead of security measures, the future could see them targeting other popular cloud platforms and incorporating the exploitation of vulnerabilities.
No organization, irrespective of its industry, is exempt from this threat. It’s time for all of us to recognize the implications of these growing threats and work toward fortifying our defenses.
Next Steps for Your Organization
To counter this threat, it’s critical to implement a multi-layered security strategy. This includes setting robust security configurations, conducting continuous monitoring for unusual activity, and engaging in regular security training for your staff. In this cybersecurity arms race, the ability to anticipate and adapt to these changing threats will set the winners apart.
Securing Your Digital Frontiers: The Urgency of Guarding Against Cyber Espionage
In the high-stakes world of cybersecurity, the landscape is constantly evolving, pushing organizations to stay on their toes. Storm-0558, a China-based entity known for its technical prowess and operational security, is one threat actor making headlines. The actor has been linked to a cyber-espionage campaign that leverages acquired Microsoft account consumer signing keys to gain unauthorized access to Azure AD enterprise.
Unmasking the Tactics of Storm-0558
Our in-depth analysis of Storm-0558’s tactics, techniques, and procedures (TTPs) reveals a malicious campaign targeting various industries and organizations. The actor forges authentication tokens, focusing on accessing and exfiltrating email data from targeted users.
Storm-0558’s tradecraft demonstrates a deep understanding of the target’s environment, logging policies, and authentication requirements. Its sophisticated approach includes gaining access to the Outlook Web Access (OWA) API, retrieving a token for Exchange Online, and using these tokens to access mail messages.
The Threat Radar: Who is at Risk?
The implications of this threat actor’s activities are far-reaching, particularly for US and European diplomatic, economic, and legislative governing bodies, individuals connected to Taiwan and Uyghur geopolitical interests, media companies, think tanks, and telecommunications equipment and service providers. The likelihood of these entities being affected by Storm-0558’s activities is moderate to high.
Looking ahead, Storm-0558 is likely to focus on cloud-based systems, telecommunications networks, and government systems. The actors may exploit vulnerabilities in these systems to gain unauthorized access, disrupt operations, or steal sensitive data.
Your Next Steps: Fortifying Defenses
Given this landscape, organizations must adopt a proactive stance and deploy comprehensive mitigation strategies. These include separating administrator accounts from user accounts, enhancing logging, and hardening cloud environments.
Preventing Email Exploitation: Is Your Organization Prepared for Spear Phishing Attacks?
The world of cyber threats has taken a new turn, with spear phishing campaigns becoming more focused and sophisticated. These threats are primarily targeted at government organizations, think tanks, research centers, and educational institutions, exploiting vulnerabilities in widely used email servers like Zimbra and Roundcube.
Unmasking the Threat
According to a comprehensive analysis from EclecticIQ, threat actors have been actively exploiting vulnerabilities in Zimbra and Roundcube email servers since January 2023. These servers, belonging to entities in Ukraine, Spain, Indonesia, and France, have been compromised and used to send spear phishing emails. The end game? Stealing email credentials, most likely for cyber espionage purposes.
Who’s at Risk?
The likelihood of organizations being affected by this threat is high, especially if they are using Zimbra and Roundcube email servers in public administration, think tanks, research centers, and educational institutions. The critical assets at risk include the email servers and the users’ email credentials. This could potentially lead to the theft of sensitive data, a significant concern for all organizations.
What’s Next?
Given the success of this spear phishing campaign, the threat actors are likely to continue to target similar organizations using Zimbra and Roundcube email servers. They might also seek to exploit other vulnerabilities in these or other email servers and use similar services that can be abused for collecting stolen credentials.
How Can You Protect Your Organization?
To counter the identified threat actor’s behavior and techniques, organizations must take immediate mitigation actions, such as patching and updating software and systems, implementing two-factor authentication (2FA), and educating users about the risks of spear phishing.
Deciphering RedCurl’s Cyber Espionage Tactics: Is Your Business Prepared?
The increasingly intricate world of corporate cyber espionage is a significant threat, particularly for businesses operating in the Financial Services; Professional, Scientific, and Technical Services; and Information industries. Among the myriad threat actors, RedCurl has been stepping up, calling for urgent and effective countermeasures to protect sensitive data.
Decoding RedCurl’s Tactics
First discovered in 2020, RedCurl specializes in corporate espionage, employing sophisticated spear phishing campaigns and advanced malware. They’ve shown a knack for deception, sending phishing emails disguised as HR departments and hiding malicious links within innocent-looking emails related to employee benefits.
Two recent intrusions in November 2022 and May 2023 highlight this group’s evolving tactics, techniques, and procedures (TTPs). RedCurl targeted third-party suppliers to infect shared network drives with malware, with a clear objective: access and exfiltrate sensitive data.
Evaluating the Threat
RedCurl poses a substantial threat to any organization with valuable commercial data. The damage goes beyond data theft; a successful RedCurl attack can lead to reputational damage, financial loss, and a breach of trust with clients, customers, and employees. Moreover, such attacks could potentially disrupt business operations and result in resource-intensive incident response and investigations.
As we consider RedCurl’s continuous improvement in techniques and tools, we can anticipate further enhancements in their phishing strategies, more sophisticated malware, and innovative ways to evade detection.
Prioritizing Protection
To protect your organization from RedCurl, robust email security, advanced endpoint detection, and regular employee training on cybersecurity are crucial.
Riding the Cyber Storm: Decoding the Revamped Tactics of Syssphinx (FIN8)
Today, hospitality, retail, entertainment, insurance, technology, chemicals, and finance industries face a heightened threat landscape. Syssphinx (FIN8), a cybercrime group known for its financially driven cyber-espionage activities, has made a disturbing shift in their modus operandi. As analyzed by Symantec, the group is now deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware, indicating a diversification in their focus to extract maximum profits from compromised organizations.
Deciphering Syssphinx’s Modus Operandi
The group has shown a tendency to experiment, using various ransomware families in their attacks, including Ragnar Locker, White Rabbit, and Noberus. This suggests they are continuously testing and adopting new tools to increase the success rate of their attacks and evade detection.
Syssphinx’s shift from point-of-sale attacks to ransomware deployment represents a strategic move to increase profits. As such, any organization with valuable data can potentially fall into their crosshairs. The threat posed by Syssphinx is high and evolving, making it a matter of utmost importance for organizations to review their cyber defenses.
Bolstering Your Cyber Defense
In the face of this increasing threat, organizations must implement robust endpoint protection, enhance email security measures, educate employees about phishing risks, and maintain strong access controls. Regularly backing up sensitive data is another key step toward ensuring business continuity in the face of a ransomware attack.
The Rising Tide of Data Leaks: Protect Your Organization Now
Data is the new oil in the digital age – an invaluable asset that drives your business and innovation. However, the ever-increasing value of data has not gone unnoticed by cybercriminals. Data breaches and leaks are becoming increasingly common, leaving organizations across various sectors scrambling to protect sensitive information.
The Latest on Data Leak Sites
Over the past week, monitored data extortion and ransomware threat groups added 83 victims to their data leak sites, with the majority of these being based in the US. The manufacturing industry was hit the hardest, with 20 victims and 11 victims in the Information sector. There were nine in the Professional, Scientific, and Technical Services and seven in Health Care and Social Assistance, Administrative and Support, and Waste Management and Remediation Services.
This paints a sobering picture, underscoring the need for robust cybersecurity measures. It’s worth noting that this data represents victims who may have been successfully compromised by cybercriminals but have chosen not to negotiate or pay a ransom. However, the validity of these claims made by cybercriminals remains unconfirmed.
Protecting Your Data: An Imperative
Securing your data in this daunting threat landscape should be a top priority. In addition to industry compliance and regulatory requirements, protecting your data is critical for maintaining customer trust and brand reputation.
Act Now: CISA Adds Four New Vulnerabilities to Exploited Vulnerabilities Catalog
Keeping your organization safe in today’s interconnected digital landscape requires constant vigilance. Cybercriminals are discovering and exploiting new vulnerabilities every day, and staying ahead of these threats is a monumental task. That’s why the updates from the Cybersecurity and Infrastructure Security Agency (CISA) are essential in our ongoing efforts to defend against these cyber threats.
Unveiling the Threat
CISA added four new Common Vulnerabilities and Exposures (CVEs) to its Known Exploited Vulnerabilities Catalog in the past week. These include vulnerabilities in products from vendors such as Citrix, Microsoft, SolarView, and Apple. These weaknesses could allow for code execution or command injection, giving cybercriminals potential control over your systems and sensitive data.
The CVE identifiers assigned to these vulnerabilities are CVE-2022-29303, CVE-2023-37450, CVE-2023-36884, and CVE-2023-3519. CISA has set a due date for addressing these vulnerabilities from August 3rd to August 9th, 2023.
Mitigation is Key
Given the potential impact of these vulnerabilities, your organization must act swiftly and apply the necessary updates or follow vendor instructions to mitigate these risks.
Let’s Secure Your Organization’s Future Together
At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from threats such as Storm-0558 and RedCurl.
Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.
Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your digital frontier.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Share