Cyber Intel Brief: June 14 – 21, 2023

In the ever-shifting arena of cyber threats, organizations find themselves in a perpetual cat-and-mouse game with cybercriminals and harmful actors. The gravity of active network surveillance and cyber defense strategies is undeniable, serving as the shield against loss of confidential data, operational disruptions, and potential harm to your organization’s standing.

As a leader in Managed Detection and Response (MDR), we acknowledge the essential need for actionable intelligence to counter emerging threats. This blog post provides an inside look at our weekly Cyber Intel Brief exclusive to our customers. Our objective is to arm your organization with this indispensable knowledge, enabling you to proactively identify and curb risks, reinforce your security mechanisms, and safeguard your financial stability.

In this edition, we spotlight an assortment of cyber threats, including the discovery of a new infostealer, Skuld Infostealer, the Lace Tempest, and Storm-1167 threat groups, alongside the latest updates on dark web data leak sites and the latest entries in CISA’s Known Exploited Vulnerabilities Catalog. By understanding these threats and implementing the recommended mitigation strategies, you’ll be well-positioned to reinforce your organization’s defenses.

We welcome you to continue reading and uncover strategies to fortify your defenses against these escalating threats. By implementing the strategies and recommendations outlined, you can secure your organization’s vital assets and attain tranquility in this dynamic and uncertain threat environment.

Remember, a powerful cybersecurity approach isn’t just about reacting but predicting and preventing them before they occur. Let’s dive into the most recent cyber threats, gather invaluable insights, and arm your organization with actionable intelligence.

This Week’s Source Material

  • Bitdefender’s blog post concerning the discovery of RDStealer.
  • Mandiant’s blog post regarding a Chinese state-sponsored actor, UNC3886, exploiting a VMware ESXi zero-day vulnerability.
  • Mandiant’s blog post regarding a Chinese state-sponsored actor, UNC4841, exploiting a zero-day vulnerability in Barracuda Email Security Gateway appliances.
  • Microsoft Threat Intelligence’s blog post concerning the promotion of DEV-0586 to the named actor Cadet Blizzard.
  • A joint Cybersecurity Advisory concerning multiple threat actors who exploited vulnerabilities in Telerik UI on Microsoft IIS servers within US Government agencies.
  • Latest Additions to Dark Web Data Leak Sites

Battling the Beast: RDStealer – Your Guide to Protecting RDP Workloads

Targeted Industries: Information; Potential for all

Suspected Chinese state-sponsored threat actors deployed an advanced info-stealing malware, RDStealer, to attack remote desktop protocol (RDP) workloads. This sophisticated actor has shown enormous technical knowledge and resources. One known target is an organization in the Information sector operating in the East Asia region, posing a substantial risk to any organization heavily dependent on RDP.

RDStealer: The Advanced Info-Stealer

RDStealer displays alarming capabilities. It employs a complex DLL sideloading chain, exploits the Client Drive Mapping (CDM) feature in RDP workloads, and deploys the Logutil backdoor. This allows the threat actor a persistent network presence and the ability to exfiltrate data stealthily.

The malware is suspected of having its roots in China, aligning with interests common to threat actors based in the region and pointing towards a potential state-sponsored cyber espionage operation. But the repercussions of RDStealer’s activities aren’t limited to the Information sector. Organizations across the board, especially those heavily reliant on RDP for remote work, face a significant risk.

RDStealer’s capabilities lead to the theft of credentials, private keys, and intellectual property. It maintains a persistent network presence, enabling advanced data exfiltration and challenges detection and mitigation.

The potential for prolonged, undetected intrusion could disrupt organizations’ operations, leading to significant financial losses. Businesses that depend on RDP with CDM enabled need to be especially vigilant as they could be in the crosshairs of RDStealer’s relentless activities.

Safeguarding Your RDP Workloads

While the threat is formidable, it’s not undefeatable. Timely action can significantly mitigate the risk.

  1. Evaluate RDP Features: Limit your RDP features to what is necessary for your operation, minimizing potential points of exploitation.
  2. Secure RDP Configurations: Maintain strong, secure configurations for your RDP services to avoid leaving any openings for threat actors.
  3. Regular Software Updates: Ensure your systems are regularly updated. Many successful attacks exploit known vulnerabilities that patches would have fixed.
  4. Employee Training: Invest in regular cybersecurity training for your employees. Human error is a significant factor in many cyberattacks, and informed employees are your first line of defense.

Given the evolution and persistence of threats like RDStealer, organizations must be prepared for an ongoing battle against these info-stealers. Taking a proactive stance against these threats is the best way to protect your valuable digital assets.

RDStealer is just a fragment of the larger cybersecurity landscape that organizations today must navigate. Stay ahead of the curve and protect your business from such advanced info-stealers by implementing robust cybersecurity measures and instilling a culture of cyber vigilance.

Navigating the Cyber Threat Landscape: Decoding UNC3886, UNC4841, and Cadet Blizzard

Targeted Industries: Public Administration and Education Services, Professional, Scientific, and Technical Services, Information and Manufacturing

Today, we’re shining a light on three state-sponsored threat actors – UNC3886, UNC4841, and Cadet Blizzard – posing significant threats across multiple industries.

The Chinese Threat: UNC3886 and UNC4841

UNC3886 and UNC4841, originating from China, are showing high sophistication and capabilities, using advanced tactics, techniques, and procedures (TTPs) to target specific industries for espionage.

UNC3886 – Exploiting VMware ESXi Zero-Day

UNC3886 exploited a zero-day vulnerability in VMware’s ESXi platform. The primary targets are defense, technology, and telecommunications organizations within the US and Asia-Pacific region. Potential impacts include unauthorized system access, compromised proprietary information, data breaches, and operational disruptions.

UNC4841 – Global Espionage Campaign

UNC4841’s global espionage campaign has taken a more pointed approach. Government entities, foreign trade offices, academic research organizations, and entities of political or strategic interest to China face the highest risk.

In both cases, proactive mitigation actions are crucial, including evaluating your systems, prioritizing patching within the normal business cycle, and replacing impacted Barracuda ESG appliances.

The Russian Threat: Cadet Blizzard

State-sponsored Russian threat actor Cadet Blizzard has emerged as a significant player in the cyber threat landscape. Primarily targeting Public Administration and Utilities sectors, Cadet Blizzard poses a high risk, particularly to those associated with critical infrastructure.

With advanced TTPs, this group has demonstrated adaptability and proficiency in evading detection. Risks include data breaches, disruption of critical infrastructure, and potential national security implications.

Immediate action is advised to mitigate these risks for organizations considered highly valuable to Russian national interest, including prioritizing patching vulnerabilities that allow actors to escalate privileges, execute arbitrary code, or impersonate other entities within a system or network.

Cybersecurity is a Necessity, Not a Luxury

With state-sponsored threat actors like UNC3886, UNC4841, and Cadet Blizzard in play, it’s more important than ever to stay informed and proactive. Your first step should be understanding the threats and their potential impact on your organization. From there, taking action to mitigate the risks is crucial.

If you’re unsure about your organization’s security posture or require expert assistance, Deepwatch is here to help. Our dedicated team of cybersecurity professionals is well-versed in helping organizations like yours navigate the intricate world of cyber threats.

Don’t leave your organization’s safety to chance. Contact us today to discuss how we can help strengthen your defenses and prepare for the unpredictable world of cyber threats. Together, we can build a more secure future.

Stay One Step Ahead With Our Data Leak Site Analysis

Data Extortion: An Ongoing Threat

Monitored data extortion and ransomware groups are persistent and increasingly brazen in their attempts to compromise and exploit sensitive organizational data. Over the past week, an unsettling total of 90 victims were added to their leak sites, 56 of which are based in the US.

The sectors most affected were manufacturing, with 23 victims, closely followed by finance and insurance, with 22 victims; educational services, with nine victims; and professional, scientific, and technical services and information, each with six victims.

It’s important to note that these figures represent organizations that may have been successfully compromised yet chose not to negotiate or pay a ransom. The cybercriminals’ claims, while intimidating, cannot be independently confirmed in every case.

Outsmarting the Cyber Threats

Despite the threats posed by data leak sites, there are steps your organization can take to mitigate the risks. A robust defensive posture includes:

  • Regular security assessments.
  • Maintaining up-to-date software.
  • Using strong, unique passwords.
  • Implementing multi-factor authentication.
  • A robust backup and recovery plan in place.

Deepwatch: Your Partner in Cybersecurity

At Deepwatch, we understand the challenges your organization faces in maintaining the security of its data. Our mission is to help you navigate these complex threats and safeguard your invaluable digital assets.

Our cybersecurity experts can work with you to assess your current security posture, identify potential vulnerabilities, and implement a robust, tailored strategy that aligns with your business needs. With our support, you can minimize the risk of falling victim to data leak sites and other cyber threats.

Don’t wait until you’re on the back foot. Contact us today, and let’s ensure your organization is proactively protected from the ever-evolving world of cyber threats.

Safeguarding Your Digital Fortress: Protecting Against Telerik UI Exploitation

Targeted Industries: Public Information; Potential for all

Staying one step ahead is more than a goal – it’s necessary. The recent exploitation of Telerik UI on US Government IIS servers is a stark reminder. While the Public Administration sector is primarily at risk, every organization should take note. Today, we dive deep into the analysis of this threat and share proactive strategies you can implement right now to protect your digital assets.

The Telerik UI Exploits: Unpacking the Threat

Recently, threat actors have exploited the Telerik UI for ASP.NET AJAX, focusing their attacks on US Government IIS servers. The potential consequences of these actions are severe, leading to unauthorized system access, data theft, compromised delivery of critical services, reputational damage, and legal repercussions.

The threat actors exploited two specific vulnerabilities – CVE-2017-9248 and CVE-2019-18935 – to infiltrate systems. By uploading and executing malicious DLL files, they gained unauthorized access, likely for cyber espionage purposes. Even more alarming, vulnerability scanners failed to detect these threats due to unconventional installation paths.

These actions represent a substantial risk, particularly for the Public Administration sector and organizations holding government contracts. Furthermore, there is a likelihood that these actors will continue to focus their efforts on targeting the Telerik UI for ASP.NET AJAX, using similar tactics, techniques, and procedures (TTPs) in future campaigns.

Proactive Mitigation: Your Best Defense

The most effective approach to combating threats like the Telerik UI exploits is a proactive one.

First, enforce multi-factor authentication across your systems. This simple step adds an extra layer of security, making it significantly harder for threat actors to gain unauthorized access.

Second, evaluate user permissions. Only necessary users should have administrative rights, and these should be regularly audited to ensure no unnecessary access exists.Third, limit public internet exposure to necessary assets. Any digital asset that can be accessed from the internet can potentially be exploited.

Let’s Secure Your Organization’s Future Together

At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from threats such as the exploitation of Telerik UI.

Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.

Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your digital frontier.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog