Cyber Intel Brief: June 2 – 8, 2022
By Eric Ford,
APT LuoYu’s WinDealer Malware Now Can Conduct Man-on-the-Side Attacks
- Kaspersky published an analysis on the newest capability of APT group LuoYu’s WinDealer malware – a man-on-the-side-attack (where a threat actor sees a request for a specific resource on the network and attempts to reply to the request faster than the legitimate server). LuoYu currently targets foreign diplomatic organizations, the academic community, and companies from the defense, logistics and telecommunications sectors in China.
- Observation of this activity may be possible by monitoring for traffic relating to hxxp://www.baidu[.]com/status/windowsupdatedmq.exe or http://www[.]microsoftcom/status/getsign.asp.
Mitigation recommendations include employing an anti-virus or EDR solution that can automatically quarantine suspicious files, and where possible, only permit the execution of signed scripts. When PowerShell is necessary, restrict PowerShell execution policy to administrators, and employ script blocking extensions that can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
New Malware Discovered Being Spread via Malicious Office Documents
- HP has observed malicious Office Word documents using shellcode to drop SVCReady, a previously unknown malware family, in phishing campaigns since the end of April 2022. SVCReady can download and run a file, take a screenshot, run a shell command, check if it is running in a virtual machine, collect system information, and establish persistence through the creation of a scheduled task.
- Observation of this activity may be possible by monitoring for a copy of rundll32.exe in %Temp% or Roaming directory (note that it may be renamed).
Mitigations and recommendations include incorporating the TTPs outlined in the report in your phishing awareness training and simulation exercise program, employing an anti-virus or EDR solution that can automatically quarantine suspicious files and a Secure Email Gateway (SEG) protection solution that can detect malicious attachments, and script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
The Reverse Text Phishing Attack
- Avanan recently observed threat actors employing reverse text to security solutions and regular text to recipients in phishing emails. This technique can bypass certain email security solutions, as they will perceive the email as legitimate because the natural language processing cannot read the gibberish text.
- Mitigation recommendations include incorporating the reverse text technique outlined in this report in your phishing awareness training and simulation exercise program, using anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM), and employing a web filtering protection solutions that could detect and block URLs that redirect to malicious phishing landing pages.
Due to the potential for success with bypassing email security solutions, customers may receive phishing emails that employ the reverse text technique. However, without knowing the specific victimology, i.e. was this a mass phishing campaign or more targeted to a specific organization or sector, the Threat Intel Team can not provide a more accurate estimate. Therefore, out of an abundance of caution, all customers should implement the recommended mitigations in their response to this threat.
Multi-day Attack Leads to Data Exfiltration After Exploitation of a Vulnerability in ManageEngine SupportCenter Plus
- A threat actor gained initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus (CVE-2021-44077) in a recent attack, according to DFIR Report. The threat actor used a web shell to identify files on the server and dump credentials, then used Plink and RDP to move laterally to important servers and exfiltrate sensitive information.
- Observation of this activity may be possible by monitoring for exploitation of ManageEngine (CVE-2021-44077) from a Tor Exit Node followed by the execution of a webshell extractor matching the name msiexec.exe.
Mitigations and recommendations include identifying all Zoho software and making sure the latest patches/upgrades are installed, assessing the business need and risk associated with any internet-facing Zoho products, and, lastly, reviewing all files created in ServiceDesk Plus directories since early October 2021. Additionally, employing an anti-virus or EDR solution that can automatically quarantine suspicious files; where possible, only permit the execution of signed scripts; when PowerShell is necessary, restrict PowerShell execution policy to administrators; and employing script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.
UNC2165 (EvilCorp) Threat Group Shifts to Lockbit Ransomware to Evade Sanctions
- Mandiant assessed with high confidence that UNC2165, a financially motivated threat actor, has shifted away from using exclusive ransomware variants to Lockbit in their operations, likely to hinder attribution efforts in order to evade sanctions. This assessment is based on Mandiant’s investigation into numerous Lockbit ransomware operations where they observed UNC2165’s overlap with Evil Corp.
- Observation of this activity may be possible by monitoring for the creation of local users and adding them to local admin/RDP groups.
Mitigations and recommendations include ensuring employees are aware that all software update communications and actions will be coordinated by the organizational IT department, employing script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process, employing best practices for use of RDP and other remote desktop services, ensuring antivirus and anti-malware software and signatures are up to date, and deploying a multi-factor authentication solution for all services, especially for webmail, virtual private networks, and accounts that access critical systems.
VexTrio DDGA Domains Spread Adware, Spyware, and Scam Web Forms
- Infoblox’s Threat Intelligence Group has been tracking malicious campaigns that compromised vulnerable WordPress websites and redirected visitors through intermediary domains to land on a site that uses an algorithm to generate the domain name, and that runs scams and spreads riskware, spyware, adware, potentially unwanted programs, and pornographic content.
CISA Adds 37 Vulnerabilities to the Known Exploited Vulnerabilities Catalog
- CISA has added 37 vulnerabilities to its Known Exploited Vulnerabilities Catalog based on the vulnerabilities that have been assigned a CVE identifier, indicating reliable evidence that the vulnerability has been or is currently under active exploitation and that there is clear remediation guidance.
- Among the products with the most vulnerabilities listed include Adobe Acrobat and Reader, Google Chromium V8, Microsoft Office, and QNAP Photo Station.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog as part of their vulnerability management process.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.