Cyber Intel Brief: June 29 – July 05, 2023

Welcome to our weekly open-source Cyber Intel Brief! As a premier Managed Detection and Response (MDR) provider, we stand at the forefront of delivering actionable intelligence to keep pace with the ever-evolving threat landscape. This blog post peels back the veil of our weekly briefings reserved for our customers. We aim to arm your organization with essential knowledge, giving you the power to proactively spot and neutralize risks, amplify your security protocols, and shield your financial stability.

This week’s edition shines a light on a spectrum of cyber threats. We’re examining crypters—programs that encode and disguise malware—linking several ransomware families to the now-dismantled Conti group. The discovery of malware exploiting DNS TXT records for execution and a new publicly released tool for sending phishing messages to Microsoft Teams users. Stay up to date on dark web data leak sites with our analysis and acquaint yourself with the newest entries in CISA’s Known Exploited Vulnerabilities Catalog. Understanding these threats and taking action on our suggested mitigation strategies will prepare you to bolster your organization’s defenses.

Dive in with us, and unearth strategies to harden your defenses against these threats. By adopting our recommendations, you’ll safeguard your organization’s critical assets and foster a sense of security in this ever-changing and unpredictable threat landscape. The first step in a resilient cybersecurity program is staying abreast of the threat landscape and forecasting and defending against the latest threats before they take shape. Join us as we explore the latest cyber threats, gather insights, and equip your organization with actionable intelligence. Let’s begin this journey of foresight and prevention together!

This Week’s Source Material

  • IBM Security X-Force’s blog post detailing the crypters that tie several ransomware families together.
  • Uptycs’ blog post regarding their analysis of Meduza Stealer.
  • Deep Instinct’s blog post detailing their analysis of the Iranian group MuddyWater and its Command and Control (C2) framework, PhonyC2.
  • AhnLab blog post concerning the discovery of malware being executed through DNS TXT records.
  • The public release of a tool that facilitates sending phishing messages to Microsoft Teams users on GitHub.
  • CISA Adds10 CVEs to its Known Exploited Vulnerabilities Catalog
  • Latest Additions to Dark Web Data Leak Sites

From Conti to Quantum, Royal, Zeon, and BlackBasta: The Shared Crypter Threat

Targeted Industries: All

With the shutdown of the infamous Conti ransomware group, new entities such as Quantum, Royal, Zeon, and BlackBasta have emerged, perpetuating the significant cyber risks that organizations across the globe face daily. But what ties these seemingly disparate threat actors together, and how can you fortify your organization’s defenses?

The Legacy of Conti Lives On

The ties that bind these groups originate from their shared past – the Conti ransomware group, or ITG23. IBM Security X-Force has found that these emerging groups continue to use several crypters originally developed by Conti. These crypters encrypt malware, allowing the threat groups to evade antivirus scanners and analysis, thereby increasing the risk of successful cyber attacks.

Even more damning, previous research has traced Bitcoin wallets connected to Royal, Quantum, and Karakurt back to the former Conti ransomware head, Stern. The conclusion? These new groups are not new after all, but offshoots of the notorious Conti, perpetuating its infamous legacy.

The Continued Threat of Conti-affiliated Actors

The ongoing risk from Conti-affiliated groups is severe. Their evolved tactics and adaptability can result in potential data breaches, financial loss, disruption of services, and potential regulatory implications. The fact that these groups consistently evolve their crypters and associated tactics indicates an ongoing threat.

Defending Against Crypter Threats: A Call to Action

To effectively combat the risk posed by these crypters and their associated threat groups, your organization needs to take a proactive, multi-faceted approach:

  • Policy Updates and Reviews: Regular reviews and updates of cybersecurity policies are critical. Ensure that your policies reflect current threats and best practices in cybersecurity.
  • Continuous Employee Training: Your team members are the first line of defense against cyber threats. Regular training to help them understand, recognize, and respond to these threats is crucial.
  • Implement Advanced Cybersecurity Measures: Invest in cutting-edge cybersecurity technology that can help detect, prevent, and respond to threats.

The Rise of Meduza Stealer: Protecting Your Business From This Potent Infostealer

Targeted Industries: All

With the rise of digital transactions and online activities, cybersecurity threats continue to evolve rapidly. One such emerging threat is Meduza Stealer, a powerful infostealer that targets browser cookies, histories, and, most significantly, crypto wallet information. It’s a pervasive threat that businesses across industries must prepare for – especially those heavily reliant on digital transactions.

Unmasking Meduza Stealer

First discovered in November 2021, Meduza Stealer is a highly potent malware designed to extract a wide range of sensitive data from infected machines. This malware poses a significant threat, particularly to organizations involved in the cryptocurrency sector.

The primary objective of threat actors using Meduza Stealer is likely financial gain, as evidenced by the malware’s specific targeting of cryptocurrency wallet information. Once this data is compromised, unauthorized access to sensitive accounts can lead to financial theft and significant business disruption.

Why Meduza Stealer Matters

The threat posed by Meduza Stealer is more than just a passing concern. The stealer’s versatile data extraction capabilities and broad distribution methods make it a highly effective tool for cybercriminals. As digital transactions and online activities continue to rise, Meduza Stealer’s attractiveness to threat actors will only escalate, especially given the growing popularity and value of cryptocurrencies.

Safeguarding Your Business

Despite the growing threat, organizations can take robust measures to mitigate the risk and impact of Meduza Stealer:

  • Regular Updates: Keep your systems and security tools updated to counter evolving threats effectively.
  • Email Security: Strengthen your email security to prevent spam emails, the primary distribution method for Meduza Stealer.
  • User Education: Empower your team members with knowledge about this threat, including how to recognize and respond to potential attacks.
  • Strong Passwords: Implement a strong password policy across your organization.
  • Two-Factor Authentication: Use two-factor authentication for an added layer of security.

Navigating MuddyWaters: Deciphering Iran’s APT Group and Safeguarding Your Organization

Targeted Industries: Public Administration; Information; Professional, Scientific, and Technical Services; Utilities; and Manufacturing

In the intricate world of cybersecurity, understanding and responding to threats is crucial. One such eminent threat is the MuddyWater Advanced Persistent Threat (APT) group. Active since 2017 and suspected to be Iran-based, this group has emerged as a formidable force in cyber espionage, predominantly targeting sectors aligning with Iran’s strategic interests. The threat is real, but so are the solutions – and our goal is to help you implement them.

Who is MuddyWater?

MuddyWater’s hallmark lies in its high level of technical capability, continually evolving tools, and tactics. Central to its operations is the malicious Command and Control (C2) framework, PhonyC2, a flexible, potent tool used for controlling compromised systems, exfiltrating data, and conducting further malicious activities.

Primarily, MuddyWater’s motivations are espionage and information theft. The group has been persistent in targeting organizations in sectors that align with Iran’s strategic interests, signifying a focus on collecting intelligence to bolster these interests.

The Risks You Face

The risk from MuddyWater is significant, particularly for organizations within the group’s targeted sectors and regions. If you fall within their radar, you could face substantial data breaches, operational disruptions, potential reputation damage, and a loss of customer trust.

The aftermath of a MuddyWater attack can be devastating – sensitive data theft could result in a loss of competitive advantage and regulatory penalties, while operational disruptions could lead to substantial downtime and financial losses.

Steer Clear of the MuddyWaters

The MuddyWater threat is significant, but it’s not insurmountable. Here are some robust measures to protect your organization:

  • Limit the use of PowerShell to necessary cases and monitor its usage closely. 
  • Evaluate current intrusion detection systems (IDS) to verify it can identify the custom encoding schemes used by MuddyWater. 
  •  Evaluate security solutions to verify it can detect and block attempts to modify registry keys and startup folders.

A New Threat Horizon: Understanding Hagga’s Innovative Malware Execution Method

Targeted Industries: All

In the complex realm of cybersecurity, threat actors continue to evolve their techniques, making it an ever-challenging task for organizations to stay one step ahead. One such groundbreaking innovation in the world of cyber threats has been the recent usage of DNS TXT records for malware execution by the Hagga hacking group. This sophisticated method threatens organizations globally, but with the right defensive measures and a vigilant cybersecurity posture, the threat can be effectively managed.

Who Is Hagga, and What’s Their Modus Operandi?

Known for their innovative thinking and high technical expertise, the Hagga hacking group has devised a novel method to bypass traditional detection methods. By using DNS TXT records to execute malware, the group has showcased an ability to develop and implement unique attack strategies.

Their apparent intention is to evade detection by anti-malware products, possibly indicating a persistent and stealthy approach toward espionage or theft. The sophistication of this method poses significant risks, including the compromise of sensitive information, operational disruptions, financial losses, and reputational damage to organizations worldwide.

Anticipating the Future Threat Landscape

Considering the innovative nature of the Hagga group, the threat posed by the utilization of DNS TXT records for malware execution is expected to evolve and adapt continually. Therefore, organizations must continuously enhance their defensive measures and stay prepared for the threat actor’s escalating sophistication and potential integration of new attack techniques.

Ensuring Your Cyber Defense Is Up to the Challenge

Protecting your organization against such a multifaceted threat requires a multi-layered approach. Here are some key recommendations to fortify your defenses:

  • Email Security: Enhance email security controls to prevent spear-phishing attacks.
  • DNS Traffic Monitoring: Invest in systems that monitor and analyze DNS traffic to detect anomalies and potential threats.
  • Endpoint Security Controls: Implement robust endpoint security controls to block malicious software execution.
  • Patch Management: Regularly patch and update your systems to minimize vulnerabilities.
  • Security Awareness Training: Conduct regular training to help employees recognize and report potential cyber threats.

The New Red Team Tool Targeting Your Microsoft Teams: Mitigating the Potential Abuse of TeamsPhisher

Targeted Industries: All

As remote work communication platforms–like Microsoft Teams–have become indispensable in the corporate world, ensuring security and privacy is a challenge that has never been more critical. Now, a new red team tool, TeamsPhisher, is raising the stakes, potentially posing a significant risk to businesses heavily reliant on Microsoft Teams for their external communications. Here’s what you need to know about TeamsPhisher and how to protect your organization.

The Rise of TeamsPhisher

TeamsPhisher, created by Navy Red Team member Alex Reid and publicly available on GitHub, is a program designed to deliver phishing messages and attachments to unsuspecting Microsoft Teams users. Its accessibility on GitHub increases its potential for adoption by threat actors, making it an accessible tool for even the least technically-skilled threat actors.

What makes TeamsPhisher particularly dangerous is its ability to confirm that the target user exists and can receive external messages. It then sends a phishing message and a link to an attachment in SharePoint. With TeamsPhisher, threat actors can create highly personalized messages, making their phishing attempts seem more legitimate and thereby increasing the likelihood of users falling prey to them.

The Risks and Implications

The implications of TeamsPhisher are severe. Successful exploitation can lead to unauthorized access, data theft, and other malicious activities. The potential consequences include significant data loss, financial costs, operational disruptions, and significant damage to your organization’s reputation.

With its increasing accessibility and the potential for continuous improvement by threat actors, we expect the threat posed by TeamsPhisher to escalate. Especially for organizations that rely on Microsoft Teams for external communications, the risk is significant and ever-growing.

Guarding Your Organization Against TeamsPhisher

The rise of TeamsPhisher underscores the urgency of implementing robust cybersecurity measures within your organization. Here’s where to start:

  • User Training and Awareness: Your employees are the first line of defense against phishing threats. Invest in comprehensive training programs that educate users about the risks and signs of phishing attacks.
  • Restrict External Communications: Limit the ability of external parties to send messages and files to your Teams’ users. While this might not be feasible for all organizations, it can significantly reduce the potential attack surface.

In the face of the TeamsPhisher threat, taking proactive measures is crucial. But remember: cybersecurity is an ongoing journey. Stay informed, stay vigilant, and your organization will be better prepared to face the ever-evolving landscape of cyber threats.

CISA Adds 8 CVEs to its Known Exploited Vulnerabilities Catalog

In the ever-evolving threat landscape, it is crucial to stay informed about the latest exploited vulnerabilities that pose a significant risk to organizations. In this report we highlight the recent additions to CISA’s Known Exploited Vulnerabilities Catalog. These vulnerabilities impact products from D-Link and Samsung mobile devices. Understanding these vulnerabilities and taking immediate action can fortify your systems and protect your organization from potential attacks. Read on to discover key insights and recommended mitigative actions.

The Exploited Vulnerabilities

CISA’s recent update to the Known Exploited Vulnerabilities Catalog has identified 8 critical CVEs that affect a range of products and projects. These vulnerabilities affect products from D-Link and Samsung’s Mobile Devices. The vulnerabilities range from command execution vulnerabilities in the UPnP endpoint URL and the Web interface of D-Link products, to out-of-bounds read, improper input validation, race condition, and unspecified vulnerabilities in Samsung Mobile Devices.

Latest CVEs

  • CVE-2019-17621: D-Link DIR-859 router contains a command execution vulnerability in the UPnP endpoint URL, /gena.cgi.
  • CVE-2019-20500: D-Link DWL-2600AP access point contains an authenticated command injection vulnerability via the Save Configuration functionality in the Web interface.
  • CVE-2021-25487: Samsung mobile devices contain an out-of-bounds read vulnerability within the modem interface driver.
  • CVE-2021-25489: Samsung mobile devices contain an improper input validation vulnerability within the modem interface driver.
  • CVE-2021-25394: Samsung mobile devices contain a race condition vulnerability within the MFC charger driver.
  • CVE-2021-25395: Samsung mobile devices contain a race condition vulnerability within the MFC charger driver.
  • CVE-2021-25371: Samsung mobile devices contain an unspecified vulnerability within DSP driver that allows attackers to load ELF libraries inside DSP.
  • CVE-2021-25372: Samsung mobile devices contain an improper boundary check vulnerability within DSP driver that allows for out-of-bounds memory access.

Remaining Vigilant

The threat landscape continuously evolves, and cybercriminals quickly exploit newly discovered vulnerabilities. It is vital to stay informed and implement a robust vulnerability management program. Regularly update your systems, apply patches promptly, and monitor emerging threats to protect your organization from potential attacks.

The Latest Additions to Data Leak Sites

In the challenging world of cybersecurity, ransomware, and data extortion threats continue to surge. Over the past week alone, monitored threat groups added 86 victims to their leak sites, underscoring the evolving and relentless nature of these cyber threats. While this statistic is alarming, understanding the nature of these attacks and implementing robust cybersecurity measures can significantly mitigate your organization’s risks.

The Current Threat Landscape

More than half of the 86 listed victims were based in the United States. By industry, Manufacturing was the most targeted, with 21 victims. This was followed by 13 in Finance and Insurance, 11 in Professional, Scientific, and Technical Services, 9 in Information, and 7 in Health Care and Social Assistance.

Victims listed on data leak sites typically choose not to negotiate or pay a ransom. However, the validity of these claims made by cybercriminals is yet to be confirmed. Despite this, the figures paint a compelling picture of the increased threat organizations face, regardless of their industry or size.

Rising to the Challenge

Such an extensive and sophisticated threat landscape can be daunting, but robust defensive measures can protect your organization. Here are some key areas to focus on:

  • Threat Awareness: Understanding the nature of ransomware and data extortion threats is the first step towards safeguarding your organization. Regular threat intelligence briefings and updates can keep your team informed about the latest threats and their modus operandi.
  • Proactive Defense: Deploy robust cybersecurity solutions, including advanced threat detection tools, data encryption, firewalls, and endpoint protection. These systems can help identify and neutralize threats before they can cause significant damage.
  • Incident Response Planning: Have a detailed incident response plan in place. This plan should outline the steps to be taken in case of a breach, including identifying the breach’s scope, isolating affected systems, and notifying relevant authorities.
  • Employee Training: Regularly train your employees to recognize potential threats and follow best cybersecurity practices. Remember, your team members can be your best defense – or your weakest link.
  • Backup and Recovery: Regularly back up critical data and ensure that it can be quickly recovered in the event of a ransomware attack. This measure can minimize the potential impact of a data breach and enable your operations to recover swiftly.

Let’s Secure Your Organization’s Future Together

At Deepwatch, we are committed to helping organizations like yours navigate the intricate world of cyber threats. Our cybersecurity solutions are designed to stay ahead of the curve, providing you with the proactive defenses needed to protect your organization from threats such as the exploitation of Telerik UI.

Our team of cybersecurity professionals is ready to evaluate your systems, provide actionable insights, and implement robust security measures tailored to your needs.

Don’t wait for a cyber threat to disrupt your operations. Contact us today and take the first step towards a more secure future for your organization. Together, we can outsmart the threats and secure your digital frontier.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog