Cyber Intel Brief: June 9 – 15, 2022

Malware

Symbiote: A New, Nearly Impossible-to-Detect Linux Threat

What You Need To Know:

A new malware, dubbed Symbiote, was recently analyzed in a joint effort by the BlackBerry Research and Intelligence Team and Intezer. Their analysis found that the malware is used to harvest credentials and provide remote access to Linux systems: it is loaded into every running process and hides its own files, processes, and network communications from discovery. For command and control communications, the malware uses domains that impersonate several Latin American banks. Unfortunately, the report does not disclose how the malware was discovered, nor does it describe the attack chain, including initial access, or give details about the victim(s), if any.

Deepwatch Assessment:

  • Symbiote is not a standalone executable but a shared object library that the dynamic linker loads into every running process (the report describes it being forced in through the LD_PRELOAD mechanism). To reduce risk, use an application control solution that is capable of blocking the loading of unapproved libraries. On Linux hosts, review /etc/ld.so.preload, which is normally absent or empty; any entry there deserves scrutiny.
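The following is an added example, not code from the BlackBerry/Intezer report, showing the two checks a responder would run for a preload-style implant like the one described above: parse /etc/ld.so.preload, and look for a shared object that is mapped into every process yet lives outside the system library directories. The /proc/<pid>/maps excerpts, the preload file contents and the path /tmp/.x/libhidden.so are constructed for illustration.

```python
"""Hunt for a shared object preloaded into every process (LD_PRELOAD style).

Added example, not code from the BlackBerry/Intezer report. The
/proc/<pid>/maps excerpts, the ld.so.preload contents and the library path
/tmp/.x/libhidden.so are constructed for illustration.
"""
import re
from collections import Counter

# /proc/<pid>/maps fields: address perms offset dev inode pathname
# Only lines whose pathname is a shared object match.
_MAPS_LINE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>/\S+\.so(?:\.\d+)*)$"
)

# Directories a system-wide preload would normally be loaded from.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def mapped_libraries(maps_text):
    """Set of shared-object paths mapped in one process's /proc/<pid>/maps."""
    libs = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            libs.add(m.group("path"))
    return libs


def preload_entries(ld_so_preload_text):
    """Paths listed in /etc/ld.so.preload (blank lines and '#' comments skipped).

    On a clean host this file is normally absent or empty, so every entry
    deserves a look.
    """
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def ubiquitous_untrusted_libraries(maps_by_pid, trusted_dirs=TRUSTED_LIB_DIRS):
    """Libraries mapped into *every* surveyed process from outside trusted dirs.

    A library that appears in a single service is normal; one that appears in
    init, sshd and an application alike, loaded from /tmp, is the signature
    of a forced preload.
    """
    if not maps_by_pid:
        return []
    counts = Counter()
    for text in maps_by_pid.values():
        counts.update(mapped_libraries(text))
    total = len(maps_by_pid)
    return sorted(
        path for path, n in counts.items()
        if n == total and not path.startswith(trusted_dirs)
    )


def hunt(maps_by_pid, ld_so_preload_text=""):
    """Combine both checks into one list of human-readable findings."""
    findings = []
    for path in preload_entries(ld_so_preload_text):
        findings.append(f"ld.so.preload entry: {path}")
    for path in ubiquitous_untrusted_libraries(maps_by_pid):
        findings.append(f"mapped in all {len(maps_by_pid)} processes: {path}")
    return findings


# --- constructed sample data: three processes on a hypothetical host ---------
_LIBC = "7f10c0000000-7f10c01c5000 r-xp 00000000 08:01 131091 /usr/lib/x86_64-linux-gnu/libc.so.6"
_PAM = "7f10c0400000-7f10c0410000 r-xp 00000000 08:01 131200 /usr/lib/x86_64-linux-gnu/libpam.so.0"
_PLUGIN = "7f10c0500000-7f10c0510000 r-xp 00000000 08:01 262000 /opt/app/libplugin.so"
_HIDDEN = "7f10c0600000-7f10c0620000 r-xp 00000000 08:01 262144 /tmp/.x/libhidden.so"
_HEAP = "55d0a0000000-55d0a0021000 rw-p 00000000 00:00 0 [heap]"

SAMPLE_MAPS = {
    1: "\n".join([_LIBC, _HIDDEN, _HEAP]),             # init
    812: "\n".join([_LIBC, _PAM, _HIDDEN, _HEAP]),     # sshd
    2044: "\n".join([_LIBC, _PLUGIN, _HIDDEN, _HEAP]), # an application with its own plugin
}
SAMPLE_PRELOAD = "# constructed sample\n/tmp/.x/libhidden.so\n"

if __name__ == "__main__":
    for finding in hunt(SAMPLE_MAPS, SAMPLE_PRELOAD):
        print(finding)
```

Because Symbiote hooks libc functions such as readdir and fopen to hide its files and its preload entry from any process it has been loaded into, collect the maps and preload data with a statically linked tool, or from a disk image mounted on a clean system, rather than from a normal shell on the suspect host. Legitimate preloads (for example a fakeroot or profiling library) should be added to an allow-list rather than ignored.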

Malware

Lyceum .NET DNS Backdoor

What You Need To Know:

Zscaler ThreatLabz recently observed a new campaign in which the Lyceum Group, an Iranian state-sponsored APT known for targeting energy and telecommunications organizations in the Middle East, used a modified open-source DNS backdoor. The backdoor was delivered via a malicious website that entices visitors to download a Word document made to look like a news report with the headline “Iran Deploys Drones To Target Internal Threat, Protect External Interests.” The malware relies on what Zscaler calls “DNS hijacking”: a threat actor-controlled DNS server answers the implant’s queries with actor-specified commands in place of legitimate records. The supported commands are “downloaddd” (download a file from the server), “uploaddd” (upload a file to the server), and “cmd.exe /c <txt_record_response_command>” (execute the command carried in the TXT record and send the output back to the C2 server in the form of DNS A records).

Deepwatch Assessment:

  • Consider filtering DNS requests to unknown, untrusted, or known-bad domains and resources. Additionally, forcing all resolution through on-premises or proxy resolvers, and blocking endpoints from reaching external resolvers directly, can disrupt threat actor attempts to conceal commands and data within DNS packets.
  • Employ an anti-virus or EDR solution that can automatically quarantine suspicious files.
  • Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
  • Inform employees on best practices for identifying legitimate websites.
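An added example, not code from the Zscaler report, of the detection logic the DNS recommendations above point at. It looks for the two shapes of traffic a DNS backdoor like the one described produces: TXT lookups to a domain nobody on a workstation should be asking about (the tasking channel) and long, high-entropy leading labels (output encoded into the names of outbound queries, which is assumed here to be how A-record "uploads" of command output are carried). The log format, every domain (all under the reserved .example TLD), the allow-list and the thresholds are constructed for illustration.

```python
"""Flag DNS query patterns typical of command-and-control over DNS.

Added example, not code from the Zscaler report. The log format
(timestamp, client, query type, name), every domain in the sample lines,
the allow-list and the thresholds are constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Domains a workstation has a legitimate reason to ask TXT records about (hypothetical).
ALLOWED_TXT_DOMAINS = {"corp.example"}
MAX_LABEL_LEN = 24        # longest leading label a hand-named host usually has
ENTROPY_THRESHOLD = 3.5   # bits/char; encoded blobs sit above this, words below
MIN_UNIQUE_NAMES = 3      # distinct names per (client, domain); kept tiny for the sample

# Constructed log: "<timestamp> <client> <qtype> <qname>", one query per line.
SAMPLE_DNS_LOG = """\
2022-06-10T12:00:01Z 10.0.0.5 A www.corp.example
2022-06-10T12:00:02Z 10.0.0.5 TXT _dmarc.corp.example
2022-06-10T12:00:03Z 10.0.0.7 TXT cmd.news-feed.example
2022-06-10T12:00:04Z 10.0.0.7 A q7x2mv9kd4ph8zj3wn6tbl0yr5cg1ufa.news-feed.example
2022-06-10T12:00:05Z 10.0.0.7 A k2pd8wz5mq1vx7tn3gb0jh6rf9yc4lsa.news-feed.example
2022-06-10T12:00:06Z 10.0.0.9 A mail.corp.example
"""


def shannon_entropy(s):
    """Bits per character: 0.0 for a repeated character, log2(n) for n distinct ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Parse the constructed log format into dicts; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Last two labels; a stand-in for a public-suffix-list lookup."""
    return ".".join(qname.split(".")[-2:])


def query_reasons(rec, allowed_txt=ALLOWED_TXT_DOMAINS):
    """Why one query looks like DNS C2, as a list of reasons (empty if benign)."""
    reasons = []
    qname = rec["qname"]
    # Tasking channel: the implant asks for TXT records of the actor's domain.
    if rec["qtype"] == "TXT" and registered_domain(qname) not in allowed_txt:
        reasons.append("TXT lookup outside allow-list")
    # Exfil channel: command output encoded into the leading label of queries.
    label = qname.split(".")[0]
    if len(label) > MAX_LABEL_LEN:
        reasons.append(f"leading label is {len(label)} chars")
    ent = shannon_entropy(label)
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"leading label entropy {ent:.2f} bits/char")
    return reasons


def suspicious_queries(log_text):
    """(client, qtype, qname, reasons) for every flagged line in the log."""
    flagged = []
    for rec in parse_dns_log(log_text):
        reasons = query_reasons(rec)
        if reasons:
            flagged.append((rec["client"], rec["qtype"], rec["qname"], reasons))
    return flagged


def chatty_pairs(log_text, min_unique=MIN_UNIQUE_NAMES):
    """(client, domain) pairs with many distinct names: the shape of an encoded upload."""
    names = defaultdict(set)
    for rec in parse_dns_log(log_text):
        names[(rec["client"], registered_domain(rec["qname"]))].add(rec["qname"])
    return sorted(k for k, v in names.items() if len(v) >= min_unique)


if __name__ == "__main__":
    for client, qtype, qname, reasons in suspicious_queries(SAMPLE_DNS_LOG):
        print(client, qtype, qname, "; ".join(reasons))
    print("chatty:", chatty_pairs(SAMPLE_DNS_LOG))
```

Scope the TXT rule to workstations: mail servers and anything that validates SPF, DKIM or DMARC perform TXT lookups against arbitrary domains all day, and would drown the signal. The entropy test alone is weak against hex-encoded ASCII (its nibbles cluster around 0x6 and 0x7, so the score stays low), which is why label length and the per-client count of distinct names are checked as well.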

Malware

GALLIUM Expands Targeting Across Telecommunications, Government, and Finance Sectors With New PingPull Tool

What You Need To Know:

Unit 42 recently analyzed a remote access trojan, dubbed PingPull, used by GALLIUM (Softcell), a likely Chinese state-sponsored APT group. The group is known to target telecommunications companies operating in Southeast Asia, Europe, and Africa, but has recently expanded its targeting to include organizations in the financial and government sectors. PingPull has three variants that differ in their C2 transport (ICMP, HTTP(S), and raw TCP); all of them allow the threat actors to run commands, obtain a reverse shell on a compromised host, and install the malware as a service.

Deepwatch Assessment:

  • Ensure that permissions prevent users with lower privileges from creating or interacting with services that run at a higher privilege level.
  • Ensure that service binaries that run with high privileges cannot be changed or modified by users with lower privileges.
  • Users should not be able to install their own services (or, on macOS, launch agents or launch daemons).
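The ICMP variant described above is the one most network teams have no existing detection for, so here is an added example, not Unit 42's code, of baselining echo payloads: a stock ping fills the echo payload with a fixed, predictable pattern, and an implant that carries commands and output inside echo requests does not. The packets and addresses are constructed; the known-good patterns are those of the default Windows ping.exe payload and of Linux iputils ping.

```python
"""Baseline ICMP echo payloads to spot tunnelled command traffic.

Added example, not Unit 42's code. The packet records are constructed; the
known-good payload patterns are those emitted by a stock Windows ping.exe
and by Linux iputils ping with default options.
"""
import struct

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes, ping.exe default


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ, code, ident, seq, payload):
    """Assemble a checksummed ICMP message (used here only to build sample traffic)."""
    header = struct.pack("!BBHHH", typ, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", typ, code, csum, ident, seq) + payload


def parse_icmp(packet):
    """(type, code, ident, seq, payload) from raw ICMP bytes; None if short or corrupt."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, code, ident, seq, packet[8:]


def is_linux_ping_payload(payload):
    """iputils default: 56 bytes = 8- or 16-byte timestamp, then byte i == i."""
    if len(payload) != 56:
        return False
    return any(all(payload[i] == i for i in range(ts_len, 56)) for ts_len in (8, 16))


def is_standard_ping_payload(payload):
    return payload == WINDOWS_PING_PAYLOAD or is_linux_ping_payload(payload)


def classify_echo(packet):
    """'standard', 'anomalous', 'not-echo' or 'malformed' for one ICMP message."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "malformed"
    typ, _code, _ident, _seq, payload = parsed
    if typ not in (0, 8):          # echo reply / echo request
        return "not-echo"
    return "standard" if is_standard_ping_payload(payload) else "anomalous"


def anomalous_echo_pairs(packets):
    """Sorted (src, dst) pairs that exchanged at least one non-standard echo."""
    return sorted({(src, dst) for src, dst, raw in packets
                   if classify_echo(raw) == "anomalous"})


# --- constructed sample traffic ----------------------------------------------
LINUX_ECHO = build_icmp(8, 0, 0x1234, 1, bytes(16) + bytes(range(16, 56)))
WINDOWS_ECHO = build_icmp(8, 0, 0x0001, 7, WINDOWS_PING_PAYLOAD)
TUNNEL_ECHO = build_icmp(8, 0, 0x4242, 1,
                         b"\x00\x01" + b"constructed opaque blob".ljust(54, b"\x00"))
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", LINUX_ECHO),
    ("10.0.0.6", "10.0.0.1", WINDOWS_ECHO),
    ("10.0.0.8", "203.0.113.10", TUNNEL_ECHO),   # internal host pinging the internet
]

if __name__ == "__main__":
    for src, dst, raw in SAMPLE_PACKETS:
        print(src, "->", dst, classify_echo(raw))
    print("review:", anomalous_echo_pairs(SAMPLE_PACKETS))
```

Treat "anomalous" as a triage queue rather than an alert: other operating systems, busybox, and `ping -p` produce their own patterns, so extend the allow-list from a baseline of your environment before deploying the rule. Echo traffic between an internal server and an external address is the first thing to review. This covers only the ICMP variant; the HTTP(S) and raw TCP variants need proxy and flow-based detections.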

Malware

Technical Analysis of PureCrypter

What You Need To Know:

Zscaler recently published a technical analysis of a loader called PureCrypter that is offered for sale through the developer’s website for $59. Once purchased, the website provides a builder that lets the buyer customize the malware, including the injection type (process hollowing, shellcode injection, or assembly loading), the persistence mechanism, and defense evasion measures. The website also offers an Office macro builder and a downloader. Zscaler has observed numerous information stealers and remote access trojans (RATs), including AgentTesla, RedLineStealer, and SnakeKeylogger amongst others, deployed by PureCrypter.

Deepwatch Assessment:

  • Provide user awareness training that explains company policies and procedures for obtaining authorized software, so that employees do not download tooling from untrusted sources.
  • Inform employees about the dangers of enabling macros in Office documents in your phishing awareness training and simulation exercise program.
  • Some endpoint security solutions can be configured to block certain types of process injection based on common sequences of behavior that occur during the injection process.

Ransomware

LockBit 2.0: How This RaaS Operates and How to Protect Against It

What You Need To Know:

Palo Alto’s threat intelligence and research team, Unit 42, recently published a profile of the Ransomware-as-a-Service group LockBit that covers its victimology, TTPs, and leak site data; how the ransomware operates; its latest iteration, LockBit 3.0 (LockBit Black); and the actions organizations should take to reduce the risk posed by this operator.

Deepwatch Assessment:

  • Regularly scan systems for vulnerabilities and patch systems as soon as possible, prioritizing those internet-exposed systems with a focus on known exploited vulnerabilities.
  • Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM.
  • Enable Attack Surface Reduction (ASR) rules on Windows 10 to secure LSASS and prevent credential stealing. Additionally, consider the risk of storing credentials in password stores and web browsers.
  • Ensure that unnecessary ports and services are closed to reduce the risk of discovery and potential exploitation.
  • Use application control to mitigate installation and use of unapproved software that can be used for remote access.

Ransomware

Exposing HelloXD Ransomware and x4k

What You Need To Know:

Palo Alto’s Unit 42 recently analyzed the HelloXD ransomware. The analysis revealed that the ransomware shares its core functionality with the leaked Babuk/Babyk source code. In addition, one sample was observed deploying MicroBackdoor, an open-source backdoor that allows the threat actor to enumerate the file system, upload and download files, execute commands, and delete itself from the machine. The backdoor’s infrastructure allowed Unit 42 to tentatively link the developer of the ransomware to a threat actor known as x4k (also L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme).

Deepwatch Assessment:


Ransomware

The Many Lives of BlackCat Ransomware

What You Need To Know:

Microsoft recently provided details about BlackCat Ransomware’s techniques and capabilities. They also detail two case studies, Exchange exploitation and credential compromise, leading to a BlackCat deployment. Additionally, Microsoft provides details on two affiliates they are tracking, DEV-0237 (FIN12) and DEV-0504, that have been observed deploying BlackCat in recent incidents. Finally, best practices and recommendations are provided, including Microsoft 365 Defender-specific mitigations and hunting queries.

Deepwatch Assessment:

  • Customers should implement the guidance and recommendations in CISA’s “Ransomware Prevention Best Practices (PDF).”
  • Regularly scan systems for vulnerabilities and patch systems as soon as possible, prioritizing those internet-exposed systems focusing on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog.
  • Use multi-factor authentication wherever possible, and require it on all externally facing services.

Exploited Vulnerabilities

CISA Adds 4 Vulnerabilities to its Known Exploited Vulnerabilities Catalog

What You Need To Know:

Based on evidence of active exploitation, CISA has added the four vulnerabilities listed on the next page to its Known Exploited Vulnerabilities Catalog. Of the four vulnerabilities added, three affect SAP NetWeaver, SAP’s application server and integration platform. Threat actors frequently use vulnerabilities of this kind as an attack vector, posing a serious threat to organizations. The Threat Intel Team at Deepwatch will continue to monitor new additions to the Catalog and report them in the weekly Cyber Intel Brief.

Deepwatch Assessment:

  • Regularly scan systems for vulnerabilities and patch systems as soon as possible. Prioritization should be placed on those systems that are internet-exposed with a focus on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog.
  • Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
  • Use least privilege for service accounts. This will limit what permissions the exploited process gets on the rest of the system.
  • Isolate applications. This will limit what other processes and system features the exploited target can access.
  • Implement a web application firewall to limit the exposure of applications and prevent exploit traffic from reaching them.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not happen. Terms like “may” and “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
