Cyber Intel Brief: Mar 30 – April 05, 2023

Malware

Another InfoStealer Discovered

Impacted Industries: All

What You Need To Know:

On 29 March 2023, Cyble reported that they discovered a new InfoStealer titled Creal, whose source code and builder are publicly accessible. The stealer has been observed delivered via phishing websites and collects login credentials and cookies from various browsers, with data exfiltration occurring via Discord or through various file hosting and sharing services. This threat is highly likely operating now, which we assume has a roughly even chance of targeting customers whose impact could cause a moderate to a considerable level of damage. The threat is reported as limited, but we assume that reporting of the public availability will likely cause the threat to become widespread, which will likely see customers fit an adversary’s interest and make the likelihood of compromise consistent or higher than normal. ATI recommends mitigative action occur within the normal business cycle, which includes blocking certain websites or attachment types (such as DropBox, Telegram, Discord, .lnk, and .iso.) if they are not necessary for business operations.


Malware

Gopuram Deployed within 3CX Attack

Impacted Industries: Financial Services

What You Need To Know:

On 3 April 2023, Kaspersky reported that the 3CX supply chain attack dropped the Gopuram backdoor. Kaspersky discovered that the threat actor specifically targeted cryptocurrency companies, in addition to dropping the infostealer, they also dropped two files on infected machines, which loads Gopuram’s main module. Kaspersky has attributed the 3CX campaign to the Lazarus threat actor with medium to high confidence. This is an advanced threat likely operating now, targeting cryptocurrency organizations. Even though the initial compromise was widespread, actual post-exploitation infections are currently reported as limited and customers do not fit the adversary’s interest and makes the likelihood of compromise lower than normal. ATI recommends mitigative action occur within the normal business cycle, which includes incorporating the hashes in your defense-in-depth-strategy and updating or uninstalling the 3CX desktop client.


Ransomware

Ransomware Attack Began with IcedID

Impacted Industries: All

What You Need To Know:

On 3 April 2023, The DFIR Report reported a Quantum ransomware intrusion initiated with IcedID  delivered via an ISO file. Threat actors deployed multiple open-source tools and used scripts for discovery, lateral movement, and data exfiltration. The threat actors exploited CVE-2020-1472 (ZeroLogon) to elevate privileges after a previous technique was blocked. This is an advanced threat likely operating now, targeting organizations that are similar to our customers whose impact could cause a significant level of damage. The threat is currently reported as limited, but customers fit the adversary’s interest and makes the likelihood of compromise higher than normal. ATI recommends mitigative actions occur within the next three months, which includes preventing end-users from receiving .ISO, .one, and .url files in emails.


Ransomware

Fastest Ransomware Discovered

Impacted Industries: All

What You Need To Know:

On 04 April 2023, Check Point and Group-IB reported the discovery of an unknown ransomware dubbed Rorschach/BabLock respectively, which has one of the fastest encryption routines. The ransomware has been active since June 2022 and has attacked a US-based company, as well as organizations in Asia, the Middle East, and Europe. The ransomware operators use sophisticated tactics such as DLL side-loading, CVE exploitation, and anti-analysis and detect evasion techniques. This advanced threat is operating now, which is likely targeting organizations that are similar to our customers whose impact could cause a significant level of damage. The threat is reported as limited and all customers fit the adversary’s interest, which makes the likelihood of compromise higher than normal. ATI recommends mitigative action occur within the normal business cycle, which includes ensuring Zimbra Collaboration software is up to date as a vulnerability in versions 8.8.15 and 9.0 allowed the threat actors to remotely execute arbitrary code.


Threat Landscape

Combosquatting: A Big Threat

Impacted Industries: All

What You Need To Know:

On 29 March 2023, Akamai reported the most frequently observed cybersquatting type generating the most DNS queries is combosquatting, which is when another word is added to the impersonated domain. There are seven variants of cybersquatting that Akamai has identified: combosquatting, typosquatting, bitsquatting, IDN homograph, soundsquatting, and dotsquatting. This threat is highly likely operating now, targeting organizations that are similar to our customers whose impact could cause a moderate level of damage. The threat is currently reported as widespread and all customers fit the adversary’s interest and makes the likelihood of compromise higher than normal. ATI recommends mitigative actions occur within the next few weeks, which includes blocking or registering domains using Akamai’s Top 50 Combosquatted Keyword list, available here, as well as other cybersquatting types.


Threat Actors

New Infrastructure of RedGolf Identified

Impacted Industries: Transportation, Manufacturing, Education, Public Administration, Information, and Other Services

What You Need To Know:

On 30 March 2023, Recorded Future reported they identified new infrastructure associated with the KEYPLUG malware used by the threat actor RedGolf, a Chinese state-sponsored group. This is an advanced threat highly likely operating now, which is likely targeting customers in sectors related to aviation, automotive, education, public administration, media, information technology, and religious organizations. The impact of this threat actor could cause a significant level of damage. The threat is highly active and various customers fit the adversary’s interest and makes the likelihood of compromise higher than normal. ATI recommends mitigative actions occur within the next few weeks, which includes incorporating the hashes and network indicators related to KEYPLUG as well as the IP addresses and domains related to Cobalt Strike in your defense-in-depth-strategy.


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Professional services, manufacturing, information, education, and administrative and support services

What You Need To Know:

In the past week, monitored ransomware threat groups added 54 victims to their leak sites. Of those listed, 36 are based in the US. The most popular industry listed was professional services, with nine victims. They were followed by eight in manufacturing, seven in information, four in education & administrative and support services.This information represents victims whom cybercriminals may have successfully attacked but opted not to negotiate or pay a ransom. However, we can not confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds CVE-2023-04-03 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: Public Administration; Potential to affect all

What You Need To Know:

On 03 April 2023, CISA added CVE-2022-27926 to its Known Exploited Vulnerabilities Catalog. The vulnerability affects Zimbra Collaboration, which could allow the execution of arbitrary web scripts or HTML.This threat is likely operating now and has been exploited to gain access to emails to public administration entities for espionage-related reasons. The threat is reported as limited, and customers who may have an interest in the Russian-Ukraine war fit the adversary’s interest and makes the likelihood of compromise consistent with normal expectations. ATI recommends mitigative action occur according to the mitigation “Due Date” recommended by CISA.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Share

LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog