Cyber Intel Brief: March-31-April 6, 2022
By Eric Ford,
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
- The Hacker News reported on a recent Fortinet analysis of Deep Panda that was observed exploiting the Log4J vulnerability, also known as Log4Shell, in VMWare Horizon servers to drop backdoors, loaders, and rootkits.
- Deep Panda dropped the backdoor, dubbed Milestone, and a new rootkit called Fire Chili. Milestone is based on Gh0st RAT but with changes in how it communicates. It was discovered that Fire Chili was signed with stolen certificates from video game developers.
Deepwatch Threat Intel Team assesses with high conﬁdence that threat actors, like Deep Panda, will continue to exploit known vulnerabilities, like Log4j, as opportunities to install backdoors in organizations for later access and use. It is recommended to patch vulnerabilities as soon as possible with a focus placed on known exploited vulnerabilities, like those featured by CISA in their Known Exploited Vulnerabilities Catalog. It is also recommended to monitor for new registry keys, drivers, and services.
Deep Dive Analysis – Borat RAT
- Cyble Research Labs discovered a new remote access trojan (RAT), dubbed Borat, that in addition to traditional RAT features has the capability to deploy ransomware, conduct DDoS attacks, and record audio and video.
- At this time, there are no known incidents involving Borat RAT so it is not known what initial infection vectors will be used by threat actors but phishing emails and exploitation of vulnerabilities is highly likely. Additionally, it is not known how effective the RAT is. If threat actors start using it and start claiming how effective it is, the prevalence of this RAT will likely increase.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that as threat actors become more aware of Borat RAT they will start to incorporate it into their attack chain due to its vast capabilities. To reduce the risk of this type of malware activity it is recommended that organizations ensure their security protection software is up and running properly on systems within their organization. It is also recommended to monitor for any tampering with any security protection software and investigate as needed.
The Latest Remcos RAT Driven By Phishing Campaign
- Fortinet recently analyzed the newest version of Remocs RAT (version 3.4.0 Pro) that they discovered being dropped from a malicious Excel file in a phishing campaign.
- Remocs Remote Control and Surveillance Software is now considered a malware family due to the prevalent use amongst threat actors. There are two versions, a professional version, and a free version. The professional version is fully featured and while the free version is limited.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that threat actors will continue to use Remcos RAT in their attack chain due to its low price. Additionally, with Remocs being a “legitimate” application that has been abused by threat actors, it is likely to be overlooked by analysts. To reduce the risk of this type of malware activity it is recommended that organizations implement phishing awareness and simulation exercises that incorporate the techniques outlined in this report. Using Secure Email Gateway (SEG) protection technology that has the ability to detect these malicious attachments can also provide a filtering mechanism so they never make it to the end-user thus reducing the risk of this threat activity even more.
Fresh Phish: Phishers Schedule Victims on Calendar App
- Inky recently discovered threat actors abusing Calendly, a free online appointment scheduling application, to send malicious links in meeting invitations.
- Threat actors inserted a malicious link to preview fake fax documents. If clicked the recipients were redirected to a credential harvesting page that impersonated a Microsoft login page.
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will continue to use legitimate services to send phishing emails as they will not be blocked by anti-phishing filters. Recommended mitigations include adding this technique to end-user phishing awareness training and simulation exercises and implementing a multi-factor authentication solution. Additionally, consider deploying a password management program. Some password managers offer browser extensions and use an automated script that compares the current site’s URL to the database’s URL. If the two don’t match, the manager will not prefill credentials.
Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware
- SOCRadar observed dark web forum posts stating that bugs identified in Lockbit 2.0 will not exist in Lockbit 3.0 and that it is expected to be released within the next couple of weeks.
- According to the forum posts, Lockbit 3.0 addresses bugs identified by security researchers that allowed victims to reverse the encryption. At this time, it is not known what other new features Lockbit 3.0 will introduce.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that Lockbit 3.0 will be released in the second quarter of 2022 and rebranding from Lockbit 2.0 to 3.0 at the same time. At this time, it is not known what improvements will be made, but when Lockbit rebranded to Lockbit 2.0 a new data exfiltration tool was introduced called Stealbit, which allowed for streamlined data exfiltration and victim name posting to their branded leak site. It is recommended that organizations implement a phishing awareness and simulation program and patching known exploited vulnerabilities along with deploying a multi-factor authentication solution.
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
- Mandiant has published their deep dive analysis of FIN7, which includes the tools and tactics they use to compromise company networks.
- Mandiant believes, based on their analysis, that FIN7 is using new malware (STONEBOAT), initial access vectors, and has shifted their overall strategy.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that FIN7 operations may be linked with the deployment of ransomware. Mitigation of FIN7 activity can be achieved by establishing a password management program and implementing a phishing awareness and simulation program. Additionally, the monitoring of PowerShell can reduce risk, as specific commands can indicate possible FIN7 activity.
CISA Adds 11 Vulnerabilities to Known Exploited Vulnerabilities Catalog
- CISA has added 11 new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Notable software affected includes Trend Micro Apex, Sophos Firewall, Microsoft Windows, macOS Monterey, and QNAP.
- Threat actors have been observed actively exploiting these vulnerabilities.
Deepwatch Threat Intel Team strongly urges all customers to prioritize timely remediation of vulnerabilities featured in CISA’s Known Exploited Vulnerabilities Catalog as part of their vulnerability management practice.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.