Cyber Intel Brief: May 04 – 10, 2023


Kimsuky Malware Observed in Latest Campaign Updated With New Recon Component

Impacted Industries: Professional, Scientific, and Technical Services; Educational Services; and Public Administration

What You Need To Know:

On 04 May 2023, SentinelOne reported that Kimsuky, a North Korean APT group, updated its reconnaissance component, RECONSHARK, of the BABYSHARK malware. Kimsuky then used a macro-enabled Word document hosted on OneDrive to deliver spear-phishing emails with the OneDrive link. The updated malware can deploy further payloads and send the collected information to the command and control server via HTTP POST requests. The campaign targets subject matter experts, think tanks, educational institutions, and government entities in North America, Asia, and Europe, with customers in professional, scientific, and technical services, educational services, and public administration industries most likely to be affected. The threat is most likely limited and operating now due to Kimsuky’s specific targeting profile to gather intelligence on nuclear issues involving China and North Korea with reconnaissance and weaponization activities for future targeting. ATI recommends mitigative action occur within the normal business cycle, which includes end-user training, and setting a Group Policy or Application Control framework that blocks the execution of mshta.exe.


The FBI Disrupts the FSB’s Cyber Espionage Snake Malware Network; Release Joint Cybersecurity Advisory

Impacted Industries: Public Administration, Educational Services, Other Services, and Financial Services

What You Need To Know:

On 09 May 2023, the Justice Department announced the completion of an operation (Operation MEDUSA) to disrupt the Snake malware’s network of approximately 15 to 25 US-based compromised computers “used in or affecting interstate or foreign commerce or communication,” located in California, New York, Oregon, South Carolina, Georgia, Connecticut, and Maryland. Additionally, a Joint Cybersecurity Advisory was issued to help organizations detect and remove Snake malware infections. The operation permanently disabled Snake malware on US-based compromised computers that meet the US definition of a “protected computer,” which is a computer “used in or affecting interstate or foreign commerce or communication.” Customers with computers that meet the protected computer definition have a higher probability of having been compromised, whose impact will cause moderate or significant damage leading to either the computer being used to route Snake malware traffic or exfiltration of highly sensitive data. 

We assess that the number of compromised computers is less than 500 globally based on Turla selectively compromising hundreds of computers in at least 50 countries worldwide, and come with a file that lists four to 10 other hop-point IP addresses. It is unlikely that the operation dismantled the entire Snake malware network, and it is likely still operational Furthermore, Turla can update existing compromised computers and is likely developing the next iteration to prevent the actions the FBI took recently and reconstitute its US-based network hop points. ATI recommends mitigative action occur within the normal business cycle, which includes changing credentials, and applying updates.


Cybercriminal Abuses Form Service Provider to Steal Credentials

Impacted Industries: All

What You Need To Know:

On 08 May 2023, McAfee reported a phishing campaign primarily targeting the US, using an attached server-parsed HTML (.shtml) file to steal credentials. The attachment code displays a fake sign-in popup box, sending credentials to the form service provider Formspree, who forwards them to an email address. Cybercriminals are likely conducting opportunistic targeting rather than specific organizations or industries against a limited to moderate number of organizations to avoid exceeding form service providers’ free plan submission limits. We assess that this campaign is operating now, as the form service provider URLs appear operational. There is a lower probability that the cybercriminal is developing future campaigns due to the form submission limits imposed by the service providers. ATI recommends mitigative action occur within the next few weeks, which includes evaluating the risk of allowing web traffic to form service providers, like Formspree and Formspark, ensuring multi-factor authentication is employed.

Exploited Vulnerabilities

Iran APT Groups Exploit Papercut Vulnerability

Impacted Industries: Educational Services, Public Administration, and Other Services

What You Need To Know:

In an update to our intelligence brief titled PaperCut Exploitation Leads to Truebot and Cryptomining, on 04 May 2023, VulnCheck published a proof-of-concept exploit for the Papercut print management software that bypasses known detections. In addition, Microsoft observed Iranian state-sponsored threat actors, Mint Sandstorm and Mango Sandstorm, exploiting the vulnerability. While Mint Sandstorm’s exploitation was opportunistic and impacted organizations globally, Mango Sandstorm’s activity remains low. The exploitation attempts are likely focused on intelligence gathering against targets of interest to the Iranian government. However, there is a chance that a smaller subset of internet-exposed Papercut servers may be targeted for destructive activity and ransomware deployment. Education and research institutions and governmental/political service organizations using vulnerable versions have a higher probability of compromise, causing considerable to significant damage such as resource/data theft, data/system destruction, and data encryption resulting in financial loss. 

ATI recommends mitigative action occur within the normal business cycle and the next few weeks for education and research institutions and governmental and political service organizations,which includes upgrading the PaperCut server to a patched version by following the PaperCut advisory, and implementing the threat hunting guidance found in Appendix A.

Exploited Vulnerabilities

CISA Adds CVE-2023-29336 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

On 09 May, CISA added CVE-2023-29336 to its Known Exploited Vulnerabilities Catalog. CVE-2023-29336 affects Microsoft’s Win32k, which  contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges. Users are advised to apply updates per vendor instructions for each vulnerability, with CISA recommending mitigation due date of 30 May 2023.

Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Manufacturing, Information, Educational Services, Professional Services, and Healthcare and Social Assistance

What You Need To Know:

In the past week, monitored ransomware threat groups added 61 victims to their leak sites. Of those listed, 27 are based in the US. The most popular industry listed was manufacturing  with 11 victims. Followed by nine in information, eight in educational services, six in professional services, and five in healthcare and social assistance.This information represents victims whom cybercriminals may have successfully attacked but opted not to negotiate or pay a ransom. However, we can not confirm the validity of the cybercriminals’ claims.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog