Cyber Intel Brief: May 11 – 17, 2023

Data Breaches

Cybercriminals Impersonate New Hire, Gain Access, Steal Data

Targeted Industries: All

What You Need To Know:

In a recent incident, industrial cybersecurity company Dragos was targeted by a criminal group in a data breach attempt that involved the exfiltration of sensitive data and intense pressure tactics. The breach, encompassing approximately 130GB+ of data, included personal information concerning Dragos executives and their family members. This cybercriminal organization, driven by financial gain and coercion, displayed proficiency in social engineering techniques and data exfiltration.

Despite attempts to extort the company and employing various tactics, Dragos chose not to negotiate or engage with the cybercriminals, opting instead to actively contain the breach and collaborate with external incident response partners. Measures to prevent future incidents are being implemented, such as fortifying identity and access management infrastructure, enforcing the principle of least privilege, and implementing multi-factor authentication. Dragos has also stressed the gravity of the breach, emphasizing the importance of not downplaying its severity.

Customers are advised to strengthen their own cybersecurity posture by implementing robust identity and access management systems, enforcing the principle of least privilege, and incorporating multi-factor authentication. The intelligence community is actively monitoring the situation and providing further threat hunting guidance. Dragos’ resolute response serves as a testament to the seriousness of data breaches and highlights the need for continued vigilance in the face of cyber threats.


Greatness Phishing-as-a-Service: Targeting Strategies, Tactics, and Countermeasures

Targeted Industries: Manufacturing, Healthcare and Social Assistance, and Information

What You Need To Know:

Cisco Talos has uncovered a phishing-as-a-service (PaaS) platform called Greatness, which has been utilized in multiple phishing campaigns since mid-2022. Talos’ analysis examines the identifiable patterns in Greatness’ targeting strategy, the tactics employed, and the methods used to bypass multi-factor authentication (MFA). Industries such as manufacturing, healthcare, and technology, primarily located in the US, the UK, Australia, South Africa, and Canada, are at higher risk of falling victim to the malicious schemes orchestrated by Greatness.

By examining available data, it becomes evident that Greatness predominantly focuses on organizations within the manufacturing sector, followed closely by the healthcare and technology sectors. These targeted attacks can result in compromised accounts, data leaks, and potentially even ransomware incidents, making it crucial for customers operating in these sectors to remain vigilant. Greatness utilizes a range of tactics, techniques, and procedures (TTPs), including phishing emails with HTML file attachments disguised as shared documents. These attachments connect to the attackers’ server, retrieve phishing pages, and act as a “man-in-the-middle” between the victim and the real login page to steal credentials, which are then delivered to affiliates through Telegram bots or the service’s admin web panel. Moreover, Greatness can bypass MFA by prompting victims to authenticate using the MFA method requested by the legitimate Microsoft 365 page, ultimately leading to the theft of authenticated session cookies.

To mitigate the impact of the Greatness PaaS, organizations are advised to evaluate the risk of allowing HTML attachments in emails and block them if necessary. By adhering to this recommendation and implementing robust threat hunting practices, businesses can enhance their cybersecurity defenses. The discovery of Greatness serves as a stark reminder that the threat landscape continues to evolve, demanding heightened awareness and proactive measures to safeguard sensitive information and networks.
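Because the Greatness lure arrives as an HTML attachment that may carry a misleading file name or MIME type, a mail-filtering check should look at more than the extension. The following is an added example (not code from the brief or from Cisco Talos) that parses a message and flags attachments by three independent signals: file extension, declared content type, and a content sniff of the decoded bytes. The sample message and its attachments are constructed for the example.

```python
"""Flag e-mail attachments that are HTML, including ones whose file name or
declared MIME type disguises the HTML content. Added example; it is not code
from the brief or from Cisco Talos, and the sample message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml", ".mht", ".mhtml")
# Markup an HTML lure needs near the start of the file; matched case-insensitively.
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|iframe|meta)\b", re.I)


def looks_like_html(payload: bytes) -> bool:
    """Content sniff: does the decoded attachment begin with HTML markup?"""
    return bool(HTML_MARKERS.search(payload[:2048].lstrip()))


def find_html_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is, or appears to be, HTML.

    Three independent signals are checked so that renaming the file or
    relabelling its MIME type does not hide it from the filter.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(HTML_EXTENSIONS):
            reasons.append("html-extension")
        if ctype in ("text/html", "application/xhtml+xml"):
            reasons.append("html-content-type")
        if looks_like_html(payload):
            reasons.append("html-content-sniff")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed 'shared document' lure with three attachments."""
    msg = EmailMessage()
    msg["From"] = "docs@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "A document was shared with you"
    msg.set_content("Open the attached document to review it.")
    # 1) openly named HTML attachment: caught by extension, type and content
    msg.add_attachment(b"<!DOCTYPE html><html><body>lure</body></html>",
                       maintype="text", subtype="html",
                       filename="Shared_Document.html")
    # 2) HTML renamed to .pdf with a generic MIME type: caught by content only
    msg.add_attachment(b"<html><body><script>/* loader */</script></body></html>",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf")
    # 3) benign text attachment: not flagged
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_html_attachments(build_sample_message()):
        print(finding)
```

The content sniff is the signal that matters most: the renamed `Invoice.pdf` attachment is caught only by it, which is why a policy that blocks on extension alone leaves a gap.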


MEME#4CHAN Phishing Campaign and XWorm Malware Targeting Manufacturing and Healthcare

Targeted Industries: All; recent campaign focused on Manufacturing and Healthcare and Social Assistance

What You Need To Know:

In a recent blog post by Securonix, the MEME#4CHAN campaign has been identified as a sophisticated phishing operation designed to exploit vulnerabilities and target organizations primarily in the manufacturing and healthcare sectors. The operators behind this campaign employ a range of tactics, techniques, and procedures (TTPs), including phishing emails, obfuscation techniques, and the deployment of the XWorm v3.1 malware.

The intrusion chain used in the MEME#4CHAN campaign combines PowerShell and JavaScript execution, initiated through a malicious Word document file delivered via phishing emails. The attackers exploit a known vulnerability and utilize obfuscation techniques to execute malicious code. Although demonstrating moderate sophistication, the operators appear to lack the resources and knowledge to develop custom payloads, as they rely on publicly available malware.

Motivated by financial gain, the MEME#4CHAN operators cast a broad net, targeting businesses across various industries through phishing emails disguised as hotel booking reservations. This approach suggests limited resources for developing tailored emails. To mitigate the impact of this campaign, strong email filtering, network segmentation, robust user access controls, regular patching, and privileged access management (PAM) solutions are recommended.

Despite their level of sophistication, the recent cracking and publication of the XWorm v3.1 malware online indicate potential limitations in the operators’ capabilities. Nonetheless, the need for vigilance and proactive cybersecurity measures remains crucial to safeguard organizations against evolving threats like MEME#4CHAN.
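The intrusion chain described above (a Word document that goes on to run PowerShell and JavaScript) leaves a recognisable parent/child process pattern in endpoint telemetry. The following is an added example, not code from the brief or from Securonix, that runs that detection over constructed process-creation events: an Office application as the parent of a script interpreter raises an alert, and hidden-window or encoded-command flags on the command line raise the severity. The event format and all hosts, paths and timestamps are constructed.

```python
"""Flag Office applications that spawn script interpreters, the parent/child
process pattern of a document-delivered intrusion chain such as MEME#4CHAN's
Word-to-PowerShell/JavaScript execution. Added example, not from the brief
or from Securonix; the process-creation events below are constructed."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line traits that raise severity: hidden window, encoded command, policy bypass.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|bypass)", re.I)

# key=value tokens; a quoted value may contain spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed process-creation log, one event per line.
SAMPLE_LOG = r'''
ts=2023-05-12T09:01:10Z host=WS01 pid=4120 parent_image="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" cmdline="WINWORD.EXE /n Hotel_Reservation.docx"
ts=2023-05-12T09:01:14Z host=WS01 pid=4388 parent_image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden -enc <redacted>"
ts=2023-05-12T09:01:15Z host=WS01 pid=4402 parent_image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe C:\Users\a\AppData\Local\Temp\stage.js"
ts=2023-05-12T09:02:00Z host=WS01 pid=4510 parent_image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmdline="splwow64.exe 12288"
ts=2023-05-12T09:05:30Z host=WS02 pid=5100 parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File C:\scripts\inventory.ps1"
'''


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict."""
    return {key: (quoted or bare) for key, _, quoted, bare in FIELD.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def detect(log_text: str) -> list:
    """Return one alert per event where an Office app spawns a script host."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            cmdline = ev.get("cmdline", "")
            severity = "high" if SUSPICIOUS_ARGS.search(cmdline) else "medium"
            alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": int(ev["pid"]),
                           "parent": parent, "child": child,
                           "severity": severity, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign events are there on purpose: Word spawning the print helper `splwow64.exe` and Explorer launching an administrator's PowerShell script must not fire, which is why the rule keys on the parent/child pair rather than on PowerShell alone.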


BianLian Ransomware Group: Threat Assessment and Mitigation Strategies

Targeted Industries: Critical Infrastructure, including Professional Services and Property Development. Potential to affect all industries

What You Need To Know:

New cyber threat intelligence analysis provides a comprehensive assessment of the implications and future outlook of the BianLian Ransomware Group, drawing from the joint Cybersecurity Advisory titled “#StopRansomware: BianLian Ransomware Group” by CISA. The analysis focuses on key questions surrounding the group’s targets in specific industries or regions, their typical infection vectors, the specific tactics, techniques, and procedures (TTPs) employed, and recommended mitigations.

Threat Actors

Big Game Hunting Threat Actors Target VMware ESXi Hypervisor

Targeted Industries: All

What You Need To Know:

A recent blog post by CrowdStrike sheds light on the escalating danger posed by big game hunting (BGH) threat actors targeting VMware’s ESXi vSphere hypervisor. These adversaries employ sophisticated techniques to deploy Linux ransomware customized for ESXi, aiming for financial gain and disruption of critical infrastructure. Because the hypervisor is widely deployed and does not support third-party agents, threat actors actively compromise servers by exploiting vulnerabilities, underlining the urgency for proactive security measures.

Since 2020, BGH threat actors have been increasingly deploying Linux ransomware tailored for VMware’s ESXi vSphere hypervisor, leveraging Ransomware-as-a-Service (RaaS) platforms like Alphv, Lockbit, and Defray. ESXi’s widespread adoption as a virtualization and management system, coupled with its lack of third-party agent or antivirus software support, presents an attractive target. Notably, vulnerabilities such as CVE-2020-3992 and CVE-2021-21974 in ESXi’s OpenSLP service have been actively exploited. To compromise ESXi servers, threat actors employ various intrusion vectors, including credential theft and VM escapes.

To mitigate the risk, organizations are advised to implement protective measures such as avoiding direct access to ESXi hosts, utilizing hardened jump servers, and regularly backing up ESXi datastore volumes. As virtualization technology continues to expand, adversaries are expected to persistently target VMware-based infrastructure, necessitating heightened security measures.

Threat Actors

Lancefly APT Deploys Custom Backdoor in Targeted Campaigns

Targeted Industries: Government, Aviation, Education, and Telecommunication

What You Need To Know:

Symantec’s recent blog post exposes the activities of the Lancefly advanced persistent threat (APT) group and their highly targeted campaigns against government, aviation, education, and telecommunication sectors in South and Southeast Asia. Lancefly employs a custom backdoor named Merdoor, along with the ZXShell rootkit, to carry out their intrusion chain, compromising networks through various infection vectors such as phishing emails, SSH brute force, and exploitation of exposed servers. While the full impact of their activities remains unclear, their sophisticated techniques and adaptability pose a significant threat to the targeted organizations in the region.

Merdoor, a fully-featured backdoor, enables Lancefly to establish itself as a service, log keystrokes, and communicate with its command-and-control server using multiple methods, including HTTP, HTTPS, DNS, UDP, and TCP. The backdoor is injected into legitimate processes, while the updated ZXShell rootkit enhances the group’s capabilities by providing additional functions and the ability to disable antivirus software. Although the exact motivation behind Lancefly’s campaigns is not known, their persistent presence underscores the importance for organizations to implement strong network segmentation, regularly update software, conduct security audits, and enhance employee awareness and training programs to mitigate the impact of their activities.

Threat Actors

Latest Additions to Data Leak Sites

Targeted Industries: Manufacturing, Healthcare and Social Assistance, Information, Transportation and Warehousing, and Other Services

What You Need To Know:

In the relentless onslaught of ransomware attacks, monitored threat groups have recently added 32 victims to their leak sites, underscoring the pervasive and indiscriminate nature of this cybercrime wave. Among the listed victims, 19 are based in the United States. The manufacturing sector bore the brunt of these attacks, with 11 victims identified, followed closely by the information and educational services industries, with nine and eight victims respectively. However, it is important to note that while cybercriminals claim to have compromised these victims, the veracity of their assertions cannot be independently confirmed, adding another layer of complexity to this ever-evolving threat landscape.

Threat Actors

CISA Adds 7 CVEs to its Known Exploited Vulnerabilities Catalog

Targeted Industries: All

What You Need To Know:

In the ever-evolving landscape of cybersecurity, the CISA Known Exploited Vulnerabilities Catalog has recently added seven vulnerabilities. Among the newly listed vulnerabilities, Ruckus Wireless, a prominent vendor, has been flagged for Cross-Site Request Forgery (CSRF) and Remote Code Execution (RCE) vulnerabilities across multiple products (CVE-2023-25717). Red Hat’s Polkit has been identified with an Incorrect Authorization Vulnerability (CVE-2021-3560), and the Linux Kernel is affected by a Race Condition Vulnerability (CVE-2014-0196) and an Improper Input Validation Vulnerability (CVE-2010-3904).

The list further includes Jenkins User Interface (UI), which has been found to have an Information Disclosure Vulnerability (CVE-2015-5317). Oracle’s Java SE and JRockit have an unspecified vulnerability (CVE-2016-3427), and Apache’s Tomcat has been identified with a Remote Code Execution Vulnerability (CVE-2016-8735). It is crucial to apply updates or follow vendor instructions promptly to mitigate these vulnerabilities, with a CISA due date set for June 2, 2023.
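Tracking KEV additions against a due date is a routine that is easy to automate. The following is an added example, not CISA's or the brief's code, that indexes a catalog excerpt by CVE ID, matches it against an asset inventory, and reports which findings are past their remediation date. The excerpt uses the KEV JSON feed's field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `requiredAction`) and the seven CVE IDs and June 2, 2023 due date named above; the `dateAdded` values, vulnerability names, required-action text and the asset inventory are constructed for the example.

```python
"""Cross-reference an asset inventory against the CISA Known Exploited
Vulnerabilities (KEV) catalog and report which entries apply to which asset
and whether the remediation due date has passed. Added example, not CISA's
or the brief's code. Field names follow the KEV JSON feed; dateAdded values,
vulnerability names, required-action text and the inventory are constructed."""
import json
from datetime import date


def _entry(cve, vendor, product, name):
    """Build one catalog entry in the feed's shape (constructed values)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": "2023-05-12",
            "dueDate": "2023-06-02",
            "requiredAction": "Apply updates per vendor instructions."}


# Constructed excerpt: the seven additions named in the brief.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        _entry("CVE-2023-25717", "Ruckus Wireless", "Multiple Products", "Ruckus Wireless CSRF and RCE Vulnerability"),
        _entry("CVE-2021-3560", "Red Hat", "Polkit", "Red Hat Polkit Incorrect Authorization Vulnerability"),
        _entry("CVE-2014-0196", "Linux", "Kernel", "Linux Kernel Race Condition Vulnerability"),
        _entry("CVE-2010-3904", "Linux", "Kernel", "Linux Kernel Improper Input Validation Vulnerability"),
        _entry("CVE-2015-5317", "Jenkins", "User Interface (UI)", "Jenkins UI Information Disclosure Vulnerability"),
        _entry("CVE-2016-3427", "Oracle", "Java SE and JRockit", "Oracle Java SE and JRockit Unspecified Vulnerability"),
        _entry("CVE-2016-8735", "Apache", "Tomcat", "Apache Tomcat Remote Code Execution Vulnerability"),
    ],
})

# Constructed inventory: asset name -> CVE IDs reported by a scanner.
INVENTORY = {
    "ap-lobby-01": ["CVE-2023-25717"],
    "ci-build-02": ["CVE-2015-5317", "CVE-2016-8735"],
    "web-03": ["CVE-2016-8735", "CVE-2014-0196"],
    "db-04": ["CVE-2021-3560", "CVE-2099-0001"],  # second ID is a placeholder not in KEV
}


def load_catalog(raw_json: str) -> dict:
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def kev_findings(catalog: dict, inventory: dict, today: date) -> list:
    """One finding per (asset, CVE) pair that appears in the catalog."""
    findings = []
    for asset, cves in sorted(inventory.items()):
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but outside this report
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"asset": asset, "cve": cve,
                             "vendor": entry["vendorProject"],
                             "product": entry["product"],
                             "due": entry["dueDate"],
                             "days_past_due": (today - due).days,
                             "overdue": today > due})
    return findings


def summarize(findings: list) -> dict:
    """The counts a security lead asks for first."""
    return {"matches": len(findings),
            "overdue": sum(1 for f in findings if f["overdue"]),
            "assets": len({f["asset"] for f in findings})}


if __name__ == "__main__":
    catalog = load_catalog(KEV_EXCERPT)
    report = kev_findings(catalog, INVENTORY, date.today())
    print(summarize(report))
    for finding in report:
        print(finding)
```

For live use, replace `KEV_EXCERPT` with the contents of the published feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the functions do not change, since the excerpt already mirrors the feed's structure.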

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

