Cyber Intel Brief: May 19 – 25, 2022
By Eric Ford
Rise in XorDdos: A Deeper Look at the Stealthy DDoS Malware Targeting Linux Devices
- Microsoft has seen a 254% increase in activity for the XorDdos Linux trojan over the last six months. The malware primarily gains access by brute-forcing Linux servers using SSH. Additionally, Microsoft has observed later infections (although not directly dropped by XorDdos) of the Tsunami backdoor and XMRig coin miner.
- Observation of this activity may be possible by monitoring for SSH brute force activity on Linux devices.
Mitigation recommendations include establishing an account lockout policy, implementing and enforcing multi-factor authentication, employing an anti-virus or EDR solution, and finally, assessing the risks of having SSH exposed to the internet without any security restrictions in places.
Beneath the Surface: Uncovering the Shift in Web Skimming
- Observation of this activity may be possible by monitoring for image file addition/creation activity in the /media/wysiwyg/ directory.
Mitigation recommendations include ensuring that e-commerce platforms, content management systems, and installed plugins are up to date with the latest security patches; only utilizing third-party plugins and services from reputable sources; auditing your web assets on a regular basis for any compromised or questionable content; changing default login credentials on all systems; segregating and segmenting network systems; implementing a strong password management program and enforcing multi-factor authentication.
PDF Malware Is Not Dead Yet
- HP Wolf Security observed a threat actor employing a PDF during a phishing campaign that ultimately led to the Snake Keylogger being dropped on the victim’s computer. The PDF used a pop-up that tricked users into opening a .docx file embedded as an object that downloaded shellcode from a remote server that exploited a vulnerability in Microsoft’s Equation Editor, tracked as CVE-2017-11882.
- Observation of this activity may be possible by monitoring for suspicious outbound web activity from Microsoft Word processes.
Mitigation recommendations include ensuring Microsoft Office is up to date with the latest patches and incorporating the TTPs outlined in the report, such as opening embedded documents in PDFs, in your phishing awareness training and simulation exercise program.
Raising Phishing Integrity – Misleading Victims In Order to Deliver Qakbot
- Sygnia observed a Qakbot phishing campaign sending hijacked emails exfiltrated from previous Exchange server compromises with links to ZIP archives that had been uploaded to compromised domains. Within the archive was an Office document that, once the recipient enabled macros, would drop the Qakbot payload. During their analysis, Sygnia identified approximately 350 domains that may be compromised with similar ZIP archives. Of these domains, the analysis revealed that 82% of them were running the web hosting software cPanel, which if the cPanel package cpanel-dovecot-solr is installed is vulnerable to the Log4j vulnerability.
- Observation of this activity may be possible by monitoring for ZIP archives being downloaded followed by suspicious network/process activity.
Mitigation recommendations include incorporating the TTPs outlined in the report in your phishing awareness training and simulation exercise program, employing an anti-virus or EDR solution that can automatically quarantine suspicious files, use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM), and finally, following Deepwatch’s guidance and recommendations on Log4Shell provided in our Significant Cyber Event here.
Interactive Phishing: Using Chatbot-like Web Applications to Harvest Information
- Trustwave encountered a phishing website that incorporated a chatbot in a recent email phishing campaign. The phishing emails spoofed DHL and included a link directing the recipient to download a PDF with a button or URL to the website. The chatbot has predefined responses and will eventually lure the victim into inputting an email and password. If the victim clicks the “Schedule Delivery and Pay” button, the victim is redirected to a separate page used to harvest credit card details.
- Observation of this activity may be possible by monitoring for suspicious email with modified headers and links.
Mitigation recommendations include incorporating the TTPs outlined in the report in your phishing awareness training and simulation exercise program, using anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM), and finally, regularly auditing user accounts for activity and deactivating or removing any that are no longer needed.
CISA Adds 41 Vulnerabilities to the Known Exploited Vulnerabilities Catalog
- CISA has added 41 vulnerabilities to its Known Exploited Vulnerabilities Catalog based on reliable evidence that these vulnerabilities have been actively exploited in the wild.
- Some of the software affected include Microsoft Windows, Internet Explorer, Apple iOS, and QNAP Network Attached Storage Devices.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, as part of their vulnerability management process.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.