Cyber Intel Brief: Nov 24 – 30, 2022

Exploited Vulnerabilities

Threat Actor Selling Access to Multiple Fortinet VPNs

Impacted Industries: All

What You Need To Know:

Cyble reported a threat actor (TA) is selling access to multiple Fortinet VPNs over one of the Russian cybercrime forums. While analyzing the access, Cyble found that the TA was attempting to add their own public key to the admin user’s account and assessed that the TA behind this access exploited CVE-2022-40684.

Analyst Note: Cyble’s sensors have observed threat actors targeting Fortinet instances since 17 October 2022. According to a Shodan search, more than 124,000 FortiGate firewalls are reachable from the Internet. According to GreyNoise, there have been 30 unique IPs displaying exploitation attempt behaviors associated with FortiOS vulnerability between 22 November and 25 November. The highest number of unique IPs observed occurred on Thanksgiving (24 November).
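The post-exploitation step described above, an attacker writing their own SSH public key into a FortiGate administrator account, leaves a configuration-change record on the firewall. The detector below is an added example, not code from the brief, Cyble or Fortinet: it parses constructed events written in FortiGate-style `key="value"` syslog form (the field names `cfgpath`, `cfgobj`, `cfgattr`, `ui` and `user` are assumptions for this example) and flags any change to an SSH public key attribute on an admin object, raising the severity when the change did not originate from an assumed allowlist of management hosts.

```python
import re

# Constructed sample events in FortiGate-style key="value" syslog form.
# Field names and values are assumptions for this example, not real device output.
SAMPLE_LOGS = [
    'date=2022-11-24 time=03:12:41 type="event" subtype="system" user="admin" '
    'ui="https(192.0.2.10)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'cfgattr="comments[]" msg="Edit firewall.policy 12"',
    'date=2022-11-24 time=03:15:09 type="event" subtype="system" user="admin" '
    'ui="https(198.51.100.7)" action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="ssh-public-key1[*]" msg="Edit system.admin admin"',
    'date=2022-11-24 time=09:40:33 type="event" subtype="system" user="ops_admin" '
    'ui="https(192.0.2.10)" action="Edit" cfgpath="system.admin" cfgobj="ops_admin" '
    'cfgattr="ssh-public-key2[*]" msg="Edit system.admin ops_admin"',
    'date=2022-11-24 time=09:41:02 type="event" subtype="system" user="ops_admin" '
    'ui="https(192.0.2.10)" action="Edit" cfgpath="system.admin" cfgobj="ops_admin" '
    'cfgattr="trusthost1" msg="Edit system.admin ops_admin"',
]

# Hosts from which administrative changes are expected (assumed allowlist).
MANAGEMENT_HOSTS = {"192.0.2.10"}

# key=value pairs; quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Source address embedded in the ui field, e.g. https(192.0.2.10).
UI_ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_event(line: str) -> dict:
    """Split one syslog line into a field dictionary, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def source_address(ui: str) -> str:
    """Return the IPv4 address recorded in the ui field, or None."""
    match = UI_ADDR_RE.search(ui or "")
    return match.group(1) if match else None


def find_ssh_key_changes(lines):
    """Flag every edit of an ssh-public-key attribute on a system.admin object.

    Any such change deserves review; a change from a host outside the
    management allowlist is rated high because it matches the behaviour
    described in the brief (a foreign key added to an admin account).
    """
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("cfgpath") != "system.admin":
            continue
        if not event.get("cfgattr", "").startswith("ssh-public-key"):
            continue
        addr = source_address(event.get("ui"))
        findings.append({
            "when": f"{event.get('date')} {event.get('time')}",
            "account": event.get("cfgobj"),
            "changed_by": event.get("user"),
            "source": addr,
            "severity": "high" if addr not in MANAGEMENT_HOSTS else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_ssh_key_changes(SAMPLE_LOGS):
        print(finding)
```

Only the two SSH key edits are reported; the policy comment edit and the `trusthost1` change are ignored by this rule. The first finding is rated high because it came from an address outside the allowlist, which is the pattern to alert on even if the `user` field shows a legitimate admin name.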


Exploited Vulnerabilities

CISA Adds 2 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog. The affected software includes Oracle Fusion Middleware and Google’s open-source web browser Chromium. The Oracle Fusion Middleware vulnerability allows an unauthenticated threat actor with network access via HTTP to take over the Access Manager product. Chromium contains a heap buffer overflow vulnerability that potentially allows a remote threat actor who has already compromised the renderer process to escape the sandbox via a crafted HTML page.

Analyst Note: Threat actors will likely ramp up exploitation of the newly listed vulnerabilities within the next two weeks. However, we cannot rule out the possibility that threat actors could switch to other tactics and techniques to gain initial access. We base this assessment on CISA documenting the vulnerabilities in its Known Exploited Vulnerabilities Catalog and the likelihood that organizations will prioritize remediation of these vulnerabilities.


Ransomware

Vice Society Claims Responsibility for Attack on Community College

Impacted Industries: Educational Services

What You Need To Know:

According to Bleeping Computer, the Vice Society ransomware operation claims responsibility for an early November ransomware incident at Cincinnati State Technical and Community College. According to the article, the threat actors posted the stolen data, dating from several years ago up to 24 November 2022, to their Tor leak site. It is unknown whether the threat actors still have access to the college’s network, given that some leaked documents date to Thanksgiving Day.

Analyst Note: Limited information is available regarding initial access and follow-on actions. However, according to a joint Cybersecurity Advisory, Vice Society “likely obtain initial network access through compromised credentials by exploiting internet-facing applications.” Vice Society will likely continue targeting the education sector with a focus on K-12 school districts and college institutions. We expect activity to increase during the winter 2022 school break to improve the threat actor’s chances of avoiding detection and hamper incident response.


Ransomware

Quantum Ransomware Affiliate Uses Emotet to Gain Initial Access

Impacted Industries: All

What You Need To Know:

The DFIR Report observed a threat actor gaining access to its honeypots in June via Emotet and operating for eight days from initial intrusion to ransomware deployment, using numerous legitimate programs to facilitate the attack. Most threat actor activity occurred before or after regular US business hours, when most staff are expected to be out of the office. The threat actors exfiltrated at least 250MB of data from the environment, including revenue, insurance, and password storage documents.

Analyst Note: During the third day of the intrusion, the threat actor operated at approximately 7:30 AM EST, ceasing operations and then resuming actions again at approximately 4:15 PM EST. Ransomware was deployed and executed at approximately 8:00 PM EST on the eighth day. According to AdvIntel’s Yelisey Boguslavskiy, the group has established extensive alliances, prioritizing IcedID and Emotet botnets. The Adversary Tactics and Intelligence team assesses that Quantum ransomware affiliates likely gain initial access via IcedID and Emotet and employ different TTPs post access.
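The timing pattern described above, with the bulk of hands-on activity falling before or after US business hours, is something a SOC can score directly from timeline data. The script below is an added example, not code from the brief or The DFIR Report: it takes constructed intrusion timeline events with UTC timestamps, converts them to US Eastern time, and labels each as inside or outside an assumed 08:00 to 18:00 Monday to Friday business window, so the off-hours share of an intrusion can be computed the way the brief reasons about it.

```python
from datetime import datetime, time, timedelta, timezone

# Prefer the IANA zone so daylight saving is handled; fall back to a fixed
# EST offset (assumption) when the host lacks a tz database.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/New_York")
except Exception:
    LOCAL_TZ = timezone(timedelta(hours=-5), "EST")

# Assumed business window; adjust to the organisation being defended.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
WORKDAYS = range(0, 5)  # Monday (0) to Friday (4)

# Constructed timeline: (UTC timestamp, description). The times mirror the
# shape of the intrusion in the brief (early-morning start, late-day resume,
# weekend staging, evening ransomware) but are not the original case data.
SAMPLE_EVENTS = [
    ("2022-11-14T12:30:00Z", "Emotet loader executed on workstation"),   # 07:30 EST Mon
    ("2022-11-14T21:15:00Z", "Remote management tool installed"),        # 16:15 EST Mon
    ("2022-11-19T15:00:00Z", "Archives staged on file server"),           # 10:00 EST Sat
    ("2022-11-22T01:00:00Z", "Ransomware executed across domain"),       # 20:00 EST Mon
]


def to_local(ts_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp (trailing Z) into local time."""
    parsed = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return parsed.astimezone(LOCAL_TZ)


def is_off_hours(local_dt: datetime):
    """Return (off_hours, reason) for a timezone-aware local datetime."""
    if local_dt.weekday() not in WORKDAYS:
        return True, "weekend"
    if local_dt.time() < BUSINESS_START:
        return True, "before business hours"
    if local_dt.time() >= BUSINESS_END:
        return True, "after business hours"
    return False, "business hours"


def classify(events):
    """Label every event with its local time and off-hours status."""
    rows = []
    for ts, description in events:
        local = to_local(ts)
        off, reason = is_off_hours(local)
        rows.append({
            "local": local.strftime("%a %Y-%m-%d %H:%M"),
            "event": description,
            "off_hours": off,
            "reason": reason,
        })
    return rows


def off_hours_share(events):
    """Return (off_hours_count, total_count) for a timeline."""
    rows = classify(events)
    return sum(1 for r in rows if r["off_hours"]), len(rows)


if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS):
        print(row)
    print("off-hours share:", off_hours_share(SAMPLE_EVENTS))
```

Three of the four constructed events land outside the business window. Feeding a real timeline through the same function gives a quick, defensible figure for how much of an intrusion happened while nobody was watching, which is a useful input when deciding whether after-hours alerting thresholds need tightening.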


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
