Cyber Intel Brief: Nov 3 – 9, 2022

Phishing

Emotet Resumes Phishing Campaign

Impacted Industries: All

What You Need To Know:

Several sources are reporting that Emotet phishing campaigns have resumed. Emotet’s latest campaign introduces a new Excel attachment template, instructing users to copy the file into the trusted ‘Templates’ folders, bypassing Microsoft Office protections.

Analyst Note: From samples uploaded to VirusTotal, the Deepwatch Adversary Tactics and Intelligence (ATI) Threat Intel Team noticed several documents targeting English-, German-, and Italian-speaking users, with file names masquerading as invoices, scans, electronic forms, and other lures. Even though Microsoft displays a pop-up warning the user that copying a file into the ‘Templates’ folder requires “administrator” permissions, the user can click the continue button to save the document to the Templates folder. When the user launches the attachment from the ‘Templates’ folder, it will open and immediately execute macros that download the Emotet malware.
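The user-driven copy into the Templates folder leaves a detectable sequence in endpoint telemetry: a document written to that folder by something other than Office itself, followed by an Office process opening that same file. The detection below is an added example written for this brief, not Deepwatch or Microsoft code; it runs over constructed Sysmon-style events (file-create and process-create records with made-up paths) and assumes those two event types are available.

```python
import re

# Constructed Sysmon-style events (not real telemetry); EventID 11 = FileCreate,
# EventID 1 = ProcessCreate. Paths and the user name are made up.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
TEMPL = r"C:\Users\alice\AppData\Roaming\Microsoft\Templates"
SAMPLE_EVENTS = [
    # Word maintaining its own Normal.dotm: expected, must not alert
    {"EventID": 11, "Image": OFFICE16 + r"\WINWORD.EXE",
     "TargetFilename": TEMPL + r"\Normal.dotm"},
    # user copies the lure into Templates via Explorer, as the lure instructs
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": TEMPL + r"\Invoice_2022-11-04.xls"},
    # user then launches the lure from the Templates folder
    {"EventID": 1, "Image": OFFICE16 + r"\EXCEL.EXE",
     "CommandLine": f'"{OFFICE16}\\EXCEL.EXE" "{TEMPL}\\Invoice_2022-11-04.xls"'},
]

TEMPLATES_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\", re.I)
OFFICE_DOC = re.compile(r"\.(xls[xmb]?|xlt[xm]?|doc[xm]?|dot[xm]?)$", re.I)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_templates_abuse(events):
    """Return (severity, rule, path) tuples. A document written into the
    Templates folder by a non-Office process is a weak signal on its own;
    an Office application later opening that same file is a strong one."""
    dropped = set()
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            path = ev["TargetFilename"]
            if not (TEMPLATES_DIR.search(path) and OFFICE_DOC.search(path)):
                continue
            if _basename(ev["Image"]) in OFFICE_APPS:
                continue  # Office managing its own templates (e.g. Normal.dotm)
            dropped.add(path.lower())
            alerts.append(("low", "doc_copied_into_templates", path))
        elif ev["EventID"] == 1 and _basename(ev["Image"]) in OFFICE_APPS:
            cmd = ev.get("CommandLine", "").lower()
            for path in dropped:
                if path in cmd:
                    alerts.append(("high", "office_opened_doc_from_templates", path))
    return alerts

if __name__ == "__main__":
    for alert in detect_templates_abuse(SAMPLE_EVENTS):
        print(alert)
```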


Malware

SocGholish Expands Malware Server Infrastructure

Impacted Industries: All

What You Need To Know:

SentinelOne reports that SocGholish operators have been significantly diversifying and expanding their infrastructure for staging malware with new servers, introducing an average of 18 new malware-staging servers per month. Threat actors have mainly hosted the second-stage SocGholish servers on shadow subdomains of compromised websites. However, SentinelOne has observed a second-stage server hosted on an Amazon Web Services domain.

Analyst Note: SocGholish threat actors added 73 new second-stage malware servers to their infrastructure between July and October, and we expect more second-stage malware servers to follow. By quickly adding and removing second-stage malware servers from their infrastructure, the SocGholish operators can better avoid detection, increasing their chances of success. We assess that the threat actors may also use cloud-hosted servers in future campaigns.


Techniques

Windows Credential Roaming Leads to Privilege Escalation

Impacted Industries: Public Administration; likely all customers

What You Need To Know:

Mandiant discovered a privilege elevation vulnerability in the Windows Credential Roaming Service while researching an APT29 phishing incident. Mandiant observed APT29 querying LDAP attributes related to the storage of encrypted user credential token BLOBs used by Microsoft’s Credential Roaming feature in Active Directory.

Analyst Note: We assess that threat actors will continue to read open-source reporting and apply that information in future operations against organizations of interest. Mandiant identified several situations that could allow a threat actor to abuse the Credential Roaming feature. Mandiant reported the vulnerability to Microsoft, which assigned CVE-2022-30170 and released patches to address the issue. It is possible APT29 was attempting to exploit this vulnerability. However, Mandiant could not determine how (or if) this attribute is used in Credential Roaming.


Techniques

Five DLL Sideloading Attacks May Be Related

Impacted Industries: All

What You Need To Know:

Sophos investigated five cases of DLL sideloading and identified the use of the same loader shellcode and the same malicious server in all five incidents. In each case the threat actor abused a legitimate executable to sideload a malicious DLL. Adversaries use DLL sideloading to perform actions under a legitimate, trusted, and potentially elevated system or software process.

Analyst Note: Numerous threat actors use DLL sideloading to execute their malicious payloads for persistence, privilege escalation, and defense evasion. Threat actors will likely continue directly sideloading their payloads by planting and then invoking a legitimate application that executes their payload(s). However, adversaries may also plant the malicious DLL within the search order of a program and then wait for the end user to use the targeted application to execute the malicious DLL.


Exploited Vulnerabilities

CISA Adds 7 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog. The affected software includes Microsoft Windows and Samsung mobile devices.

Analyst Note: Multiple sources routinely report exploitation of public-facing applications as one of the top initial infection vectors. The vulnerabilities added this week could allow a threat actor to elevate privileges or bypass access controls. Threat actors will likely ramp up exploitation of the newly listed vulnerabilities within the next two weeks. However, we cannot rule out the possibility that threat actors could switch to other tactics & techniques to gain initial access.


Research

AgentTesla: Top Malware Variant for October

Impacted Industries: All

What You Need To Know:

Check Point’s research on October data shows that AgentTesla was the most prevalent malware strain; the educational services sector was the most targeted; and the most exploited vulnerabilities included Log4j, a string of vulnerabilities affecting HTTP headers, and a string of vulnerabilities affecting web servers.

Analyst Note: Four of the top five malware strains are infostealers, and threat actors frequently use these stealers to gain initial access to targeted organizations for data encryption and exfiltration.


Research

Mandiant Published Cybersecurity Forecasts for 2023

Impacted Industries: All

What You Need To Know:

In 2023, Mandiant expects to see threat actors find new ways to steal user identities. Mandiant has observed small indicators that show ransomware activity is decreasing in the United States and growing in Europe, and expects to see threat actors rely more on data extortion and less on encryption. In addition, threat actors will continue studying the blogs and research of analysts in the security community. They will do this to learn offensive TTPs, defensive strategies, and how to exploit vulnerabilities.

Analyst Note: Threat actors read OSINT reports to apply the TTPs in their operations, improve their defensive strategies, and learn how to exploit vulnerabilities. This highlights the importance of incorporating open-source threat intelligence into your own security practices, even when a given report may not be readily applicable to your situation.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
