Cyber Intel Brief: Oct 6 – 12, 2022

Malware

The Threat of BazarCall Campaigns

Impacted Industries: All

What You Need To Know:

A recent Trellix report details a BazarCall campaign that delivers a fake notification email informing the recipient of a charge levied on their account for the purchase or renewal of a product or subscription and instructing them to call a phone number.

Trellix found that each phishing email carries a unique ID that the threat actor asks for in every call script. The threat actors maintain a database keyed on each ID containing details of the specific email sent to the target. During the call, the threat actors direct the target to visit a website, enter a code, and download a file.

The downloaded file is a ClickOnce Security and Deployment Application file (“.application” extension) that drops multiple files on the target’s system. Trellix found that the dropped files belong to ScreenConnect remote support software, giving the threat actor remote access to the target’s computer.


Malware

Potential TTPs Used in Future IcedID Campaigns

Impacted Industries: All

What You Need To Know:

According to Team Cymru’s telemetry, the most common and successful delivery method in an IcedID campaign is a password-protected ZIP archive containing an ISO image, which in turn contains an LNK file. The second most successful campaign leveraged PrivateLoader.

Command and control (C2) communication observed by Team Cymru lasted an average of six days before ending, with four or five C2 IPs generally active at a time. Team Cymru observed the threat actors assign the C2 domain to a new IP the day before or the day of the campaign and use it both for inbound victim traffic on port 80 and for Tier 1 to Tier 2 communications, with traffic on both beginning the same day.
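The infrastructure pattern above (a C2 domain re-pointed to a fresh IP a day before victims start connecting on port 80) can be turned into a simple detection over passive DNS and flow data. The following is an added example, not from the Team Cymru report; the passive-DNS records, flow records, domains, and IP addresses are all constructed for illustration.

```python
from datetime import date

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen).
# The first domain is re-pointed to a new IP on 9 October.
PDNS = [
    ("example-cdn.test", "203.0.113.10", date(2022, 10, 4)),
    ("example-cdn.test", "203.0.113.55", date(2022, 10, 9)),
    ("docs.example.test", "198.51.100.7", date(2022, 1, 15)),
]

# Constructed outbound flow records: (date, dst_ip, dst_port).
FLOWS = [
    (date(2022, 10, 10), "203.0.113.55", 80),
    (date(2022, 10, 10), "203.0.113.55", 80),
    (date(2022, 10, 10), "198.51.100.7", 443),
    (date(2022, 10, 10), "198.51.100.7", 80),
]


def first_contact(flows, port=80):
    """Earliest date each destination IP was contacted on the given port."""
    first = {}
    for day, ip, dport in flows:
        if dport == port and (ip not in first or day < first[ip]):
            first[ip] = day
    return first


def fresh_c2_candidates(pdns, flows, max_age_days=1, port=80):
    """Flag IPs whose DNS mapping appeared at most max_age_days before the
    first outbound contact on `port`, matching the "staged the day before"
    behaviour described for IcedID C2 domains."""
    contact = first_contact(flows, port)
    hits = []
    for domain, ip, seen in pdns:
        if ip not in contact:
            continue
        age = (contact[ip] - seen).days
        if 0 <= age <= max_age_days:
            hits.append((domain, ip, seen, contact[ip]))
    return hits


if __name__ == "__main__":
    for domain, ip, seen, first in fresh_c2_candidates(PDNS, FLOWS):
        print(f"{domain} -> {ip}: mapped {seen}, first port-80 contact {first}")
```

Long-lived mappings such as the second constructed domain are ignored, so the heuristic only surfaces freshly staged infrastructure and should be combined with other signals before alerting.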


Malware

Potential TTPs Used in Future Emotet Campaigns

Impacted Industries: All

What You Need To Know:

VMware detected two Emotet waves in January 2022 that used Microsoft Word or Excel attachments with VBA or Excel 4.0 macros. The first wave used the Microsoft Office 97-2003 Excel file format with Excel 4.0 macros.

VMware observed Emotet primarily using four modules: the core module (the Emotet payload); credential-stealing modules, specifically MailPassView and WebBrowserPassView; a spam module; and an email harvesting module.


Exploited Vulnerabilities

The Exploitation Possibility of CVE-2022-40684 in FortiOS, FortiProxy, & FortiSwitchManager

Impacted Industries: All

What You Need To Know:

Hours after Fortinet sent a private notification to customers, a Twitter user posted details of an undisclosed vulnerability in FortiOS, FortiProxy, and FortiSwitchManager. According to the notification posted to Twitter, a threat actor can exploit the vulnerability by sending specially crafted HTTP or HTTPS requests to a vulnerable device, allowing the threat actor to perform administrative operations.

Fortinet publicly released its advisory on 10 October, stating that it knew of an instance where a threat actor exploited this vulnerability. Because the vulnerability can be exploited with any HTTP method, wider exploitation is expected. Furthermore, Horizon3.ai stated they are releasing a technical deep dive and a proof of concept (POC) later in the week of 10 October.


Exploited Vulnerabilities

Likely Vulnerabilities To Be Exploited By Chinese Threat Actors in Future Campaigns

Impacted Industries: All

What You Need To Know:

A cybersecurity advisory (CSA) listed the 20 CVEs most commonly exploited by Chinese state-sponsored threat actors since 2020. Of the 20 listed, 12 are remote code execution vulnerabilities, with four affecting Microsoft products and two vulnerabilities affecting Atlassian and F5 products respectively.


Exploited Vulnerabilities

The Likelihood of Continued Exploitation of CVEs Added to CISA’s Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog. The affected software includes FortiOS, FortiProxy, FortiSwitchManager, and the Microsoft Windows COM+ Event System Service.


Threat Landscape

The Implications of the Intel Alder Lake BIOS Leak

Impacted Industries: All

What You Need To Know:

Tom’s Hardware reported that BIOS source code for Intel’s Alder Lake CPUs was leaked on GitHub. Security researcher Mark Ermolov’s early reports indicate that he found secret MSRs, typically reserved for privileged code, which presents a security issue. In addition to the leaked MSRs, the GitHub repository included the private signing key used for Intel’s Boot Guard, potentially invalidating the feature. It is unclear whether the leaked private key is used in production. If it is, an attacker could use it to modify the boot policy in Intel firmware and bypass hardware security.

Intel stated to Tom’s Hardware that it does not rely on information obfuscation as a security measure, which likely means it scrubbed the most sensitive material before releasing the code to external vendors. In response to the leak, Intel has opened its private Alders & Seekers bug bounty campaign to all security researchers and extended the program to 20 January 2023.

The GitHub repository, which has been removed but had already been copied numerous times, was created by an apparent employee of LC Future Center, a China-based original design manufacturer that builds laptops for several OEMs, including Lenovo.


Threat Landscape

Implications of Caffeine Phishing as a Service Platform

Impacted Industries: All

What You Need To Know:

A recent report published by Mandiant details the inner workings of the Caffeine phishing-as-a-service (PhaaS) platform. The website is open to the public, and anyone can register for an account without significant disclosure of information or external validation. The basic service tier costs $250 a month.

All phishing pages appear to masquerade as a Microsoft 365 login page to harvest user credentials. Throughout Mandiant’s investigation into the PhaaS platform, analysts observed Caffeine’s administrators announce several key platform improvements, including feature updates and additional payment methods.


Threat Landscape

The Threat of HTML File Attachments in Phishing Campaigns

Impacted Industries: All

What You Need To Know:

Trustwave SpiderLabs observed that over the last 30 days HTML file attachments became the second most observed attachment type used in phishing campaigns, accounting for 14%. To harvest credentials, the threat actors rely on users opening the HTML file, which displays a fake login page that can mimic any login page the threat actors choose, including Microsoft, Google, or an online banking page.

In addition, threat actors have used HTML smuggling to deliver malware to a target. The technique uses HTML and JavaScript to assemble the payload on the host device: instead of the malware passing directly through the network, the adversary builds it on the victim’s device, where an encoded blob is decoded in the browser and handed to the user as a file download.
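Because the payload never crosses the network as a file, mail and web gateways have to inspect the HTML attachment itself. The following added example (not from the Trustwave report) extracts inline script from an HTML attachment and scores it against common HTML smuggling indicators; the indicator list, threshold, and both sample attachments are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators: decode an embedded blob in the browser, wrap it as a
# file, and trigger a download without user interaction. Constructed list.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*="),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    "large_b64_literal": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


class ScriptExtractor(HTMLParser):
    """Collect the bodies of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def smuggling_indicators(html: str) -> set:
    """Return the names of all indicators found in the attachment's scripts."""
    parser = ScriptExtractor()
    parser.feed(html)
    return {n for n, rx in INDICATORS.items() if rx.search("\n".join(parser.scripts))}


def is_suspicious(html: str, threshold: int = 3) -> bool:
    return len(smuggling_indicators(html)) >= threshold


# Constructed samples: a harmless page and a smuggling-style page whose
# "payload" is an inert run of base64 alphabet characters.
BENIGN_HTML = '<html><body><script>document.getElementById("x").textContent="hi";</script></body></html>'
SMUGGLING_HTML = ('<html><body><script>var d=atob("' + "A" * 240 + '");var b=new Blob([d]);'
                  'var a=document.createElement("a");a.href=URL.createObjectURL(b);'
                  'a.download="invoice.zip";a.click();</script></body></html>')
```

Tune the threshold against legitimate HTML mail in your environment, since single indicators such as `.download =` also appear in benign pages.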


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
