Cyber Intel Brief: Sept 22 – 28, 2022

New TTPs

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

Impacted Industries: All

What You Need To Know:

Symantec has observed affiliates of a RaaS operator using new versions of two malware families for data exfiltration and stealing credentials stored by Veeam backup software.


Threat Landscape

Hunting for Unsigned DLLs to Find APTs

Impacted Industries: All

What You Need To Know:

Researchers at Palo Alto's Unit 42 reported on the TTPs threat actors use to load unsigned DLLs. Their research showed that commodity trojans and individual threat actors typically used rundll32.exe or regsvr32.exe to load a malicious DLL, while APT groups most often relied on DLL search order hijacking (DLL side-loading), in which a legitimate signed executable loads an attacker-supplied DLL placed in its own directory.
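One way to turn the two patterns above into a hunt query, as an added example that is not code from Unit 42 or from this brief: it triages image-load records shaped like Sysmon Event ID 7 (the field names follow Sysmon's schema; the records, paths and rule names are constructed for illustration) and flags unsigned DLLs run through rundll32.exe/regsvr32.exe or pulled by a non-system binary from its own directory.

```python
# Added example: hunt for unsigned DLL loads in Sysmon-style image-load events.
# Sample records and rule names are constructed; they are not real IoCs.
from dataclasses import dataclass

LOADER_HOSTS = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    dll: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"

def triage_image_loads(events):
    """Return a Finding for each unsigned DLL load that matches a pattern."""
    findings = []
    for ev in events:
        if ev.get("Signed", "false").lower() == "true":
            continue  # only unsigned DLLs are of interest for this hunt
        host, dll = ev["Image"], ev["ImageLoaded"]
        # Pattern 1: LOLBin loaders running an unsigned DLL (commodity trojans).
        if _basename(host) in LOADER_HOSTS:
            findings.append(Finding("unsigned-dll-via-loader", host, dll))
        # Pattern 2: a binary outside the system directories loading an unsigned
        # DLL from its own directory (search-order hijack / side-loading).
        elif _dirname(dll) == _dirname(host) and not _dirname(host).startswith(SYSTEM_DIRS):
            findings.append(Finding("possible-dll-side-loading", host, dll))
    return findings

SAMPLE_EVENTS = [  # constructed records in Sysmon Event ID 7 field names
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\update.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Vendor\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Vendor\version.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\bob\plugins\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in triage_image_loads(SAMPLE_EVENTS):
        print(finding)
```

The last sample record (an unsigned DLL loaded from a directory other than the host's own) matches neither rule, which is the kind of gap a hunter would widen the query for once the noisy baseline is understood.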


Malware

BumbleBee: Round Two

Impacted Industries: All

What You Need To Know:

The DFIR Report details an intrusion in which the threat actors gained initial access through an ISO file containing an LNK file and a malware loader packaged as a DLL.


Malware

Agent Tesla RAT Delivered by Quantum Builder With New TTPs

Impacted Industries: All

What You Need To Know:

Zscaler has observed a phishing campaign whose GZIP attachment carries a malicious LNK file. The threat actors built the LNK file with a publicly available LNK, HTA, and ISO file builder. Executing the LNK file delivers a keylogger/RAT.


Threat Actors

The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities

Impacted Industries: Educational Services and Information

What You Need To Know:

SentinelLabs researchers uncovered a never-before-seen advanced persistent threat actor using previously undiscovered malware, targeting organizations in the educational service and information sectors in several countries in the Middle East and Africa.


Threat Actors

Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets

Impacted Industries: Public Administration; Manufacturing; and Professional, Scientific, and Technical Services

What You Need To Know:

Recorded Future details a Chinese state-sponsored cyber espionage campaign. Recorded Future’s campaign analysis observed the threat actor dropping a new custom backdoor.


Threat Actors

In the Footsteps of The Fancy Bear: PowerPoint Mouse-Over Event Abused to Deliver Graphite Implants

Impacted Industries: Public Administration; Professional, Scientific, and Technical Services

What You Need To Know:

Cluster25 researchers collected and analyzed a PowerPoint file used to implant a variant of malware linked to a Russian APT. The file abuses a code execution technique that triggers when the user starts presentation mode and moves the mouse.


Exploited Vulnerabilities

CISA Adds 2 Vulnerabilities to Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: a code injection vulnerability in Sophos Firewall (CVE-2022-3236) and an RCE vulnerability in Zoho ManageEngine and Password Manager Pro (CVE-2022-35405).


Exploited Vulnerabilities

Surge in Magento 2 Template Attacks

Impacted Industries: Retail Trade

What You Need To Know:

Sansec forensic cases have identified threat actors exploiting the template vulnerability in Magento 2. The observed attacks were interactive and ended with the download of a RAT that creates a state file and polls a remote server hosted in Bulgaria for commands.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like "probably," "likely," "very likely," and "almost certainly" denote a higher than even chance. The terms "unlikely" and "remote" imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like "might" and "may" reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like "we can't dismiss," "we can't rule out," and "we can't discount" refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a "high confidence" judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
