09.29.22

Cyber Intel Brief: Sept 22 – 28, 2022

By Eric Ford

New TTPs

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

Impacted Industries: All

What You Need To Know:

Symantec has observed affiliates of the Noberus RaaS operation using new versions of two malware families for data exfiltration and for stealing credentials stored by Veeam backup software.


Threat Landscape

Hunting for Unsigned DLLs to Find APTs

Impacted Industries: All

What You Need To Know:

Researchers at Palo Alto Networks’ Unit 42 reported on the TTPs threat actors use to inject unsigned DLLs. Their research showed that trojans and individual threat actors typically used rundll32.exe or regsvr32.exe to load a malicious DLL, while APT groups most of the time used DLL search order hijacking (DLL side loading).
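As an added illustration of the hunting approach summarized above (example code written for this brief, not Unit 42's or Deepwatch's tooling), the Python below screens Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed and Signature) for the two patterns the research distinguishes: an unsigned DLL loaded by rundll32.exe or regsvr32.exe, and a DLL carrying a well-known Windows library name that was resolved from outside the system directories, the footprint DLL search order hijacking leaves. The pipe-delimited record format, the sample records and the short list of system DLL names are constructed for the example; a real hunt would derive that list from a known-good inventory of the estate.

```python
"""Screen Sysmon-style image-load records (Event ID 7) for suspicious DLL loads.

Added example: the record format, sample records and DLL-name list below are
constructed for illustration; they are not real telemetry.
"""
import ntpath
from dataclasses import dataclass

# Built-in utilities the brief names as the usual way trojans execute a DLL.
DLL_LOADER_PROCESSES = {"rundll32.exe", "regsvr32.exe"}

# Directories where Windows-shipped DLLs legitimately live. A system DLL name
# loaded from anywhere else is a search-order-hijack (side-loading) candidate.
TRUSTED_SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
TRUSTED_SYSTEM_PREFIXES = ("c:\\windows\\winsxs\\",)

# Illustrative subset of DLL names that ship with Windows (assumption: a real
# hunt would build this from a known-good software inventory of the estate).
COMMON_SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptbase.dll",
}


@dataclass
class ImageLoad:
    process: str    # Sysmon "Image": the process that loaded the DLL
    dll_path: str   # Sysmon "ImageLoaded": full path of the DLL
    signed: bool    # Sysmon "Signed"
    signature: str  # Sysmon "Signature": signer subject, empty if unsigned


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value | Key=Value' record into an ImageLoad."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        process=fields["Image"],
        dll_path=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def is_trusted_system_dir(directory: str) -> bool:
    """True if the directory is one Windows itself populates with DLLs."""
    d = directory.lower().rstrip("\\")
    return d in TRUSTED_SYSTEM_DIRS or any(d.startswith(p) for p in TRUSTED_SYSTEM_PREFIXES)


def hunt_dll_loads(records):
    """Return (rule, loader_process, dll_path) tuples for records that match a hunt rule."""
    findings = []
    for rec in records:
        loader = ntpath.basename(rec.process).lower()
        dll_name = ntpath.basename(rec.dll_path).lower()
        dll_dir = ntpath.dirname(rec.dll_path)

        # Rule 1: a built-in DLL-executing utility loading a DLL nobody signed.
        if loader in DLL_LOADER_PROCESSES and not rec.signed:
            findings.append(("unsigned-dll-via-loader", loader, rec.dll_path))

        # Rule 2: a Windows library name resolved from outside the system
        # directories, i.e. the application directory won the search order.
        if dll_name in COMMON_SYSTEM_DLL_NAMES and not is_trusted_system_dir(dll_dir):
            findings.append(("possible-search-order-hijack", loader, rec.dll_path))
    return findings


# Constructed sample records in the simplified format parse_record() expects.
SAMPLE_RECORDS = [
    # Benign: Microsoft-signed DLL loaded from System32 by rundll32.
    r"Image=C:\Windows\System32\rundll32.exe | ImageLoaded=C:\Windows\System32\shell32.dll | Signed=true | Signature=Microsoft Windows",
    # Suspicious: regsvr32 executing an unsigned DLL from a user-writable path.
    r"Image=C:\Windows\System32\regsvr32.exe | ImageLoaded=C:\Users\Public\update.dll | Signed=false | Signature=",
    # Suspicious: a DLL named like a Windows library loaded from the application directory.
    r"Image=C:\ProgramData\Tools\viewer.exe | ImageLoaded=C:\ProgramData\Tools\version.dll | Signed=false | Signature=",
    # Benign: the same library name resolved from its legitimate location.
    r"Image=C:\Program Files\App\app.exe | ImageLoaded=C:\Windows\System32\version.dll | Signed=true | Signature=Microsoft Windows",
]


def run_hunt(lines=SAMPLE_RECORDS):
    """Parse the records and run both hunt rules over them."""
    return hunt_dll_loads([parse_record(line) for line in lines])


if __name__ == "__main__":
    for rule, loader, dll in run_hunt():
        print(f"{rule:30} loader={loader:14} dll={dll}")
```

Run against the constructed records, the second and third records each produce one finding and the two benign loads produce none. The two rules are deliberately separate: rule 1 is a high-fidelity signal for the commodity pattern the research describes, while rule 2 only narrows the search and still needs a baseline of which third-party applications legitimately ship their own copies of those library names.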


Malware

BumbleBee: Round Two

Impacted Industries: All

What You Need To Know:

The DFIR Report details an intrusion where the threat actors gained initial access with an ISO file containing an LNK file and a malware loader disguised as a DLL file.


Malware

Agent Tesla RAT Delivered by Quantum Builder With New TTPs

Impacted Industries: All

What You Need To Know:

Zscaler has observed a phishing campaign delivering a malicious LNK file inside a GZIP attachment. The threat actors built the LNK file with a publicly available LNK, HTA, and ISO file builder. Executing the LNK file delivers a keylogger/RAT.


Threat Actors

The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities

Impacted Industries: Educational Services and Information

What You Need To Know:

SentinelLabs researchers uncovered a never-before-seen advanced persistent threat actor using previously undiscovered malware, targeting organizations in the educational service and information sectors in several countries in the Middle East and Africa.


Threat Actors

Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets

Impacted Industries: Public Administration; Manufacturing; and Professional, Scientific, and Technical Services

What You Need To Know:

Recorded Future details a Chinese state-sponsored cyber espionage campaign in which its analysis observed the threat actor dropping a new custom backdoor.


Threat Actors

In the Footsteps of The Fancy Bear: Powerpoint Mouse-Over Event Abused to Deliver Graphite Implants

Impacted Industries: Public Administration; Professional, Scientific, and Technical Services

What You Need To Know:

Cluster25 researchers collected and analyzed a PowerPoint file used to implant a variant of malware linked to a Russian APT. The file exploits a code execution technique that triggers when the user starts presentation mode and moves the mouse.


Exploited Vulnerabilities

CISA Adds 2 Vulnerabilities to Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: a code injection vulnerability in Sophos Firewall (CVE-2022-3236) and an RCE vulnerability in Zoho ManageEngine and Password Manager Pro (CVE-2022-35405).


Exploited Vulnerabilities

Surge in Magento 2 Template Attacks

Impacted Industries: Retail Trade

What You Need To Know:

Sansec forensic cases have identified threat actors exploiting the template vulnerability in Magento 2. The observed attacks have been interactive and led to downloading a RAT that creates a state file and polls a remote server hosted in Bulgaria for commands.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
