Cyber Intel Brief: Sept 29 – Oct 5, 2022

Threat Actor

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

Impacted Industries: Public Administration, Manufacturing, Utilities, and Grantmaking and Giving Services

What You Need To Know:

Symantec discovered that an espionage group used new malware against its targets: exploiting vulnerabilities to gain initial access, installing web shells, harvesting credentials, moving laterally across networks, and installing malware on other computers.

Threat Actor

DeftTorero: Tactics, Techniques and Procedures of Intrusions Revealed

Impacted Industries: All

What You Need To Know:

Kaspersky’s analysis of historical intrusions by the Lebanon-based APT suggests a shift in TTPs toward fileless/LOLBIN techniques and the use of familiar, publicly available offensive tools. According to Kaspersky, the group gains initial access to web servers through exploitation or credential theft.

New TTPs

Investigating Novel Malware Persistence Within ESXi Hypervisors

Impacted Industries: Unknown

What You Need To Know:

Mandiant identified a threat actor using a technique Mandiant had not observed before: leveraging malicious vSphere Installation Bundles to install multiple backdoors on ESXi hypervisors.

Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group

Impacted Industries: All

What You Need To Know:

Sygnia asserts that a single threat group operates the Cheerscrypt and Night Sky ransomware, and that both are recent rebrands.

SmokeLoader Delivers the New Erbium Stealer

Impacted Industries: All

What You Need To Know:

Cyberint has discovered a new info stealer, Erbium, used in one campaign in which the threat actors delivered it with SmokeLoader. According to Cyberint, the malware focuses on crypto wallets and on Discord and Telegram clients, but it can also steal cookies, passwords, and other browser information.

Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Impacted Industries: Defense Industrial Base

What You Need To Know:

During an incident response engagement, CISA found that multiple APT groups had likely compromised a Defense Industrial Base (DIB) sector organization’s network, and that some APT actors had long-term access to the environment. CISA also found that the threat actors used a custom data exfiltration tool to steal the victim’s sensitive data and implanted 17 web shells.

Exploited Vulnerabilities

CISA Adds 3 Vulnerabilities to Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog: two in Microsoft Exchange and one in Atlassian Bitbucket.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


Subscribe to the Deepwatch Insights Blog