Cyber Intel Brief: Sept 8 – 14, 2022

Threat Actors

Microsoft Investigates Iranian Attacks Against the Albanian Government

Impacted Industries: Public Administration

What You Need To Know:

Microsoft’s latest report showcases their research, their process of attributing the related actors, and the TTPs observed by DART and the MSTIC during an investigation into the attacks against the Albanian government that occurred on 15 July 2022.

Threat Actor

Lazarus and the Tale of Three RATs

Impacted Industries: Manufacturing, Utilities, and Energy related companies

What You Need To Know:

Cisco Talos observed a North Korean state-sponsored threat actor using a previously unknown malware implant. In this campaign, the threat actor’s targets focused on energy companies in Canada, the U.S., and Japan.


Dead or Alive? An Emotet Story

Impacted Industries: All

What You Need To Know:

A DFIR Report post details an intrusion from May 2022 where a domain-wide compromise started from an Excel document containing the Emotet malware. Since the beginning of the year, DFIR Report has observed an increase in Emotet dropping Cobalt Strike beacons.


OriginLogger: A Look at Agent Tesla’s Successor

Impacted Industries: All

What You Need To Know:

Palo Alto’s Unit 42 researchers analyzed some malware tagged as Agent Tesla. However, their analysis reveals that they were instead researching OriginLogger.


You Never Walk Alone: The Sidewalk Backdoor Gets a Linux Variant

Impacted Industries: All; Hong Kong University

What You Need To Know:

ESET researchers discovered a Linux variant of the SideWalk backdoor, first described on July 2, 2021 as StageClient. The backdoor is a custom implant exclusive to SparklingGoblin and shares multiple commonalities with Specter RAT.

Threat Landscape

Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities

Impacted Industries: Healthcare and Social Assistance Services

What You Need To Know:

The FBI warns the healthcare sector of the increasing risks posed by unpatched, legacy, and default-configured medical devices.

New TTPs

Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO

Impacted Industries: Educational Services, Public Administration, Healthcare and Social Services, and Information

What You Need To Know:

Proofpoint researchers have observed TA453 evolving its TTPs, resulting in campaigns utilizing what Proofpoint informally calls Multi-Persona Impersonation (MPI) phishing attacks.

Exploited Vulnerabilities

CISA Adds 14 Vulnerabilities To Its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added 14 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Affected software includes Windows, Google Chromium, QNAP NAS, and D-Link devices.

Note: You can read how Deepwatch approaches cyber threat intelligence here.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
