Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities
In a cybersecurity advisory, NSA has released a list of 25 publicly known vulnerabilities being actively exploited by Chinese state-sponsored threat actors. The vulnerabilities affect a range of products that defense contractors and other organizations rely on for remote access and externally facing web services.
NSA Cybersecurity Advisory
Another Office 365 OAuth Attack Targets Coinbase Users to Gain Compromised Email Access
Researchers at KnowBe4 have discovered a new consent-based OAuth app attack, designed to trick Office 365 users into granting mailbox access to a malicious application rather than stealing their credentials. The attack targets Coinbase digital currency exchange users with a phishing email designed to look like a terms of service update.
New Vizom Malware Discovered Targets Brazilian Bank Customers with Remote Overlay Attacks
A new malware variant has been discovered by researchers at IBM Security, dubbed Vizom by the team, targeting Brazilian bank account holders. The malware disguises itself as video conferencing software, spreads through spam-based phishing campaigns, and uses remote overlay techniques and DLL hijacking.
GravityRAT: The Spy Returns
In a new blog post, researchers at Kaspersky discuss modifications to the active GravityRAT campaign, which is likely attributable to a Pakistani hacker group and targets the Indian armed forces. The most notable change since the 2015-2018 campaign is that the malware is now multi-platform, with the addition of Android and macOS versions.
FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
Mandiant researchers have identified a financially motivated threat group, now known as FIN11, whose activities may have been incorrectly attributed to TA505 in the past. While there are similarities in the TTPs of both groups, the researchers feel that enough differences have been observed to now separate the groups.
Mandiant Threat Intelligence
Norway Says Russian Hackers Carried Out Breach at Parliament
According to Norwegian officials, Russian state-sponsored threat actors were responsible for attacks on the Norwegian parliament in August this year. The attacks targeted members of the Labour Party and Centre Party, and according to the Norwegian officials, the actors stole data from email accounts. No technical evidence has been released, and the Norwegian Police Security Service has stated that the investigation is ongoing.
New Action to Combat Ransomware Ahead of U.S. Elections
Microsoft has teamed up with organizations including FS-ISAC, Symantec, and ESET to disable Trickbot, one of the world's most notorious botnets. Microsoft has used a court order granted in Virginia to cut off key infrastructure to those operating Trickbot, disrupting the ability to initiate new infections or activate ransomware.
Threat Landscape Trends: LOLBins, Operating Systems, and Threat Types
In part two of the Threat Landscape Trends blog series, analyst Ben Nahorney of Cisco Security covers the most frequently encountered IoC alerts during the first six months of 2020. The post covers the trend of using "living off the land" binaries, known as LOLBins.
Ransomware Gang Now Using Critical Windows Flaw in Attacks
Threat group TA505 is exploiting the Zerologon vulnerability (CVE-2020-1472) using an updated version of Mimikatz, in order to gain elevated privileges on target systems and run malicious scripts. TA505 has been active since 2014, attacking victims across a wide range of industries and distributing a variety of malware, including banking malware, backdoors, and ransomware.
HP Device Manager Vulnerabilities May Allow Full System Takeover
Three HP Device Manager vulnerabilities (CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927) can be chained by a threat actor to achieve remote command execution. HP has released patches; systems that have not been updated remain exploitable, and a working exploit chain could be crafted against them.
Help Net Security
BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps
Researchers at BlackBerry released a white paper today covering the threat group known as BAHAMUT, a sophisticated hack-for-hire cyberespionage group known for its strong technical capabilities, operating within the growing market for outsourced, third-party intelligence services.
PoetRAT: Malware Targeting Public and Private Sector in Azerbaijan Evolves
The PoetRAT malware, initially identified in April 2020, has been seen targeting important organizations across Azerbaijan amidst violence in the Nagorno-Karabakh region. The actors behind the attacks, currently unidentified, have made PoetRAT harder to detect, implementing a new exfiltration protocol and obfuscation techniques to hide activities.
HEH, A New IoT P2P Botnet Going After Weak Telnet Services
A newly discovered botnet has been observed in the wild performing DDoS attacks and cryptomining. The botnet, named HEH Botnet, is written in Go, spreads by brute-forcing the Telnet service on ports 23 or 2323, and can execute arbitrary shell commands.
Black-T: New Cryptojacking Variant from TeamTnT
Unit 42 has uncovered a new cryptojacking malware variant, dubbed Black-T, being used in operations by threat group TeamTnT. The group is targeting exposed Docker daemon APIs and, upon successful exploitation, drops Black-T. TeamTnT is known for targeting AWS credential files and mining Monero cryptocurrency.
Mobile Network Operator Falls Into The Hands of Fullz House Criminal Group
Boom! Mobile has fallen victim to a Magecart card-skimming attack by threat group Fullz House, also known as Magecart Group 4. The attack involves the injection of a Base64 encoded URL that loads a credit card skimmer designed to look like a Google Analytics element. The Boom! Mobile website is still compromised and online shoppers are still at risk.
Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?
Researchers at CyberArk Labs detail security vulnerabilities discovered in popular antivirus products. The vulnerabilities, which result from default Discretionary Access Control Lists (DACLs) for the ProgramData folder of Windows, can enable malicious actors to elevate privileges on a compromised system. Those antivirus solutions include those from Avira, Check Point, Fortinet, Kaspersky, McAfee, Microsoft Defender, Symantec, and Trend Micro, each of which has now been fixed by the vendor.
MosaicRegressor: Lurking in the Shadows of UEFI
A UEFI rootkit, dubbed MosaicRegressor by Kaspersky, has been discovered in the wild being used by a Chinese-speaking threat group during data theft and espionage operations. MosaicRegressor is only the second-ever identified UEFI rootkit, with the first being the LoJax rootkit discovered in 2018.
German-Made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed
Amnesty International has released details of a malicious FinSpy surveillance campaign targeting Egyptian civil society organizations. FinSpy, a commercial surveillance product marketed to law enforcement and government agencies, has been used by what is believed to be an Egyptian state-sponsored group since September 2019. The group has targeted both desktop and mobile devices across Linux, macOS, Android, and Windows, using capabilities such as intercepting calls, activating webcams and microphones, and exfiltrating data.
Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS
A critical code execution vulnerability in the Instagram app was discovered and patched in February, impacting the app for both Android and iOS (CVE-2020-1895). Researchers at Check Point Security have released details on how an attacker could leverage the vulnerability against users who have not yet updated their application since the patch release.
Check Point Security
Gadolinium - Detecting Empires in the Cloud
The Microsoft Threat Intelligence Center (MSTIC) recently detected spearphishing-initiated attacks within their networks by Chinese threat group Gadolinium, also known as APT40. The attacks prompted Microsoft to remove 18 Azure Active Directory applications from its portal that were impacted in the attack. MSTIC provides an analysis of the Gadolinium attack, as well as a deep dive into the tactics and techniques used by the threat group.
Federal Agency Compromised by Malicious Cyber Actor
An undisclosed US federal agency has fallen victim to a sophisticated multi-stage malware attack. The threat actors responsible for the attack obtained valid access credentials for multiple O365 accounts, and installed an SSH tunnel and reverse SOCKS proxy to maintain persistence on the network.
Case Study: Emotet Thread Hijacking, an Email Attack Technique
Emotet malspam is currently a common email-based threat, known for constantly updating to evade detection. In a case study, Unit 42 researchers show an example of Emotet thread hijacking, and discuss this technique in-depth.
Group-IB Detects Series of Ransomware Attacks by OldGremlin
A new Russian-speaking threat group known as OldGremlin are behind targeted spearphishing malware and ransomware attacks against Russian businesses, according to research by Group-IB. The attacks are especially unusual given the unspoken rule against targeting Russian entities from within Russia and post-Soviet countries, leading the researchers to believe the actors may be operating from within a post-Soviet nation with weak ties or political controversy with Russia.
APT28 Delivers Zebrocy Malware Campaign Using NATO Theme As Lure
An APT28 campaign targeting the government bodies of NATO members, beginning in August 2020, has been identified by researchers at QuoIntelligence. APT28, a known Russian hacking group, has been tied to attacks against NATO members in the past.
'DisrupTor' Dark-Web Crackdown Leads to 179 Arrests by International Law Enforcement
US and European law enforcement have announced the arrest of 179 alleged drug traffickers in Operation DisrupTor, an international sting operation targeting illicit underground commerce sites such as AlphaBay and Dream.
New Snort, ClamAV Coverage Strikes Back Against Cobalt Strike
Cisco Talos gives an in-depth review of the framework behind a Cobalt Strike attack in a newly-released white paper. The research discusses the challenges behind covering Cobalt Strike attacks, and the mindset behind crafting effective Snort and ClamAV detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike.
Rampant Kitten – An Iranian Espionage Campaign
An on-going Iranian espionage campaign, dubbed Rampant Kitten, has been operating for at least six years, targeting Iranian minority groups on personal computers and mobile devices. In a deep dive of the campaign, researchers at Check Point Research outline attack vectors, tools, and methods used in the attacks.
Check Point Research
Leading U.S. Laser Developer IPG Photonics Hit With Ransomware
Fiber laser developer IPG Photonics has suffered a ransomware attack, shutting down worldwide IT systems for the business and halting manufacturing and shipping. The ransom note indicates that RansomExx, also known as Defray777, is responsible for the attack.
Talos Vulnerability Report: Remote Code Execution Vulnerability Apple Safari
A remote code execution vulnerability (CVE-2020-9951) has been discovered and reported by Cisco Talos in an Apple Safari WebKit feature. Apple released security updates for Safari 14.0 today which includes a patch for the vulnerability.
Maze Gang Distributed Ransomware Payload Inside VM
The threat actors behind the Maze ransomware have conducted an attack adopting a Ragnar Locker technique in which the ransomware payload is distributed inside a virtual machine. The incident took place in July 2020 and was uncovered by researchers at Sophos MTR.
Internet Explorer Now Warns of Adobe Flash's Upcoming Demise
Following the release of a Windows 10 cumulative update, Microsoft is reminding Internet Explorer users that Adobe Flash support is coming to an end, and that sites using Flash content will no longer be supported after December 2020.
Seven International Cyber Defendants, Including “APT41” Actors, Charged
Seven cyber actors, all residents and nationals of the People's Republic of China, have been charged for their involvement in conducting computer network exploitations affecting more than 100 victim companies and organizations in the US and abroad. The threat actors are known to be affiliated with APT41. Two individuals have been arrested in Malaysia; the remaining five defendants are fugitives in China.
US Department of Justice
Spoofed Training Email from Phishing Simulator Company
Analysts at Cofense Intelligence have analyzed a security training-themed phishing campaign that has compromised at least 30 domains since April 2020. The phishing attacks aim to gather Microsoft Outlook credentials through malicious embedded links in the phishing emails.
Rudeminer, Blacksquid and Lucifer Walk Into A Bar
Researchers at Check Point Research have found evidence that the threat actors behind Lucifer, a cryptojacking and DDoS hybrid malware that targets Windows, Linux, and IoT devices, started campaign operations in 2018. Data obtained through ThreatCloud shows recent Lucifer activity in the US, Ireland, the Netherlands, Turkey, and India, hitting over 25 organizations across industries including banking, manufacturing, and legal.
Check Point Research
Threat Analysis: URSA Trojan Impacts Many Countries Using Sophisticated Loader
In a deep dive analysis of the URSA trojan, researchers at Seguranca Informatica have dissected the malware used to target thousands of victims across Mexico and much of South America since June 2020. The URSA trojan is designed to collect banking credentials by creating a banking overlay window that the victim interacts with when visiting their home banking portal.
Data Breaches Exposes Vets, COVID-19 Patients
Recent data breaches at the US Department of Veterans Affairs and the UK National Health Service have impacted approximately 46,000 US veterans and 18,000 Welsh citizens.
Magento Stores Hit By Magecart; Largest Automated Hacking Attack Since 2015
A Magecart credit card skimming attack targeting online stores running the Magento eCommerce platform compromised 1,904 Magento stores over the weekend, the largest automated campaign of its kind observed since 2015.
CISA Alert: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
The Cybersecurity and Infrastructure Security Agency (CISA) warns in an advisory that Chinese MSS-affiliated threat actors are targeting US government agencies and private companies by exploiting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server.
CISA - Alert (AA20-258A)
Virginia's Largest School System Hit With Ransomware
Fairfax County Public Schools, the largest public school system in Virginia, has confirmed a ransomware attack on its technology systems. The Maze ransomware group claims responsibility for the attack.
Zerologon: Instantly Become Domain Admin by Subverting Netlogon Cryptography
Secura security researchers have published a test tool and white paper detailing CVE-2020-1472 (Zerologon), a vulnerability stemming from a flaw in the cryptographic authentication scheme used by the Netlogon Remote Protocol, which allows an unauthenticated attacker with network access to a domain controller to obtain domain administrator privileges. Microsoft has patched the vulnerability, and Secura urges all impacted users to install the patch on domain controllers as soon as possible.
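The cryptographic flaw behind Zerologon is easy to see in a few lines. The following is an added example, not code from Secura, Microsoft, or the original page: it models Netlogon's credential computation (AES-CFB8 with an all-zero IV over the challenge) and shows why an all-zero credential is accepted for roughly one session key in 256, so an attacker who simply retries the handshake wins after a few hundred attempts without knowing the machine account password. Two things are assumptions of the example: AES-128 is replaced by HMAC-SHA256 truncated to one block (CFB mode only uses the forward direction of the block function, so the structural property is the same), and the session key derivation is a stand-in HMAC rather than Netlogon's real KDF. The example does not model Microsoft's patch.

```python
"""
Model of the AES-CFB8 / zero-IV weakness exploited by CVE-2020-1472.

In CFB8 each ciphertext byte is the plaintext byte XORed with the first byte of
E_k(shift register). With an all-zero IV and an all-zero challenge, the shift
register stays all zeros, so whenever E_k(0^16) starts with 0x00 the credential
is all zeros for that key. About 1 key in 256 has this property, and the session
key changes with every server challenge, so repeated handshakes eventually hit one.
"""
import hashlib
import hmac
import random
from typing import Optional

BLOCK = 16
CHALLENGE_LEN = 8


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES-128 block encryption (assumption of this example).
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Generic CFB-8: a 16-byte shift register, one plaintext byte per step.
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        del register[0]        # shift the register left by one byte...
        register.append(c)     # ...and feed the ciphertext byte back in
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    # Model of ComputeNetlogonCredential: CFB8 over the challenge with a FIXED zero IV.
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def is_weak_key(key: bytes) -> bool:
    # A zero challenge yields a zero credential exactly when the first keystream byte is zero.
    return block_encrypt(key, bytes(BLOCK))[0] == 0


def weak_key_fraction(samples: int) -> float:
    # Empirical estimate of the 1/256 rate over the deterministic key sequence 0, 1, 2, ...
    hits = sum(is_weak_key(k.to_bytes(BLOCK, "big")) for k in range(samples))
    return hits / samples


def derive_session_key(secret: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    # Stand-in for Netlogon's session key derivation (assumption): the key depends
    # on both challenges, so every handshake attempt gets a fresh session key.
    return hmac.new(secret, client_challenge + server_challenge, hashlib.sha256).digest()[:BLOCK]


def server_accepts(secret: bytes, server_challenge: bytes,
                   client_challenge: bytes, client_credential: bytes) -> bool:
    # Server side of the handshake: recompute the expected credential and compare.
    session_key = derive_session_key(secret, client_challenge, server_challenge)
    expected = compute_netlogon_credential(session_key, client_challenge)
    return hmac.compare_digest(expected, client_credential)


def zerologon_attempts(secret: bytes, seed: int = 2020, max_attempts: int = 10000) -> Optional[int]:
    # The attacker never learns `secret`: it sends an all-zero client challenge and
    # an all-zero credential until a handshake lands on a weak session key.
    rng = random.Random(seed)           # seeded so the run is reproducible
    zeros = bytes(CHALLENGE_LEN)
    for attempt in range(1, max_attempts + 1):
        server_challenge = rng.getrandbits(8 * CHALLENGE_LEN).to_bytes(CHALLENGE_LEN, "big")
        if server_accepts(secret, server_challenge, zeros, zeros):
            return attempt
    return None


if __name__ == "__main__":
    print(f"weak-key fraction over 20000 keys: {weak_key_fraction(20000):.5f} (expect ~{1 / 256:.5f})")
    machine_secret = b"constructed machine account secret"   # constructed sample input
    print(f"all-zero credential accepted after {zerologon_attempts(machine_secret)} handshakes")
```

Running the script prints a weak-key fraction close to 0.0039 and a success after a few hundred handshakes; the attacker's loop is the whole exploit, since nothing in it depends on the machine account secret. Note that a correctly used CFB mode derives its IV per message rather than fixing it at zero, which is why the all-zero fixed point exists here and not in the mode in general.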
Credential Phishing Attack Performs Real-Time AD Authentication
The Armorblox Threat Research Team has identified a phishing campaign that performed real-time validation against an undisclosed organization's Active Directory to harvest Office 365 credentials. The team provides a breakdown of the attack flow and of the infrastructure behind the attack.
Equinix Data Center Giant Hit by Netwalker Ransomware, $4.5M Ransom
International data center provider Equinix was hit with a Netwalker ransomware attack over Labor Day weekend. The ransom note includes screenshots of data allegedly stolen, indicating theft of accounting and financial information for the business, along with a 455 bitcoin demand.
Razer Gaming Fans Caught Up in Data Leak
Due to a misconfigured Elasticsearch cloud cluster, an estimated 100K Razer Gaming customers may have had private information exposed to the public. The database contained customer information including full names, phone numbers, email addresses, order details, and more.
Who Is Calling? CDRThief Targets Linux VoIP Softswitches
Newly identified CDRThief malware has been discovered and analysed by ESET researchers. The malware is designed to target Linknat VOS2009 and VOS3000 Chinese VoIP platforms, with a primary goal of exfiltrating Call Detail Records (CDR) from a compromised softswitch.
Malvertising Campaigns Come Back in Full Swing
Malwarebytes Labs researchers uncover a large malvertising campaign targeting the highly trafficked xHamster website. The team provides a deeper look into this campaign and modern malvertising.
Java Network Launch Protocol - Another Way For Distributing Java Downloaders
Security researchers at Forcepoint X-Labs have identified a component in Java Network Launch Protocol (JNLP) that is actively being leveraged to automate malware download and execution.
A dive into the GhostDNS infrastructure and into various elements of phishing targets and victimology, provided by researcher Nick Byers of Team Cymru in collaboration with Manabu Niseki and CERT.br.
Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot
An attack that drops a DDoS bot and a cryptocurrency miner on a Docker container built using Alpine Linux as its base image has been reported by Trend Micro. A similar attack was reported in May this year, confirming that malicious actors continue targeting environments running Docker containers.
WastedLocker: Technical Analysis
Garmin was the target of a ransomware attack in July 2020; a technical analysis by Kaspersky Labs indicates threat actors used the WastedLocker ransomware.
Cybercriminals Targeting Multiple Vulnerabilities in WordPress Plugins
Researchers at Zscaler uncovered campaigns targeting WordPress vulnerabilities, exploiting them to perform malvertising activities.
Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
TrendLabs researchers discovered the Mirai Botnet exploiting critical BIG-IP vulnerabilities.
Malspam Campaign Caught Using GuLoader After Service Relaunch
Following the July 11 relaunch of CloudEyE, an Italian security firm exposed in June as a front for malware operations, Malwarebytes Labs researchers observed GuLoader downloader malspam campaigns.
Sneaky Doki Linux Malware Infiltrates Docker Cloud Instances
Threat actors are targeting misconfigured Docker instances using Doki malware, a malware strand used in the Ngrok cryptominer botnet campaign.
Android Spyware Targeting Tanzania Premier League
Researchers at Zscaler discovered Android spyware impersonating legitimate fan applications for the Tanzania Mainland Premier League.
'Ghostwriter' Influence Campaign
"Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests." The Mandiant Threat Intelligence team has released a white paper discussing connections within the "Ghostwriter" campaign.
Mandiant Threat Intelligence
Threat Actors Bypass Gateways with Google Ad Redirects
Cofense analysts have identified an Office 365 login credential phishing campaign which uses a Google Ad Services redirect to fool email gateways.
Cofense Phishing Defense Center
Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations
Since May 2020, the Vatican and the Catholic Diocese of Hong Kong have been targeted by a Chinese-state sponsored threat activity group known as RedDelta.
Recorded Future - Insikt Group