Ransomware
TZW Ransomware is a Variant of GlobeImposter
Impacted Industries: All
What You Need To Know:
SentinelOne’s analysis of a ransomware sample dubbed by AhnLab as TZW ransomware reveals it’s a variant of the GlobeImposter ransomware family and uses the same infrastructure to host the TOR website. Additionally, the code and functionality are essentially the same.
Malware
OneNote Drops Batch, Jscript, & HTML File Types to Deliver QakBot
Impacted Industries: All
What You Need To Know:
Cyble has observed multiple file types dropped by OneNote attachments, leading to QakBot infections. The techniques observed include OneNote attachments that drop batch files (.bat), JScript (.jse), HTML application files (.hta), and zip attachments containing Windows Script Files (.wsf). Over the last 30 days, Deepwatch has observed command-line activity in which dropped .cmd, .jpg, and .png files are executed by CMD.exe or RUNDLL32.exe, with ONENOTE.exe as the parent or grandparent process.
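The detection pattern described above (cmd.exe or rundll32.exe running with ONENOTE.exe as parent or grandparent, and a dropped .cmd/.jpg/.png or other script-type file on the command line) can be expressed as a short hunt over process-creation telemetry. The following is an added example written for this brief, not code from Deepwatch, Cyble, or any vendor product; the event records, paths, and process IDs are constructed sample data, and the field names are assumptions rather than any particular EDR's schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry): pid, parent pid, image path, command line.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
              "ONENOTE.EXE /n invoice.one"),
    # cmd.exe spawned directly by OneNote, running a dropped .cmd file (parent match)
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\open.cmd"'),
    # rundll32.exe spawned by that cmd.exe, loading a dropped .png (grandparent match)
    ProcEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\user\AppData\Local\Temp\image.png,EntryPoint"),
    # benign: cmd.exe whose lineage is explorer.exe, not OneNote
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # child of OneNote, but not one of the interpreters the brief calls out
    ProcEvent(600, 200, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

# Interpreters named in the brief, plus the dropped-file extensions it lists.
SUSPICIOUS_CHILDREN = {"cmd.exe", "rundll32.exe"}
DROPPED_EXT = re.compile(r"\.(cmd|bat|jse|hta|wsf|jpg|png)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: Dict[int, ProcEvent], depth: int = 2) -> List[ProcEvent]:
    """Walk up the parent chain `depth` levels (2 = parent and grandparent)."""
    chain: List[ProcEvent] = []
    cur: Optional[ProcEvent] = event
    for _ in range(depth):
        cur = by_pid.get(cur.ppid) if cur else None
        if cur is None:
            break
        chain.append(cur)
    return chain


def detect_onenote_lolbin(events: List[ProcEvent]) -> List[dict]:
    """Flag cmd.exe/rundll32.exe whose parent or grandparent is ONENOTE.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SUSPICIOUS_CHILDREN:
            continue
        lineage = ancestors(e, by_pid)
        if not any(basename(a.image) == "onenote.exe" for a in lineage):
            continue
        m = DROPPED_EXT.search(e.cmdline)
        hits.append({
            "pid": e.pid,
            "image": basename(e.image),
            "dropped_ext": m.group(1).lower() if m else None,
            "onenote_depth": next(i + 1 for i, a in enumerate(lineage)
                                  if basename(a.image) == "onenote.exe"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_onenote_lolbin(SAMPLE_EVENTS):
        print(hit)
```

The lineage walk is limited to two levels on purpose: the brief describes ONENOTE.exe as the parent or grandparent, and going deeper raises the false-positive rate from long-lived shells. The extension match is reported rather than required, so a cmd.exe child of OneNote with an unexpected argument is still surfaced for review.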
Malware
Darkcloud Stealer Utilizes Various Data Exfiltration Techniques
Impacted Industries: All
What You Need To Know:
Cyble has observed a noticeable increase in the prevalence of Darkcloud Stealer, an information stealer that can be used to gather passwords, credit card numbers, social security numbers, and other personal and financial information. Threat actors are distributing this malware worldwide through numerous spam campaigns. It has been identified as highly sophisticated and can customize its payload to target different applications, making it highly adaptable.
Threat Landscape
GoDaddy Discloses Multi-Year Cyber Attack Campaign
Impacted Industries: All
What You Need To Know:
GoDaddy recently disclosed three cyber incidents in its annual 10-K filing with the SEC. In March 2020, a cybercriminal compromised the hosting login credentials of approximately 28,000 hosting customers. In November 2021, a cybercriminal accessed the provisioning system in the legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million customers. In December 2022, a cybercriminal accessed GoDaddy's cPanel hosting servers and installed malware that intermittently redirected GoDaddy-hosted websites to malicious sites. Based on its investigation, GoDaddy assesses that these incidents are part of a multi-year campaign by a sophisticated cybercriminal group.
Phishing
Cybercriminals Use Free Services to Create Credential Harvesting Web Pages
Impacted Industries: All
What You Need To Know:
A recent SANS Infosec Handlers Diary entry details a phishing campaign where cybercriminals used publicly available and free services to create webpages that collect credentials. The phishing web pages display a login screen overlaid on top of a website that matches the target’s email domain. The login popup features the email domain logo and favicon.
Threat Actors
Latest Additions to Data Leak Sites
Impacted Industries: Manufacturing, Wholesale and Retail Trade, Professional Services, and Construction
What You Need To Know:
In the past week, monitored threat groups added 63 victims to their leak sites. Thirty-four of those listed are US-based; the United Kingdom had four victims listed and Canada had three. The most affected industries were manufacturing, with 18 victims, and wholesale and retail trade, professional services, and construction, with four victims each. This information represents victims who the cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.
Exploited Vulnerabilities
CISA Adds Four CVEs to its Known Exploited Vulnerabilities Catalog
Impacted Industries: All
What You Need To Know:
Based on evidence of active exploitation, CISA has added four CVEs (listed below) to its Known Exploited Vulnerabilities Catalog. Affected software includes IBM Aspera Faspex, Mitel MiVoice Connect, Apple, and Microsoft products. Multiple sources routinely report exploitation of public-facing applications as one of the top initial infection vectors.
- CVE-2022-46169 – Cacti
- CVE-2022-40765 & CVE-2022-41223 – Mitel MiVoice Connect
- CVE-2022-47986 – IBM Aspera Faspex
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
The post Cyber Intel Brief: Feb 15 – 22, 2023 appeared first on Deepwatch.