Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs.
The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total wrote about the MSI+JAR polyglot technique. Microsoft decided not to fix the issue at that time.…
Affected Platforms: FortiOSImpacted Users: Government & large organizationsImpact: Data loss and OS and file corruptionSeverity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.…
This paper investigates a recent QakBot phishing campaign’s ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and successful installation of malicious software on victim device.. Key observations:
EclecticIQ analysts investigated QakBot phishing campaigns switching to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW).…
Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code.…
December 30, 2022
Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.…
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin.…
Beware of What Is Lurking in the Shadows of Your IT
Five Stages of a Ransomware Attack, during one ransomware incident X-Force uncovered an entrenched advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.
During the investigation, X-Force identified the ransomware attack was contained within a single domain of the multi-domain forest.…
NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow.…
Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.…
Secureworks® Counter Threat Unit™ (CTU) researchers are investigating the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group. This subgroup is known as Cluster B. Drokbk is written in .NET and is made up of a dropper and a payload.…
Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. According to our data, its attacks have been targeting the government sector of the following countries:
Russia Belarus Azerbaijan Turkey SloveniaThe goals of the group are espionage and theft of confidential information.…
In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compromised host we investigated, we can’t be sure which vulnerability allowed hackers access to the server.…
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.…
On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have track downed a new variant of the Cuba ransomware as Tropical Scorpius. This Cuba ransomware group mainly targets manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors [2].…
ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.…
There’s a common saying in cyber security, “you can’t protect what you don’t know,” and this applies perfectly to the attack surface of any given organization.
Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant.…
December 8, 2022 update – Reflected additional research on Boa-related CVEs and updated supply chain diagram.
Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries.…
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.• Enable and enforce multifactor authentication with strong passwords• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.…