SISA Weekly Threat Watch

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities and threats that organizations worldwide faced this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.

1. Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft has suspended several Microsoft Hardware Developer Program accounts after drivers signed through them were used in cyber-attacks, including ransomware incidents. Researchers found that threat actors are deploying malicious kernel-mode drivers that carry Authenticode signatures issued through Microsoft's Windows Hardware Developer Program, so Windows loads them as trusted code. Several partner accounts had submitted the malicious drivers through the Microsoft Partner Center to obtain a Microsoft signature.

Operators of the Cuba ransomware used the BURNTCIGAR loader to load a malicious driver signed with a Microsoft certificate. A similar Microsoft-signed driver was used by Hive ransomware against a healthcare facility. Microsoft has released Microsoft Defender signature update 1.377.987.0 to detect legitimately signed drivers that are abused in post-exploitation attacks. Users are advised to update the signatures as soon as possible and run a full environment scan for unusual activity. Note that a valid Microsoft signature on a driver is not, by itself, evidence that the driver is benign.

2. Go-based botnet GoTrim targeting WordPress sites

A new Go-based botnet malware called “GoTrim” scans the internet for self-hosted WordPress sites and attempts to brute-force the administrator password to take over the site. After a successful brute-force attack, malicious PHP scripts install a bot client on the newly compromised server. The client then reports to the C2 server, sending the credentials it found together with a bot ID in the form of a freshly generated MD5 hash.

GoTrim can communicate with its C2 in either client mode or server mode. It sends beacon requests to the C2 and terminates if it receives no response after 100 attempts. To get past anti-bot protections, the malware mimics requests from a legitimate Firefox browser on 64-bit Windows, so User-Agent filtering alone does not stop it. Site owners can protect WordPress sites by deploying a Web Application Firewall (WAF), moving or hiding the admin login page, rate-limiting login attempts, and enforcing strong passwords. Keeping the CMS software and its plugins up to date also reduces the risk of infection.
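Because GoTrim's requests look like an ordinary Firefox browser, the reliable signal is the rate of failed logins per source, not the User-Agent. The following is an added example (not code from the advisory or from GoTrim) that parses Apache/nginx combined-format access logs and flags any client IP with a burst of failed POSTs to the WordPress login endpoints inside a sliding time window; the log lines are constructed and use documentation IP ranges, and the threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# wp-login.php is what GoTrim brute-forces; xmlrpc.php also accepts credentials.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
# GoTrim impersonates Firefox on 64-bit Windows, so this string is useless as a filter.
FIREFOX_WIN64 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) "
                 "Gecko/20100101 Firefox/107.0")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(log_text):
    """Group timestamps of failed login POSTs by client IP, plus the User-Agents seen.
    WordPress answers a failed wp-login.php POST with 200 (form re-rendered) and a
    successful one with a 302 redirect, so 302s are not counted."""
    stamps, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].split("?", 1)[0] in LOGIN_PATHS):
            stamps[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]].add(rec["ua"])
    return stamps, agents


def find_bruteforce(log_text, threshold=10, window_seconds=60):
    """Return {ip: peak} for IPs with at least `threshold` failed logins inside any
    sliding window of `window_seconds`. Two-pointer scan over sorted timestamps.
    A slow attacker spread over hours needs a wider window or lower threshold."""
    window = timedelta(seconds=window_seconds)
    stamps, _ = failed_logins(log_text)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        peak = left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def make_sample_log():
    """Constructed sample (not real traffic): 203.0.113.7 (TEST-NET-3) fires 12 failed
    wp-login.php POSTs in 33 seconds; 198.51.100.9 is an editor whose single login
    succeeds (302) and who then opens the dashboard."""
    base = datetime(2022, 12, 20, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", ts=(base + timedelta(seconds=3 * i)).strftime(TS_FMT),
                        method="POST", path="/wp-login.php", status=200, ua=FIREFOX_WIN64)
             for i in range(12)]
    lines.append(fmt.format(ip="198.51.100.9", ts=(base + timedelta(seconds=5)).strftime(TS_FMT),
                            method="POST", path="/wp-login.php", status=302, ua=FIREFOX_WIN64))
    lines.append(fmt.format(ip="198.51.100.9", ts=(base + timedelta(seconds=6)).strftime(TS_FMT),
                            method="GET", path="/wp-admin/", status=200, ua=FIREFOX_WIN64))
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, peak in find_bruteforce(make_sample_log()).items():
        print(f"{ip}: {peak} failed logins within one minute")
```

Feed the function a real access log and the flagged IPs are candidates for a WAF block or a fail2ban-style ban; the editor's one successful login is ignored because only 200-status POSTs to the login endpoints are counted.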

3. Trojanized Windows 10 Operating System Installers targeted Ukrainian government

In a recent campaign, government organizations in Ukraine were compromised through trojanized Windows 10 installer files, which were then used for post-exploitation operations. The malicious ISO files were distributed on Ukrainian- and Russian-language torrent sites. Once the trojanized software is installed, the malware collects data from the compromised system and exfiltrates it.

The ISO was built to install PowerShell backdoors, block telemetry from the infected PC to Microsoft, and disable automatic updates and license verification. Additional implants were installed only after an initial survey of the compromised environment showed that it held valuable intelligence. To stay protected, block the published IOCs on perimeter and core security devices, and do not download Windows installers from pirated or torrent sites; obtain installation media only from Microsoft and verify its hash before use.

4. New Agenda ransomware variant, written in Rust, aiming at critical infrastructure

Agenda is a ransomware-as-a-service (RaaS) operation attributed to an operator known as Qilin and linked to a string of attacks, mostly on the manufacturing and IT sectors across many countries. The family was first seen written in Go; the newly discovered variant has been rewritten in Rust. Like Royal ransomware, Agenda uses partial encryption (also known as intermittent encryption): it takes parameters that determine what percentage of each file's content is encrypted, which makes encryption faster and leaves much of the file untouched.

Analysis of the ransomware code shows that encrypted files are given the extension “MmXReVIxLV” and a ransom note is dropped into every directory. The Rust variant can also terminate the Windows AppInfo process and disable User Account Control (UAC), the mechanism that limits the impact of malware by requiring administrative approval before a program or action runs with elevated privileges. It is recommended to apply updates and patches to operating systems, software, and firmware as soon as they are released, and to ensure that copies of critical data cannot be modified or deleted from the system where the data resides (for example, offline or immutable backups).
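Partial encryption matters for defenders as well as for speed: a file that is only 25% encrypted still has a whole-file byte distribution dominated by plaintext, so a naive entropy check does not fire. The following is an added example, not Agenda's or Royal's code, that simulates the layout (encrypt the first N% of every fixed-size chunk) and compares a whole-file entropy check with a windowed one. The keystream is SHA-256 in counter mode as a stand-in for a real cipher, and the chunk size, percentage, window size and 7.0 bits/byte threshold are assumptions for the demo, not values taken from the malware.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096      # the encryptor works on 4 KiB chunks of the file
PERCENT = 25      # encrypt only the first 25% of each chunk, leave the rest in clear
WINDOW = 1024     # detector's window size, chosen to match CHUNK * PERCENT / 100


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic stand-in for a real cipher: SHA-256 in counter mode. The only
    property used below is that the output bytes look uniformly random."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(data, key, chunk=CHUNK, percent=PERCENT):
    """Partial (intermittent) encryption: XOR the first `percent` of every
    `chunk`-sized block with keystream. percent=100 is full-file encryption.
    XOR is its own inverse, so calling this again with the same key decrypts."""
    out = bytearray(data)
    enc_len = chunk * percent // 100
    ks = keystream(key, len(data))
    for start in range(0, len(data), chunk):
        for i in range(start, min(start + enc_len, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def windowed_entropy(buf, window=WINDOW):
    """Entropy of each consecutive `window`-byte slice of the file."""
    return [shannon_entropy(buf[i:i + window]) for i in range(0, len(buf), window)]


def looks_encrypted_whole_file(buf, threshold=7.0):
    """Naive check on whole-file entropy; misses partially encrypted files."""
    return shannon_entropy(buf) >= threshold


def looks_encrypted_windowed(buf, window=WINDOW, threshold=7.0):
    """Flag the file if any window is high-entropy, which catches the encrypted segments."""
    return max(windowed_entropy(buf, window)) >= threshold


# Constructed sample document (16 KiB of low-entropy text) and a demo key.
SAMPLE_TEXT = ("Quarterly report: revenue, costs, and headcount by region. " * 400).encode()[:16384]
KEY = b"constructed-demo-key"


def demo():
    """Run both detectors over the plaintext, a fully encrypted and a partially encrypted copy."""
    full = intermittent_encrypt(SAMPLE_TEXT, KEY, percent=100)
    partial = intermittent_encrypt(SAMPLE_TEXT, KEY)
    return {
        "plain_entropy": round(shannon_entropy(SAMPLE_TEXT), 2),
        "full_entropy": round(shannon_entropy(full), 2),
        "partial_entropy": round(shannon_entropy(partial), 2),
        "partial_whole_file_flagged": looks_encrypted_whole_file(partial),
        "partial_windowed_flagged": looks_encrypted_windowed(partial),
        "hot_windows": sum(e >= 7.0 for e in windowed_entropy(partial)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these settings the partially encrypted copy has four high-entropy 1 KiB windows out of sixteen (one per chunk), the windowed detector flags it, and the whole-file detector does not; the same windowed approach is what a file-integrity or canary-file monitor should use when looking for intermittent encryption.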

5. Glupteba botnet continues to thrive despite Google’s attempts to disrupt it

Glupteba is a modular, blockchain-enabled malware family that infects Windows PCs to mine cryptocurrency, steal user passwords and cookies, and set up proxies on Windows systems and IoT devices; these proxies are then sold to other criminals as “residential proxies.” To resist takedown, Glupteba uses the Bitcoin blockchain to obtain up-to-date lists of the command-and-control servers it should contact for commands.

The botnet's discover routine locates the C2 address by enumerating Bitcoin wallet servers, retrieving from them the transaction history of the attacker-controlled wallet addresses, and parsing those transactions (their OP_RETURN data) for an AES-encrypted C2 address, which the sample decrypts with an embedded key. Because anyone can append such a transaction, the operators can rotate C2 infrastructure without redeploying the malware. After analyzing more than 1,500 Glupteba samples submitted to VirusTotal, Nozomi Networks identified 15 wallet addresses used by the threat actors, the oldest dating back to June 19, 2019. To guard against Glupteba infection, monitor DNS logs for endpoints that resolve blockchain or wallet-server hosts they have no business reason to contact, and keep antivirus software up to date.
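The parsing step is ordinary Bitcoin transaction decoding: walk the serialized transaction to its outputs and pull the data pushed after OP_RETURN. The following is an added example, not Glupteba's code or Nozomi's tooling, that serializes a constructed (unsigned, not valid on-chain) transaction and extracts every OP_RETURN payload from it, including transactions with the segwit marker and payloads long enough to need OP_PUSHDATA1; the returned bytes are the AES-encrypted blob the advisory refers to, and decrypting it requires the key from a particular sample, which is outside this example.

```python
import struct

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, off: int):
    """Decode a CompactSize at buf[off:]; return (value, new_offset)."""
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, off + 1)[0], off + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, off + 1)[0], off + 5
    return struct.unpack_from("<Q", buf, off + 1)[0], off + 9


def push_data(payload: bytes) -> bytes:
    """Script push opcode(s) for a payload: direct push, OP_PUSHDATA1 or OP_PUSHDATA2."""
    n = len(payload)
    if n <= 0x4B:
        return bytes([n]) + payload
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + payload
    return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + payload


def op_return_script(payload: bytes) -> bytes:
    """scriptPubKey of a data-carrier output: OP_RETURN <push payload>."""
    return bytes([OP_RETURN]) + push_data(payload)


def parse_push(script: bytes, off: int):
    """Decode one push at script[off:]; return (data, new_offset) or (None, off)."""
    if off >= len(script):
        return None, off
    op = script[off]
    if op <= 0x4B:
        n, off = op, off + 1
    elif op == OP_PUSHDATA1:
        n, off = script[off + 1], off + 2
    elif op == OP_PUSHDATA2:
        n, off = struct.unpack_from("<H", script, off + 1)[0], off + 3
    else:
        return None, off
    return script[off:off + n], off + n


def build_tx(outputs, segwit=False) -> bytes:
    """Serialize a minimal one-input transaction (constructed for the demo, unsigned)."""
    tx = struct.pack("<i", 2)                       # version
    if segwit:
        tx += b"\x00\x01"                           # marker + flag
    tx += encode_varint(1)                          # one dummy input
    tx += b"\x00" * 32 + struct.pack("<I", 0)       # prevout txid + index
    tx += encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)  # empty scriptSig, sequence
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    if segwit:
        tx += encode_varint(0)                      # empty witness stack for the input
    tx += struct.pack("<I", 0)                      # locktime
    return tx


def extract_op_return(raw: bytes):
    """Walk a serialized transaction and return the payload of every OP_RETURN output.
    Witness data, if present, comes after the outputs and is never reached."""
    off = 4
    if raw[off] == 0x00 and raw[off + 1] == 0x01:   # segwit marker + flag
        off += 2
    n_in, off = read_varint(raw, off)
    for _ in range(n_in):
        off += 36                                   # prevout txid + index
        slen, off = read_varint(raw, off)
        off += slen + 4                             # scriptSig + sequence
    n_out, off = read_varint(raw, off)
    payloads = []
    for _ in range(n_out):
        off += 8                                    # value
        slen, off = read_varint(raw, off)
        script, off = raw[off:off + slen], off + slen
        if script and script[0] == OP_RETURN:
            data, _ = parse_push(script, 1)
            if data is not None:
                payloads.append(data)
    return payloads


def discover_c2_blob(txs_newest_first):
    """Glupteba-style discover step: the first OP_RETURN payload in the wallet's most
    recent transactions is the encrypted C2 address to hand to the decryption routine."""
    for raw in txs_newest_first:
        blobs = extract_op_return(raw)
        if blobs:
            return blobs[0]
    return None


if __name__ == "__main__":
    tx = build_tx([(0, op_return_script(b"constructed-encrypted-c2-blob"))])
    print(tx.hex())
    print(extract_op_return(tx))
```

For hunting, the same parser can be pointed at the transaction history of the published wallet addresses to track how often the operators rotate C2 servers; a fresh OP_RETURN transaction on one of those wallets is an early signal that the botnet's infrastructure has moved.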

See you next week with more interesting cybersecurity bites :)
