SISA Weekly Threat Watch
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action to defend against the latest critical threats.
A new data-wiping malware named SwiftSlicer has been discovered in a recent cyberattack against a target in Ukraine and is attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU). According to security researchers, Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to execute scripts and commands on all devices in a Windows network.
SwiftSlicer was installed to delete shadow copies and to overwrite critical files in the Windows system directory, particularly drivers and the Active Directory (AD) database. SwiftSlicer overwrites data in 4096-byte blocks filled with randomly generated bytes, after which the malware reboots the system. It is recommended to adopt the principle of least privilege for AD security and to clean up inactive user accounts, as these accounts pose a serious security risk to the AD environment.
Bitwarden and other password managers are being targeted in phishing campaigns via Google Ads, with the goal of stealing users’ password vault credentials. The phishing campaign used the domain ‘appbitwarden[.]com’ in the ad, redirecting users to ‘bitwardenlogin[.]com’ when clicked. The page at ‘bitwardenlogin[.]com’ was a perfect replica of the official Bitwarden Web Vault login page.
The phishing page collects the credentials and then redirects users to the genuine Bitwarden login page after submission. To avoid falling victim to such phishing campaigns, it is advised to stay cautious when clicking on Google Ads, even if they appear legitimate, and to always verify the authenticity of the website before entering any information. Additionally, use a reliable ad-blocker to prevent malicious ads from appearing on the device.
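One way to turn the "verify the authenticity of the website" advice into an automated check, as an added example that is not part of the SISA advisory: an allowlist lookup that flags brand-lookalike hosts such as the two domains used in this campaign. The allowlist, the brand token and the sample URLs are constructed for the example.

```python
# Added example, not from the SISA advisory: an allowlist check that flags
# brand-lookalike hosts such as the two domains used in the Bitwarden ad
# campaign. The allowlist, brand token and sample URLs are constructed.
from urllib.parse import urlsplit

# Brand token -> registrable domains the brand actually owns (constructed list)
BRAND_DOMAINS = {
    "bitwarden": {"bitwarden.com"},
}

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: single-label public suffixes;
    use a Public Suffix List library to handle co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url: str) -> str:
    """'trusted' if the host is under an owned domain, 'lookalike' if the
    brand token appears anywhere in a host that is not, 'unknown' otherwise."""
    if "//" not in url:  # accept bare hosts such as 'bitwardenlogin.com'
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            return "trusted"
        # strip separators so 'bit-warden' style spellings are still caught
        if brand in host.replace("-", "").replace("_", ""):
            return "lookalike"
    return "unknown"

def triage(urls):
    """Return only the URLs a user should be warned about before logging in."""
    return [u for u in urls if classify(u) == "lookalike"]

# Constructed sample: the campaign's domains beside the genuine vault URL
SAMPLE_URLS = [
    "https://vault.bitwarden.com/#/login",
    "https://appbitwarden.com/",
    "https://bitwardenlogin.com/",
    "https://bitwarden.com.login-check.example/",
    "https://example.org/",
]
```

Subdomains of an owned domain classify as trusted, while an owned domain used as a subdomain of something else (the fourth sample URL) still classifies as a lookalike.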
A new type of ransomware, named Mimic, utilizes the APIs of the Windows file search tool ‘Everything’ to locate and encrypt targeted files. It begins with an executable delivered via email, which when executed extracts four files including the main payload, additional files, and tools to disable Windows Defender on the targeted system. The utility ‘Everything’ is a popular filename search engine for Windows developed by Void Tools. It is known for its speed and low system resource usage, as well as its support for real-time updates.
Mimic ransomware encrypts files and adds the “.QUIETPLACE” extension to them. It also drops a ransom note which demands payment in Bitcoin to recover the encrypted data. It is recommended to keep all software and operating systems up to date to reduce the risk of vulnerabilities being exploited. Regularly back up important data to an offline location to ensure its restoration in case of a ransomware attack.
Gootkit, also known as Gootloader, is transmitted through compromised websites that victims are persuaded to visit when searching for business-related documents like contracts and agreements, using a method known as search engine optimization (SEO) poisoning. A new variant of this malware was identified in November last year, using a new infection chain, tracked as GOOTLOADER.POWERSHELL.
A malicious ZIP file containing a .JS file is downloaded onto the device whenever a user accesses a website that has been infected by UNC2565. When launched, this JavaScript file obfuscates its data by inflating a file with a .LOG extension using tons of junk code. Later, this file is renamed and given a .JS extension. It then creates a PowerShell process that collects device information and delivers it to the C2 server. When the C2 receives all the data, it responds with a payload that further infects the target device with other payloads, such as FONELAUNCH and an in-memory dropper that commonly distributes Cobalt Strike beacon.
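Two of the steps in that chain (the .LOG file renamed to .JS, and the script host then starting PowerShell) are visible in ordinary endpoint telemetry. The detection logic below is an added example, not part of the SISA advisory; the Event schema, its field names and the sample events are constructed and should be mapped to your own Sysmon or EDR fields.

```python
# Added example, not from the SISA advisory: flags two signals of the
# GOOTLOADER.POWERSHELL chain described above in process/file telemetry.
# Event schema, field names and sample events are constructed for this example.
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run a dropped .JS

@dataclass
class Event:
    kind: str         # "process" (creation) or "rename" (file rename)
    host: str         # endpoint name
    image: str = ""   # process: new process image path
    parent: str = ""  # process: parent process image path
    src: str = ""     # rename: old file path
    dst: str = ""     # rename: new file path

def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def script_host_spawned_powershell(e: Event) -> bool:
    """The launched .JS (running under wscript/cscript) starting PowerShell."""
    return (e.kind == "process"
            and basename(e.parent) in SCRIPT_HOSTS
            and basename(e.image) in {"powershell.exe", "pwsh.exe"})

def log_renamed_to_js(e: Event) -> bool:
    """The junk-inflated .LOG file being renamed to a .JS extension."""
    return (e.kind == "rename"
            and e.src.lower().endswith(".log")
            and e.dst.lower().endswith(".js"))

def detect(events) -> dict:
    """Map host -> sorted matched signals; both on one host is the strongest hit."""
    hits: dict = {}
    for e in events:
        if log_renamed_to_js(e):
            hits.setdefault(e.host, set()).add("log_to_js_rename")
        if script_host_spawned_powershell(e):
            hits.setdefault(e.host, set()).add("script_host_spawned_powershell")
    return {h: sorted(s) for h, s in hits.items()}

# Constructed sample telemetry (not real logs)
SAMPLE = [
    Event("rename", "WS01", src=r"C:\Users\u\AppData\Local\Temp\agreement.log",
          dst=r"C:\Users\u\AppData\Local\Temp\agreement.js"),
    Event("process", "WS01", parent=r"C:\Windows\System32\wscript.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", "WS02", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\notepad.exe"),
]
```

Either signal alone is worth triage; a host that raises both in a short window matches the chain described above closely enough to escalate.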
Prilex, the Brazilian threat actor behind point-of-sale (PoS) malware, is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware, the most advanced PoS threat seen so far. Its new updates allow it to block contactless payment transactions in order to steal from NFC cards. The main purpose of the newly discovered functionality is to disable the contactless payment feature to force the user into inserting the card in the PIN pad reader.
This effectively permits the threat actors to capture the data coming from the transaction using various techniques, such as manipulating cryptograms, forcing protocol downgrades, and performing a GHOST attack. This can be accomplished even on cards protected with the so-called unhackable chip-and-PIN technology. PoS software developers are advised to implement self-protection techniques in their modules to prevent malicious code from tampering with the transactions those modules manage. Additionally, all EMV validations must be implemented to protect against counterfeit fraud through authentication of unique data that resides on chip cards, smartphones, and other devices.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.