SISA Weekly Threat Watch

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that pose a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action to defend against the latest critical threats.

1. Ransomware gangs switching to new intermittent encryption tactic

A growing number of ransomware groups are using a new strategy that speeds up the encryption process while decreasing the likelihood of being discovered and stopped. According to a research study, the LockFile ransomware gang reportedly uses an intermittent encryption technique that encrypts only a portion of the content of each targeted file.

The Black Basta, PLAY, Agenda, Qyick, and ALPHV (BlackCat) ransomware groups have also employed the same technique, and these groups advertise intermittent encryption to attract potential affiliates to their RaaS operations. To lower the risk, businesses are advised to increase their investment in anti-ransomware solutions with behavior-based detection and to maintain reliable backups of sensitive information.
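As an added defender-side example (not code from the original advisory or the cited research), the following Python triage helper illustrates why partially encrypted files are harder to spot than fully encrypted ones: it computes per-chunk Shannon entropy and distinguishes untouched, fully encrypted and intermittently encrypted buffers. The chunk size, threshold and sample data are assumptions constructed for the example.

```python
import math
import random

CHUNK_SIZE = 4096    # assumed analysis window; real families choose their own stride
HIGH_ENTROPY = 7.5   # bits per byte; random or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk of the buffer."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """'full' if every chunk is high entropy, 'plain' if none is, otherwise
    'intermittent' (high-entropy chunks interleaved with untouched ones).
    Compressed or media-heavy documents also mix entropies, so treat
    'intermittent' as a triage signal rather than proof of encryption."""
    high = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if high and all(high):
        return "full"
    if not any(high):
        return "plain"
    return "intermittent"


def _constructed_samples():
    """Constructed data: a text-like buffer, pseudo-random bytes of the same
    size, and a buffer with every other chunk replaced by random bytes."""
    rng = random.Random(1)
    text = (b"quarterly report: revenue up, costs flat.\n" * 200)[:CHUNK_SIZE]
    plain = text * 8
    noise = bytes(rng.getrandbits(8) for _ in range(len(plain)))
    partial = b"".join(
        noise[i:i + CHUNK_SIZE] if (i // CHUNK_SIZE) % 2 == 0 else plain[i:i + CHUNK_SIZE]
        for i in range(0, len(plain), CHUNK_SIZE))
    return plain, noise, partial


SAMPLE_PLAIN, SAMPLE_FULL, SAMPLE_PARTIAL = _constructed_samples()
```

A whole-file entropy check would score the partial sample somewhere between the two extremes and could miss it, which is exactly the evasion the tactic relies on.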

2. TA453 uses Multi-Persona Impersonation (MPI) tactic in phishing attacks

The Iranian hacker group TA453 has created a new phishing technique called Multi-Persona Impersonation, through which the group lures targets into highly realistic and hard-to-detect email discussions using several personas and email accounts. In all of its attacks the group uses personal email accounts (Outlook, AOL, Gmail, and Hotmail) and CCs personas from fake businesses.

To perform template injection, the attackers share OneDrive links to password-protected malicious documents. The Korg template macros collect information from my-ip[.]io, including the user's public IP address, a list of running processes, and the username, and the macros exfiltrate this data through the Telegram API. Techniques like MPI are expected to grow in impact. Organizations are advised to raise awareness within the firm about emails from suspicious or unknown senders to prevent data compromise.

3. Webworm hackers use modified RATs in latest cyber espionage attacks

A threat actor known as Webworm has been connected to customized Windows-based remote access trojans, some of which are allegedly still in the testing or pre-deployment stage. The malicious "[TEMP]logexts.dll" file is loaded by the genuine application Logger.exe through a call to the "LoadLibraryA" API. The logexts.dll file is a loader: once executed, it checks the command-line parameters of the process and, if the command line contains the single parameter "isdf", tries to steal a token from the "WINLOGON.EXE" process.

The Gh0st RAT variant has capabilities such as network service creation, UAC bypass, shellcode unpacking and in-memory launch, and layers of obfuscation to evade security measures and hinder analysis. To stay protected from such attacks, it is recommended to deploy security solutions that employ file-based, behavior-based, or ML-based detection mechanisms.
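As an added detection example (not code from the original advisory or from the research it summarizes), the Python below turns the loader chain described for Webworm into behavior-based triage over endpoint telemetry: a Logger.exe launch whose only argument is "isdf", a logexts.dll image load from a temporary directory, and a non-Windows binary opening a handle to winlogon.exe. The events, field names, paths and PIDs are constructed Sysmon-style samples assumed for the example.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (1 = process create, 7 = image load, 10 = process
# access); field names, paths and PIDs are assumptions made for this example.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\Logger.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\Logger.exe" isdf'},
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\logexts.dll"},
    {"EventID": 10, "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\Logger.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\Program Files\Vendor\Logger.exe",
     "CommandLine": r'"C:\Program Files\Vendor\Logger.exe" --verbose'},
]


def _args(cmdline: str) -> list:
    """Arguments after the executable, allowing for a double-quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.split()


def triage(events: list) -> list:
    """(pid, reason) pairs for events matching the loader chain described above."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and PureWindowsPath(ev["Image"]).name.lower() == "logger.exe":
            if [a.lower() for a in _args(ev["CommandLine"])] == ["isdf"]:
                findings.append((ev["ProcessId"], "Logger.exe started with lone 'isdf' argument"))
        elif eid == 7:
            dll = PureWindowsPath(ev["ImageLoaded"])
            if dll.name.lower() == "logexts.dll" and "temp" in [p.lower() for p in dll.parts]:
                findings.append((ev["ProcessId"], "logexts.dll loaded from a Temp directory"))
        elif eid == 10 and PureWindowsPath(ev["TargetImage"]).name.lower() == "winlogon.exe":
            if not ev["SourceImage"].lower().startswith("c:\\windows\\"):
                findings.append((ev["SourceProcessId"], "non-Windows binary opened winlogon.exe"))
    return findings


def suspicious_pids(events: list, min_hits: int = 2) -> list:
    """PIDs with at least min_hits independent findings, to cut single-signal noise."""
    hits = {}
    for pid, _ in triage(events):
        hits[pid] = hits.get(pid, 0) + 1
    return sorted(pid for pid, n in hits.items() if n >= min_hits)
```

Requiring two independent signals per process keeps a legitimately installed Logger.exe (the second process-create event) from alerting on its own.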

4. Hackers targeting WebLogic servers and docker APIs for mining cryptocurrencies

The operators of the Kinsing malware are exploiting security flaws in WebLogic Server to spread cryptocurrency miners. Kinsing, a financially motivated actor, was observed by Trend Micro dropping Python scripts that switch off OS security features and service agents. The recent attacks exploit CVE-2020-14882, a two-year-old RCE vulnerability, on unpatched servers to take control of the server and spread malware.

The Kinsing malware is downloaded from a remote server by a shell script. In addition to launching a cryptominer, the operators were seen spreading the malware to additional hosts and containers. Successful exploitation of the vulnerability yields RCE, which enables a variety of malicious actions on infected systems, such as execution of malware, data exposure, and total control of the machine. Enhanced employee awareness, MFA enforcement, deployment of a DLP solution, and automatic software updates are some of the best practices for minimizing the chances of a breach.

5. Gamaredon APT targets Ukrainian government agencies in new campaign

In an evolving espionage campaign, Gamaredon, a Russian state-backed threat group, has been using information-stealing malware against Ukrainian victims, relying on spear phishing and social engineering to gain persistent access to their systems. According to researchers, Gamaredon's new infostealer can steal files from attached storage devices, both local and remote.

A PowerShell script recently mentioned in a Ukraine CERT alert is used to deploy the infostealer. Phishing emails carrying Office documents with malicious VBS macros are used to spread the malware. Each stolen file produces a POST request containing its content and metadata. The Gamaredon threat group remains active and is using the new infostealer against Ukrainian entities; to help defend against this espionage activity, the researchers have published a detailed list of IoCs for the new infostealer.

See you next week with more interesting cybersecurity bites!
