SISA Weekly Threat Watch

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. New Malware in the cloud by TeamTNT

TeamTNT has emerged as a threat actor that primarily targets cloud environments, including incorrectly configured Docker APIs, Kubernetes UI tools, misconfigured Kubernetes clusters, and more. The three attacks, called the Kangaroo Attack, the Cronb Attack, and the “What Will Be” Attack, involve downloading a shell script from a C2 server, using rootkits, cron jobs and cryptominers to seize resources, and stealing SSH keys to move laterally across the network.

The threat actor ran the default Alpine container image with a malicious command intended to download and run the dc.sh shell file through a misconfigured Docker API. Two highly intriguing functions in this file can be used to exploit the release_agent vulnerability and escape the container. Organizations are strongly recommended to equip their security teams with Cloud Native Application Protection Platform (CNAPP) solutions that cover the various stages of the cloud development pipeline and provide greater visibility and context.

2. Hackers steal Steam Accounts in new Browser-in-the-Browser attacks

A growing phishing method known as “Browser-in-the-Browser” is being used by hackers in new attacks to steal Steam user credentials. It entails creating fake browser windows inside the real browser window, styled to look like sign-in pop-ups for specific login services. The targets receive invitation links inviting them to join a team for LoL, CS, Dota 2, or PUBG contests.

When the link is clicked, a phishing website hosting esports contests lures visitors to log in with their Steam account to participate. The victim is unaware that the new login window is a fake window generated by the hackers to carry out the phishing attack. After taking control of an account, the threat actors change the victim’s password and email address to make it harder to regain control. Training users to check a pop-up window’s address bar, and to spot fake browser windows by their control-button design and fonts, is necessary to prevent such attacks.

3. Russian Sandworm hackers pose as Ukrainian Telcos to drop malware

Russian-sponsored threat group UAC-0113 has been masquerading as telecom companies to target Ukrainian entities. Researchers linked this recent operation to the Sandworm group by correlating it with data gathered by CERT-UA. During the campaign, the attackers used domains that appeared to belong to the Ukrainian telecom firms Datagroup, Kyivstar, and EuroTransTelecom.

The attack usually begins with emails sent from the fictitious domains to lure potential victims into visiting them. The website uses HTML smuggling: a base64-encoded ISO file embedded in the HTML is decoded and downloaded automatically. The payload inside the disc image is the malware known as Warzone RAT. Both private and public organizations in Ukraine are advised to implement the CERT-UA directives to minimize the risk of becoming the next target of these attacks.
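The smuggling pattern in item 3 (a base64-encoded ISO carried inside the HTML, decoded and saved by the browser) can be flagged by a small heuristic scanner at a mail gateway or web proxy. The following Python is an added example, not from SISA or the cited researchers; its indicator list, the fake ISO (zero bytes plus the ISO 9660 `CD001` marker at its standard offset) and the sample page are constructed for the demonstration.

```python
import base64
import re

# Client-side primitives typically combined to rebuild and drop a smuggled file.
# This indicator list is an assumption for the example; tune it for your environment.
DECODE_RE = re.compile(
    r"\batob\s*\(|Uint8Array|msSaveOrOpenBlob|new\s+Blob\s*\(|"
    r"URL\.createObjectURL|\.download\s*=|\.click\s*\(", re.I)
# A quoted base64 literal of 200+ chars; data: URIs are not matched (comma, not quote, before them).
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
ISO_MAGIC_OFFSET, ISO_MAGIC = 0x8001, b"CD001"  # ISO 9660 primary volume descriptor


def looks_like_iso(data: bytes) -> bool:
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def scan_html(html: str) -> dict:
    """Return the decode/download primitives, the decoded blobs and a verdict."""
    primitives = sorted({re.sub(r"\s+", "", m.lower()) for m in DECODE_RE.findall(html)})
    blobs = []
    for literal in B64_LITERAL_RE.findall(html):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({"size": len(data), "iso": looks_like_iso(data)})
    # Verdict: an embedded blob plus at least two rebuild/drop primitives.
    return {"primitives": primitives, "blobs": blobs,
            "suspicious": bool(blobs) and len(primitives) >= 2}


# Constructed fixture: zero bytes carrying only the ISO 9660 signature at its offset.
FAKE_ISO = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 27
# Constructed page mirroring the pattern described in item 3 (not a real sample).
SAMPLE_HTML = (
    '<html><body><p>Loading...</p><script>var p = "'
    + base64.b64encode(FAKE_ISO).decode() + '";\n'
    "var bin = atob(p); var buf = new Uint8Array(bin.length);\n"
    "for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);\n"
    "var a = document.createElement('a'); a.href = URL.createObjectURL(new Blob([buf]));\n"
    "a.download = 'doc.iso'; a.click();</script></body></html>"
)
BENIGN_HTML = '<html><body><img src="data:image/png;base64,' + "A" * 400 + '"></body></html>'

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(scan_html(BENIGN_HTML))
```

A large base64 literal alone is not treated as suspicious, since inline images are common; the verdict requires both the embedded blob and the client-side rebuild primitives.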

4. LockBit ransomware builder leaked online by angry developer

According to reports, the builder for LockBit ransomware version 3.0 (LockBit Black) has been leaked online by one of its developers. A newly registered Twitter account claimed its team had infiltrated LockBit’s servers and found the builder for the LockBit 3.0 encryptor. Research group VX-Underground revealed that they had also been contacted on September 10 by a user who shared a copy of the builder.

It was revealed that the leaker was a programmer the ransomware group had hired, who leaked the builder because he was angry with LockBit’s leadership. The LockBit ransomware operation has suffered a major blow because of this leak: the leaked files give anyone the ability to create executables for their own operations, including encryptors, decryptors, and tools to run the decryptor in particular ways. Organizations must ensure that all machines have up-to-date antivirus and anti-malware software. It is also recommended to enable and enforce multi-factor authentication (MFA) across the network.

5. Microsoft: Exchange servers hacked via OAuth apps for phishing

Microsoft recently issued an alert that Exchange servers were compromised by a threat actor who used credential stuffing attacks and then deployed rogue OAuth applications on exposed cloud tenants. The threat actors first gained access through unsecured administrator accounts that did not have MFA enabled. After gaining access, the attacker created a rogue OAuth application and changed the Exchange Server settings to add a malicious inbound connector to the email server.

The threat actor then sent phishing emails enticing recipients to click a link that leads to a landing page requesting their credit card details and signing them up for recurring paid subscriptions. These email campaigns were sent using popular bulk e-mail marketing tools such as Amazon SES and MailChimp. To reduce the risk of data compromise, it is recommended to ensure that Conditional Access policies are evaluated and enforced every time a user attempts to sign in.

See you next week :)
