Tecplix ThreatTrack Insights - November II

1. Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel

Google has issued a cautionary alert regarding a development involving multiple threat actors. They have identified a public proof-of-concept exploit named Google Calendar RAT (GCR), utilizing the Google Calendar service for command-and-control operations through a Gmail account. This exploit, developed by Valerio Alessandroni (known online as MrSaighnal), establishes a 'Covert Channel' by manipulating event descriptions in Google Calendar.

Figure 1: Google Calendar RAT attack flow diagram, published on GitHub

Despite being published on GitHub in June 2023, Google reports no observed use of the tool in the wild. However, their Mandiant threat intelligence unit has noted several threat actors sharing this exploit on underground forums. GCR, when running on a compromised system, intermittently checks the Calendar event descriptions for new commands, executes these commands on the targeted device, and then updates the event description with the command output. What's particularly concerning is its utilization of legitimate infrastructure, which significantly complicates the detection of suspicious activities for defenders, as highlighted by Google in their eighth Threat Horizons report.
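The polling loop described above leaves a measurable footprint: one calendar event whose description is rewritten over and over at a machine-like cadence. The following is an added example, not code from the report, from Google or from the GCR project, of how a defender might flag that pattern in calendar audit records. The log format, account names and event identifiers are constructed for illustration and do not follow Google Workspace's real audit schema.

```python
"""Flag calendar events whose descriptions are rewritten on a tight, regular
cadence, the footprint a polling C2 client would leave behind.
Added example; the log format below is constructed, not Google's schema."""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records: "<timestamp> <account> <event_id> <action>".
# alice: six edits of one event exactly 30 s apart (machine-paced).
# bob:   a handful of edits spread over two days (human editing).
# carol: six edits in one day, but irregularly spaced (human editing).
SAMPLE_LOG = """\
2023-11-14T09:00:00Z alice@example.com evt-1001 update_description
2023-11-14T09:00:30Z alice@example.com evt-1001 update_description
2023-11-14T09:01:00Z alice@example.com evt-1001 update_description
2023-11-14T09:01:30Z alice@example.com evt-1001 update_description
2023-11-14T09:02:00Z alice@example.com evt-1001 update_description
2023-11-14T09:02:30Z alice@example.com evt-1001 update_description
2023-11-14T09:15:00Z bob@example.com evt-2002 update_description
2023-11-14T13:40:00Z bob@example.com evt-2002 update_description
2023-11-14T13:45:00Z bob@example.com evt-2002 update_description
2023-11-15T08:02:00Z bob@example.com evt-2002 update_description
2023-11-14T10:00:00Z carol@example.com evt-3003 update_description
2023-11-14T10:07:00Z carol@example.com evt-3003 update_description
2023-11-14T11:30:00Z carol@example.com evt-3003 update_description
2023-11-14T11:31:00Z carol@example.com evt-3003 update_description
2023-11-14T14:00:00Z carol@example.com evt-3003 update_description
2023-11-14T16:45:00Z carol@example.com evt-3003 update_description
"""


def parse_records(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed whitespace-separated records into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event_id, action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, account, event_id, action))
    return records


def find_beaconing_events(text: str, min_edits: int = 5, max_cv: float = 0.2,
                          max_median_gap_s: float = 600) -> list[dict]:
    """Return events whose description edits are frequent, closely spaced and
    evenly paced: many edits, a short median gap, and a low coefficient of
    variation (stdev / mean) of the gaps between consecutive edits."""
    edits: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for when, account, event_id, action in parse_records(text):
        if action == "update_description":
            edits[(account, event_id)].append(when)

    findings = []
    for (account, event_id), times in edits.items():
        if len(times) < min_edits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if median_gap <= max_median_gap_s and cv <= max_cv:
            findings.append({"account": account, "event_id": event_id,
                             "edits": len(times), "median_gap_s": median_gap,
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beaconing_events(SAMPLE_LOG):
        print(f"suspicious edit cadence: {hit}")
```

Only alice's event is reported: bob makes too few edits and carol's gaps are too irregular. The thresholds are starting points; a real deployment would tune them against the organisation's own edit history and pair the cadence check with the client identity recorded by the audit source, since a human edits a description from a browser, not from a script on an endpoint.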

Recommendations:

  • Regularly conduct cybersecurity awareness training for employees to educate them about phishing threats, including how to identify suspicious emails and avoid clicking on unknown attachments or links.

  • Utilize reputable and updated endpoint security solutions that include anti-malware, anti-phishing, and behavior-based detection mechanisms.

  • Disable any accounts found to be compromised.

2. Spammers Abuse Google Forms Quizzes to Perform Scams

Security experts have identified a new trend involving the misuse of Google Forms' "Release scores" feature by cybercriminals orchestrating crypto-related spam and scams. These malicious actors manipulate this functionality to craft fraudulent emails urging recipients to invest in cryptocurrency or divulge personal information.

Cisco Talos has highlighted how spammers abuse Google Forms by generating quizzes and utilizing any available email address to complete these forms. Upon submission, these spammers gain access to responses and activate the "Release scores" feature within Google Forms. This allows them to send tailored email communications using the sender's Google account address. Leveraging Google's servers for transmission potentially heightens the likelihood of these deceptive messages reaching victims' inboxes.

This emerges shortly after Google's prior advisory regarding threat actors exploiting its Calendar service to establish command-and-control infrastructure. This manipulation involved the use of a tool known as Google Calendar RAT, initially introduced on GitHub in June. This tool empowered attackers to exploit event descriptions within Google Calendar, establishing a concealed communication channel.

The convergence of these tactics underscores the evolving landscape of cyber threats, demonstrating the adaptability and exploitation of legitimate platforms for nefarious purposes.

Recommendation:

  • Stay updated on IoCs and block malicious indicators.

3. Managed SOC Services for Enhanced Security

https://tecplix.com/blog/managed-soc-enhanced-security/

In today’s complex digital landscape, escalating threats require an innovative and adaptable security approach. Organizations must integrate security tools efficiently while leveraging expertise for effective threat prevention, detection, and response.

Impact of Data Breaches:

Between March 2022 and March 2023, data breaches globally cost companies an average of $4.45 million, highlighting the significance of robust security measures.

Understanding a SOC's Role:

A Security Operations Center (SOC) plays a pivotal role in monitoring, alerting, and responding to security incidents by leveraging various tools and technologies.

1. Components & Functions of a SOC:

  • Discovery of Assets
  • Behavioral Monitoring
  • Activity Logging
  • Alert Prioritization
  • Incident Response
  • Root Cause Investigation
  • Compliance Management

2. Benefits of a Managed SOC:

  • Continuous Monitoring and Analysis
  • Enhanced Incident Response
  • Reduced Downtime
  • Centralized Asset Management
  • Efficient Collaboration
  • Cost Reduction
  • Enhanced Trust & Transparency

Tecplix's Managed SOC Services:

Tecplix offers advanced cybersecurity solutions, including:

  • Expert SOC Resources
  • Real-time Threat Intelligence
  • Proactive Threat Hunting
  • Swift Incident Response
  • Customized Security Solutions
  • Comprehensive Endpoint Protection
  • OT/ICS Security Expertise

1. SIEM and SOC Integration:

Tecplix seamlessly integrates SIEM technology with SOC services, providing real-time threat detection, proactive security measures, regulatory compliance, and optimized operational efficiency.

2. Elevating Cybersecurity Experience:

Figure 2: Tecplix Security Command Center

Tecplix's approach involves understanding unique digital environments, providing clear insights, proactive monitoring, and swift issue resolution, ensuring a secure digital space.

By embracing Tecplix's Managed SOC services, organizations can bolster their cybersecurity posture, stay ahead of threats, and ensure a resilient digital infrastructure.

4. New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

An enhanced iteration of the Jupyter Infostealer malware has resurfaced, demonstrating subtle yet potent modifications aimed at establishing a persistent presence within compromised systems.

VMware Carbon Black researchers have unearthed renewed waves of Jupyter Infostealer attacks, leveraging refined PowerShell command adjustments and the inclusion of private key signatures. These alterations seek to cloak the malware as a legitimately signed file, thereby complicating its detection.

Previously recognized as Polazert, SolarMarker, and Yellow Cockatoo, the Jupyter Infostealer has a history of exploiting manipulated search engine optimization (SEO) strategies and malvertising tactics. These methods serve as initial access vectors, enticing unsuspecting users searching for popular software to download it from questionable websites.

This malware possesses the capability to harvest credentials and establish encrypted command-and-control (C2) communication, facilitating the exfiltration of data and execution of arbitrary commands.

The latest artifacts employ diverse certificates to confer an aura of authenticity upon the malware, masking its true nature until the fake installers trigger the infection chain upon launch.

These installers initiate an interim payload that employs PowerShell to establish a connection with a remote server, culminating in the decoding and activation of the infostealer malware.
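The chain described in the two paragraphs above (a signed fake installer launched from a download location that spawns PowerShell to reach a remote server and decode the next stage) is visible in endpoint process-creation telemetry. The following is an added example, written for this newsletter and not taken from VMware Carbon Black or any vendor, of triage logic over such events. The event records, file paths and field names are constructed; they are not Sysmon's or any product's real schema, and the encoded command is a harmless placeholder built inside the script.

```python
"""Triage process-creation events for the installer -> PowerShell stage of an
infostealer chain: an executable in a user-writable location launching
PowerShell with hidden-window, encoded-command or download indicators.
Added example; event format, paths and field names are constructed."""
from __future__ import annotations

import base64
import re

# Directories an ordinary user can write to, where a downloaded fake installer lands.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|Desktop|AppData)|Windows\\Temp|ProgramData)\\", re.I)
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)

# Command-line indicators commonly paired with staged download-and-decode loaders.
INDICATORS = {
    "encoded_command": re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_primitive": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I),
    "inline_decode": re.compile(r"FromBase64String|\bIEX\b|Invoke-Expression", re.I),
}

# Constructed placeholder payload: -EncodedCommand is base64 over UTF-16LE text.
PLACEHOLDER_SCRIPT = "Write-Output 'placeholder'"
ENCODED = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16-le")).decode()

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Constructed: fake installer in Downloads launches hidden, encoded PowerShell.
    {"id": 1, "parent": r"C:\Users\dana\Downloads\PopularApp-Setup.exe", "image": PS_IMAGE,
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    # Constructed: an administrator runs a maintenance script from the desktop shell.
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
    # Constructed: a vendor installer under Program Files runs a plain script file.
    {"id": 3, "parent": r"C:\Program Files\Vendor\setup.exe", "image": PS_IMAGE,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File install.ps1"},
]


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict, min_hits: int = 2) -> dict | None:
    """Return a finding when PowerShell is spawned from a user-writable parent
    with at least `min_hits` suspicious indicators; otherwise None."""
    if not POWERSHELL.search(event["image"]):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if not USER_WRITABLE.search(event["parent"]) or len(hits) < min_hits:
        return None
    return {"id": event["id"], "parent": event["parent"], "hits": hits,
            "decoded_command": decode_encoded_command(event["cmdline"])}


def scan(events: list[dict], min_hits: int = 2) -> list[dict]:
    """Apply analyse_event to every record and keep the findings."""
    return [f for f in (analyse_event(e, min_hits) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding['id']}: {finding['hits']} -> {finding['decoded_command']!r}")
```

Only the first event is flagged; the explorer.exe and Program Files parents fall outside the user-writable check even though the third also uses an unusual flag. Decoding the encoded argument at triage time matters because the indicators alone say nothing about what the loader does, and the recovered text is what an analyst hands to the responder. Note that a valid code signature on the parent would not change this verdict: the report's point is that the installers were signed, so signature validity cannot be the allow criterion; signer identity can.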

The evolution of stealer malware, readily available for purchase in the cybercrime underground, showcases an ongoing refinement of tactics and techniques. This evolution effectively reduces barriers to entry, enabling less experienced threat actors to engage in malevolent activities.

Notably, Lumma Stealer has undergone an update, integrating a loader and introducing random build generation for enhanced obfuscation. This advancement elevates the malware beyond mere data theft, enabling the execution of secondary attacks, potentially including the deployment of ransomware.

Similarly, Mystic Stealer, another stealer malware variant, has steadily progressed by incorporating loader functionality in recent versions. This expansion complements its existing information-stealing capabilities, underscoring a trend toward multifaceted and increasingly sophisticated cyber threats.

Recommendations:

  • Always download software and applications from official and reputable sources.

  • Ensure that your operating system, antivirus software, and applications are up-to-date with the latest security patches and updates.

  • Be cautious when clicking on links or downloading attachments from unknown or unexpected emails.

  • Educate users about the risks associated with downloading and installing software from unknown sources.

  • Consider implementing application whitelisting, which allows only approved applications to run on your system.

5. Microsoft Patch

In the recent November 2023 Patch released by Microsoft, a comprehensive set of security updates was issued, addressing a total of 58 vulnerabilities, including five zero-days. These updates cover a range of critical issues, reinforcing the resilience of various Microsoft products and services.

Among the key vulnerabilities addressed are:

  • CVE-2023-36036: Microsoft resolved an actively exploited elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation could lead to an attacker gaining SYSTEM privileges.
  • CVE-2023-36033: Another actively exploited and publicly disclosed elevation of privilege vulnerability in Windows DWM Core Library was fixed. Exploitation of this flaw could result in the elevation of privileges to SYSTEM level.
  • CVE-2023-36025: Microsoft addressed an actively exploited Windows SmartScreen vulnerability. This flaw could allow a malicious Internet Shortcut to bypass security checks and warnings, potentially compromising a user's system.

Additionally, two other publicly disclosed zero-day vulnerabilities were addressed:

  • CVE-2023-36413: This fix addressed a Microsoft Office Security Feature Bypass Vulnerability.
  • CVE-2023-36038: Microsoft tackled an ASP.NET Core Denial of Service Vulnerability, enhancing overall system security.

Moreover, the Patch released covered a range of vulnerabilities across multiple categories, including Remote Code Execution, Information Disclosure, Elevation of Privilege, Security Feature Bypass, Denial of Service, and Spoofing.

It's important for users and organizations to promptly apply these updates to ensure their systems are fortified against known security risks and potential attacks.


In Crisis?

If you suspect a compromise or face a critical security issue, connect with us to unlock rapid, expert protection. Your Security and Business Continuity is our top Priority!

Get in touch with our security team by filling out this form or call at +91 6366 600 700.
