Unit 42 Threat Intel Bulletin - August

Unit 42 Threat Intel Bulletin - August

Cybersecurity Trends

No alt text provided for this image

Watch the on-demand webinar to learn how Unit 42 experts help clients manage and reduce attack surface risk.

No alt text provided for this image
No alt text provided for this image

Unit 42 Threat Research

No alt text provided for this image

Threat Brief - Microsoft Office and Windows HTML Remote Code Execution: CVE-2023-36884 (Threat Briefs, Vulnerability)

With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution Vulnerability, CVE-2023-36884, which it rated "important" severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents. It should be noted that exploitation requires the user to open the malicious document.

Read more

No alt text provided for this image

Diplomats Beware: Cloaked Ursa Phishing With a Twist (Malware)

Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0004, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally.

Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:

  • Notes verbale (semiformal government-to-government diplomatic communications)
  • Embassies’ operating status updates
  • Schedules for diplomats
  • Invitations to embassy events

Learn more

No alt text provided for this image

Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor (Malware)

Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie .

The threat actor deployed coin miners on hijacked machines to abuse the compromised servers’ resources. They have further deepened their foothold in victims’ environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites.

Find out more

No alt text provided for this image

Detecting Popular Cobalt Strike Malleable C2 Profile Techniques (Cloud)

Unit 42 researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new profiles that are not available on public repositories. We will highlight the distinct techniques attackers use to exploit the Cobalt Strike platform and circumvent signature-based detections.

We identified Team Server instances connected to the internet that host Beacon implants and provide command-and-control (C2) functionality. We have also extracted the Malleable C2 profile configuration from the Beacon binary to help us understand the various methods used to evade conventional detections.

Read more

No alt text provided for this image

loT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple loT Exploits (Malware)

The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.

Palo Alto Networks Next-Generation Firewall customers receive protection through Cloud-Delivered Security Services such as Internet of Things (IoT) Security , Advanced Threat Prevention , WildFire and Advanced URL Filtering , which can help detect and block the exploit traffic and malware.

Check it out

No alt text provided for this image

Threat Group Assessment: Muddled Libra (Threat Briefs and Assessments)

At the intersection of devious social engineering and nimble technology adaptation stands Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.

Muddled Libra is a methodical adversary that poses a substantial threat to organizations in the software automation, BPO, telecommunications and technology industries.

Level up your knowledge

No alt text provided for this image

Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732 (Vulnerability)

After seeing reports of two similar privilege escalation vulnerabilities in Microsoft Windows – CVE-2021-1732 and CVE-2022-21882 – we decided to analyze both to better understand the code involved in each. This is a continuation of Inside Win32k Exploitation , in which we discussed the Win32k internals and exploitation in general as background information to explore the issues surrounding CVE-2021-1732 and CVE-2022-21882 .

Here, we will dig deeper into CVE-2021-1732 and CVE-2022-21882 and their related proof-of-concept (PoC) exploits. We’ll walk through an analysis of these two exploits, and thus see why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.

Discover more

Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies (Vulnerability)

In late January 2022, several reports on social media indicated that a new Microsoft Windows privilege escalation vulnerability (CVE-2022-21882 ) was being exploited in the wild. These reports prompted us to do an analysis of CVE-2022-21882, which turned out to be a vulnerability in the Win32k.sys user-mode callback function xxxClientAllocWindowClassExtraBytes.

In 2021, a very similar vulnerability (CVE-2021-1732 ) was reported to – and patched by – Microsoft. We decided to take a closer look at both vulnerabilities to better understand the code involved in each. In our initial analysis we wanted to determine why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.

See what experts say

No alt text provided for this image

Android Malware Impersonates ChatGPT-Themed Applications (Malware)

Unit 42 researchers have observed a surge of malware written for the Android platform that is attempting to impersonate the popular ChatGPT application. These malware variants emerged along with the release by OpenAI of GPT-3.5, followed by GPT-4, infecting victims interested in using the ChatGPT tool.

Here, we provide an in-depth analysis of two types of currently active malware clusters. The first cluster is a Meterpreter Trojan disguised as a "SuperGPT" app. The second is a "ChatGPT" app that sends short-text messages to premium-rate numbers in Thailand, resulting in charges for the victim that are pocketed by the threat actor.

Master your skills - read more

No alt text provided for this image

Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Threat Advisory and Assessment)

On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Transfer product. MOVEit Transfer is a managed file transfer (MFT) application intended to provide secure collaboration and automated file transfers of sensitive data.

Stay informed

No alt text provided for this image

Threat Roll-up

  • (Crime Prevention) The FBI called on Taylor Swift’s “Swifties” to report federal crimes. (Source: Billboard )
  • (Cyber Sabotage) Americans should prepare for cyber sabotage from Chinese hackers, a senior U.S. cybersecurity official said Monday. (Source: Reuters )
  • (Cyber Insurance) Cyber Insurance Premiums Surge by 50% as Ransomware Attacks Increase. (Source: Bloomberg )
  • (Ransomware) U.S. Department of Justice charges a 20-year-old Russian national for deploying LockBit ransomware worldwide. The suspect was arrested in Arizona. (Source: The Hacker News )
  • (Ransomware) The ransomware landscape is energized with the emergence of smaller groups and new tactics, while established gangs like LockBit see fewer victims. (Source: Dark Reading )
  • (Vulnerability) Apple addressed three new zero-day vulnerabilities exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits. (Source: Bleeping Computer )
  • (Ransomware) Linux version of Akira ransomware targets VMware ESXi servers, encrypting virtual machines in double-extortion attacks against companies worldwide. (Source: Bleeping Computer )
  • (Vulnerability) Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs to compromise websites by bypassing security measures and registering rogue administrator accounts. (Source: Bleeping Computer )

No alt text provided for this image

More Information

No alt text provided for this image

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.

要查看或添加评论,请登录

社区洞察

其他会员也浏览了