Unit 42 Threat Intel Bulletin - October

Cybersecurity Trends

62% of organizations do not have the expertise to effectively respond to cloud incidents

Take the IDC Cloud Incident Response Readiness Evaluation

Watch the Lapsus$ Cloud Incident Response Case Study Video

Get the Unit 42 Threat Intel Bulletin delivered to your inbox

Unit 42 Threat Intel Blogs

Tor 101: How Tor Works and Its Risks to the Enterprise (Tutorial)

The Tor project provides one of the most well-known tools that users can leverage to stay anonymous on the internet. People use Tor for many different reasons, both benign and malicious. However, allowing Tor traffic on enterprise networks opens the door to a variety of potential abuses and security risks.

Find out more

7 Tips to Improve Your Existing Incident Response Plan (Incident Response)

The last few years have thrown everything (and several kitchen sinks) at IT and security teams. Massive cloud adoption, increasingly advanced attacks, a shift to work from home, and other contributing factors mean that your incident response (IR) plan from just a few years ago won't cut it in 2022. No organization wants to be reactionary when a security incident occurs. A proactive approach with a solid IR plan helps you respond rapidly and effectively, with the ability to help your organization resume normal operations as quickly as possible.

Read the tips

Threat Assessment: Black Basta Ransomware (Ransomware, Threat Briefs and Assessments)

Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.

Learn the details

Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More (Vulnerability)

Recent observations of exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities in VMware ONE Access and Identity Manager and Spring Cloud Function, Spring MVC and Spring Web Flux, among others. Attackers have also been taking advantage of a cross-site scripting vulnerability in WordPress core, and SQL injection vulnerabilities in VoIPmonitor GUI and other services. In our observations of network security trends, Unit 42 researchers select exploits of the latest published attacks that defenders should know based on the availability of proofs of concept (PoCs), the severity of the vulnerabilities the exploits are based on and the ease of exploitation.

More on these vulnerabilities

Legitimate SaaS Platforms Being Used to Host Phishing Attacks (Malware)

Instead of creating phishing pages from scratch, more and more cybercriminals are now abusing legitimate software-as-a-service (SaaS) platforms, including various website builders or form builders, to host their phishing pages. Since these URLs are hosted on legitimate domains, they can be especially difficult for many phishing detection engines to detect. Furthermore, these platforms typically require little to no coding experience, significantly lowering the barrier to entry for creating and launching phishing attacks.

Discover these new phishing attacks

BlueSky Ransomware: Fast Encryption via Multithreading (Malware and Ransomware)

BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses. It predominantly targets Windows hosts and uses multithreading to encrypt files on the host faster. In our analysis, we found code fingerprints in BlueSky ransomware samples that can be connected to the Conti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it.

Read up on this ransomware

Threat Roll-up

  • (Phishing) Twilio hackers hit over 130 organizations in a massive Okta phishing attack. (Source: Group-IB)
  • (APT) Microsoft has discovered a new malware used by the Russian hacker group APT29 (aka NOBELIUM or Cozy Bear) that enables authentication as anyone in a compromised network. (Source: MSTIC)
  • (Ransomware) Ransomware has disrupted operations at the Center Hospitalier Sud Francilien (CHSF), a 1,000-bed hospital outside Paris, locking down the facility's main systems, including patient admissions and medical imaging. (Source: Le Monde)
  • (APT) The RedAlpha advanced persistent threat (APT) group, thought to be linked to the Chinese state, has been spying on global humanitarian, think tank, and government organizations thanks to a massive phishing campaign that's been active for years. (Source: RecordedFuture)
  • (Ransomware) The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang. (Source: BleepingComputer)
  • (Ransomware) Greece's largest natural gas distributor DESFA confirmed on Saturday that it suffered a limited-scope data breach and IT system outage following a cyberattack. (Source: DESFA)
  • (APT) APT Lazarus (Unit 42 designation – Selective Pisces) targets engineers with macOS malware. The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple- and Intel-based systems. (Source: ESET)

More Information

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request that Unit 42 serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.
