Get the TIGR Threat Watch and Bulletin
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.
Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
Apple Releases Security Updates for Multiple Products
CISA released a cybersecurity advisory alerting users and organizations of nine security updates from Apple addressing vulnerable features in several products. Apple disclosed that the company is aware of a report that a WebKit vulnerability in several older generation products, CVE-2023-23529, may have been exploited. There are no additional reports of adversaries actively exploiting the other addressed vulnerabilities.
Impact: The latest iOS and macOS versions are 16.4 and 13.3, respectively. Recent releases include patches for all vulnerabilities listed in Apple’s security updates.
Recommendation: Apple users and administrators should review all advisories as applicable to their organizations. Ensure data and system backups are up-to-date before implementing security updates or patches.
🚩 APT43 Continues Ongoing Attacks On U.S. Organizations
APT43 is an espionage adversary linked to North Korea’s General Reconnaissance Bureau. Also known as Kimsuky, they consistently target U.S. think tanks, academics, and organizations interested in geopolitical issues to support the interests of the North Korean regime. APT43 collects strategic intelligence on foreign policy and leverages global events, such as shifting operations to target healthcare during COVID-19 and leveraging North Korea’s politics to their advantage. APT43 is also an ongoing threat to U.S. financial organizations as, unlike many other adversaries, APT43 also participates in cybercriminal activity to fund its intelligence operations.
Impact: APT43 is quite distinct as they do not leverage custom malware or zero-days like many other adversaries. They are predominantly known for commodity malware and their social engineering techniques, often impersonating journalists and researchers after North Korean missile launches and other geopolitical events to identify targets.
Recommendation: APT43 uses 34 different commodity malware families and 82 different MITRE TTPs that vary depending on the attack and malware. Educating users on the signs of social engineering and hardening endpoints are some of the most effective countermeasures to defend against this diverse APT.
🚩 Emerging Threat Dark Power Ransomware Claims 10 Victims In The First Month
The cybersecurity community has recently discovered a new strain of ransomware called Dark Power, which claims to have already hit ten victims in its first month of activity. According to researchers, this ransomware is part of the Ragnar Locker family, which is known for targeting large enterprises and demanding hefty ransom payments. The Dark Power ransomware uses a combination of advanced encryption algorithms, anti-forensic techniques, and stealth mechanisms to evade detection and make it difficult for victims to recover their files without paying the ransom.
Impact: While the Dark Power ransomware poses a severe threat to businesses of all sizes, it’s known for targeting large enterprises with ransom demands in the millions. Ransomware can result in significant financial losses from the disruption of services, breached confidentiality if data is leaked, and in some cases, can impact data integrity.
Recommendation: Organizations should maintain up-to-date cybersecurity software and offline backups and conduct regular assessments to identify and mitigate weaknesses. While organizations may feel tempted to pay the ransom, it is not recommended as it does not guarantee the restoration of systems or unaltered or leaked data.
🚩 Cinoshi MaaS Offers Free Access to Four Malware Types
Security researchers recently identified a newly advertised free malware-as-a-service (MaaS) platform named Cinoshi, offering free access to an infostealer, botnet, clipper, and cryptominer. The service provides inexperienced threat actors with a web panel to compile payloads, configure infostealers, manage bots, and set up other malicious activity. For advanced attacks, adversaries can pay a fee in Russian currency to obfuscate or encrypt the infostealer payload for defense evasion.
Impact: Cinoshi’s free platform poses an increased threat to all organizations, as the availability of malware and deployment tools allows adversaries of all skill levels to execute potentially high-impact attacks with minimal effort.
Recommendation: Indicators of compromise associated with Cinoshi, including payload samples and command-and-control (C2) server IP addresses, have been dispersed to the TIGR Threat Feed. Analysts should monitor logs for suspicious outbound traffic to identify potential instances of data exfiltration.
Adversaries Leverage New BEC Tactics for Fake Asset Purchases
Adversaries are taking a new approach to BEC attacks by leveraging the net-30 and net-60 payment terms vendors offer to purchase high-value goods without upfront payment. The attack works similarly to a traditional BEC attack, but instead of sending fake invoices, they use fraudulent W-9 forms to set up repayment terms. Repayment terms allow the adversary to purchase high-value goods from corporate vendors, such as technology, agricultural, and construction goods.
Impact: An FBI IC3 report states that cybercriminals generated $2.7 billion in revenue from reported BEC attacks in 2022. Meanwhile, reported ransomware attacks accrued to $34.3 million, totaling only 1.27% of the compared BEC losses, indicating that BEC attacks are becoming more successful with higher payouts
Recommendation: Organizations that act as vendors should implement processes to confirm the legitimacy of buyers and purchase orders by calling the organization directly. Do not base legitimacy on information in email signatures, as adversaries can easily impersonate organizations using public data.
Fraudulent IRS Tax Phishing Campaign Delivers Emotet Malware
Malwarebytes researchers have discovered a new phishing campaign that uses fraudulent IRS tax emails to distribute Emotet malware. The emails contain malicious attachments that, when opened, can infect the victim’s computer with malware. Emotet is a dangerous malware that can steal sensitive information and spread to other devices on the network.
Impact: The phishing campaign could affect many taxpayers in the United States and, if successful, could compromise sensitive personal and financial information. The spread of Emotet malware could also result in the disruption of business operations.
Recommendation: Individuals should exercise caution when receiving emails claiming to be from the IRS, especially if they contain attachments or links. Ensure all systems are properly secured with up-to-date antivirus software and operating system patches.
Sign up here!
To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/blog/category/tigr/feed
(click here for detailed instructions and additional options for Outlook)
Popular mobile RSS reader apps include:
- RSS Reader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed