Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

As New Clues Emerge, Experts Wonder: Is REvil Back?

The Russian REvil group has returned after taking a major hit when fourteen of its members were arrested three months ago. Researchers signaled the REvil return after finding samples covered in the group’s “fingerprints,” including identical creation dates, compilation strings, and several other REvil attributes. REvil’s TOR websites have also sprung back up and are being used to recruit more members.

Impact: REvil is known for being a particularly destructive strain of ransomware and its resurgence means that organizations need to be on alert for possible attacks.

Recommendation: Organizations are recommended to monitor their networks for suspicious activity linked to REvil. Indicators of compromise will be added to the TIGR threat feed to aid in discovering REvil activity.

AstraLocker Ransomware Shuts Down And Releases Decryptors

The AstraLocker operation has shut down and has released a ZIP archive containing working decryptors for any compromised systems. In a final statement, the AstraLocker developer said that “it was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back, [but] I’m done with ransomware for now. I’m going in cryptojacking.” Cybersecurity researchers were able to study the AstraLocker encryption process and found that the ransomware used unique tactics. Instead of compromising the device first, AstraLocker’s operator deployed the payloads directly from email attachments using malicious Microsoft Word documents. The shutdown likely comes in response to unwanted attention stemming from recent articles detailing AstraLocker attacks and tactics.

Impact: With the release of the AstraLocker decryptors, previously compromised data may be recoverable. Ex-AstraLocker members are likely to join other established groups to bolster their capabilities, or to potentially “re-emerge” as a new group entirely.

Recommendation: Organizations compromised by AstraLocker may be able to recover data by using the decryptors found here: https://bazaar.abuse.ch/sample/b82912864b2336fb19a48a3b141913c456335d1b4abf3cda481a16609be4e97e/. AstraLocker’s developer suggested they might switch to cryptojacking malware. While we shouldn’t take the words of a criminal at face value, it may be worthwhile to be familiar with the signs of cryptojacking including a noticeable slowdown in device performance, overheating of batteries on devices, reduction in productivity of your device or router, or unexpected increases in electricity costs.

Microsoft Finds Raspberry Robin Worm In Hundreds Of Windows Networks

Microsoft reported that the Raspberry Robin worm (RR), a USB-based malware, has been discovered in the networks of technology sector organizations. RR is delivered on a malicious USB drive and can easily escalate its attack while bypassing User Account Control (UAC) on infected systems by leveraging legitimate Windows tools such as fodhelper, msiexec, and odbcconf. Upon initial interaction from the user, the RR worm spawns an msiexec process via cmd.exe to launch a malicious file stored on the infected drive. The malicious file infects other devices, communicates with command-and-control servers, and executes malicious payloads.

Impact: Though the RR worm has not been linked to any threat actor, its attacks are occurring in the wild and target organizations in the technology sector. The combination of stealth, the ability to spread, and the ability to facilitate privilege escalation makes RR a formidable threat in the technology space.

Recommendation: Before the RR attack can do any damage it must first gain access to the system. For this attack, initial access comes through a malicious USB drive, so by not plugging in unknown USB devices you can stop the attack before it even starts. Organizations are recommended to employ USB blockers where appropriate while staying on alert for suspicious activity from fodhelper, msiexec, or odbcconf.
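The recommendation above comes down to watching three legitimate Windows binaries for the behaviour the report describes: cmd.exe launching msiexec against a file on a USB drive, and fodhelper being used to get around UAC. The script below is an added example (not TIGR's code or Microsoft's detection logic) that runs two such rules over a handful of constructed process-creation events in a Sysmon-like JSON shape. The field names, every path and drive letter, and the assumption that E: is the removable drive are all made up for this example; none of the values are Raspberry Robin indicators.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Field names and every path, drive letter and argument below are assumptions
# made for this example; they are not indicators from the Raspberry Robin report.
SAMPLE_LOG = r"""
{"id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\Users\\alice\\Downloads\\setup.msi"}
{"id": 2, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /q /i E:\\recovery\\update.msi"}
{"id": 3, "parent_image": "C:\\Windows\\System32\\fodhelper.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"id": 4, "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\odbcconf.exe", "command_line": "odbcconf.exe /s /f C:\\ProgramData\\dsn.rsp"}
{"id": 5, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"}
"""

# The three legitimate Windows tools the report names as being abused.
WATCHED_TOOLS = {"fodhelper.exe", "msiexec.exe", "odbcconf.exe"}

# Matches "X:\" drive references anywhere in a command line.
DRIVE_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")


def basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image_path).name.lower()


def drive_letters(command_line):
    """Upper-cased drive letters referenced in a command line."""
    return {m.group(1).upper() for m in DRIVE_RE.finditer(command_line)}


def evaluate(event, removable_drives):
    """Return the reasons (possibly none) why one event looks like RR-style activity."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    drives = drive_letters(event["command_line"])
    reasons = []
    # The chain the report describes: cmd.exe launching msiexec against a file on the USB drive.
    if image == "msiexec.exe" and parent == "cmd.exe" and drives & removable_drives:
        reasons.append("cmd.exe launched msiexec.exe against a removable-drive path")
    # Broader rule: any of the watched tools pointed at a removable drive.
    elif image in WATCHED_TOOLS and drives & removable_drives:
        reasons.append(f"{image} invoked with a removable-drive path")
    # fodhelper.exe auto-elevates, so a child process under it is a classic UAC-bypass indicator.
    if parent == "fodhelper.exe":
        reasons.append(f"fodhelper.exe spawned {image} (possible UAC bypass)")
    return reasons


def detect(log_text, removable_drives):
    """Scan newline-delimited JSON events; return [(event id, [reasons]), ...] for hits."""
    removable = {d.upper() for d in removable_drives}
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = evaluate(event, removable)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


if __name__ == "__main__":
    # Which drive letters are removable is host-specific; E: is assumed here.
    for event_id, reasons in detect(SAMPLE_LOG, {"E"}):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Events 2 and 3 are flagged; the ordinary installer launched from Explorer (event 1) and the odbcconf call against a local response file (event 4) are not. The set of removable drive letters is the one input that has to come from the host, which is why it is a parameter rather than a constant.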

Microsoft: Windows Server 2012 Reaches End Of Support In October 2023

Microsoft reminded customers that Windows Server 2012/2012 R2 will reach its end-of-support (EOS) date next year, on October 10, 2023. Once EOS is reached, Microsoft will stop providing technical support and bug fixes for newly discovered issues, which poses a risk to organizations that still use Windows Server 2012. There are multiple migration options as the EOS date approaches.

Impact: After the EOS date, no more bug fixes or patches will be released for Windows Server 2012. Threat actors will be able to leverage this to harm organizations that fail to take action.

Recommendation: Organizations have a few options for moving forward, including upgrading to Windows Server 2019 and SQL Server 2019, and migrating applications and workloads to Azure. If neither of those is an option, organizations can buy Extended Security Updates to receive three more years of security updates for SQL Server 2012, and Windows Server 2012 and 2012 R2.

New ‘SessionManager’ Backdoor Targeting Microsoft IIS Servers in the Wild

Researchers discovered a new malware called “SessionManager” that backdoors Microsoft Exchange servers. The malware is being actively used in the wild, with 20 separate infections of organizations since March. SessionManager functions as a module for Internet Information Services (IIS), Microsoft’s web server software, and is used to conduct reconnaissance, gather in-memory passwords, and deliver additional tools such as Mimikatz.

Impact: Dropping an IIS module as a backdoor allows threat actors to maintain persistent, update-resistant, and relatively stealthy access to an organization’s IT infrastructure. The backdoor further allows threat actors to collect emails, infect other systems, or secretly manage compromised servers to use in future attacks.

Recommendation: Organizations are recommended to follow the CISA instructions to switch from the legacy Basic Authentication method to Modern Authentication alternatives. The switch will help defend against SessionManager attacks. The full CISA advisory can be found here: https://www.cisa.gov/sites/default/files/publications/switch-to-modern-authentication-in-exchange-online-062822-508.pdf
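Because SessionManager is installed as a native IIS module, one check a defender can add alongside the authentication change above is to compare the modules registered in IIS against a known-good baseline. The script below is an added example (not TIGR's code and not a published SessionManager signature) that parses a constructed applicationHost.config fragment and reports any globalModules entry whose name is not in the baseline or whose DLL lives outside the inetsrv directory. The first three modules mirror real IIS defaults; the fourth module name and path are made up to exercise the check, and the baseline and trusted directories are assumptions you would replace with values from a clean install.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment. The first three entries mirror
# real default IIS native modules; the fourth is a made-up unexpected module used
# to exercise the check, not an actual SessionManager indicator.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleHelperModule" image="C:\ProgramData\helper\example.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Baseline of module names expected on this server (assumed; build yours from a
# known-good install or golden image).
BASELINE_MODULES = {"UriCacheModule", "FileCacheModule", "StaticFileModule"}

# Directories a native IIS module image is expected to live in (assumed).
TRUSTED_DIRS = {
    PureWindowsPath(r"%windir%\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
}


def audit_native_modules(config_xml, baseline=BASELINE_MODULES, trusted_dirs=TRUSTED_DIRS):
    """Return [(name, image, [reasons]), ...] for globalModules entries that deviate."""
    root = ET.fromstring(config_xml)
    findings = []
    # Walk every <globalModules> section rather than hard-coding the XPath,
    # so the check also works on a fragment that is not the full config.
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if name not in baseline:
                reasons.append("module name not in baseline")
            # PureWindowsPath compares case-insensitively, matching Windows semantics.
            if PureWindowsPath(image).parent not in trusted_dirs:
                reasons.append("image outside the trusted inetsrv directory")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_native_modules(SAMPLE_CONFIG):
        print(f"{name} ({image}): " + "; ".join(reasons))
```

Only the made-up ExampleHelperModule is reported, for both reasons. On a real server the same two conditions apply to the config under %windir%\System32\inetsrv\config; a module that passes the name check but loads from an unusual path is still worth inspecting, which is why the two conditions are reported separately.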

Toll Fraud Malware Disables Your WiFi To Force Premium Subscriptions

The Microsoft Defender team put out an advisory that warns that toll fraud malware “is one of the most prevalent types of Android malware – and it continues to evolve.” Toll fraud is an offshoot of billing fraud that requires a mobile network connection and attempts to convince victims to click a subscription button. A successful attack initiates a fraudulent subscription, intercepts one-time passwords, and suppresses notifications that might alert the victim.

Impact: The toll fraud malware goes out of its way to disable subscription notifications to enable its malicious actions, siphoning away the victim’s money without their knowledge.

Recommendation: Microsoft recommends users install applications only from the Google Play Store or other trusted sources. Also avoid granting SMS permissions, notification listener access, or accessibility access to any applications without being absolutely sure that those settings are necessary. Those powerful permissions are not usually required, and without them, the toll fraud attack is impossible. For more information, please read the full Microsoft Defender report here: https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/#Mitigating-toll-fraud

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.


Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.