Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩Akira Ransomware Mutates to Target Linux and Windows Systems

The Akira ransomware group, active since March 2023, has been escalating its attacks, targeting various industries in the U.S. and U.K. The group uses multiple extortion techniques, including a double-extortion method, and has expanded its reach to Linux-based systems. The group exploits the CVE-2023-20269 vulnerability in Cisco ASA VPNs lacking multifactor authentication and uses remote access tools like RustDesk. The group has also been suspected of rebranding as Megazord.

Impact: The Akira ransomware group’s activities have significant implications for organizations, particularly those in the U.S. and U.K. The group’s evolving TTPs include using Windows internal binaries for execution and evasion, posing a serious threat. The group’s exploitation of the CVE-2023-20269 vulnerability in Cisco ASA VPNs and its expansion to Linux-based systems further widen the potential pool of victims.

Recommendation: Organizations should ensure they are not vulnerable to CVE-2023-20269 and block or place provisions on remote access tools.

Critical Vulnerabilities in Netatalk AFP Server

Security researchers have discovered multiple vulnerabilities in the Netatalk implementation of the Apple Filing Protocol (AFP) in Debian Linux. These include buffer overflow, out-of-bounds read, and other memory corruption issues that could allow remote attackers to execute arbitrary code or disclose sensitive information. The vulnerabilities affect Netatalk versions before 3.1.12~ds-8+deb11u1. The Debian bug tracking system and Mitre’s CVE dictionary track this under the identifiers CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, CVE-2022-43634, CVE-2022-45188, and CVE-2023-42464.

Impact: These vulnerabilities could allow remote attackers to take control of Netatalk servers or access sensitive data by sending crafted requests. Successfully exploiting them may lead to infrastructure compromise, information disclosure, and further penetration into internal networks.

Recommendation: Organizations using the oldstable distribution (bullseye) of Debian should immediately apply the security update provided in version 3.1.12~ds-8+deb11u1.

🚩 China’s UNC53 Infected Dozens of Networks with Thumb Drive Malware

Chinese-backed hacker group UNC53 has infected at least 29 global organizations with a decade-old strain of Sogu malware, delivered via USB drives. The malware, also known as Korplug or PlugX, has been detected in organizations across the United States, Europe, and Asia, with many infections originating from Africa-based operations. The malware has been found to spread via shared computers in print shops and internet cafés.

Impact: The Sogu malware campaign represents a revival of USB-based hacking, which can compromise both internet-connected and air-gapped systems. The malware copies itself onto any USB drive inserted into the infected PC, and if on an air-gapped computer, it attempts to connect to local networks or stores stolen data on the infected USB drive until it can be transferred to an internet-connected machine.

Recommendation: Organizations should enforce strict policies regarding the use of external drives, shared computers, and public internet or internet cafes. Public internet use can be avoided by tethering to company mobile devices instead. Limit access to company resources from unknown or untrusted IPs. Consider implementing network segmentation to limit the spread of malware and educate employees about the risks of using public computers and USB drives.

🚩 Rapidly Evolving P2Pinfect Botnet Targets Redis Servers Worldwide

In July 2023, Cado Security Labs uncovered a novel peer-to-peer botnet known as P2Pinfect, which explicitly targets servers hosting publicly-accessible instances of Redis. Since its discovery, P2Pinfect has rapidly evolved, with an exponential growth in its botnet size. As of the latest analysis, there are 219 identified nodes within the botnet, primarily concentrated in China (59.8%) but with a global presence, including the United States (15%) and Germany (5%). The botnet utilizes multiple cloud providers’ infrastructure, such as Alibaba (35.3%) and Tencent (14.4%), in addition to Amazon Web Services (AWS) (11.2%). P2Pinfect primarily infiltrates systems via Redis exploitation but also spreads through SSH brute-forcing. Recent updates to P2Pinfect include new persistence mechanisms via cron jobs, custom keepalive functionality, and evasion tactics that overwrite SSH authorized_keys files and attempt to change user passwords.

Impact: If compromised by P2Pinfect, organizations could have their systems secretly added to a rapidly growing peer-to-peer botnet. This could allow attackers to leverage computing resources for cryptomining, conduct DDoS attacks, steal data, deploy ransomware, or run other malicious activities without the organization’s knowledge. The malware overwrites SSH keys, which could lock out legitimate administrators. It also changes user passwords, which could lead to operational disruptions and data breaches. Widespread infections could negatively impact customer trust and lead to high incident response and remediation costs.

Recommendation: Keep all software and systems, including Redis and SSH, up to date with the latest security patches and updates to mitigate known vulnerabilities. Use tooling to check for signs of compromise like new persistent services, unauthorized SSH keys, suspicious cron jobs, and password changes.

FBI, CISA Release Joint Statement on Snatch Ransomware

The FBI and CISA released a joint statement outlining the threat posed by Snatch, a ransomware-as-a-service (RaaS) group active since at least 2018. Snatch is known for using its blog to extort victims by threatening to release their data. Initial compromise often occurs using remote desktop protocol (RDP) services to launch brute force attacks. After gaining a foothold, threat actors learn about the target environment and move laterally before exfiltrating and encrypting data. Snatch is also known to attempt to disable antivirus software on affected hosts.

Impact: Snatch is known for its extortion tactics, demanding money in order for victims to regain access to their files. This can have major financial impacts on target organizations and lead to significant disruptions to their operations, as well as reputational damage.

Recommendation: The FBI and CISA provide a list of indicators of compromise (IOCs) for which organizations should continuously monitor their environments. The report also offers guidance on general best security practices, explicitly emphasizing the importance of placing restrictions on remote desktop services.

🚩Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys

Cybersecurity researchers have uncovered a new threat within the npm package registry, where 14 malicious npm packages were identified. These packages, including @am-fe/hooks, @expue/app, and others, initially appear as legitimate JavaScript libraries and components. However, once installed, they execute obfuscated code designed to collect and siphon sensitive files from compromised systems, including Kubernetes configurations and SSH keys.

Impact: Along with Kubernetes config and SSH keys, these packages are also capable of collecting system metadata such as usernames, IP addresses, and hostnames. This data is transmitted to a malicious domain named app.threatest[.]com. This discovery follows recent incidents of counterfeit npm packages exploiting dependency confusion and targeting open-source registries, highlighting the continued risk to the software supply-chain and developer environments.

Recommendation: To defend against these threats, users and organizations must adopt rigorous security practices when dealing with npm packages. Only source packages from trusted and reputable developers or repositories, and vigilantly monitor package dependencies for unusual or suspicious changes. Employ robust security solutions to scan packages for potential malicious code. Additionally, developers and teams should be well-informed about supply-chain attack risks and maintain awareness of emerging threats and vulnerabilities within the open-source ecosystem. Proactive measures are essential to mitigating these evolving threats effectively.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.