Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

Texas Data Breach Exposes Personal Information of 1.8 Million People

The Texas Department of Insurance (TDI) released more information regarding the scope of the data breach that occurred in January, in which the data of 1.8 million Texans was stolen. According to TDI’s report, there is no evidence that the stolen data has been misused, and the vulnerability that allowed the breach to happen in the first place has been fixed.

Impact: Sensitive personal information, including names, addresses, dates of birth, phone numbers, and either part or all of the Social Security Numbers of over a million Texas residents, was stolen.

Recommendation: No immediate action is required.

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang

Cybersecurity company PRODAFT published an in-depth analysis of the Russian Wizard Spider threat group. PRODAFT explains that “most of Wizard Spider’s efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets,” and that the group reinvests some of the money it steals in its developers to create new tools and recruit talent. Wizard Spider’s “extraordinary profitability” allows it to rapidly increase its reach in the criminal scene. Wizard Spider also runs a custom Voice over Internet Protocol (VoIP) system that allows it to cold-call victims who aren’t responding to its demands, in order to put additional pressure on them.

Impact: By better understanding the inner workings of large threat groups, it is easier to understand how to counter and respond to attacks that may not have happened yet.

Recommendation: No immediate action is required.

Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control

CISA reported that threat actors may be able to exploit vulnerabilities in VMware software to trigger a server-side template injection resulting in remote code execution (RCE) and potential privilege escalation. The vulnerabilities affect multiple VMware products, including VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. CISA determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies because of how common the software is in the federal enterprise.

Impact: Threat actors are notorious for exploiting unpatched vulnerabilities.

Recommendation: Organizations should urgently follow CISA’s emergency directive that describes patching instructions here: https://www.cisa.gov/emergency-directive-22-03

Phishing Websites Now Use Chatbots To Steal Your Credentials

Researchers at Trustwave discovered a new phishing attack that uses chatbots to steal credentials. This strategy serves two purposes: it automates the process for threat actors, potentially allowing more credentials to be stolen, and it gives victims a sense of security, because chatbots are commonly found on trusted websites. Like most phishing campaigns, the process begins with a link in the victim’s email; in this case, the link leads to the automated chatbot, where the user is eventually prompted to enter their credentials.

Impact: Threat actors have been discovered using chatbots to steal user credentials.

Recommendation: Do not respond to or interact with suspicious messages. One approach that helps avoid this type of threat is to not click links received via email; instead, visit the service in question directly. Review the CISA Phishing Tip Sheet for more recommendations at https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20Awareness%20Month%202021%20-%20Phishing%20Tip%20Sheet.pdf

Chinese ‘Space Pirates’ Are Attacking Russian Aerospace Firms

A new Chinese threat actor known as “Space Pirates” has begun targeting the Russian aerospace sector with a phishing campaign that installs novel malware. Their toolset includes “custom loaders hiding behind decoy documents, slightly modified backdoors that have been around for years, the Chinese trademark malware PlugX, and tailored spins of the PcShare backdoor.” Space Pirates also use previously undocumented modular malware tools, namely Deed RAT, BH_A006, and MyKLoadClient. MyKLoadClient is a loader that combines SFX archives with DLL side-loading, allowing the threat actors to issue commands that give them close control over the infection. BH_A006 is a backdoor with many layers of obfuscation that allow it to bypass security protections and analysis. Deed RAT is a remote access trojan that uses an intelligent method of transferring control to its shellcode.

Impact: A new Chinese-sponsored threat group is targeting Russian aerospace organizations with novel malware.

Recommendation: Because Space Pirates rely on phishing campaigns for initial infection, it is recommended to follow security best practices when facing suspicious emails and messages: be vigilant and avoid clicking links or opening attachments in emails you’re not expecting to receive. Please review the CISA Phishing Tip Sheet for more recommendations at https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20Awareness%20Month%202021%20-%20Phishing%20Tip%20Sheet.pdf

Threat Actors Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility

On Tuesday, May 17, Microsoft warned about a new campaign targeting SQL Servers. The campaign abuses a built-in PowerShell binary to obtain persistence on compromised systems. Microsoft is tracking the campaign as “SuspSQLUsage,” but its goals are still unknown as of now. The attack is effective because the attackers “achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” Microsoft explains. Fileless persistence allows the attacker to blend in with regular activity while remaining hidden for long periods of time.

Impact: A new campaign was discovered leveraging fileless persistence on SQL servers; this tactic lets the attackers remain inside servers for extended periods of time.

Recommendation: To learn more about network infrastructure security, please visit https://media.defense.gov/2022/Mar/01/2002947139/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF
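The behaviour Microsoft describes above (sqlps.exe spawned to run reconnaissance and to reconfigure the SQL service to LocalSystem) leaves a process-creation trail that defenders can match on. The following is an added detection example written for this bulletin; it is not Microsoft's or the TIGR team's code. It assumes process-creation telemetry with parent image, image and command line fields (as Sysmon Event ID 1 or Windows Security event 4688 provide; the field names used here are this example's own), and the sample events are constructed, not real captures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are this example's own."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


# Built-in discovery tools that a SQL-launched PowerShell session has no
# routine business reason to spawn.
RECON_BINARIES = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
    "systeminfo.exe", "tasklist.exe", "hostname.exe", "quser.exe",
}

# A command line that reconfigures a SQL Server service to LocalSystem,
# whichever order the service name and the account appear in.
SQL_SERVICE_LOCALSYSTEM = re.compile(
    r"(mssql.*localsystem)|(localsystem.*mssql)", re.IGNORECASE
)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(events: List[ProcessEvent]) -> List[Alert]:
    """Apply three heuristics to a batch of events and return every match."""
    alerts: List[Alert] = []
    for ev in events:
        parent, image = basename(ev.parent_image), basename(ev.image)

        # Rule 1: the database engine process itself launched sqlps.exe.
        # Legitimate DBA use of sqlps comes from an interactive shell or a
        # scheduled job, not from sqlservr.exe.
        if parent == "sqlservr.exe" and image == "sqlps.exe":
            alerts.append(Alert(ev.host, "sqlps-spawned-by-sqlservr", ev.command_line))

        # Rule 2: sqlps.exe running host or domain reconnaissance binaries.
        if parent == "sqlps.exe" and image in RECON_BINARIES:
            alerts.append(Alert(ev.host, "sqlps-recon-child", f"{image}: {ev.command_line}"))

        # Rule 3: any process changing the SQL service to run as LocalSystem.
        if SQL_SERVICE_LOCALSYSTEM.search(ev.command_line):
            alerts.append(Alert(ev.host, "sql-service-set-localsystem", ev.command_line))
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per rule, which is what a dashboard or triage view wants."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample telemetry (not real captures): a benign service start,
# a benign DBA session, then three events matching the reported behaviour.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SQLPS = r"C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\sqlps.exe"
SAMPLE_EVENTS = [
    ProcessEvent("db01", r"C:\Windows\System32\services.exe", SQLSERVR,
                 "sqlservr.exe -sMSSQLSERVER"),
    ProcessEvent("db01", r"C:\Windows\explorer.exe", SQLPS,
                 r"sqlps.exe -Command Get-ChildItem SQLSERVER:\SQL\db01"),
    ProcessEvent("db01", SQLSERVR, SQLPS,
                 "sqlps.exe -NoProfile -Command whoami"),
    ProcessEvent("db01", SQLPS, r"C:\Windows\System32\whoami.exe",
                 "whoami /all"),
    ProcessEvent("db01", SQLPS, r"C:\Windows\System32\sc.exe",
                 "sc config MSSQLSERVER obj= LocalSystem"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
    print(summarise(evaluate(SAMPLE_EVENTS)))
```

Run against the constructed events, the two benign records produce nothing and the three suspicious ones each trigger one rule. Treat these as starting heuristics rather than a finished rule set: DBAs and SQL Agent jobs use sqlps.exe legitimately, so baseline its normal parents per host before alerting on rule 1, and corroborate rule 3 with the Service Control Manager's own record of the start-type change (System log event 7040) rather than relying on command-line text alone.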


Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook: the desktop app can subscribe to RSS feeds directly; see Microsoft’s Outlook documentation for detailed instructions and additional options.

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed
