Get the TIGR Threat Watch and Bulletin
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.
Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
VMware Discloses Trio of High Severity Bugs in Network Monitoring Tool
VMware recently disclosed three high-severity vulnerabilities impacting its network monitoring tool, Aria Operations for Networks. The bugs, identified as CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889, range in severity from 8.8 to 9.8 on the CVSS scale. The vulnerabilities allow for remote code execution and information disclosure, posing significant risk to network integrity. They affect Aria Operations for Networks versions 6.2 through 6.10. Although there is currently no evidence of exploitation in the wild, the vulnerabilities are serious and require immediate attention.
Impact: Aria Operations for Networks is a tool used extensively for network visibility and analytics, serving critical functions in network management, performance optimization, and security. The disclosed vulnerabilities, if exploited, could allow an attacker to execute arbitrary code and expose sensitive information. The consequences could range from data leakage to full system compromise, which would critically impact businesses relying on VMware’s solutions for their networking needs. The bugs require network access for exploitation, emphasizing the importance of secure access controls in mitigating such threats. While further technical details on the vulnerabilities remain limited, their high CVSS scores underline the potential severity of the threats.
Recommendation: Organizations are strongly advised to apply the provided patches for each vulnerability as swiftly as possible to prevent potential exploitation. Given that the bugs require existing network access for exploitation, organizations should also reinforce their network access controls and monitor network activity for unusual or suspicious behavior. Users of affected versions of Aria Operations for Networks should prioritize these actions to mitigate the potential risk and ensure the security of their environment. Lastly, as a good security practice, regular updates and patching, coupled with continuous monitoring of emerging threats, are recommended for all systems and software. Despite the current lack of exploits in the wild, remaining vigilant and proactive in the face of potential threats is the best defense.
Japanese Pharmaceutical Company Eisai Latest Ransomware Victim
Eisai, a Japanese pharmaceutical company, announced that it was the victim of a ransomware attack. Few details regarding the attack are available. However, Eisai stated that several of the organization’s servers were encrypted and some services were taken offline. Eisai is working with local law enforcement to investigate the issue. This incident is the most recent of several high-profile ransomware attacks that have targeted the pharmaceutical industry.
Impact: No group has yet claimed responsibility for this attack, nor have any been identified as potential culprits by Eisai or Japanese law enforcement. While the scope of this compromise is likely limited to Eisai and organizations with some business relationship with them, the attack is part of a broader trend that concerns the industry. Healthcare and pharmaceutical companies make attractive targets to malicious actors, particularly ransomware groups, due to a perception that they are more likely to pay ransoms because of the potentially catastrophic consequences of disruption to their operations.
Recommendation: While all organizations should safeguard against ransomware attacks, this is particularly true of those within the pharmaceutical industry or other high-risk sectors. Best practices include comprehensive user training and awareness, multi-factor authentication (MFA), and secure email gateway (SEG) software to detect potential phishing emails that could initiate an attack. Additionally, endpoint detection and response (EDR) and security information and event management (SIEM) software can greatly increase the chances of detecting a compromise that has already occurred.
Malicious C2 PowerShell Script Targets U.S. Aerospace Defense Industry
Adlumin Threat Research has discovered a new malicious PowerShell script known as PowerDrop that mainly targets the U.S. Aerospace Defense Industry. This custom-built malware uses deception, encoding, and encryption to evade EDR systems and detections. PowerDrop executes via WMI, uses non-standard forms of communication, has no disk presence, and uses other techniques consistent with those used by APT groups. Adlumin suspects nation-state actors may be at play given the state of the Russo-Ukrainian war, but it has not identified any specific APT yet. The malware consists of a novel Remote Access Tool (RAT) persistently embedded in Windows Management Instrumentation (WMI) and PowerShell. The code leverages Internet Control Message Protocol (ICMP) echo request messages as triggers for the malware’s command-and-control (C2) operations, including ICMP ping usage for data exfiltration. While it is not uncommon to use PowerShell for remote access and employ WMI-based persistence of PowerShell scripts, along with ICMP triggering and tunneling, what makes this malware different is its distinctive structure and its capability to combine aspects of both basic threats and advanced tactics used by Advanced Persistent Threat (APT) groups.
Impact: The most significant impact imposed on organizations by this threat is related to national security implications. Given the target being the U.S. Aerospace Defense Industry and the suspected involvement of nation-state actors, there are broader national security implications. The compromise of defense-related systems and information can jeopardize military capabilities, compromise strategic plans, and impact national security interests.
Recommendation: Organizations should deploy advanced security solutions that use behavior-based analysis to detect anomalous activities and suspicious behavior within the network. Organizations should also configure PowerShell execution policies to restrict the execution of unsigned and potentially malicious scripts, reducing the risk of the malware gaining access and persistence through PowerShell. Additionally, staying updated on the latest threat intelligence reports, collaborating with industry peers and government agencies, and sharing information to identify indicators of compromise associated with the malware and potential Advanced Persistent Threat (APT) groups will help organizations identify potential threats they are facing.
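An added example, not from the bulletin or from Adlumin's research: a PowerShell hunt for the permanent WMI event subscriptions described above, followed by the execution-policy and logging hardening the recommendation calls for. It assumes an elevated session on the host being checked, and the keyword list used to flag consumers is an assumption.

```powershell
# Added example (not the bulletin's or Adlumin's code). Lists permanent WMI
# event subscriptions (filter -> consumer bindings in root/subscription), flags
# consumers whose command or script text looks like PowerShell launchers, and
# applies the hardening from the recommendation. Run elevated.

# Assumption: strings that commonly appear in script-based WMI consumers.
$suspectKeywords = @('powershell', '-enc', '-encodedcommand', 'frombase64string', 'iex', 'invoke-expression')

function Get-WmiSubscriptionReport {
    $ns = 'root/subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Reference properties on a binding resolve to the key (Name) of each side.
        $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        $suspicious = $false
        foreach ($k in $suspectKeywords) {
            if ($payload -and $payload -match [regex]::Escape($k)) { $suspicious = $true }
        }
        [pscustomobject]@{
            Filter       = $b.Filter.Name
            Query        = $filter.Query          # the WQL trigger, e.g. a timer or process-creation event
            ConsumerType = $consumer.CimClass.CimClassName
            Payload      = $payload
            Suspicious   = $suspicious
        }
    }
}

function Set-PowerShellHardening {
    # AllSigned refuses unsigned scripts, as the recommendation advises. Execution policy
    # is a guardrail rather than a security boundary, so also enable script block logging:
    # executed script text then lands in Microsoft-Windows-PowerShell/Operational (event 4104)
    # where the SOC can see WMI-launched PowerShell even when nothing touches disk.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Review the report before removing anything: some bindings (e.g. the built-in
# SCM Event Log Consumer) are legitimate.
Get-WmiSubscriptionReport | Format-Table -AutoSize
Set-PowerShellHardening
```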
🚩 New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency
A recently discovered malware campaign is primarily targeting users of cryptocurrency platforms such as Coinbase, Bybit, KuCoin, Huobi, and Binance in countries including Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. The malware uses the Satacom downloader, also known as Legion Loader, to deploy stealthy malware that siphons cryptocurrency via rogue Chromium-based browser extensions. The malicious process begins when unsuspecting users download ZIP archives from bogus websites while seeking cracked software. The archive contains an executable file, which initiates the malware routine leading to the deployment of the Satacom downloader.
Impact: The sophisticated nature of this malware poses a significant threat to users’ cryptocurrency holdings. The malware primarily targets BTC and employs web injections to manipulate website content, allowing unauthorized control over victim accounts and illicit withdrawals of BTC to threat actor wallets. The malware has capabilities to conceal its activities, including masking email confirmation of fraudulent transactions and extracting user data such as system metadata, cookies, and browser history. The malware’s C2 address is concealed within BTC transaction fields, enabling it to evade domain blocks or takedowns, further complicating mitigation efforts.
Recommendation: Organizations should adopt a proactive, multi-faceted approach to cybersecurity. Implement robust endpoint protection to detect and block malware, while ensuring timely patching of software vulnerabilities. Adopt strong email filtering practices to prevent phishing attempts and educate users about the dangers of downloading cracked software or visiting untrusted websites. Encourage the use of reputable browser extensions and stress the importance of checking permissions before installation. Consider employing network monitoring to detect suspicious activities, such as abnormal DNS requests which may indicate C2 communication. Lastly, maintain regular backups of critical data and use MFA where possible to add an extra layer of security.
ChatGPT Creates Polymorphic Malware
Several proof-of-concept attacks have demonstrated that the large language model (LLM) ChatGPT can be leveraged to create malware capable of evading EDR systems or polymorphic malware. It has been shown how a seemingly benign executable can make an API call to ChatGPT to create and then send dynamic versions of malicious code, thereby thwarting many kinds of cybersecurity tools. Ordinarily, LLMs like ChatGPT have content filters that prevent them from creating malicious content. Still, these filters can be bypassed by engineering prompts in a specific way, such as having ChatGPT interpret the prompt as a hypothetical question. This technique can be used to create polymorphic malware that mutates at runtime, making it challenging for threat scanners to identify. Several proof-of-concept examples, such as BlackMamba and ChattyCat, have showcased the potential of leveraging ChatGPT for polymorphic malware.
Impact: The impact of the potential exploitation of ChatGPT and other large language models for generating polymorphic malware is significant and raises several concerns, such as increased cybersecurity threats, evasion of detection systems, the need for advanced defense mechanisms, and regulatory challenges. The ability to bypass content filters and generate polymorphic code makes it more difficult for traditional endpoint detection and response systems to detect and mitigate malware. This opens up new avenues for cybercriminals and increases the sophistication of their attacks. Polymorphic malware created with the help of ChatGPT can mutate at runtime, making it challenging for security scanners and antivirus software to recognize and block such threats. This leads to an increased risk of successful attacks and compromises. The emergence of AI-powered malware necessitates the development of sophisticated AI-based defense systems capable of detecting and mitigating these evolving threats. Traditional security measures may become less effective against polymorphic malware generated by language models like ChatGPT. Regulating generative AI poses a significant challenge. As the technology industry is still exploring the full potential of these models, policymakers and regulators need help creating comprehensive regulations to address the risks associated with their misuse. Determining the appropriate regulatory approach, processes, and accountability becomes complex in this rapidly evolving landscape.
Recommendation: Organizations can take measures to mitigate the risks associated with the potential exploitation of language models like ChatGPT, such as implementing behavior-based anomaly detection. Instead of solely relying on signature-based detection methods, deploying behavior-based anomaly detection systems can identify unusual patterns of activity or code execution. This can help detect polymorphic malware generated by language models.
Google Releases Patch for Chrome Zero-Day Exploit
Summary: Google released a security update to address CVE-2023-3079, a recently discovered vulnerability believed to enable type confusion attacks in the V8 JavaScript engine. Type confusion occurs when a program creates or initializes an object as one type but later accesses it as a different, incompatible type, which can lead to out-of-bounds memory access. Google confirmed that there had been active instances of this vulnerability being exploited, making this the third zero-day exploit that Google remediated in 2023.
Impact: Google did not release any details about the nature of the active exploitations it observed concerning this vulnerability, nor the profiles of any malicious actors involved. As Google Chrome is the most widely-used web browser in the world in 2023, it is likely safe to assume that nearly all organizations could be potentially impacted by this vulnerability. Type confusion attacks can allow malicious attackers to bypass security controls and compromise a target environment.
Recommendation: All organizations should ensure that key software is updated regularly, especially web browsers, which are the primary method for end users to interact with the internet. To increase the chances of detecting any compromises that occur, organizations should consider using endpoint detection and response (EDR) or security information and event management (SIEM) software.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed