Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
Threat actors trojanized the Comm100 Live Chat application installer in a supply-chain attack by infecting the installer’s files on the vendor’s website. The malicious installer was live from September 27th through September 29th. The attackers implanted a backdoor into the installer’s main.js file, giving them remote shell access to any machine that downloaded the infected installer between those dates. Using that remote access, the adversaries connected the infected machines to their malicious command-and-control (C2) domains and injected further payloads.
Impact: Comm100 is unsure how the adversaries gained initial access to their systems. While users who downloaded the installer before September 27th are unlikely to be infected, they should still check their application for updates.
Recommendation: Users should immediately update their Comm100 applications to version 10.0.9 if they have not done so already.
Adversaries are using Chrome’s Application Mode as a new phishing tactic. Application Mode allows threat actors to display credential phishing login pages in a ChromeOS native application window. The appearance of the native application window adds another level of legitimacy to social engineering and phishing attacks.
Impact: All Chromium-based browsers support Application Mode, making it a versatile option for adversaries targeting Google Chrome, Microsoft Edge, or Brave. The attack requires the victim’s local browser to have Chromium app mode enabled. Adversaries first spearphish the target into launching a shortcut that starts the browser in Chromium app mode.
Recommendation: Organizations should implement phishing awareness programs to help prevent these kinds of attacks. Users are encouraged to refer to CISA’s guide on avoiding social engineering and phishing attacks: https://www.cisa.gov/uscert/ncas/tips/ST04-014.
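One detection angle for the tactic described above is to watch process-creation telemetry for Chromium-based browsers started with the `--app=` switch against an external URL. The following is an added example, not code from the bulletin; the event field names, the browser set and the trusted-host allowlist are assumptions, and the sample events are constructed.

```python
"""Flag Chromium-based browsers started in Application Mode (--app=<url>).
Added example, not from the bulletin: checks constructed process-creation
events of the kind endpoint telemetry records and flags app-mode launches
of external http(s) URLs, the shape of the phishing tactic described above."""
import re
from typing import Optional
from urllib.parse import urlparse

# Browser binaries that honour --app= (assumed set; extend for your fleet).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Hosts your own installed web apps legitimately open in app mode (constructed).
TRUSTED_APP_HOSTS = {"intranet.example.internal"}

APP_FLAG = re.compile(r'(?:^|\s)--app=(?:"([^"]+)"|(\S+))')

def app_mode_url(command_line: str) -> Optional[str]:
    """Return the URL given to --app=, or None when the launch is not app mode."""
    m = APP_FLAG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def is_suspicious_launch(event: dict) -> bool:
    """True when a Chromium browser opens an untrusted http(s) URL in app mode.
    Event keys are assumed: 'image' (binary path) and 'command_line'."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return False
    url = app_mode_url(event["command_line"])
    if url is None:
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False   # chrome:// or file targets are out of scope here
    return parsed.hostname not in TRUSTED_APP_HOSTS

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --app=https://login.example-phish.test/'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.example.com/'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'msedge.exe --app=https://intranet.example.internal/portal'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe --app=https://example.test/"},
]

def flagged_urls(events=SAMPLE_EVENTS) -> list:
    """Return the app-mode URL of every suspicious launch, in order."""
    return [app_mode_url(e["command_line"]) for e in events if is_suspicious_launch(e)]
```

Only the first sample event is flagged: the second is a normal browser launch, the third opens an allowlisted internal host, and the fourth is not a Chromium browser.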
North Korean threat group “Lazarus” leveraged a Dell driver bug, CVE-2021-21551, in spearphishing attacks against European companies. After successfully luring employees into opening documents attached to LinkedIn messages and emails, the attackers deployed malware droppers and HTTPS backdoors on the organizations’ systems. The Dell vulnerability allowed Lazarus to read and write Windows kernel memory, disabling security monitoring on the companies’ infrastructure.
Impact: Employees being lured by the attackers was the initial point of failure in this attack, giving the threat actors access to the organizations’ systems. The adversaries’ primary goal appears to be espionage and data extortion.
Recommendation: Organizations should implement strict Acceptable-Use Policies (AUP) to ensure that employees are utilizing the company’s devices and network appropriately.
🚩 North Korean State-Sponsored Threat Group “ZINC” Weaponizes Open-Source Software in Recent Espionage Campaign
The Microsoft Threat Intelligence Center (MSTIC) reports that ZINC, a North Korean state-sponsored threat group, is weaponizing a variety of open-source software in recent attacks. ZINC begins by posing as a recruiter in the technology industry on LinkedIn, hoping to lure victims into communicating via WhatsApp. The threat actors then utilize up to five currently known methods to deliver the ZetaNile malware: SSH, PuTTY, KiTTY, TightVNC Viewer, and Sumatra PDF Reader.
Impact: According to MSTIC, Microsoft is directly notifying customers that have been targeted or compromised.
Recommendation: Microsoft recommends that organizations review all authentication activity for remote access infrastructure along with enabling Multi-Factor Authentication (MFA). Additionally, review CISA’s ransomware prevention best practices guide: https://www.cisa.gov/stopransomware/ransomware-guide.
CISA warns that Hurricane Ian will open doors for adversaries to scam disaster victims. The incidents may include phishing emails to steal credentials, illegitimate hurricane-related hyperlinks, or fake hurricane insurance emails demanding payment.
Impact: Natural disasters often lead to adversaries luring targets into weather-related scams that could infect users’ computers with malware.
Recommendation: Be wary of sharing your precise location on social media platforms either explicitly, or through photos or other details. CISA provides several resources for administrators, users, and citizens to review regarding disaster-related scams, avoiding social engineering attacks, and more in the linked article.
🚩 Microsoft Exchange Server Zero-Day Remote Code Execution (RCE) Vulnerability Exploited in Recent Attack
A Vietnamese information security company, GTSC, discovered threat actors leveraging two Microsoft Exchange vulnerabilities in attacks on their critical infrastructure. GTSC’s Red Team deconstructed the exploit code to uncover the vulnerabilities: CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082, which allows RCE.
Impact: The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019.
Recommendation: Microsoft states that “Microsoft Exchange Online Customers do not need to take any action”, and posted mitigations for organizations in the linked article. GTSC provides a PowerShell command to scan log files to determine if an organization’s Exchange Server has been exploited. You can view the code here: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html.
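For the log check GTSC describes, the following is an added example (not the bulletin’s or GTSC’s own code) that applies the regular expression from the linked GTSC post to IIS log lines in Python and pulls out the fields an analyst triages first. The log excerpt is constructed sample data, and the log directory layout is an assumption.

```python
"""Scan Exchange IIS logs for the request pattern GTSC tied to the
CVE-2022-41040 / CVE-2022-41082 chain (added example, not from the bulletin).
The regex is the one in GTSC's published PowerShell one-liner; the log
excerpt below is constructed W3C-format sample data, not a real capture."""
import re
from pathlib import Path
from typing import Iterable

# GTSC's pattern: a request routed through the PowerShell backend via
# autodiscover.json containing '@', answered with HTTP 200.
GTSC_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

# Constructed IIS log excerpt; attacker host and IPs are placeholders.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-28 08:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.test/powershell&Email=autodiscover/autodiscover.json%3f@attacker.test 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 312
2022-09-28 08:12:05 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.test/powershell&Email=autodiscover/autodiscover.json%3f@attacker.test 443 - 203.0.113.10 Mozilla/5.0 - 401 0 0 15
2022-09-28 08:13:10 10.0.0.5 GET /owa/ - 443 user@corp.test 192.0.2.20 Mozilla/5.0 - 200 0 0 40
2022-09-28 08:14:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 192.0.2.21 Outlook/16.0 - 200 0 0 60
"""

def scan_lines(lines: Iterable[str]) -> list:
    """Return one hit per matching line with the fields an analyst triages first."""
    fields = []
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for this log section
            continue
        if line.startswith("#") or not GTSC_PATTERN.search(line):
            continue
        cols = dict(zip(fields, line.split())) if fields else {}
        hits.append({
            "time": f"{cols.get('date', '?')} {cols.get('time', '?')}",
            "client_ip": cols.get("c-ip", "?"),
            "status": cols.get("sc-status", "?"),
            "query": cols.get("cs-uri-query", line),
        })
    return hits

def scan_log_dir(log_dir: str) -> list:
    """Scan every *.log under an IIS log directory (e.g. inetpub\\logs\\LogFiles)."""
    hits = []
    for path in Path(log_dir).rglob("*.log"):
        with path.open(encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_lines(fh))
    return hits
```

On the sample, only the first line matches: the second has the same request but a 401 response, and the other two are ordinary OWA and Autodiscover traffic. Run `scan_log_dir` against the server’s IIS log directory to check real logs.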