Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

CrowdStrike Identifies Supply-Chain Attack via Trojanized Comm100 Chat Installer

Threat actors trojanized the Comm100 Live Chat application installer in a supply-chain attack by infecting the installer’s files on the vendor’s website. The malicious installer was live from September 27th through September 29th. The attackers implanted a backdoor into the installer’s main.js file, providing them remote shell access to any machines that downloaded the infected installer between the above dates. The adversaries injected payloads into the machine using remote access to connect to their malicious command-and-control domains (C2).

Impact: Comm100 is unsure how the adversaries gained initial access to their systems. While users who downloaded the installer before September 27th are unlikely to be infected, they should still check their application for updates.

Recommendation: Users should immediately update their Comm100 applications to version 10.0.9 if they have not done so already.

New Chrome Phishing Tactic Adds Authenticity to Impersonate Login Pages

Adversaries are using Chrome’s Application Mode as a new phishing tactic. Application Mode allows threat actors to display credential phishing login pages in a ChromeOS native application window. The appearance of the native application window adds another level of legitimacy to social engineering and phishing attacks.

Impact: All Chromium-based browsers support Application Mode, making it a versatile option for adversaries targeting Google Chrome, Microsoft Edge, or Brave. The attack requires the victims to have Chromium app mode enabled locally. Adversaries first spearphish the target into launching a shortcut to allow the Chromium app mode feature.

Recommendation: Organizations should implement phishing awareness programs to help prevent these kinds of attacks. Users are encouraged to refer to CISAs’ guide on avoiding social engineering and phishing attacks: https://www.cisa.gov/uscert/ncas/tips/ST04-014.

North Korean Adversaries Found Leveraging Dell Driver Bugs in Spearphishing Attacks

North Korean threat group “Lazarus” leveraged a Dell driver bug, CVE-2021-21551, in spearphishing attacks against European companies. After successfully luring employees to open documents attached to LinkedIn messages and emails, attackers deploy malware droppers and HTTPS backdoors on organizations’ systems. The Dell vulnerability allowed Lazarus to access and edit Windows’ kernel memory, disabling security monitoring on the companies’ infrastructure.

Impact: Attackers luring employees was the initial point of failure for this attack, giving the threat actors access to organizations’ systems. The adversaries’ primary goal seems to be espionage and data extortion.

Recommendation: Organizations should implement strict Acceptable-Use Policies (AUP) to ensure that employees are utilizing the company’s devices and network appropriately.

🚩North Korean State-Sponsored Threat Group “ZINC” Weaponizes Open-Source Software in Recent Espionage Campaign

The Microsoft Threat Intelligence Center (MSTIC) reports that ZINC, a North Korean state-sponsored threat group, is weaponizing a variety of open-source software in recent attacks. ZINC begins by posing as a recruiter in the technology industry on LinkedIn, hoping to lure victims into communicating via WhatsApp. The threat actors then utilize up to five currently known methods to deliver the ZetaNile malware: SSH, PuTTY, KiTTY, TightVNC Viewer, and Sumatra PDF Reader.

Impact: According to MSTIC, Microsoft is directly notifying customers that have been targeted or compromised.

Recommendation: Microsoft recommends that organizations review all authentication activity for remote access infrastructure along with enabling Multi-Factor Authentication (MFA). Additionally, review CISA’s ransomware prevention best practices guide: https://www.cisa.gov/stopransomware/ransomware-guide.

CISA Expects an Influx in Disaster-Related Scams Due to Hurricane Ian

CISA warns that hurricane Ian will open doors for adversaries to scam disaster victims. The incidents may include phishing emails to steal credentials, illegitimate hurricane-related hyperlinks, or fake hurricane insurance emails requiring payment.

Impact: Natural disasters often lead to adversaries luring targets into weather-related scams that could infect users’ computers with malware.

Recommendation: Be wary of sharing your precise location on social media platforms either explicitly, or through photos or other details. CISA provides several resources for administrators, users, and citizens to review regarding disaster-related scams, avoiding social engineering attacks, and more in the linked article.

🚩Microsoft Exchange Server Zero-Day Remote Code Execution (RCE) Vulnerability Exploited in Recent Attack

A Vietnamese information security company, GTSC, discovered threat actors leveraging two Microsoft Exchange vulnerabilities in attacks on their critical infrastructure. GTSC’s Red Team deconstructed the exploit code to uncover the vulnerabilities; CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082 which allows for RCE.

Impact: The vulnerabilities are found on Microsoft Exchange Servers 2013, 2016, and 2019.

Recommendation: Microsoft states that “Microsoft Exchange Online Customers do not need to take any action”, and posted mitigations for organizations in the linked article. GTSC provides a PowerShell command to scan log files to determine if an organization’s Exchange Server has been exploited. You can view the code here: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.