Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

Microsoft WPBT Flaw Allows Rootkit Installation

A flaw was found in the Microsoft Windows Platform Binary Table (WPBT) that, if exploited, can allow an attacker to install a rootkit on a device running Windows 8 or newer. WPBT is a fixed firmware table that lets vendors have a program executed every time the device boots, which an attacker could abuse to deploy malicious tools. The attack can take different forms; among the most common are running a malicious bootloader or a direct memory access (DMA) attack.

Impact: Rootkits are designed to give an attacker privileged access to a computer system while going undetected for a long period of time. This type of access could give the attacker the ability to install malware, run programs remotely, or exfiltrate data.

Recommendation: Microsoft recommends using a Windows Defender Application Control (WDAC) policy on Windows 10 1903 and later, Windows 11, or Windows Server 2016 and later. A WDAC policy controls which binaries may run on a Windows device. Older Windows 8 systems can use AppLocker policies to control which apps are allowed to run on the client.

Cloudflare Releases New Email Safety Tools

Cloudflare, the internet infrastructure company, has announced two free email protection tools that integrate with a customer’s existing email provider to counter targeted phishing attacks, with security features geared towards small business and corporate customers. The first product, Cloudflare Email Routing, lets organizations manage an entire custom email domain from one account and consolidate many addresses in a single location, giving small businesses the benefits of a dedicated, custom email domain without moving to a different platform. The second, Security DNS Wizard, aims to reduce email address spoofing through Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records. Additional features and tools are planned for the future.

Impact: Cloudflare may offer an additional line of defense against phishing attacks.

Recommendation: No immediate action is needed.
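To make the SPF/DKIM point concrete, here is a small checker that evaluates what a domain's published records actually promise a receiving mail server: whether an SPF record exists, whether it ends in a hard fail (`-all`), soft fail (`~all`) or an open `+all`, how many DNS-lookup mechanisms it uses (RFC 7208 caps these at 10), and whether a DKIM selector record carries a public key. This is an added example, not code from the TIGR bulletin or from Cloudflare; the domain names and TXT records are constructed and served from an inline dictionary so it runs offline, and the `txt_lookup` parameter is a stand-in for a real DNS resolver.

```python
"""SPF / DKIM record sanity check over constructed DNS TXT answers.

Added example (not from the TIGR bulletin or Cloudflare). An inline
dictionary stands in for DNS TXT lookups so the script runs offline;
every domain name and record below is constructed for illustration.
"""
import re

# Constructed stand-in for DNS TXT lookups: name -> list of TXT strings.
FAKE_TXT = {
    "example.test": [
        "v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all",
    ],
    "weak.test": [
        "v=spf1 include:_spf.mailhost.test +all",
    ],
    "none.test": [],
    "sel1._domainkey.example.test": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
    ],
    "sel1._domainkey.weak.test": ["v=DKIM1; k=rsa; p="],
}


def lookup_txt(name):
    """Pretend resolver: return the TXT strings for a name (constructed data)."""
    return FAKE_TXT.get(name, [])


SPF_ALL = re.compile(r"^([-+~?])?all$", re.IGNORECASE)
# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
DNS_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(domain, txt_lookup=lookup_txt):
    """Describe the SPF posture of a domain: presence, 'all' qualifier, lookups, issues."""
    records = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    result = {"present": False, "all_qualifier": None, "lookups": 0, "issues": []}
    if not records:
        result["issues"].append("no SPF record: receivers cannot reject a forged MAIL FROM")
        return result
    if len(records) > 1:
        result["issues"].append("multiple SPF records: RFC 7208 treats this as a permerror")
    result["present"] = True
    for term in records[0].split()[1:]:
        m = SPF_ALL.match(term)
        if m:
            result["all_qualifier"] = m.group(1) or "+"  # bare 'all' means '+all'
            continue
        # Mechanism name is everything before ':', '/' or '=' with the qualifier stripped.
        name = re.split(r"[:/=]", term, 1)[0].lstrip("+-~?").lower()
        if name in DNS_LOOKUP_MECHS:
            result["lookups"] += 1
    q = result["all_qualifier"]
    if q is None:
        result["issues"].append("no 'all' term: unlisted senders get a neutral result")
    elif q == "+":
        result["issues"].append("'+all' authorises every sender; spoofing is not constrained")
    elif q == "?":
        result["issues"].append("'?all' is neutral; use '~all' or '-all'")
    if result["lookups"] > 10:
        result["issues"].append("more than 10 DNS-lookup mechanisms: RFC 7208 permerror")
    return result


def check_dkim(domain, selector, txt_lookup=lookup_txt):
    """Describe the DKIM key record at <selector>._domainkey.<domain>."""
    name = f"{selector}._domainkey.{domain}"
    result = {"present": False, "key_present": False, "issues": []}
    records = txt_lookup(name)
    if not records:
        result["issues"].append(f"no DKIM record at {name}")
        return result
    result["present"] = True
    tags = {}
    # A long key may be split across several TXT strings; join before parsing tags.
    for part in "".join(records).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        result["issues"].append("unexpected v= tag")
    if tags.get("p", ""):
        result["key_present"] = True
    else:
        result["issues"].append("empty p= tag: key revoked, signatures will not verify")
    return result


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "none.test"):
        print(d, check_spf(d), check_dkim(d, "sel1"))
```

In practice you would replace `lookup_txt` with a real resolver call and run the check against your own domains after publishing records; the `issues` list is the part worth alerting on, since an SPF record ending in `+all` or a DKIM selector with an empty `p=` gives receivers nothing to reject spoofed mail with.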

Clubhouse Exposes 3.8 Billion Users’ Data, Now Up for Sale

Recently, 3.8 billion phone numbers were leaked from the social-media platform Clubhouse’s database. On its own this is not especially concerning; however, these numbers have been linked with 533 million leaked Facebook profiles. The combined Clubhouse and Facebook data set, containing personally identifiable information (PII), is being sold on an underground forum for an asking price of $100,000. Aside from fueling scam campaigns and other cyber-attacks such as basic account takeover (ATO), it will enable threat actors to build rich profiles of targets, revealing previously hidden information about users and allowing detailed, socially engineered phishing attempts.

Impact: Aggregated data from both leaks could be used as part of targeted attacks.

Recommendation: Implement best practices against phishing and social engineering campaigns.

Three iOS Zero-Days Released Months After Apple Was Notified – Still Not Fixed

A researcher recently published the details of three zero-day vulnerabilities. The findings were released on the Russian blogging platform Habr, and proof-of-concept (PoC) code was posted on GitHub. The first vulnerability was found in the Gamed daemon and grants access to user data as well as read access to the file system. The other two vulnerabilities are in the nehelper daemon: one can be used from within an app to learn which other apps are installed on the device, and the other can be used to obtain the device’s WiFi information. Currently, there is no patch or fix for these vulnerabilities.

Impact: Since the PoCs have been released, it is possible for an attacker to use them for device reconnaissance and enumeration. These activities are the first steps an attacker takes toward gaining unauthorized access to a device or application.

Recommendation: Exercise best security practices and update vulnerable devices as soon as an update becomes available.

Cisco Patches 3 IOS XE Network Operating System Vulnerabilities

On September 22, 2021, Cisco Systems released patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could exploit to execute arbitrary code with administrative privileges and trigger a denial-of-service (DoS) condition.

Impact: These vulnerabilities affect Cisco products running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers; products running a vulnerable release of Cisco IOS XE SD-WAN Software with the SD-WAN feature enabled; and Cisco IOS XE Software running in autonomous or controller mode together with Cisco IOS XE SD-WAN Software.

Recommendation: Affected users and administrators are strongly encouraged to use best security practices and immediately apply the necessary updates to mitigate any potential exploitation risk by malicious actors.

New Android Malware Targeting US & Canadian Users with COVID-19 Lures

Researchers have discovered a recent SMS phishing (smishing) malware campaign that targets Android users in the United States and Canada with COVID-19 regulation and vaccine-information lures. The malware, TangleBot, named for its “many levels of obfuscation and control over a myriad of entangled device function,” harvests victims’ sensitive information and also interacts with banking and financial apps. The attack begins with an SMS message urging the recipient to visit a link for more information on COVID-19 regulations; the linked page then claims that Adobe Flash Player needs to be updated, and accepting the “update” installs TangleBot on the Android device.

Impact: Android mobile users could be susceptible to this TangleBot campaign.

Recommendation: Always be vigilant for suspicious-looking text messages. Do not install software on your mobile device from outside a trusted app store or certified vendor.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.


Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.