Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Red Canary’s Threat Intelligence Insights: November 2022

The Red Canary blog released its threat intelligence report covering the latest and most prevalent adversaries and malware for November 2022. The report details popular toolkits, malware, and droppers compared to the previous month’s insights.

Impact: The Qbot banking trojan, also known as QakBot, continues to be one of the largest threats.

Recommendation: No immediate action is required.

Cybercriminals Sell Access to Networks Compromised via Recent Fortinet Vulnerabilities

Cybercriminals known as initial access brokers are advertising stolen credentials compromised via a recent Fortinet vulnerability. Researchers first discovered the adversaries selling access on several Russian dark web forums.

Impact: Affected users include “Fortinet customers that have not yet patched a critical authentication bypass vulnerability.”

Recommendation: Fortinet users should ensure all systems and software are up to date with the latest security patches.

Trigona Ransomware Increasingly Spotted in Attacks Worldwide

Security researchers have seen increased activity from previously unidentified ransomware, now known as Trigona. The threat actors behind Trigona launched a Tor website with a chat feature allowing victims to discuss negotiations for ransom payments. The ransomware encrypts all files apart from necessary Windows processes and appends the encrypted files with a “._locked” extension.

Impact: Due to the novelty of Trigona, the developers’ skills and current attack vectors are unknown.

Recommendation: As it is unclear how the adversaries gain initial access and ultimately deploy the ransomware, organizations should apply general security practices such as those outlined here: https://www.cisa.gov/stopransomware/ransomware-guide

Three Vulnerabilities Found Affecting Operational Technology from German Companies

Security researchers discovered three vulnerabilities actively affecting operational technology (OT) from two German companies: automation software company “CODESYS” and factory manufacturer “Festo.” These vulnerabilities are predicted to affect hundreds of industrial devices in the supply chain. The most severe vulnerability could allow adversaries to perform a denial of service (DoS) attack using remote code execution (RCE).

Impact: Many proprietary OT protocols are managed improperly or have weak security configurations.

Recommendation: In addition to performing all needed updates and patches, researchers suggest that organizations, “create an inventory of vulnerable devices and enforce segmentation controls, isolating tools that cannot be patched immediately.”

CISA Adds Two Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog Affecting Google Chrome and Oracle

The U.S. Cybersecurity and Infrastructure Security Agency added two critical vulnerabilities to its Known Exploited Vulnerabilities Catalog that are affecting Google Chrome and Oracle products. CVE-2021-35587, with a 9.8 critical score, could allow an unauthenticated adversary with network access to compromise Oracle Access Manager. A threat actor also leveraged CVE-2022-4135, with a 9.6 critical score, to perform a sandbox escape via an HTML page.

Impact: Affected products include Oracle Fusion Middleware 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0.

Recommendation: Users and administrators should perform all necessary security updates to patch the above vulnerability. Regardless of program, application, or software, best security practices involve performing routine updates for security reasons.

Hive Ransomware Gang Claims Attack on North Carolina College

Guilford College disclosed a ransomware attack over the Thanksgiving holiday, bringing the year-to-date total of known ransomware attacks on colleges to 35. The Hive ransomware group claimed the attack on the North Carolina college. The gang publicized a sample of the stolen information, threatening to exfiltrate the data if a ransom is not paid. When notified of the attack, system administrators at Guilford isolated infected systems and are still working with security experts to determine the next steps.

Impact: The college is not yet aware of the amount or exact type of data Hive accessed.

Recommendation: Organizations should review CISA’s recent advisory notification regarding Hive: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.