Get the TIGR Threat Watch and Bulletin
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.
Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
Zero-Day Exploit Affecting Apex One Security Software Products
Trend Micro reported a zero-day vulnerability affecting Apex One, Apex One SaaS, and Worry-Free Business Security software. Exploiting CVE-2023-41179 involves using the ability to remove third-party security software to achieve arbitrary code execution. Threat actors would need access to the product’s admin console to exploit this vulnerability. Trend Micro confirms that this vulnerability is being actively exploited.
Impact: Arbitrary code execution can lead to unauthorized access, network traversal, installation of malware, and potential reputational damage.
Recommendation: If your organization uses these products, immediately update to the patched versions to prevent exploitation. Please refer to the source article, which lists the patched versions for each software.
Researchers Identify RCE Exploit in Juniper SRX and EX Series Products Using Junos OS
Researchers at watchTowr Labs have identified a combination of vulnerabilities in Juniper switches and firewalls that allows a remote attacker to execute arbitrary code without authentication. The attack relies on CVE-2023-36846 to upload a file through the J-Web interface without authentication and CVE-2023-36845 to set environment variables. Combined, these two vulnerabilities allow an attacker to run arbitrary PHP on the devices. A patch from Juniper is already available for these vulnerabilities.
Impact: A threat actor exploiting these vulnerabilities could gain complete control of switching or firewall equipment and use it to watch traffic flowing out of an organization, gain access to internal networks, or change the device’s configuration to enable further compromise.
Recommendation: If possible, all Juniper devices should be updated to the newest version to patch these vulnerabilities. If an update is not possible, the J-Web interface should be disabled to prevent its misuse. Configuration could still be carried out without the J-Web interface via the CLI.
🚩 LockBit Ransomware Exploits RMM Software in Prolific Attacks
The LockBit ransomware group has adopted a sophisticated strategy of leveraging remote monitoring and management (RMM) software to infiltrate targeted networks. In three recent attacks reported by eSentire, LockBit affiliates exploited exposed RMM instances or introduced their own RMM tools, effectively employing a living off the land (LotL) approach to establish a firm presence within victim networks. This technique involves obtaining legitimate credentials to gain access and move laterally within networks, avoiding traditional malware and antivirus detection. LockBit’s relentless ransomware campaigns have made them one of the most prolific cybercriminal groups in 2023, with a wide range of sectors and devices targeted.
Impact: The LockBit threat presents significant risks to organizations. By infiltrating RMM systems, attackers can gain admin-level access and rapidly compromise multiple endpoints, potentially causing widespread disruption and data loss. Additionally, attacks on managed service providers (MSPs) can compromise downstream customer organizations, amplifying the impact. The group’s ability to avoid traditional malware detection methods and exploit legitimate software tools poses a severe challenge to cybersecurity efforts.
Recommendation: Restrict access to RMM systems and other critical assets to authorized personnel only. Regularly review and update access privileges to minimize the risk of unauthorized access. If using RMM software, ensure it is securely configured and access panels are not exposed to the open internet. Implement strict access controls and monitor for any suspicious activities.
Unsecured Azure Storage Leaks 38TB of Data
Since July 2020, Microsoft’s AI research division had been inadvertently leaking approximately 38 terabytes of sensitive data from a misconfigured Azure Blob storage bucket, along with open-source AI model details. The leak was discovered by cloud security firm Wiz, which found that a Microsoft employee had accidentally shared the URL for this bucket. The misconfiguration lay in a Shared Access Signature (SAS) token with excessive permissions. While SAS tokens can help manage access to resources, they can also grant unnecessary access if not set up and audited correctly. The leaked data includes Microsoft service passwords, Microsoft employee personal information, secret keys, and tens of thousands of internal Teams messages between Microsoft employees. According to Microsoft, no customer data was exposed, and no other services were endangered. Wiz reported the leak on June 22nd, and mitigation was completed two days later.
Impact: Customers with direct contact with Microsoft employees may have had sensitive data exposed due to leaked Teams messages.
Recommendation: Utilize the BlueBleed search portal to determine if company-sensitive data was leaked online: https://socradar.io/labs/bluebleed
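For teams auditing their own SAS links after reading the item above, the following is an added example (not code from the original article, Microsoft, or Wiz): a Python check that parses the standard SAS query parameters (sp, se, sr, srt, spr) from a URL and flags over-broad grants. The sample URLs, the account name, and the 7-day lifetime limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Letters in the SAS "sp" field that grant more than reading a single object.
BROAD_PERMS = {"w": "write", "d": "delete", "a": "add", "c": "create", "l": "list"}
MAX_LIFETIME = timedelta(days=7)  # assumed policy limit; set to your own standard

# Constructed sample URLs (account, container and signature are placeholders).
BROAD_URL = ("https://exampleacct.blob.core.windows.net/models"
             "?sv=2020-08-04&sr=c&sp=racwdl&se=2050-01-01T00:00:00Z&sig=CONSTRUCTED")
NARROW_URL = ("https://exampleacct.blob.core.windows.net/models/weights.bin"
              "?sv=2020-08-04&sr=b&sp=r&spr=https&se=2023-09-20T00:00:00Z&sig=CONSTRUCTED")

def audit_sas_url(url, now=None):
    """Return a list of findings for one Azure Storage SAS URL."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    granted = [name for letter, name in BROAD_PERMS.items() if letter in q.get("sp", "")]
    if granted:
        findings.append("grants more than read: " + ", ".join(granted))
    if "srt" in q:
        findings.append("account-level SAS: scope is the whole storage account")
    elif q.get("sr") == "c":
        findings.append("container-scoped SAS: every blob in the container is reachable")
    if "se" not in q:
        findings.append("no se in token: expiry must come from a stored access policy (si)")
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only values carry no offset; treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings.append(f"expires {expiry.date()}: lifetime exceeds {MAX_LIFETIME.days} days")
    if q.get("spr", "") != "https":
        findings.append("spr is not https-only: token may be sent over plain HTTP")
    return findings

if __name__ == "__main__":
    for sample in (BROAD_URL, NARROW_URL):
        print(sample.split("?")[0], audit_sas_url(sample) or "no findings")
```

Run it over SAS URLs found in repositories, wikis, and shared documents; a token signed with the account key cannot be revoked individually, so any finding on such a token means rotating that key.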
🚩 Earth Lusca China-Linked APT Group Deploys New Linux Backdoor
Trend Micro discovered that Earth Lusca, a China-linked APT group, developed a new Linux backdoor named SprySOCKS. This backdoor is based on the open-source Windows trojan Trochilus but re-implemented for Linux systems. SprySOCKS has a loader component called mandibule and an encrypted primary payload. It implements backdoor capabilities like system info collection, shell access, SOCKS proxy, and file operations. The interactive shell code resembles the Linux variant of Derusbi malware. Security researchers observed SprySOCKS being used by Earth Lusca in attacks this year on government entities in Southeast Asia, Central Asia, and the Balkans.
Impact: Developing custom Linux malware like SprySOCKS shows this APT group’s continued evolution and commitment to compromise. Successful deployment of this stealthy backdoor gives the group long-term remote access to infiltrate sensitive systems and exfiltrate confidential data. Targeted organizations are at high risk of IP theft and espionage.
Recommendation: Trend Micro urges organizations to minimize potential entry points into their environments and regularly patch and update tools, software, and systems. Doing so maintains security, functionality, and performance while decreasing the chances of a successful intrusion.
UNC3944 Using SMS Attacks to Steal Credentials and Extort Victims
Mandiant has released a report detailing its findings on UNC3944, a threat actor group that relies heavily on SMS-based attacks. Having focused initially on targets in the telecommunications industry with attacks primarily geared towards credential gathering, the group has recently expanded its attacks to various industries. They have also moved beyond simple credential-gathering to the deployment of ransomware, intending to extort their targets aggressively. Similar to the ALPHV/BlackCat attacks that impacted MGM Resorts earlier this month, the group is known to use harvested credentials to trick service desk staff into resetting multi-factor authentication (MFA), thereby enabling further compromise.
Impact: With its expanded focus of late, any company could become a target of this activity. UNC3944 displays an unusually high level of competency in understanding the internal workings of its victims. It is capable of compromising a target and gathering sensitive data for extortion purposes at a rapid pace. The group is also highly aggressive in its methods of extorting victims, even going as far as disrupting communications between internal incident responders or contacting executives directly and demanding payment.
Recommendation: Secure MFA by removing SMS as an MFA verification option, enabling number matching with Microsoft Authenticator, requiring users to authenticate from trusted locations, and creating conditional access policies. A further recommendation, which organizations should also consider because it is highly effective if implemented, is mandatory video verification during MFA reset calls to the help desk.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed