Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

A New Bug in Microsoft Windows Could Let Attackers Easily Install a Rootkit

Researchers have discovered an unpatched flaw in the Microsoft Windows Platform Binary Table (WPBT) that affects all Windows-based devices since Windows 8 and could potentially be exploited to install a rootkit and compromise devices. The flaw exists because the WPBT mechanism accepts a signed binary with an expired certificate, bypassing the integrity check; an attacker could therefore sign a malicious binary with an available expired certificate and run arbitrary code with kernel privileges when the device boots. Attackers can exploit this weakness in the tables through direct physical access, remote access, or the supply chain.

Impact: Every Windows system since Windows 8 is vulnerable to an easily crafted attack that could exploit this WPBT flaw.

Recommendation: Microsoft recommends deploying a Windows Defender Application Control (WDAC) policy to control what binaries can be permitted to run on devices.

Threat Actors Leak LinkedIn Data Scrape Information

Over 700 million LinkedIn users may have been involved in the recently published data scrape of LinkedIn. While no public breach of LinkedIn has been disclosed, the threat actors claim the data was obtained through data scraping techniques. The 187GB collection was first sighted for sale in June on underground forums.

Impact: Profile names, LinkedIn IDs, profile URLs, location information (city, town, country), and email addresses were collected. While the vast majority of the information is publicly accessible, some email addresses have been exposed, which are not typically viewable from the LinkedIn profile.

Recommendation: Ensure best security practices towards phishing and social engineering campaigns.

A New APT is Targeting Hotels Across the World

Researchers have discovered a new advanced persistent threat (APT) group, codenamed FamousSparrow, targeting hotels as well as governments, international organizations, engineering companies, and law firms around the world. Most of the attacks observed use vulnerabilities in web applications, including Microsoft Exchange and Microsoft SharePoint, as entry points into its victims’ networks. Researchers noted that this group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability on March 3, 2021.

Impact: Attacking hotel systems gives cyber-espionage groups insight into movements of persons of interest. Attacks have been observed in Europe, the Middle East, the Americas, Asia, and Africa.

Recommendation: There are no current recommendations or released IOCs yet for this threat.

Microsoft Exchange Autodiscover Bug Leaks Hundreds of Thousands of Domain Credentials

Security researcher Amit Serper has discovered a flaw in the Autodiscover feature of the Microsoft Exchange email server that can be exploited to harvest Windows domain and application credentials from users all over the world. The Autodiscover feature, intended to let email clients automatically discover their email servers, present credentials, and then receive the proper configuration, uses a “back-off” procedure when probing a predetermined series of URLs. Serper registered a series of Autodiscover-based domains that were still available and set up honeypots on them to determine the scale of the flaw. In this process, the researcher captured 372,072 Windows domain credentials and 96,671 unique credentials.

Impact: Amit Serper discovered credentials for companies from multiple verticals, including food manufacturers, investment banks, power plants, power delivery, real estate, shipping and logistics, and more.

Recommendation: Microsoft is currently investigating this bug and “will take appropriate steps to protect customers.”
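The back-off behaviour described above is what lets an outside party receive credentials: as the client walks up the domain hierarchy, it eventually probes an Autodiscover host that the organisation does not own. The following script is an added example written for this page; it is not the researcher's code or Microsoft's. The candidate-host order it models (autodiscover.<mail domain>, then the same name with the leftmost label stripped, down to autodiscover.<tld>) is an assumption about typical client behaviour, and the hostnames and owned-domain list are constructed. It lets an administrator see which hosts a client for a given mail domain could fall back to outside their control, so those names can be blocked at DNS or proxy level and watched for in logs.

```python
"""Enumerate Autodiscover candidate hosts for a mail domain and flag the ones
that fall outside the organisation's own domains (added example, not page code).
"""
from typing import Iterable, List, Tuple

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def candidate_hosts(email_domain: str) -> List[str]:
    """Hosts a client may probe, in order, for user@<email_domain>.

    Assumed back-off model: the bare domain, autodiscover.<domain>, then
    autodiscover.<domain with leftmost label removed> repeatedly until only
    the top-level label remains (e.g. autodiscover.com).
    """
    domain = email_domain.lower().strip(".")
    labels = domain.split(".")
    hosts = [domain, f"autodiscover.{domain}"]
    for i in range(1, len(labels) - 1):
        hosts.append("autodiscover." + ".".join(labels[i:]))
    hosts.append("autodiscover." + labels[-1])
    return hosts


def candidate_urls(email_domain: str) -> List[str]:
    """HTTPS URLs corresponding to the candidate hosts."""
    return [f"https://{h}{AUTODISCOVER_PATH}" for h in candidate_hosts(email_domain)]


def is_controlled(host: str, owned_domains: Iterable[str]) -> bool:
    """True if host is one of the owned domains or a subdomain of one."""
    host = host.lower()
    for owned in owned_domains:
        owned = owned.lower().strip(".")
        if host == owned or host.endswith("." + owned):
            return True
    return False


def leaky_hosts(email_domain: str, owned_domains: Iterable[str]) -> List[str]:
    """Candidate hosts the organisation does not control; these are the
    names a client could back off to and send credentials to a stranger."""
    owned = list(owned_domains)
    return [h for h in candidate_hosts(email_domain) if not is_controlled(h, owned)]


def report(email_domain: str, owned_domains: Iterable[str]) -> List[Tuple[str, bool]]:
    """(host, controlled?) for every candidate, for a quick review table."""
    owned = list(owned_domains)
    return [(h, is_controlled(h, owned)) for h in candidate_hosts(email_domain)]


if __name__ == "__main__":
    # Constructed sample: the organisation owns example.co.uk only.
    for host, ok in report("mail.corp.example.co.uk", ["example.co.uk"]):
        print(("controlled  " if ok else "NOT OWNED   ") + host)
```

Anything reported as NOT OWNED is a name to block outbound in the proxy or sinkhole in internal DNS, and a string worth alerting on if it appears in proxy logs with an Authorization header.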

Microsoft Uncovers Giant Phishing-as-a-Service Operation

Microsoft researchers released information regarding their discovery of a massive Phishing-as-a-Service operation that provides phishing services using a hosting-like infrastructure to cybercrime actors. The service, known as BulletProofLink, BulletProftLink, or Anthrax, is currently advertised on underground cybercrime forums and has built-in hosting and email-sending services. Researchers have also observed the phishing service taking a copy of the stolen credentials from the customer’s campaigns. Microsoft described the whole operation as quite advanced.

Impact: Microsoft stated that, “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today.”

Recommendation: IOCs have been dispersed to the TIGR Threat Feed.

TinyTurla – Turla Deploys New Malware to Keep a Secret Backdoor on Victim Machines

Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group that can download, upload, or execute files while flying under the radar. Researchers stated that the new backdoor is likely used as a second-chance backdoor to maintain access to a system, but it could also be used as a second-stage dropper. Cisco Talos noted that infections were observed in the U.S., Germany, and most recently Afghanistan.

Impact: Cisco Talos found evidence that this threat has been used by adversaries since at least 2020. Despite the anomalous activity of contacting the C2 every 5 seconds, this backdoor has gone practically unnoticed for two years.

Recommendation: IOCs have been dispersed to the TIGR Threat Feed. The Cisco Talos blog also states a variety of coverage options that can protect against this threat.
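A fixed five-second check-in interval is the kind of regularity that network telemetry can surface even when the payload itself is unknown. The script below is an added example, not Cisco Talos code and not tied to any published TinyTurla indicator: it groups connection records by source and destination, measures the inter-arrival times, and flags pairs whose interval is nearly constant over enough observations. The log format (ISO timestamp, source IP, destination host) and all hosts and addresses are constructed for the example; the thresholds are starting points to tune, since legitimate software such as update agents also beacons on a schedule.

```python
"""Flag regularly beaconing source/destination pairs in connection logs
(added example for this page; log lines and thresholds are constructed)."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: "<ISO timestamp> <src_ip> <dst_host>"
SAMPLE_LOG = """\
2021-09-20T10:00:00 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:01 10.0.0.7 news.example.invalid
2021-09-20T10:00:05 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:00 10.0.0.9 ntp.example.invalid
2021-09-20T10:00:10 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:05 10.0.0.9 ntp.example.invalid
2021-09-20T10:00:15 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:48 10.0.0.7 news.example.invalid
2021-09-20T10:00:20 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:51 10.0.0.7 news.example.invalid
2021-09-20T10:00:25 10.0.0.5 beacon.example.invalid
2021-09-20T10:00:10 10.0.0.9 ntp.example.invalid
2021-09-20T10:00:30 10.0.0.5 beacon.example.invalid
2021-09-20T10:02:51 10.0.0.7 news.example.invalid
2021-09-20T10:00:35 10.0.0.5 beacon.example.invalid
2021-09-20T10:03:00 10.0.0.7 news.example.invalid
2021-09-20T10:03:02 10.0.0.7 news.example.invalid
"""

Key = Tuple[str, str]


def parse_log(text: str) -> Dict[Key, List[datetime]]:
    """Group connection timestamps by (src_ip, dst_host)."""
    seen: Dict[Key, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    return seen


def interval_stats(times: List[datetime]) -> Tuple[float, float]:
    """Median inter-arrival gap in seconds and its population std deviation
    (the 'jitter'); a near-zero jitter means a metronomic schedule."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return statistics.median(gaps), statistics.pstdev(gaps)


def find_beacons(text: str, min_hits: int = 6, max_jitter: float = 0.5) -> List[Tuple[str, str, float]]:
    """Return (src, dst, median_interval) for pairs seen at least min_hits
    times whose interval jitter is at or below max_jitter seconds."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue  # too few observations to call it a schedule
        median, jitter = interval_stats(times)
        if jitter <= max_jitter:
            hits.append((src, dst, median))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {interval:.1f}s")
```

On the constructed log the 10.0.0.5 pair is reported at a 5.0 s interval, the irregular browsing from 10.0.0.7 is not, and the three-hit 10.0.0.9 pair is suppressed by `min_hits`; lowering that threshold is the usual trade-off between catching short-lived beacons and drowning in scheduled-task noise.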

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.


Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook, add the feed through the RSS feed option in the Outlook desktop app.

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.