Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

CISA Warns Users of Vulnerabilities Affecting Several Cisco Products

A recent alert from CISA encourages users and administrators to review nine high-severity security advisories from Cisco. Several features of Cisco’s IOS XE operating system are susceptible to denial of service, command injection, privilege escalation, and secure boot bypass vulnerabilities. An application programming interface (API) within Cisco’s DNA Center is vulnerable to a privilege escalation bug, and the company’s access point software also has a denial of service vulnerability.

Impact: Cisco released free software updates for all affected products, including security patches for each listed vulnerability.

Recommendation: After viewing the advisories linked in CISA’s alert, administrators should ensure that all Cisco products are up-to-date with the latest software releases to patch all known vulnerabilities.

🚩 ‘Bitter’ Espionage Group Targets Nuclear Energy Industry in Recent Spearphishing Campaign

Bitter, an advanced persistent threat (APT) group from South Asia, has been operating since 2013 and targets the nuclear energy sector and other critical infrastructure organizations. The group’s recent spearphishing campaign aims to trick targets into downloading an attached RAR file by impersonating various government organizations and inviting targets to a nuclear energy conference. After the victim downloads and extracts the archive, a malicious Microsoft Excel file executes and creates scheduled tasks to download second-stage malware. Alternatively, a Compiled HTML Help (CHM) file may be extracted from the RAR file to execute arbitrary code through an encoded PowerShell command, which obfuscates the malicious activity and helps it evade detection.

Impact: Adversaries often abuse CHM files in attacks as they can launch without user interaction. CHM files frequently evade detection because security tools often treat them as a legitimate Windows file type.

Recommendation: Organizations should consider disabling or restricting the execution of uncommon file types and extensions such as CHM files. For specific mitigation and detection techniques related to the abuse of CHM files, view https://attack.mitre.org/techniques/T1218/001/
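As an added example (not code from the SRA bulletin or from MITRE ATT&CK), the following detection flags process-creation events in which the Windows HTML Help viewer (hh.exe, the program that opens CHM files) launches PowerShell with an encoded command, the CHM-to-PowerShell stage described above. It assumes Sysmon Event ID 1 style records with UtcTime, ParentImage, Image and CommandLine fields, stored one JSON object per line; the sample events are constructed, not real telemetry.

```python
"""
Added example, not from the SRA bulletin or from MITRE ATT&CK: flag
process-creation events where hh.exe (the CHM viewer) spawns PowerShell
with an encoded command.

Assumptions (mine, not from the bulletin): events are Sysmon Event ID 1
style records with UtcTime, ParentImage, Image and CommandLine fields,
serialised one JSON object per line.
"""
import json

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def has_encoded_command_flag(cmdline: str) -> bool:
    """powershell.exe accepts -EncodedCommand, its documented short form -ec,
    and any unambiguous prefix such as -e or -enc (with '-' or '/'), so test
    each switch token as a prefix of the full name rather than one spelling."""
    for tok in cmdline.split():
        lowered = tok.lower()
        name = lowered.lstrip("-/")
        if not name or name == lowered:  # not a switch, or a bare dash
            continue
        if name == "ec" or "encodedcommand".startswith(name):
            return True
    return False


def is_chm_encoded_powershell(ev: dict) -> bool:
    """True when hh.exe is the parent, PowerShell is the child, and the
    child's command line carries an encoded-command switch."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    return (parent.endswith("\\hh.exe")
            and image.endswith(POWERSHELL_IMAGES)
            and has_encoded_command_flag(ev.get("CommandLine", "")))


def find_chm_powershell_events(events):
    """Return (UtcTime, CommandLine) for every matching event."""
    return [(ev["UtcTime"], ev["CommandLine"])
            for ev in events if is_chm_encoded_powershell(ev)]


# Constructed sample events (not real telemetry); BASE64_PLACEHOLDER stands
# in for an encoded payload.
SAMPLE_EVENTS = r"""
{"UtcTime":"2023-03-27 09:14:02.117","ParentImage":"C:\\Windows\\hh.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"}
{"UtcTime":"2023-03-27 09:20:44.501","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"UtcTime":"2023-03-27 09:31:10.009","ParentImage":"C:\\Windows\\hh.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe readme.txt"}
{"UtcTime":"2023-03-27 10:02:37.880","ParentImage":"C:\\Windows\\hh.exe","Image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe","CommandLine":"pwsh.exe -e BASE64_PLACEHOLDER"}
"""


def parse_events(text: str):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for when, cmd in find_chm_powershell_events(parse_events(SAMPLE_EVENTS)):
        print(f"{when}  hh.exe -> encoded PowerShell: {cmd}")
```

The parent/child pairing is what makes this low-noise: PowerShell with an encoded command is common in legitimate administration, but hh.exe has no reason to launch it. Legitimate CHM usage from explorer.exe and PowerShell launched by other parents both pass through untouched.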

Newly-Discovered Exploit Can Be Used to Compromise Okta Accounts

Security researchers at Mitiga have identified an exploit that allows adversaries to compromise Okta accounts via audit logs. Each time a user’s authentication attempt fails, Okta logs the event in plaintext. It is not uncommon for users to enter their password into the “username” field by mistake. When this occurs, Okta still logs the event in plaintext as it does any other failed login attempt, meaning that any actor with permission to view the audit logs can potentially retrieve the password and gain access to the user’s account.

Impact: Audit logs stored by way of a SIEM tool or similar solution are accessible to anyone with read permissions. Additionally, some programs that interact with Okta can obtain permissions that enable them to read certain environmental data, potentially including audit logs.

Recommendation: Mitiga provides an SQL query that will help identify instances of failed login attempts that might reveal passwords. Any passwords that users have entered into the wrong field should be promptly changed. Additionally, organizations should utilize multi-factor authentication (MFA) wherever possible to reduce the likelihood of attackers gaining entry to their environment even in the event of a user’s password being compromised.
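The bulletin mentions Mitiga’s SQL query but does not reproduce it. As an added example (my own code, not Mitiga’s query or anything from the SRA bulletin), the following script scans Okta-style System Log events for failed logins whose username field looks like a typed-in password, so those accounts can be prioritised for a credential reset. It assumes the events carry eventType, outcome.result and actor.alternateId in the shape of the Okta System Log, and that a legitimate login name at the hypothetical tenant is an e-mail address; the sample events are constructed.

```python
"""
Added example (not Mitiga's query and not from the SRA bulletin): find
failed Okta logins where the "username" value looks like a password, and
report them with the value masked so the report does not become a second
copy of the secret.

Assumptions (mine): events are Okta System Log style JSON records with
eventType, outcome.result, actor.alternateId, client.ipAddress and
published; login names at this hypothetical tenant are e-mail addresses.
"""
import json
import re
import string

# Login names are e-mail addresses at this hypothetical tenant.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_password(value: str) -> bool:
    """Heuristic: a username that is not an e-mail address, is at least
    8 characters, and mixes three or more character classes is probably
    a password typed into the wrong field."""
    if EMAIL_RE.match(value):
        return False
    classes = sum((
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(c in string.punctuation or c.isspace() for c in value),
    ))
    return len(value) >= 8 and classes >= 3


def mask(value: str) -> str:
    """Keep the first two characters so an analyst can confirm the match
    with the user, hide the rest."""
    return value[:2] + "*" * (len(value) - 2)


def suspect_failed_logins(events):
    """Return (published, client IP, masked username) for failed login
    attempts whose actor.alternateId looks like a password."""
    findings = []
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        uname = ev.get("actor", {}).get("alternateId", "")
        if looks_like_password(uname):
            findings.append((ev["published"], ev["client"]["ipAddress"], mask(uname)))
    return findings


# Constructed sample events (not real log data).
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2023-03-27T14:02:11Z","outcome":{"result":"FAILURE","reason":"VERIFICATION_ERROR"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2023-03-27T14:02:45Z","outcome":{"result":"FAILURE","reason":"VERIFICATION_ERROR"},"actor":{"alternateId":"Sp1ingTime!2023"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2023-03-27T14:03:02Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2023-03-27T15:10:09Z","outcome":{"result":"FAILURE","reason":"VERIFICATION_ERROR"},"actor":{"alternateId":"asmith"},"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_log(text: str):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for ts, ip, masked in suspect_failed_logins(parse_log(SAMPLE_LOG)):
        print(f"{ts} {ip} username field looked like a password: {masked}")
```

The failure followed within seconds by a successful login from the same IP for a real account is the typical signature of this mistake, and that neighbouring success identifies which user’s password needs to be rotated. Masking the value in the report matters: the whole problem is that the plaintext already sits in a log, so the triage output should not widen its audience.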

🚩 SharePoint as a Phishing Tool

Individuals across Europe and the U.S. are being targeted in a recent phishing campaign that relies on legitimate Microsoft servers by leveraging a native notification mechanism of Microsoft SharePoint. Cybercriminals are distributing OneNote files by leveraging the legitimate share feature to produce a genuine notification from SharePoint. The OneNote file is benign but contains a malicious link to an impersonated OneDrive login page to harvest credentials.

Impact: These methods are less likely to raise suspicion as they are legitimate features of Microsoft that are, by nature, not malicious. The OneNote file may also go undetected as it doesn’t contain malware but a hyperlink to malicious hosting instead.

Recommendation: Users should be cautious and vigilant when receiving emails that appear to be from SharePoint. Avoid opening files that an unknown sender shares.

North Korean Hackers Using Chrome Extensions to Steal Gmail Emails

The campaign, attributed to the North Korean group Kimsuky, begins with a spearphishing email urging the victim to install a malicious Chrome extension. Once the victim visits Gmail through the infected browser, the extension automatically steals the victim’s email content. The extension abuses the developer tools API on the browser to send the stolen data to a relay server. The group’s companion Android malware, tracked as “FastViewer”, “Fastfire”, or “Fastspy DEX”, has been masquerading as a security plugin or document viewer since October 2022.

Impact: Kimsuky leverages the Google Play developer console to add the victim’s device for “app testing”, then abuses the web-to-phone synchronization feature of Google Play, which lets users install apps on their linked devices. This attack could allow unauthorized access into a target’s email account, which may include access to high-profile users and sensitive data.

Recommendation: Due to the initial spearphishing attack vector, users should practice due diligence when checking emails and avoid downloading unknown plugins.

Android Banking Trojan “Nexus” Emerges as Malware-as-a-Service (MaaS) in the Wild

Security researchers have identified a new Android banking trojan called “Nexus” that is being offered for rent on dark web forums as MaaS. The trojan is disguised as a legitimate application and steals user login credentials for banking and financial apps. It can also intercept SMS messages and forward them to the attackers’ servers to defeat multi-factor authentication. Nexus uses a unique encryption algorithm to evade detection by antivirus software, making it difficult to detect and remove. There has been some indication that the Nexus malware may also turn infected devices into bots on a botnet, which can be used for further attacks.

Impact: This Android trojan is a serious threat to users who may also use their phone for business purposes, as it is disguised as a legitimate application to steal users’ login credentials for banking and financial apps, as well as to intercept SMS messages.

Recommendation: Android users should verify the legitimacy of third-party applications, ensure their systems are up to date, and enable multi-factor authentication.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.