Threat Watch Feed
Researchers have discovered an unpatched flaw in the Microsoft Windows Platform Binary Table (WPBT), affecting all Windows-based devices since Windows 8, that could potentially be exploited to install a rootkit and compromise devices. The flaw exists because the WPBT mechanism accepts a signed binary whose certificate has expired, bypassing the integrity check; an attacker could therefore sign a malicious binary with an available expired certificate and run arbitrary code with kernel privileges when the device boots. Attackers can exploit this weakness in the tables through direct physical access, remote access, or the supply chain.
Impact: Every Windows system since Windows 8 is vulnerable to an easily crafted attack that exploits this WPBT flaw.
Recommendation: Microsoft recommends deploying a Windows Defender Application Control (WDAC) policy to control what binaries can be permitted to run on devices.
Over 700 million LinkedIn users may have been involved in the recently published data scrape of LinkedIn. While no public breach of LinkedIn has been disclosed, the threat actors claim the data was obtained through data scraping techniques. The 187GB collection was first sighted for sale in June on underground forums.
Impact: Profile names, LinkedIn IDs, profile URLs, location information (city, town, country), and email addresses were collected. While the vast majority of the information is publicly accessible, some email addresses have been exposed, which are not typically viewable from the LinkedIn profile.
Recommendation: Ensure best security practices towards phishing and social engineering campaigns.
Researchers have discovered a new advanced persistent threat (APT) group, codenamed FamousSparrow, targeting hotels as well as governments, international organizations, engineering companies, and law firms around the world. Most of the attacks observed use vulnerabilities in web applications, including Microsoft Exchange and Microsoft SharePoint, as entry points into its victims’ networks. Researchers noted that this group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability on March 3, 2021.
Impact: Attacking hotel systems gives cyber-espionage groups insight into movements of persons of interest. Attacks have been observed in Europe, the Middle East, the Americas, Asia, and Africa.
Recommendation: There are no current recommendations or released IOCs yet for this threat.
Security researcher Amit Serper has discovered a flaw in the Autodiscover feature of the Microsoft Exchange email server that can be exploited to harvest Windows domain and application credentials from users all over the world. The Autodiscover feature, intended to let email clients automatically discover email servers, supply credentials, and then receive the proper configuration, uses a “back-off” procedure when querying a predetermined set of URLs. Serper registered a series of Autodiscover-based domains that were still available and set up honeypots to determine the scale of the flaw. In the process, the researcher captured 372,072 Windows domain credentials and 96,671 unique credentials.
Impact: Amit Serper discovered credentials for companies in multiple verticals, including food manufacturers, investment banks, power plants, power delivery, real estate, shipping and logistics, and more.
Recommendation: Microsoft is currently investigating this bug and “will take appropriate steps to protect customers.”
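A defender's first question about the Autodiscover issue is whether clients on the network are already sending Autodiscover requests to hosts outside the organization's own mail domains. The following added example (not code from the bulletin or from the researcher) scans constructed web-proxy log lines for requests to the Autodiscover path and flags any whose host is not under an allowlisted organization domain; the log format, the `example.com` organization domain, and the off-organization hosts are all assumptions made for the example.

```python
"""Flag Autodiscover requests that leave the organization's own mail domains."""
from urllib.parse import urlparse

# Assumed organization mail domains (placeholder values for this example).
ORG_DOMAINS = ("example.com",)

# Constructed sample proxy log: "timestamp client-ip url http-status".
SAMPLE_PROXY_LOG = """\
2021-09-22T08:01:11 10.0.0.12 https://autodiscover.example.com/autodiscover/autodiscover.xml 401
2021-09-22T08:01:12 10.0.0.12 https://example.com/autodiscover/autodiscover.xml 404
2021-09-22T08:01:13 10.0.0.12 http://autodiscover.example.org/autodiscover/autodiscover.xml 200
2021-09-22T08:02:40 10.0.0.13 https://www.example.com/index.html 200
2021-09-22T08:03:05 10.0.0.14 https://autodiscover.example.net/Autodiscover/Autodiscover.xml 200
"""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def host_in_org(host, org_domains=ORG_DOMAINS):
    """True when host equals or is a subdomain of one of the organization's domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def find_leaky_autodiscover(lines, org_domains=ORG_DOMAINS):
    """Return Autodiscover requests whose destination host is outside org_domains.

    Each hit records when, from which client, to which host and scheme the
    request went; plaintext http hits are the most serious because the client
    may send credentials over an unencrypted connection.
    """
    leaks = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, url, status = line.split()
        parsed = urlparse(url)
        # Path comparison is case-insensitive: clients vary the capitalisation.
        if not parsed.path.lower().endswith(AUTODISCOVER_PATH):
            continue
        host = parsed.hostname or ""
        if host_in_org(host, org_domains):
            continue
        leaks.append({
            "time": ts,
            "src": src,
            "host": host,
            "scheme": parsed.scheme,
            "status": status,
        })
    return leaks


if __name__ == "__main__":
    for hit in find_leaky_autodiscover(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{hit['time']} {hit['src']} -> {hit['scheme']}://{hit['host']} ({hit['status']})")
```

In production the allowlist also needs the cloud mailbox provider's own Autodiscover endpoints, otherwise every hosted-mailbox client shows up as a hit; a `200` from an off-organization host over plain `http` is the case to investigate first.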
Microsoft researchers released information regarding their discovery of a massive Phishing-as-a-Service operation that provides phishing services using a hosting-like infrastructure to cybercrime actors. The service, known as BulletProofLink, BulletProftLink, or Anthrax, is currently advertised on underground cybercrime forums and has built-in hosting and email-sending services. Researchers have also observed the phishing service taking a copy of the stolen credentials from the customer’s campaigns. Microsoft described the whole operation as quite advanced.
Impact: Microsoft stated that, “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today.”
Recommendation: IOCs have been dispersed to the TIGR Threat Feed.
Cisco Talos recently discovered a new backdoor used by the Russian Turla APT group that can download, upload, or execute files while evading detection. Researchers stated that the new backdoor is likely used as a second-chance backdoor to maintain access to the system but could also serve as a second-stage dropper. Cisco Talos noted infections were observed in the U.S., Germany, and most recently Afghanistan.
Impact: Cisco Talos found evidence that this threat has been used by adversaries since at least 2020. Despite the anomalous behaviour of contacting the C2 every 5 seconds, this backdoor has gone practically unnoticed for two years.
Recommendation: IOCs have been dispersed to the TIGR Threat Feed. The Cisco Talos blog also states a variety of coverage options that can protect against this threat.
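The 5-second check-in noted above is exactly the kind of pattern a timing analysis of connection logs can surface even when no IOC is known yet. The following added example (not code from Cisco Talos or from the bulletin) groups constructed firewall-style log lines by source and destination, computes the inter-arrival times for each pair, and flags pairs whose interval is both regular and repeated; the log format, the sample hosts, and the thresholds are assumptions chosen for the example.

```python
"""Detect fixed-interval beaconing in connection logs by inter-arrival jitter."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp src-ip dst-ip:port".
# 10.0.0.5 checks in with 203.0.113.10:443 every 5 seconds; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2021-09-20T10:00:00 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:02 10.0.0.7 198.51.100.20:443
2021-09-20T10:00:05 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:10 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:13 10.0.0.7 198.51.100.21:80
2021-09-20T10:00:15 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:20 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:25 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:30 10.0.0.5 203.0.113.10:443
2021-09-20T10:00:47 10.0.0.7 198.51.100.20:443
2021-09-20T10:01:30 10.0.0.7 198.51.100.22:443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def detect_beacons(lines, min_events=5, max_cv=0.1):
    """Return (src, dst) pairs whose connection interval is suspiciously regular.

    A pair is flagged when it has at least min_events connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv. Real beacons often add random jitter, so max_cv is the knob
    to loosen when hunting; min_events keeps one-off retries out of the output.
    """
    by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(stamps),
                "interval": round(avg, 2),
                "jitter": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections "
              f"every ~{hit['interval']}s (jitter {hit['jitter']})")
```

Legitimate software beacons too (time sync, health checks, update agents), so the output is a hunting lead rather than an alert on its own: allowlist known destinations, and treat a regular interval to a host nobody can account for as the thing worth pivoting on.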
Sign up here!
To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- RSS Reader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed