Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
The Red Canary blog published its monthly threat intelligence report covering the most prevalent adversaries and malware observed in November 2022. The report details the toolkits, malware, and droppers that were most common and compares them with the previous month's findings.
Impact: The Qbot banking trojan, also known as QakBot, continues to be one of the most prevalent threats.
Recommendation: No immediate action is required.
Cybercriminals known as initial access brokers are advertising credentials stolen by exploiting a recent Fortinet vulnerability. Researchers first observed the adversaries selling this access on several Russian-language dark web forums.
Impact: Affected users include “Fortinet customers that have not yet patched a critical authentication bypass vulnerability.”
Recommendation: Fortinet customers should apply the vendor's fix for the authentication bypass and ensure all systems and software are up to date with the latest security patches. Because credentials taken from an exploited device may already be in circulation, patching alone is not sufficient; administrator and VPN credentials on affected appliances should also be rotated.
Security researchers have seen increased activity from a previously unidentified ransomware family, now known as Trigona. The threat actors behind Trigona launched a Tor site with a chat feature that lets victims negotiate ransom payments. The ransomware encrypts files, skipping those required to keep Windows running, and appends a “._locked” extension to each encrypted file.
Impact: Because Trigona is new, the developers' skill level and current attack vectors are unknown.
Recommendation: As it is unclear how the adversaries gain initial access and ultimately deploy the ransomware, organizations should apply general security practices such as those outlined here: https://www.cisa.gov/stopransomware/ransomware-guide
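One observable the bulletin does give is the “._locked” extension appended to encrypted files. The following is an added example, not code from SRA or from any Trigona analysis, that flags hosts showing a burst of renames to that extension in a file-activity log; the event shape (timestamp, host, old path, new path), the host names and the sample rows are all constructed for illustration, and the window and threshold are assumptions to tune per environment.

```python
"""Flag hosts with a burst of renames to the '._locked' extension.

Added example, not part of the SRA bulletin. Input rows are constructed
file-rename events in the shape an EDR or file-audit export might give:
(ISO timestamp, host, old path, new path). Field layout, host names and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKED_SUFFIX = "._locked"  # extension the bulletin attributes to Trigona

# Constructed sample events (not real telemetry). FS01 shows a rapid run of
# renames; WS17 shows one stray rename plus a benign one.
SAMPLE_EVENTS = [
    ("2022-11-28T02:14:01", "FS01", r"C:\Shares\Finance\q3.xlsx", r"C:\Shares\Finance\q3.xlsx._locked"),
    ("2022-11-28T02:14:02", "FS01", r"C:\Shares\Finance\q4.xlsx", r"C:\Shares\Finance\q4.xlsx._locked"),
    ("2022-11-28T02:14:03", "FS01", r"C:\Shares\HR\roster.docx", r"C:\Shares\HR\roster.docx._locked"),
    ("2022-11-28T02:14:04", "FS01", r"C:\Shares\HR\policy.pdf", r"C:\Shares\HR\policy.pdf._locked"),
    ("2022-11-28T02:14:05", "FS01", r"C:\Shares\IT\backup.zip", r"C:\Shares\IT\backup.zip._locked"),
    ("2022-11-28T02:14:06", "FS01", r"C:\Shares\IT\readme.txt", r"C:\Shares\IT\readme.txt._locked"),
    ("2022-11-28T02:20:00", "WS17", r"C:\Users\bob\notes.txt", r"C:\Users\bob\notes.txt._locked"),
    ("2022-11-28T02:20:09", "WS17", r"C:\Users\bob\draft.txt", r"C:\Users\bob\draft.bak"),
]


def parse_event(row):
    """Turn a raw tuple into a dict with a parsed timestamp."""
    ts, host, old, new = row
    return {"ts": datetime.fromisoformat(ts), "host": host, "old": old, "new": new}


def is_locked_rename(ev):
    """True when a file that was not already '._locked' gains that suffix."""
    return ev["new"].endswith(LOCKED_SUFFIX) and not ev["old"].endswith(LOCKED_SUFFIX)


def find_burst_hosts(events, window=timedelta(minutes=1), threshold=5):
    """Return {host: max renames seen in any sliding window} for hosts at or
    above the threshold. A single rename is noise; a run of them is the
    signature of an encryptor walking a directory tree."""
    by_host = defaultdict(list)
    for ev in map(parse_event, events):
        if is_locked_rename(ev):
            by_host[ev["host"]].append(ev["ts"])

    hits = {}
    for host, times in by_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it fits
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[host] = best
    return hits


if __name__ == "__main__":
    for host, count in find_burst_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} '{LOCKED_SUFFIX}' renames within one minute")
```

The sliding window matters more than the extension string itself: the extension will change with the next ransomware family, but a single host renaming dozens of files per minute into a new suffix is a pattern worth alerting on regardless of which suffix it is.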
Security researchers disclosed three vulnerabilities affecting operational technology (OT) products from two German companies: automation software vendor CODESYS and industrial automation manufacturer Festo. The vulnerabilities are expected to affect hundreds of industrial devices through the supply chain. The most severe could allow an adversary to cause a denial of service (DoS) by way of remote code execution (RCE).
Impact: Many proprietary OT protocols are managed improperly or have weak security configurations.
Recommendation: In addition to performing all needed updates and patches, researchers suggest that organizations, “create an inventory of vulnerable devices and enforce segmentation controls, isolating tools that cannot be patched immediately.”
CISA Adds Two Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog Affecting Google Chrome and Oracle
The U.S. Cybersecurity and Infrastructure Security Agency added two critical vulnerabilities affecting Google Chrome and Oracle products to its Known Exploited Vulnerabilities Catalog. CVE-2021-35587, with a critical CVSS score of 9.8, could allow an unauthenticated adversary with network access to compromise Oracle Access Manager. A threat actor has also leveraged CVE-2022-4135, with a critical score of 9.6, to perform a sandbox escape via a crafted HTML page.
Impact: Affected products include Oracle Access Manager (part of Oracle Fusion Middleware) versions 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0, and Google Chrome releases prior to the fixed build 107.0.5304.121.
Recommendation: Users and administrators should apply the vendor security updates that address both vulnerabilities. Regardless of the program, application, or software, routine patching remains a baseline security practice, and entries in the KEV Catalog carry a remediation due date that should be tracked.
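The practical step behind this recommendation is matching the KEV Catalog against what you actually run. Below is an added example, not code from SRA or CISA, that cross-references an asset inventory with KEV entries and reports days remaining until each remediation due date. The KEV excerpt is a constructed sample that mirrors the public catalog's JSON field names (cveID, vendorProject, product, dateAdded, dueDate); the inventory rows, the product alias table and the matching rule are assumptions for illustration.

```python
"""Cross-reference an asset inventory against CISA KEV entries.

Added example, not from the SRA bulletin or from CISA. KEV_SAMPLE is a
constructed excerpt that uses the public KEV JSON field names; the
inventory, alias table and matching rule are assumptions for illustration.
"""
import json
from datetime import date

KEV_SAMPLE = json.loads("""
{
  "vulnerabilities": [
    {"cveID": "CVE-2021-35587", "vendorProject": "Oracle", "product": "Fusion Middleware",
     "dateAdded": "2022-11-28", "dueDate": "2022-12-19"},
    {"cveID": "CVE-2022-4135", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2022-11-28", "dueDate": "2022-12-19"}
  ]
}
""")

# Constructed inventory rows (not a real environment).
INVENTORY = [
    {"asset": "sso-prod-01", "vendor": "Oracle", "product": "Oracle Fusion Middleware (Access Manager)"},
    {"asset": "wks-0042", "vendor": "Google", "product": "Chrome"},
    {"asset": "db-07", "vendor": "Oracle", "product": "Database 19c"},
]

# Assumed alias table: KEV often names the upstream project while inventories
# carry the vendor brand, so "Chromium" in KEV must match "Chrome" in the CMDB.
PRODUCT_ALIASES = {"chromium": ("chromium", "chrome")}


def normalize(s):
    """Lower-case and collapse whitespace so naming differences do not hide matches."""
    return " ".join(s.lower().split())


def product_matches(kev_product, inv_product):
    """Substring match on the KEV product name or any of its aliases."""
    names = PRODUCT_ALIASES.get(kev_product, (kev_product,))
    return any(name in inv_product for name in names)


def kev_matches(inventory, kev, today):
    """Return sorted (asset, cveID, days_remaining) tuples for inventory items
    whose vendor and product appear in a KEV entry. Negative days = overdue."""
    findings = []
    for entry in kev["vulnerabilities"]:
        vendor = normalize(entry["vendorProject"])
        product = normalize(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for item in inventory:
            if normalize(item["vendor"]) == vendor and product_matches(product, normalize(item["product"])):
                findings.append((item["asset"], entry["cveID"], (due - today).days))
    return sorted(findings)


if __name__ == "__main__":
    for asset, cve, days in kev_matches(INVENTORY, KEV_SAMPLE, date(2022, 12, 1)):
        state = f"{days} days left" if days >= 0 else f"OVERDUE by {-days} days"
        print(f"{asset}: {cve} ({state})")
```

Against the real catalog, fetch the JSON feed CISA publishes and feed it in place of KEV_SAMPLE; the fields used here are the same. The alias table is the part that needs maintenance, since naming mismatches between KEV and an inventory are the usual reason an exposed asset is missed.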
Guilford College disclosed a ransomware attack over the Thanksgiving holiday, bringing the year-to-date total of known ransomware attacks on colleges to 35. The Hive ransomware group claimed the attack on the North Carolina college. The gang published a sample of the stolen information and is threatening to release the rest if a ransom is not paid. Once notified of the attack, system administrators at Guilford isolated the infected systems and are still working with security experts to determine next steps.
Impact: The college is not yet aware of the amount or exact type of data Hive accessed.
Recommendation: Organizations should review CISA’s recent advisory notification regarding Hive: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
Subscribe to the RSS!
Copy this link into your RSS app to be notified as soon as new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- RSS Reader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed