Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Aetna Reports 326,000 Affected by Mailing Vendor Attack

Health insurer Aetna ACE experienced a health data breach affecting nearly 326,000 individuals. The breach comes after OneTouchPoint, a subcontractor that provides mailing services to one of the insurer’s vendors, was hit by a ransomware attack. Aetna stated the affected information may have included names, addresses, dates of birth, and medical information.

Impact: “Insurance companies typically hold large volumes of individually identifiable data that are valuable to [adversaries],” says the president of a privacy and security consulting firm. The information could lead to identity theft, a dangerous consequence of data leaks.

Recommendation: No immediate action is required. Anyone affected by the breach should have been contacted and informed of steps to avoid identity theft.

Several Crypto Platforms Targeted In Multimillion-Dollar Attacks

Less than a day after a major attack against the Nomad cryptocurrency platform, many more platforms were breached. Experts estimate the total theft at around $8 million, with most of the stolen funds coming from the Solana platform. Solana attributes the attack to “software used by several software wallets popular among users of the network,” denying accusations of a platform vulnerability. There was, however, a major platform vulnerability in Reaper Farms, one of the other breached platforms. “It was a very simple mistake with dire consequences – validation of the receiver account was not accurate, allowing anyone to withdraw anyone else’s funds,” the company explained in a post-mortem statement.

Impact: It seems that attacks on cryptocurrency platforms are ramping up. These attacks put increasing risk on the user’s money and the infrastructure of financial organizations.

Recommendation: Most of the attacks affect users with “hot” cryptocurrency wallets that are directly connected to the internet. An effective strategy may be to use a “cold” crypto wallet that keeps the wallet’s private keys offline on a USB device. It’s important to note that many users have lost access to millions worth of crypto simply because they lost their drive or forgot the password, so be aware of that risk. Organizations in the financial sector are advised to stay aware of the trends surrounding cryptocurrency attacks and defend accordingly.

35,000 Code Repository Clones Flood GitHub To Deliver Malware

Yesterday, August 3rd, a software developer uncovered a widespread malware campaign affecting GitHub. No projects on GitHub were directly compromised; instead, the threat actors cloned around 35,000 repositories and inserted malicious code. The main danger of the campaign comes from typosquatting: developers may believe they’re visiting the original repository but are instead met with malware. The malware is capable of exfiltrating environment variables, including API keys and AWS credentials, and of facilitating remote code execution.

Impact: Widespread attacks that rely on typosquatting and malicious clones are challenging to identify and avoid. They could lead to stolen credentials and remote code execution. GitHub has taken down all of the known malicious cloned repositories, though that’s not to say the threat actors won’t come back with similar attacks in the future.

Recommendation: It is recommended to only use software from the official project repositories. Users need to be aware of potential typosquats that may appear identical to the original project but hide malware. One of the best ways to avoid typosquatted repositories is to look for commits signed with the GPG keys of the authentic project authors. These signatures verify that a given commit to the code came from the original author.
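The signature check recommended above can be scripted so that a freshly cloned repository is audited before anything in it is built or run. The script below is an added example written for this bulletin, not code from the original article or from GitHub; it relies on git’s `%G?` (signature status) and `%GF` (signing-key fingerprint) log placeholders, and the `TRUSTED_KEYS` fingerprint it ships with is a constructed placeholder that you would replace with the fingerprints published by the upstream maintainers. A good signature alone is not enough: a malicious clone can be signed with the attacker’s own key, so the audit also requires the key to be one you have pinned.

```shell
#!/usr/bin/env sh
# Added example: audit commit signatures in a clone before trusting it.
# Signature status codes produced by git's %G? placeholder:
#   G = good, trusted key   U = good, untrusted key   B = bad signature
#   X/Y = expired           R = revoked               E = cannot check
#   N = unsigned
# TRUSTED_KEYS is a constructed placeholder; replace it with the key
# fingerprints the project publishes on its official site.
TRUSTED_KEYS="${TRUSTED_KEYS:-ABCDEF0123456789ABCDEF0123456789ABCDEF01}"

# audit_signatures: reads lines of "<commit> <status> <fingerprint>" on stdin,
# i.e. the output of: git log --format='%H %G? %GF' <range>
# Prints one verdict per commit and returns 0 only when every commit carries
# a good signature from a key listed in TRUSTED_KEYS.
audit_signatures() {
    bad=0
    while read -r commit status fpr; do
        [ -z "$commit" ] && continue
        case "$status" in
            G|U)
                # Good signature, but accept only keys we pinned ourselves:
                # a typosquatted clone may be signed with the attacker's key.
                if printf '%s\n' $TRUSTED_KEYS | grep -qxi -- "$fpr"; then
                    echo "OK        $commit signed by trusted key $fpr"
                else
                    echo "UNTRUSTED $commit signed by unknown key ${fpr:-?}"
                    bad=1
                fi
                ;;
            N)
                echo "UNSIGNED  $commit"
                bad=1
                ;;
            *)
                echo "BAD($status) $commit key ${fpr:-?}"
                bad=1
                ;;
        esac
    done
    return $bad
}

# audit_repo <path> [<revision range>]: run the audit against a real checkout.
audit_repo() {
    git -C "$1" log --format='%H %G? %GF' "${2:-HEAD}" | audit_signatures
}
```

Usage: `TRUSTED_KEYS="<maintainer fingerprint>" audit_repo ./some-clone origin/main` exits non-zero if any commit is unsigned, badly signed, or signed by a key that is not pinned, which is the condition a typosquatted clone fails even when its author took the trouble to sign their commits. Importing the maintainers’ public keys into your keyring beforehand (otherwise status `E` is reported) is still required for git to evaluate the signatures.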

🚩 Chinese Threat Actors Use New Cobalt Strike-Like Attack Framework

Researchers discovered a new post-exploitation attack framework that’s being leveraged in the wild. Named Manjusaka, the framework can both rival and work alongside the widely abused Cobalt Strike. The framework touts its flexibility with Rust-based RATs and Go-written binaries. “This new attack framework contains all the features that one would expect from an implant, however, it is written in the most modern and portable programming languages,” reads the Talos report. The modern design of Manjusaka may give it the “leg up” on the dated Cobalt Strike, leading to more threat actors picking up the framework.

Impact: The Cisco Talos team explains that “the developer of the framework can easily integrate new target platforms like MacOSX or more exotic flavors of Linux as the ones running on embedded devices. The fact that the developer made a fully functional version of the C2 available increases the chances of wider adoption of this framework by malicious actors.”

Recommendation: Manjusaka is still in development, but organizations are encouraged to monitor for any relevant IOCs in their networks, especially if the framework gains popularity in the future.

VirusTotal Reveals Most Impersonated Software in Malware Attacks

VirusTotal published a report that takes a deep dive into threat actors mimicking legitimate applications. Threat actors use three strategies to make their malware look like a legitimate program. The first, and perhaps most convincing, is using the icon of a trusted application; this is a critical step in convincing the victim of the application’s “legitimacy”. The second involves signing the malware with valid certificates stolen from other software makers, which helps the malware evade some detections that attempt to verify software before running it. The final strategy entails packaging the malware in installers for popular applications like Google Chrome, Zoom, and Mozilla Firefox.

Impact: Threat actors are known to mimic legitimate software applications to trick users into installing malware on their device.

Recommendation: It is recommended to only download and install software from the vendor’s official website. To do this, you can type the URL instead of clicking links.

VMware Urges Admins To Patch Critical Auth Bypass Bug Immediately

VMware is warning organizations to patch a critical authentication bypass security flaw affecting local domain users in multiple products. The critical vulnerability, which scored 9.8 on the CVSS scale, allows threat actors to gain unauthorized admin privileges. VMware stressed the importance of these patches, saying that “If your organization uses ITIL methodologies for change management, this would be considered an ’emergency’ change.” The same advisory also details some less-severe vulnerabilities that involve remote code execution.

Impact: Threat actors are known to exploit unpatched vulnerabilities. If adversaries take advantage of these flaws, they could take over organizations’ networks and steal or encrypt important data.

Recommendation: “It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” says the Cloud Infrastructure Security & Compliance Architect at VMware. The necessary patches can be found here: https://www.vmware.com/security/advisories/VMSA-2022-0021.html. Workarounds are also available for organizations that may not be able to patch right away.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.


Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.