Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 APT41 Continues to Target Healthcare and Pharmaceutical Industries

APT41, a Chinese-sponsored adversary, is continuing to attack the healthcare and pharmaceutical industries. Recent activity suggests its attack vectors include spearphishing, watering holes, supply-chain compromise, and backdoors. The group is also known to exploit vulnerabilities in Log4j (CVE-2021-44207), Citrix (CVE-2019-19781), and Zoho (CVE-2020-10189) to target unpatched systems. The adversary's targeting aligns with the priorities of China's 14th Five-Year Plan.

Impact: This adversary's toolkit includes, but is not limited to, Black Coffee, China Chopper, Cobalt Strike, Gh0stRAT, Mimikatz, PlugX, and ShadowPad; its objective is to gain insight into United States operations.

Recommendation: Healthcare and pharmaceutical organizations are encouraged to prioritize the above-listed vulnerabilities in their patch management plans.

🚩 Fancy Bear Hyperlinks PowerShell Script in a PowerPoint Lure File

Cluster25 threat intelligence researchers discovered a lure file created by Fancy Bear, a Russian threat group, posing as a legitimate resource from the Organisation for Economic Co-operation and Development (OECD). When a user opens the downloaded file in Presentation Mode, hovering over a hyperlink triggers a PowerShell script that downloads a malware dropper from OneDrive. The dropper retrieves a further payload, eventually leading to a Graphite malware infection.

Impact: This attack only affects users who have downloaded and opened the lure file, but organizations should be aware of this new remote code execution threat.

Recommendation: The IOCs will be swept across our clients' environments. Users should exercise heightened caution when downloading files from sources outside their organization and should verify the legitimacy of the source. Employee training and phishing simulation testing are encouraged.

Ukraine Warns of Russia’s Planned Cyberattacks on Ukrainian Allies

The Ukrainian government released a statement indicating concern that Russia is planning to escalate its cyberattacks, putting Ukraine and its allies at risk. Attackers are expected to target the energy industry and other critical infrastructure, drawing on intelligence from previous cyberattacks on Ukrainian energy systems in 2015 and 2016. Ukraine's Defense Intelligence agency also warns that allies should expect an increased volume of Russian DDoS attacks.

Impact: Russia continues to threaten acts of cyberwar against Ukraine and its allies.

Recommendation: Critical infrastructure organizations in Ukraine and allied countries should be on heightened alert. Ensure that contingency plans and data backups are in place.

NullMixer Drops Redline Stealer, SmokeLoader, and Other Malware

Kaspersky researchers spotted a new campaign leveraging malware called NullMixer. The campaign uses search engine optimization (SEO) so that its malicious sites rank highly in search results; the sites typically claim to offer cracked software. When a user executes the fake installer, NullMixer drops additional malicious files onto the host, including SmokeLoader, LgoogLoader, Disbuk, RedLine, Fabookie, and ColdStealer.

Impact: Adversaries often use cracked software as a lure. SEO lets the malicious sites appear legitimate by ranking highly in search results, drawing in victims. NullMixer is flexible, with capabilities that allow a variety of malware variants to be deployed for different attack styles.

Recommendation: Users should only download software from legitimate, verified publishers. Organizations are advised to enforce software installation restrictions so that users cannot install unapproved software.

Senators Introduce Bill Centered on CISA Open Source Security Efforts

Following the recent Log4j vulnerabilities, senators have introduced the Securing Open Source Software Act. The bill requires the Cybersecurity & Infrastructure Security Agency (CISA) to create a framework to mitigate and address the risks of open source software. "This [vulnerability] presented a serious threat to federal systems and critical infrastructure companies," Senator Peters said. This bill will be the first to codify open source software as public infrastructure.

Impact: Log4j exploits continue to impact many industries globally. This bill will strengthen security protocols related to the use of open source software at the federal level.

Recommendation: No immediate action is required.

Microsoft SQL Servers Targeted in TargetCompany Ransomware Attacks

Microsoft SQL servers are being targeted by threat actors deploying TargetCompany's FARGO ransomware strain. The attack is carried out through cmd.exe and powershell.exe, which the adversaries use to download and run a .NET script that fetches additional malware and halts database processes. The attackers then encrypt the database contents in a directory, appending the .Fargo3 extension to the affected files; the ransom note is revealed when one of them is opened. The adversaries use double-extortion tactics, threatening to leak stolen data on their Telegram channel.

Impact: Microsoft SQL servers are being targeted by threat actors who are “aiming for a quick and easy profit by blackmailing database owners.”

Recommendation: Microsoft SQL Server administrators should keep machines up to date with the latest security updates. Organizations should also refine their business continuity plans and review best practices: https://niccs.cisa.gov/education-training/catalog/mis-training-institute-inc/business-continuity-planning-disaster
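As an added example (not part of the original bulletin), a small Python detection routine that flags the two process-tree patterns described in the Fancy Bear and FARGO items above (PowerPoint or SQL Server spawning cmd.exe/powershell.exe) together with writes of files carrying the .Fargo3 extension, run over constructed Sysmon-style events. All host names, paths and command lines are made-up sample data.

```python
# Constructed Sysmon-style events (id 1 = process creation, id 11 = file create),
# modelled on the PowerPoint lure and FARGO items above; hosts, paths and
# command lines are made-up sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <placeholder>"},
    {"id": 1, "host": "sql01",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c <placeholder>"},
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"id": 11, "host": "sql01", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"D:\Data\customers.mdf.Fargo3"},
    {"id": 11, "host": "ws02", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\report.docx"},
]

# Parents that have no business spawning a shell, with the item each relates to.
SUSPICIOUS_PARENTS = {
    "powerpnt.exe": "Office application spawning a shell (PowerPoint lure)",
    "sqlservr.exe": "SQL Server spawning a shell (TargetCompany/FARGO)",
}
SHELLS = {"cmd.exe", "powershell.exe"}
RANSOM_EXTENSIONS = {".fargo3"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) tuples for events matching either pattern."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent, child = basename(ev["parent"]), basename(ev["image"])
            if child in SHELLS and parent in SUSPICIOUS_PARENTS:
                alerts.append((ev["host"], SUSPICIOUS_PARENTS[parent], ev["cmdline"]))
        elif ev["id"] == 11:
            ext = "." + ev["target"].rsplit(".", 1)[-1].lower()
            if ext in RANSOM_EXTENSIONS:
                alerts.append((ev["host"], "file written with FARGO extension", ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```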

Sign up here!

To receive the Threat Bulletin and critical vulnerability notifications, complete the form below.


Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts in your social media feed.

Subscribe to the RSS!

Copy the feed link below into your RSS app to be notified as soon as new intel is posted.

How to use RSS

Following the RSS feed is easy: feeds can be added in the Outlook desktop app, and many free RSS readers are available for mobile devices.


Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed
