Threat Intelligence Reposts
20 Sept 2023
Cyber Battlegrounds: FCRF Unveils India’s Top 10 Cybercrime Hotspots & Vulnerable Districts
India is facing a severe and growing threat of cybercrime, with a staggering 80 percent of reported incidents emanating from just ten vulnerable districts, as outlined in a recent white paper titled ‘A Deep Dive into Cybercrime Trends Impacting India‘ by the Future Crime Research Foundation (FCRF), a non-profit startup incubated at IIT Kanpur. The study underscores the urgent need for enhanced cybersecurity measures and increased awareness among both individuals and organizations.
20 Sept 2023
Joint Cybersecurity Advisory (CISA + FBI) - Snatch Ransomware
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants' operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration, often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims' data will be posted on Snatch's extortion blog if the ransom goes unpaid.
18 Sept 2023
BlackCat ransomware hits Azure Storage with Sphynx encryptor
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.
While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.
18 Sept 2023
Cryptojackers spread their nets to capture more than just EC2
As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.
Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID," which does not directly target EC2 instances that would trigger an approval for more resources.
12 Sept 2023
Malware distributor Storm-0324 facilitates ransomware access
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.
8 Sept 2023
Storm-0558 Update: Takeaways from Microsoft's recent report
On September 6th, 2023, Microsoft published a follow-up to their initial investigative report from July 11th about Storm-0558 — a threat actor attributed to China who managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts. Microsoft’s latest report about how the signing key may have been compromised by the threat actor
7 Sept 2023
CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The CSA—originally released to warn network defenders of critical infrastructure organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix)
7 Sept 2023
CISA Releases Four Industrial Control Systems Advisories
CISA released four Industrial Control Systems (ICS) advisories on September 7, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT
ICSA-23-250-03 Socomec MOD3GP-SY-120K
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
7 Sept 2023
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network.
6 Sept 2023
Cybercriminals target MS SQL servers to deliver ransomware
Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total.
MS SQL servers are an attractive target for cybercriminals because they are widely used and they often store valuable data.
Attackers also find them useful because they can make them part of a cryptomining botnet or use them as a proxy server.
6 Sept 2023
Google Chrome pushes ahead with targeted ads based on your browser history
Google next year aims to drop support for third-party cookies, which store browser data that ad companies use for tracking and analytics – to the frequent detriment of user privacy. The US mega-corp has developed a variety of replacement technologies, such as the Topics API that will allow ad targeting to continue without cookie-based tracking and – it's claimed – no privacy consequences.
2 Sept 2023
Chrome extensions can steal plaintext passwords from websites
A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.
An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.
Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.
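The second finding is something a site owner can check for directly. The following is an added audit helper, not code from the researchers or from the page: it scans served HTML source for password inputs whose value is already present in the markup, which is exactly the condition that lets any extension with DOM access read the secret. The sample markup is constructed for the example; a content script would get the same data from `document.querySelectorAll('input[type="password"]')` on the live DOM.

```javascript
// Added example (not from the page or the study): flag password fields
// whose plaintext value is embedded in the HTML source.
// SAMPLE_HTML is constructed test input, not a real site's markup.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" value="alice">
  <input type="password" name="pass" value="hunter2">
  <input type="password" name="confirm">
  <input name="legacy" value="s3cret" type="password">
</form>
`;

// Read one attribute from a single <input ...> tag string.
// Handles double-quoted, single-quoted and unquoted attribute values.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[2] ?? m[3] ?? m[4];
}

// Return every password input that ships with a non-empty value attribute.
// Regex tag matching is a heuristic for static source review; it does not
// replace a DOM walk, but it needs no browser and runs over raw responses.
function findPlaintextPasswordFields(html) {
  const findings = [];
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const tag = m[0];
    const type = (attr(tag, 'type') || 'text').toLowerCase();
    if (type !== 'password') continue;
    const value = attr(tag, 'value');
    if (value !== null && value !== '') {
      findings.push({ name: attr(tag, 'name'), value });
    }
  }
  return findings;
}

// Stand-alone run: lists the offending fields in the sample.
console.log(findPlaintextPasswordFields(SAMPLE_HTML));
```

Any hit means the secret is readable by every extension that can inject a content script into that origin, regardless of how narrowly the extension's declared permissions read; the fix is server-side (never pre-fill the field), since the extension permission model offers no finer control over individual inputs.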
31 Aug 2023
U.S. and International Partners Release Report on Russian Cyber Actors Using “Infamous Chisel” Malware
“For years, the U.S. Government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “Today’s joint report reflects the value of deep collaboration across our international cyber defense partners, the need for all organizations to keep their Shields Up to detect and mitigate Russian cyber activity, and the importance of continued focus on maintaining operational resilience under all conditions.”
18 Jul 2022
Russia-linked APT29 uses Google Drive and Dropbox to Evade Detection & Response
The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.