Threat Intelligence Reposts

India is facing a severe and growing threat of cybercrime, with a staggering 80 percent of reported incidents emanating from just ten vulnerable districts, as outlined in a recent white paper titled ‘A Deep Dive into Cybercrime Trends Impacting India‘ by the Future Crime Research Foundation (FCRF), a non-profit startup incubated at IIT Kanpur. The study underscores the urgent need for enhanced cybersecurity measures and increased awareness among both individuals and organizations.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of
current trends in the cybercriminal space and leveraged successes of other ransomware variants’
operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including
the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch
threat actors conduct ransomware operations involving data exfiltration and double extortion. After
data exfiltration often involving direct communications with victims demanding ransom, Snatch threat
actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s
extortion blog if the ransom goes unpaid.

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.

While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials.

As cloud native computing continues to gain popularity, so does the risk posed by criminals seeking to exploit the unwary. One newly spotted method targets services on the AWS platform, but not necessarily the ones you might think.

Researchers from the Sysdig Threat Research Team (TRT) have uncovered a cryptojacking operation dubbed "AMBERSQUID," which does not directly target EC2 instances that would trigger an approval for more resources.

China and Russia are prepared to unleash a flurry of cyberattacks on U.S. critical infrastructure and defense networks should war break out, according to a Pentagon strategy unveiled this week.

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats.

Symantec warns that the Redfly APT appears to be focusing exclusively on targeting critical national infrastructure organizations.

Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC).

On September 6th, 2023, Microsoft published a follow-up to their initial investigative report from July 11th about Storm-0558 — a threat actor attributed to China who managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts. Microsoft’s latest report about how the signing key may have been compromised by the threat actor

The Cybersecurity and Infrastructure Security Agency (CISA) has released an update to a previously published Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. The CSA—originally released to warn network defenders of critical infrastructure organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix)

CISA released four Industrial Control Systems (ICS) advisories on September 7, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT
ICSA-23-250-03 Socomec MOD3GP-SY-120K
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

A nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network

The Chinese hackers had breached senior US officials’ emails.

Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total.

MS SQL servers are an attractive target for cybercriminals because they are widely used and they often store valuable data.

Attackers also find them useful because they can make them part of a cryptomining botnet or use them as a proxy server.

Google next year aims to drop support for third-party cookies, which store browser data that ad companies use for tracking and analytics – to the frequent detriment of user privacy. The US mega-corp has developed a variety of replacement technologies, such as the Topics API that will allow ad targeting to continue without cookie-based tracking and – it's claimed – no privacy consequences.

A team of researchers from the University of Wisconsin-Madison has uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code.

An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.

Additionally, the researchers found that numerous websites with millions of visitors, including some Google and Cloudflare portals, store passwords in plaintext within the HTML source code of their web pages, allowing extensions to retrieve them.

“For years, the U.S. Government has been calling out Russian actors who have engaged in a range of malicious cyber activity targeting U.S. and allied partners for cyber espionage and potential disruptive actions,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “Today’s joint report reflects the value of deep collaboration across our international cyber defense partners, the need for all organizations to keep their Shields Up to detect and mitigate Russian cyber activity, and the importance of continued focus on maintaining operational resilience under all conditions.”

The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.