Cyber Hub

This week, researchers discovered a phishing campaign spreading an information stealer malware. This campaign leverages the current political situation in the U.S. as a lure for users to download an attachment infected with QRat. Another phishing campaign uses the secure mailer email format to send phishing emails aimed at stealing Microsoft users’ credentials.

After returning just in time for the holidays, Emotet registered a massive phishing campaign this week, threatening various organizations around the world. The malware is now targeting prominent institutions and becoming more and more effective and successful, as it implements new tactics.

This past week, a new Golang worm was found being spread to drop the XMRig cryptominer. The malware targets both Windows and Linux systems and compromises publicly-exposed services. In addition, a new malware that is associated with the Iranian group MuddyWater is hosted on GitHub and uses a sophisticated steganography technique to compile a Cobalt Strike script from an image hosted on Imgur.

This week, Microsoft revealed an additional piece of the SolarWinds supply chain attack’s investigation, claiming the attackers leveraged their grasp within Microsoft’s internal network to access parts of the company’s source code. However, the source code seems to be publicly available for open source software development, and thus does not pose additional risks to Microsoft costumers. In addition, researchers this week observed a massive scan activity, aimed at detecting exposed SolarWinds Orion hosts that are vulnerable to CVE-2020-10148/

Cybersecurity giant FireEye has suffered a massive data breach that involved the leaking of its red team tools. FireEye identified that the intrusion into its network was achieved using SolarWinds’ Orion software. The threat actors trojanized this software’s updates to deliver a backdoor they named Sunburst. This finding led FireEye to uncover a widespread campaign that the company links to an APT it calls UNC2452. Other researchers link the campaign to the Russian nation-state group, APT29 (aka Cozy Bear), and Microsoft named the malware Solorigate. FireEye detected this campaign affecting organizations from various sectors located in North America, Europe, Asia and the Middle East. FireEye anticipates that additional victims will be identified from other locations, since SolarWinds’ Orion is widely used. Among the verified victims include the US Treasury Department, the US Department of Commerce National Telecommunications and Information Administration (NTIA), and additional government and private organizations in the US. The threat actors embedded the backdoor into a legitimate, digitally-signed SolarWinds library with the filename SolarWinds.Orion.Core.BusinessLayer.dll. The backdoor was distributed via automatic updates that were digitally-signed from March – May 2020. Once the updates are installed, the malicious DLL will be loaded by the legitimate executable file of SolarWinds. After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. These subdomains are generated using Domain Generation Algorithm (DGA). The DNS response will return a CNAME record that points to a C&C domain. The network traffic is designed to masquerade as the Orion Improvement Program (OIP) protocol. It retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. Additionally, Sunburst uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers.

The holiday season typically sees a rise in cybercriminal activity, which can be easily spotted by following the surge of global phishing campaigns. This past week, security researchers identified a new phishing campaign distributing new payloads of the infamous Emotet malware, which has been dormant since the end of October.   Another phishing campaign that takes advantage of the spirit of this season consists of emails pretending to be Amazon gift cards. The victims of this campaign are actually being infected with the Dridex Trojan. 

See recommendations below  Over the past year, ransomware attacks have become more abundant, sophisticated, and lucrative. Ransomware groups continued developing new techniques to evade detection and maximize the effect of their attacks when compromising networks.   Alongside the technologic development, ransomware groups have also invested a lot of effort into the psychological aspects of getting ransom payments from their victims. For example, they have started publicly leaking data stolen during attacks and even performed DDoS attacks assuming that the victims want to avoid embarrassment and preserve their reputation.   Another notable development seen in the ransomware landscape this past year were the collaborations between different ransomware groups and the increased employment of ransomware affiliate models. This past week, these collaborations surfaced again as the FIN7 APT was involved in a ransomware attack of Ryuk. Furthermore, the threat actors behind MountLocker ransomware published data on one of Ragnar Locker’s victims on their website, which indicates that these two groups have a strong business relationship.  

In the past week, Microsoft released a note updating users that, after a failed security fix, a high-severity Windows Zero-Day that could lead to a complete desktop takeover remains exposed.  Additionally, this week Kubernetes disclosed a new security issue that affects every version of Kubernetes. The vulnerability is a Man-in-the-Middle (MITM) vulnerability with the most significant impact on multitenant clusters.  

This past week, security researchers identified new global phishing campaigns that leverage the COVID-19 pandemic and related developments to steal credentials from unsuspecting victims. This information can then be leveraged for multiple malicious purposes, mainly to penetrate the target’s network for cyber-espionage activities or to be sold to threat actors in underground markets.  Researchers also warned the public about a massive spear-phishing campaign, targeting enterprises to steal corporate credentials. Similarly, another new phishing campaign aims to steal employee credentials by impersonating a Microsoft Teams notification. 

This past week, researchers shared a new analysis of the SocGholish framework, which uses IFrame injections to gain initial access for various malware payloads, including the Dridex banking trojan and the WastedLocker ransomware.   Researchers analyzed the new malware version of the Agent Tesla keylogger, which now has some new stealing and exfiltration capabilities. In addition, researchers published a report focusing on Pawn Storm’s latest campaigns, seemingly successful due to their relatively simplistic techniques.