Cyber Hub

Phishing is still the most successful infection vector for most cyber-attacks. As such, threat actors continue to develop techniques to make phishing more effective and create new tools to ensure that users fall victims to these lures. This week, researchers discovered a new phishing campaign aimed at stealing credentials that impersonates document-sharing services. Additionally, a new tool that helps cybercriminals inject email into the victim’s inbox has been detected. And finally, new phishing campaigns distributing new Emotet variants have been uncovered.

Over the past week, multiple vulnerabilities have been found in various popular products used by organizations across the world. Successful exploitation of these vulnerabilities, some of which already have POCs and are actively exploited by threat actors, can help attackers elevate privileges and execute malicious code in an attempt to compromise systems. The most noteworthy vulnerabilities covered in this report include vulnerabilities in Intel CPUs that allow attackers to extract data from vulnerable systems, vulnerabilities in Ubuntu that allow attackers to gain root privileges, and vulnerabilities leading to the revival of DNS cache poisoning attacks.

This past week, researchers identified a new Russian Infostealer named Jupyter, which has notable backdoor functionalities. Researchers additionally observed a new malware campaign that leverages fake Microsoft Teams updates to deploy Cobalt Strike and other malware families. In addition, the DarkSide ransomware gang has announced new plans to enlarge its capabilities, including a new distributed storage system, and recruitments of new affiliates with a promise to make a fortune. Researchers also detected the Ragnar Locker ransomware gang taking extortion techniques to a new level, extorting victims via large-scale Facebook advertisement campaigns. Furthermore, this week, the Australian Cyber Security Centre (ACSC) warned its Health sector of increased targeting activity of the SDBBot RAT - a known precursor of the Clop ransomware.

Over the past week multiple vulnerabilities have been found in various popular products used by organizations around the world. Successful exploitation of these vulnerabilities, some of which already have POCs and are actively exploited by threat actors, can help attackers elevate privileges and execute malicious code in an attempt to compromise systems. The most noteworthy vulnerabilities that are covered in this report affect Oracle WebLogic Servers, Cisco AnyConnect VPN, Adobe Acrobat and Reader, and Windows Kernel.

As cybercriminal groups continue to demonstrate the financial success that comes from the use of ransomware (for example, the Ryuk group claims to have received $34 million from one victim alone), new ransomware gangs emerge. This week, a few new advanced ransomware strains were identified attacking multiple enterprises, such as Pay2Key and RegretLocker. Additionally, some well-known ransomware gangs have boosted their existing capabilities, like the REvil ransomware gang, who purchased the KPOT trojan in order to enhance their information-stealing capabilities. These topics will be covered further throughout this section of the CTI Weekly Report. Another ransomware to acquire new abilities this week was RansomExx, which can now encrypt Linux systems as well as Windows-based devices. As for noteworthy ransomware victims of this week, two large enterprises were hit by the infamous Ragnar ransomware: the Japanese game developer Capcom, who allegedly had 1 TB of data stolen from their corporate networks, and Campari, the Italian liquor company, who had 2 TB of data stolen with a ransom of $15 million demanded by the ransomware operators. The Brazilian Superior Electoral Court was also hit by a ransomware attack that impacted their backups. This incident was described as the worst cybersecurity incident ever reported in Brazil.

This past week, researchers detected another development in the ongoing Emotet campaign, which was observed utilizing parked domains to spread its payloads. Additional phishing campaigns that were uncovered this past week include a sophisticated phishing campaign attributed to the Chinese state-sponsored group known as APT 31, and a phishing campaign aimed at stealing Webex credentials.

This past week, analysts uncovered features of malware that make various threats more sophisticated, easier to operate, and easier to infect. This report will cover updates on Buer Loader, which has recently been active in ransomware operations, as well as an overview of the FickerStealer MaaS, which is being offered for sale on prominent Russian-speaking hacking forums.

Over the past week, we have seen several notable developments in the ransomware landscape. In addition to the potential deployment of DDoS as an extortion means by REvil, another major ransomware operation, Maze, is seemingly shutting down its operations. The new powerful ransomware that could potentially take over Maze’s place in the ”Big Game Hunting” league is Egregor. Moreover, the US government is warning of Ryuk attacks on the healthcare sector using different tools from the TrickBot family.

Over the past week, many threat actors launched several campaigns featuring new or tweaked methods designed to lure users into providing their credentials or opening attachments laced with malware. Emotet has started using a new lure as the template used in its wide campaigns, while other threat actors capitalize legitimate services as lures to collect corporate credentials. Among the credentials-aimed campaigns are impersonation attempts to an HR department, COVID-19-related documents, and fake Microsoft Teams notifications.

This past week, analysts uncovered features of malware that make various threats more sophisticated, easier to operate, and easier to infect. This report will cover the improvements of the Purple Fox exploit kit, an overview of the KashmirBlack botnet, and a RAT that is controlled via Telegram. This section will also review last week’s noteworthy updates in the world of ransomware.