SISA Weekly Threat Watch – November 14th, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.

SISA Weekly Threat Watch - 14 November, 2022

Malicious organizations are constantly improving their tactics, techniques, and procedures (TTPs) and acquiring new weapons. This past week, threat actors were observed using publicly accessible malware and tools to exploit the social engineering concept of applications, revealing the time and resources they invest in analyzing a target’s network. The increasing number of highly coordinated, planned, and sophisticated cyber-attacks is a major point of concern for organizations around the world.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Fodcha RDDoS Botnet injects ransom in packets

Fodcha Botnet has come up with new capabilities and has upscaled to a large-scale botnet. The most notable improvement in this botnet version (v4) is the delivery of ransom demands directly within DDoS packets used against victims’ networks. The threat actors behind Fodcha have redesigned the communication protocol and started using ‘xxtea’ and ‘chacha20’ algorithms to encrypt sensitive resources and network communications to avoid detection at the file & traffic level.

For execution, Fodcha’s Bot checks the operating parameters, network connectivity and whether the ‘LD_PRELOAD’ environment variable is set and debugged. When the requirements are met, it first decrypts the configuration information and establishes network communication, further generating traffic for DDoS attacks. To avoid being a victim to such attacks, organizations are recommended to enroll into a DDoS (Cloud) Mitigation protection service along with developing and regularly testing DDoS response and business continuity plans.

2. APT-36 uses new TTPs to target Indian governmental organizations

The Pakistan-based advanced persistent threat group APT-36, also known as Transparent Tribe, primarily targets users working for Indian government organizations. Frequently, the threat actor registered new domains and hosted websites that appeared to be the official Kavach application download portal. LimePad, a brand-new, unreported method of data exfiltration employed by this APT group is offered as a VHDX file that contains a Python-based application.

The major objective of this new tool is to continuously upload new files from the victim’s computer to the attacker’s site. By maintaining a local, customized SQLite database, it synchronizes this file-stealing activity between the victim’s computer and the attacker’s server. Users should be cautious when downloading software and ensure that they obtain them only from authorized sources to prevent data compromise by such targeted attacks.

3. Researchers find links between Black Basta Ransomware and FIN7 Hackers

Similar to other “private” ransomware groups like Conti, TA505, and Evilcorp, the individuals behind the Black Basta ransomware create and maintain their own toolset and either exclude affiliates or only work with a select group of affiliates. Infections with Black Basta started with Qakbot, which was sent by email, as well as macro-based MS Office documents, ISO+LNK droppers and docx documents that make use of the CVE-2022-30190 MSDTC remote code execution vulnerability.

After the initial infection, a new instance of explorer.exe is launched when an operator connects to the backdoor, and a process hollowing operation is carried out to conceal harmful activity behind the legitimate process. The threat actor that created the impairment tool used by Black Basta is probably the same actor who has access to the packer source code used in FIN7 activities. It is recommended to install software updates to prevent hackers from exploiting known issues or vulnerabilities. Any unsolicited attachments, even from someone known, should also be avoided.

4. Azov Ransomware: A destructive Data Wiper

The new ‘Azov Ransomware’ is being distributed to a great extent through pirated software, key generators, and adware bundles. It falsely claims that the well-known security researchers listed in the RESTORE_FILES.txt are behind the attack. As these security researchers do not have decryption keys, the threat actors cannot be contacted to pay the ransom, and the malware should be treated as a destructive data wiper instead of a ransomware.

The initial ransomware executable is dropped under a random file in the Windows temp (%Temp%) folder and executed. The data wiper scans all drives, encrypts any file that does not have .exe, .dll, and .ini extensions and appends the .azov file extension to the encrypted filenames. It overwrites a file’s contents and corrupt data in alternating 666-byte chunks of garbage data. Users must exercise caution and carefully examine search results prior to clicking on links. It is also recommended to enable any form of multi-factor authentication (MFA) offered while choosing a more secure method where available.

5. Credential Roaming: Windows feature exploited by APT29

APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, has been found abusing a lesser-known feature of Windows called Credential Roaming. Among the queried LDAP attributes that usually relate to credential information gathering, one attribute that stood out was msPKI-CredentialRoamingTokens. This attribute is a part of an unpopular feature of Active Directory: Credential Roaming, which is described as a ‘storage of encrypted user credential token BLOBs for roaming.’

Mandiant has also highlighted an arbitrary file write vulnerability that could be exploited by a threat actor if it can control the msPKIAccountCredentials LDAP attribute to achieve remote code execution, posing as the victim account. Organizations need to check whether Credential Roaming is in use in their environment and if so, it is advised to apply the September 2022 patch to remediate CVE-2022-30170. It is also recommended to avoid using the Credential Roaming feature at all, if possible. It can be replaced with (virtual) smart cards or Mobile Device Management (MDM) solutions.


To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider