SISA Weekly Threat Watch – October 03rd, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.


Attackers are rapidly making the most of newly discovered tools and widely accessible malware to exploit new and old vulnerabilities. With the growing popularity of communication through cloud-based platforms and online gaming programs, hackers now have a large target pool from which to launch attacks and steal login details. While attackers continue to evolve their tactics, security teams are concerned that these attacks can run for years without being detected, exposing the security flaws to new threat groups.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate actions to defend against the latest and critical threats.

1. New Malware in the cloud by TeamTNT

TeamTNT has emerged as a threat actor that primarily targets cloud environments, including incorrectly configured Docker APIs, Kubernetes UI tools, misconfigured Kubernetes clusters, and more. The three attacks, called the Kangaroo Attack, the Cronb Attack, and the “What Will Be” Attack, involve downloading a shell script to a C2 server, using rootkits, cron jobs and cryptominers to seize resources, and using SSH and stolen keys to perform lateral network movement.

Using a misconfigured Docker API, the threat actor ran the default Alpine container image with a malicious command intended to download and run the shell file. Two highly intriguing functions in this file can be used to take advantage of the release agent vulnerability and escape the container. Organizations are strongly recommended to equip their security teams with Cloud Native Application Protection Platform (CNAPP) solutions that cover the various stages of the cloud development pipeline and provide greater visibility and context.

2. Hackers steal Steam Accounts in new Browser-in-the-Browser attacks

A growing phishing method known as “Browser-in-the-Browser” is being used by hackers in new attacks to steal Steam user credentials. It entails creating fake browser windows within the active window, designed to look like sign-in pop-up windows for specific login services. The targets receive links inviting them to join a team for LoL, CS, Dota 2, or PUBG contests.

When the link is clicked, a phishing website posing as an esports contest host lures visitors to log in with their Steam account in order to participate. The victim is unaware that the new login page window is a fake window generated by the hackers to carry out the phishing attack. After taking control of the accounts, the threat actors change the victims’ passwords and email addresses to make it harder for them to regain control. Employee awareness of the pop-up window’s address bar, of fake browser windows, and of control button design and fonts is necessary to prevent such attacks.

3. Russian Sandworm hackers pose as Ukrainian Telcos to drop malware

Russian-sponsored threat group UAC-0113 has been masquerading as telecom companies to target Ukrainian entities. The researchers linked this recent operation to the Sandworm group by connecting it with data gathered by CERT-UA. During the campaign, the attackers used domains that appeared to belong to the Ukrainian telecom firms Datagroup, Kyivstar, and EuroTransTelecom.

To trick potential victims into accessing the domains, the attack usually begins with emails sent from fictitious domains. The website uses HTML smuggling, and a base64-encoded ISO file embedded in the HTML is downloaded automatically. The payload contained in the image file is the malware known as Warzone RAT. It is recommended that both private and public organizations in Ukraine implement CERT-UA directives to minimize the risk of being the next target of these attacks.
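As an added example (not from the original advisory or from CERT-UA), the sketch below shows one way a mail or web gateway could flag the delivery method described above: it scans an HTML page for a contiguous base64 run that decodes to an ISO 9660 image. The function names and both sample pages are constructed for illustration, and the check assumes the image is embedded as a single unbroken base64 string.

```python
import base64
import re

# ISO 9660: the Primary Volume Descriptor starts at sector 16 (16 * 2048 bytes);
# its identifier "CD001" follows the one-byte descriptor type.
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 16 * 2048 + 1
# Base64 characters needed to decode far enough to see the identifier.
MIN_B64_CHARS = -(-(ISO_MAGIC_OFFSET + len(ISO_MAGIC)) // 3) * 4
B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}")


def find_embedded_isos(html):
    """Return (offset, length) for each base64 run that decodes to an ISO image."""
    hits = []
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        if len(run) < MIN_B64_CHARS:
            continue  # too short to reach a volume descriptor
        try:
            # Decode only the prefix that covers the identifier.
            head = base64.b64decode(run[:MIN_B64_CHARS], validate=True)
        except ValueError:
            continue
        if head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
            hits.append((match.start(), len(run)))
    return hits


def constructed_samples():
    """Constructed pages: one embeds a minimal ISO header, one a non-ISO blob."""
    fake_iso = bytes(16 * 2048) + b"\x01CD001\x01" + bytes(2041)
    other_blob = b"\x89PNG\r\n\x1a\n" + bytes(40000)
    wrap = '<html><body><script>var data = "{}";</script></body></html>'
    return (wrap.format(base64.b64encode(fake_iso).decode()),
            wrap.format(base64.b64encode(other_blob).decode()))


if __name__ == "__main__":
    smuggled, benign = constructed_samples()
    print("smuggled page:", find_embedded_isos(smuggled))
    print("benign page:  ", find_embedded_isos(benign))
```

Pages that split the encoded image across several string fragments or obfuscate it before decoding will not match this check and need script-level inspection instead.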

4. LockBit ransomware builder leaked online by angry developer

According to reports, the developers of the LockBit ransomware version 3.0 (LockBit Black) have leaked it online. A newly registered Twitter account claimed that his team had infiltrated LockBit’s servers and found a builder for the LockBit 3.0 encryptor. Research group VX-Underground revealed that they had also been contacted on September 10 by a user who shared a copy of the builder.

It was revealed that the leaker was a programmer the ransomware group had hired, and he leaked the builder because he was angry with LockBit’s leadership. The LockBit ransomware campaign has suffered a major blow because of this leak. The leaked files can give anyone the ability to create executables for their own operations, including encryptors, decryptors, and tools to execute the decryptor in particular ways. Organizations must ensure that all machines have up-to-date antivirus and anti-malware software. It is recommended to enable and enforce multi-factor authentication (MFA) across the network to stay protected.

5. Microsoft: Exchange servers hacked via OAuth apps for phishing

Microsoft recently issued an alert that one of its Exchange servers has been compromised by a threat actor using credential stuffing attacks carried out via rogue OAuth applications on exposed cloud tenants. The threat actors initially gained access to highly vulnerable accounts without MFA enabled by using unsecured administrator accounts. After gaining access, the hacker created a rogue OAuth application and changed the Exchange Server settings to add a malicious inbound connector to the email server.

The threat actor then sent phishing emails, enticing recipients to click on a link which leads them to a landing page that requests their credit card details and enables them to sign up for recurring paid subscriptions. These email campaigns have been sent using popular bulk e-mail marketing tools like Amazon SES and MailChimp. To reduce the risk of data compromise, it is recommended to ensure Conditional access policies are evaluated and enforced every time the user attempts to sign in.


To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
