SISA Weekly Threat Watch – September 5th, 2022
SISA’s weekly series on threat advisories offers a quick snapshot of the top security vulnerabilities and exploits, to help organizations stay up to date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive action against the latest and most critical threats.
Organizations can also opt-in for our free daily threat advisories by subscribing here.
The use of experimental tactics and upgraded malware by cyber attackers this past week highlighted how quickly their technical capabilities are advancing. From leveraging commercial off-the-shelf tools to install malware and steal confidential data, to executing ransomware payloads aimed at institutions in select regions, threat actors appeared motivated and skilled enough to keep evolving their attacks.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Banking trojans updated with new tactics and targets
The SOVA Android banking malware has been upgraded with a new ransomware feature that encrypts files on mobile devices, alongside other feature and code updates. It now attempts to steal cookies and sensitive user data from over 200 banking, cryptocurrency exchange, and digital wallet applications. Its code has also been refactored and improved so that it runs more discreetly on the infected device.
Researchers have also discovered a new variant of the infamous Grandoreiro banking trojan, which has an updated C2 system to evade identification and analysis, among other new features. The targeted spear-phishing email contains a link that leads readers to a website distributing ZIP files; once run, the loader collects system information and sends it to the C2 along with a list of installed antivirus software, cryptocurrency wallets, and e-banking apps. To stay secure, organizations should use advanced security solutions such as Data Loss Prevention (DLP) strategies and real-time threat detection to keep up with the malware’s changing TTPs.
2. Russian SEABORGIUM group targeting NATO disrupted by Microsoft
Microsoft Threat Intelligence Center (MSTIC) has disrupted a hacking and social engineering operation linked to a Russian threat actor known as SEABORGIUM. The hacking group aims to steal private emails from individuals and NATO organizations and has obtained access to more than 30 of them since the start of this year.
The threat group first creates an online persona using social media accounts to start a conversation with the victim before sending a phishing email with a PDF attachment. When the victim opens the attachment, they are directed to a landing page where the group captures the user’s login information and any authentication cookies or tokens through the displayed login form. To avoid falling victim to similar threats, it is recommended to use IOCs to detect compromise, enable MFA on all accounts, and use FIDO security keys for additional protection.
3. Agenda ransomware
The ‘Agenda’ ransomware strain, developed in the Go (Golang) programming language, was recently seen in the wild. The threat actor, Qilin, is speculated to give affiliates the ability to customize the binary payload for each victim, giving operators the choice of ransom note, the length of the encryption, and the list of processes and services to stop before the encryption process starts.
Agenda can infect an entire network and its shared drives, and can use local account credentials to run the ransomware code. It also includes detection-evasion methods: it uses a device’s “safe mode” to carry out its file-encryption routine undetected, but only after changing the default user’s password and turning on automatic login. Enabling multi-factor authentication (MFA) is recommended to stop attackers from moving laterally inside a network. Operating systems and applications must also be kept up to date so that hostile actors cannot take advantage of software vulnerabilities.
4. ModernLoader delivers multiple stealers, cryptominers and RATs
ModernLoader, the implant in question, gives adversaries remote control of the victim’s computer, allowing them to install other malware, steal confidential data, or even enlist the computer in a botnet. The actors spread across a targeted network using PowerShell, .NET assemblies, HTA, and VBS files and drop additional malware, such as the SystemBC trojan and DCRAT, to enable the different stages of their activity.
To load the final payload, which is initially stored in the PowerShell loader script, the loader first spawns an instance of the svchost.exe process and uses process hollowing to inject code into it. Deploying and maintaining proper endpoint security controls on all systems in an environment is strongly advised. Because this threat actor uses widely known tools and methodologies, most EDR solutions are likely to stop many steps of this infection chain.
5. Spear-phishing and AiTM used to hack MS Office 365 accounts
The newly discovered business email compromise (BEC) campaign uses sophisticated spear-phishing and adversary-in-the-middle (AiTM) tactics to compromise the Microsoft 365 accounts of corporate executives, even those protected by MFA. The phishing emails provide new payment instructions and tell the target business that the corporate bank account they usually pay into has been frozen due to a financial audit. The target is therefore encouraged to switch to a new bank account belonging to an alleged subsidiary.
Another phishing email, pretending to be from DocuSign, directs victims to a phishing page on a fake domain when they click the ‘Review Document’ button, where they are then prompted to log in to the Windows domain. The attackers carry out the AiTM attack with a phishing framework that steals the session cookie issued by the Windows domain once the target enters their credentials and answers the MFA challenge. Corporate executives are therefore advised to tread cautiously. Windows administrators are recommended to use Azure AD Audit Logs to monitor MFA changes made to user accounts if they detect any incidents.
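Item 5 recommends monitoring Azure AD Audit Logs for MFA changes. The Python script below is an added example, not part of SISA’s advisory and not Microsoft tooling: it runs over an exported audit log, flags security-info (MFA) registration changes on a watchlist of executive accounts, and rates a change higher when it came from outside trusted networks, which is the pattern an AiTM-harvested session tends to leave behind. The activityDisplayName strings, the field subset, the watchlist, the 198.51.100.0/24 trusted range and the sample records are all assumptions constructed for the example; verify the activity names against your own tenant’s logs before relying on them.

```python
"""
Added example: flag MFA ("security info") changes on watched accounts in an
Azure AD audit log export. Hypothetical detection logic, not SISA's tooling.
"""
import ipaddress
import json

# activityDisplayName values emitted by the Azure AD "Authentication Methods"
# service when a user's MFA registration changes. Assumption: confirm these
# strings against your own tenant's audit logs.
MFA_CHANGE_ACTIVITIES = {
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
    "Admin registered security info",
    "Admin deleted security info",
}

# Constructed sample export (JSON lines), shaped like the subset of Microsoft
# Graph directoryAudit fields this check needs. Addresses are documentation
# ranges, not real infrastructure.
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2022-09-01T08:12:03Z", "activityDisplayName": "User registered security info", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.45"}}, "targetResources": [{"userPrincipalName": "cfo@example.com"}]}
{"activityDateTime": "2022-09-01T08:15:40Z", "activityDisplayName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.45"}}, "targetResources": [{"userPrincipalName": "cfo@example.com"}]}
{"activityDateTime": "2022-09-01T09:02:11Z", "activityDisplayName": "User registered security info", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "intern@example.com", "ipAddress": "198.51.100.20"}}, "targetResources": [{"userPrincipalName": "intern@example.com"}]}
{"activityDateTime": "2022-09-01T10:30:00Z", "activityDisplayName": "Admin deleted security info", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com", "ipAddress": "198.51.100.7"}}, "targetResources": [{"userPrincipalName": "ceo@example.com"}]}
"""

# Hypothetical watchlist and trusted egress range (assumptions for the example).
EXECUTIVE_WATCHLIST = {"ceo@example.com", "cfo@example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_audit_export(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _initiator(record):
    """Return (actor UPN, source IP); app-initiated records have no user."""
    user = record.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName", "<unknown>"), user.get("ipAddress")


def _from_trusted_network(ip):
    """True only when the IP parses and falls inside a trusted range."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_mfa_changes(records, watchlist=EXECUTIVE_WATCHLIST):
    """Return findings for MFA registration changes on watched accounts.

    Severity is 'high' when the change came from outside trusted networks,
    otherwise 'medium' so an analyst still confirms it with the account owner.
    """
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in MFA_CHANGE_ACTIVITIES:
            continue
        targets = {t.get("userPrincipalName") for t in rec.get("targetResources", [])}
        watched = targets & watchlist
        if not watched:
            continue
        actor, ip = _initiator(rec)
        findings.append({
            "time": rec.get("activityDateTime"),
            "activity": rec["activityDisplayName"],
            "target": sorted(watched)[0],
            "actor": actor,
            "ip": ip,
            "severity": "medium" if _from_trusted_network(ip) else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_mfa_changes(parse_audit_export(SAMPLE_AUDIT_LOG)):
        print(f"[{f['severity'].upper()}] {f['time']} {f['activity']} on "
              f"{f['target']} by {f['actor']} from {f['ip']}")
```

On the constructed sample the script reports the CFO’s self-registration from an untrusted address as high and the helpdesk-initiated deletion on the CEO’s account as medium; the unrelated “Update user” record and the non-watchlisted intern are ignored. In practice the watchlist would come from a directory group and the trusted ranges from the organization’s known egress addresses.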
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.