Get A Quote
Written by Cyber Threat Intelligence Unit on 16 March 2023

Critical Microsoft vulnerability exploited in the wild

CVE-2023-23397 is a critical vulnerability in Microsoft Outlook that allows threat actors to remotely steal hash passwords by receiving an email. According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors. Around 15 organizations are believed to have been attacked with CVE-2023-23397. After getting access, threat actors often use Impacket and PowerShell Empire to extend their grip and move to more valuable systems on the network to gather information. Once that is done, they can perform more malicious activities. Microsoft released a patch this week for CVE-2023-23397 but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since at least mid-April 2022. This is common in 0day exploit. We recommend updating your systems as rapidly as possible for the patch to be effective and minimize the risk of being victimise by this vulnerability. 

 

Microsoft fixes Windows 0day exploit used in ransomware attacks a year later

The vulnerability CVE-2023-24880 has been patched after being discovered on February 16th by Google Threat analysis Group. This vulnerability used by threat actors to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags. Threat actors have been using malicious MSI files signed with a specially crafted Authenticode signature to it. It is important to remember that the 0day are exploited long before they are discovered and then patch. 0day exploits then continue to be effective until every computer has it patched. 

 

Emotet is back

After a three month period of no show, a new Emotet malware campaign has been detected trying to infiltrate corporate networks via malicious emails in order to sell access to ransomware groups. The ransomware group has recently been observed sending malware in malicious Microsoft Word files that include macros that, if enabled, start the infection chain. Last November, Emotet was sending malicious Excel files. The infection is delivered via malicious email messages, deploying various additional malware on victim’s network. In that way, Emotet is using the same method as in November, however, this time the attached zip files are not password protected.

To avoid security products and sandboxes detection, Emotet uses stealth tactic sending payload’s large size (over 500 megabytes) which decreases detection and neutralization of the malicious files due to their size. Cybersecurity solutions that rely solely on static detection and analysis are not effective against attacks such as the most recent Emotet campaigns.

The return of Emotet should alert for more attacks, as the group specializes in breaching and selling access to other ransomware groups. Segmentation of the ransomware industry is a way to optimize and secure operations and therefore profits.

 

GoBruteForcer: the new malware on the block

GoBruteForcer is a new Golang-based brute force malware which has been seen targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet. This malware is a little different than the common single IP address target; instead GoBruteForcer choses CIDR block scanning to get a wide range of target hosts within a network. The malware attempts to obtain access via a brute-force attack using a list of credentials hard-coded into the binary. If successful, an internet relay chat (IRC) bot is deployed on the victim server to establish communications with an actor-controlled server. We do not have the information on the exact initial intrusion vector. 

 

Threat actors exploit SVB collapse to steal money and data

After the collapse of the Silicon Valley Bank last week, threat actors got busy exploiting this new opportunity. Threat actors are registering suspicious domains, creating phishing pages, and preparing to launch up for business email compromise (BEC) attacks. Here is a list of domains published on the SANS ISC website:

  • login-svb[.]com
  • svbbailout[.]com
  • svbcertificates[.]com
  • svbclaim[.]com
  • svbcollapse[.]com
  • svbdeposits[.]com
  • svbhelp[.]com
  • svblawsuit[.]com

These domains could be used to launched BEC attacks. This is wage will be dangerous. Some attackers have already started. One has been using "cash4svb.com" to phish former SVB customers' contact information, who are trade creditors or lenders, promising them a return between 65% and 85%. Threat actors could very well pretend to be support, legal services, loans or other fakes services as a ruse to contact ex-clients of SVB. We recommend ignoring all email from unusual domains and triple-checking any request from SVB (ignore it if you have no business with them) to limit the chances of being victimised by one of these scams. 

 

Which brand names lead phishing lures?

In 2022, credential-seeking threat actors were the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and technology organization. Phishing campaigns causes significant damages yearly as it is often the first step in a larger attack. There is a top-50 list representing typical targets. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The bottom five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A. Threat actors can either attempt to attack these companies or usurped their identities to targets individuals. It is important to keep in mind that financial institution continue to be a favoured targeted and with tax season upon us, we need to double our vigilance. 

 

 

Related Posts

phone-handsetcrossmenu