Weekly Intel Report - December 21, 2022
Weekly threatscape analysis that keeps you two steps ahead of the bad guys.
Ransomware, Malware & Phishing
Hackers Using SVG Files to Smuggle QBot Malware onto Windows Systems
Recommendation: Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. Researchers who spotted the new distribution method identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags.
HTML smuggling is a technique that relies on legitimate features of HTML and JavaScript to run malicious code contained within lure attachments and assemble the payload on the victim's machine, rather than making an HTTP request to fetch the malware from a remote server.
Looking at the attack chain, when the victim opens the HTML attachment from the phishing email, the smuggled JavaScript code inside the SVG image runs. It creates a malicious ZIP archive and then presents the user with a dialog box to save the file. The ZIP archive is password-protected, requiring the user to enter a password that is displayed in the HTML attachment, after which an ISO image is extracted to run the Qakbot Trojan. More attempted HTML smuggling attacks are likely, because the technique bypasses content scanning filters, which makes it attractive to threat actors.
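The chain above is easy to miss at the mail gateway because the SVG, and the script inside it, can be base64-encoded into an attribute value. The following triage helper is an added example written for this report, not code from the original article or from the researchers it cites: it parses an HTML attachment with the standard library, collects every script nested inside an SVG element (inline or decoded from a base64 SVG data: URI) and reports which client-side file-assembly indicators the script contains. The indicator list and both sample attachments are constructed assumptions for illustration.

```python
"""Triage helper for HTML email attachments: flags SVG images that carry
script, whether the SVG is inline or hidden in a base64 data: URI.
The indicator list is an assumed heuristic, not a complete signature set."""
import base64
import binascii
import re
from html.parser import HTMLParser

# JavaScript calls commonly seen when a file is assembled client-side
# (assumed heuristics; tune against your own samples).
SMUGGLING_INDICATORS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob")

DATA_SVG_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)


class SvgScriptFinder(HTMLParser):
    """Collects the text of every <script> nested inside an <svg> element and
    every base64-encoded SVG data URI found in an attribute value."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self._script_buf = None          # list while inside <svg>...<script>
        self.inline_scripts: list[str] = []
        self.encoded_svgs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self._script_buf = []
        for _, value in attrs:
            if value:
                self.encoded_svgs.extend(m.group(1) for m in DATA_SVG_RE.finditer(value))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def _scripts_in(html: str) -> tuple[list[str], list[str]]:
    finder = SvgScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.inline_scripts, finder.encoded_svgs


def analyze_attachment(html: str) -> dict:
    """Return a verdict for one HTML attachment: how many SVG-embedded scripts
    were found and which smuggling indicators they contain."""
    scripts, encoded = _scripts_in(html)
    # An SVG hidden in a data: URI is decoded and inspected the same way.
    for blob in encoded:
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        inner_scripts, _ = _scripts_in(decoded)
        scripts.extend(inner_scripts)
    hits = sorted({ind for s in scripts for ind in SMUGGLING_INDICATORS if ind in s})
    return {"svg_scripts": len(scripts), "indicators": hits, "suspicious": bool(scripts)}


# Constructed samples (not real campaign artefacts). The script body is inert
# and only exercises the calls the detector looks for.
_INNER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>'
              'var b = new Blob([atob("ZGVtbw==")]); var u = URL.createObjectURL(b);'
              '</script></svg>')
SAMPLE_SMUGGLED = ('<html><body><p>Please open the attached document.</p>'
                   '<embed src="data:image/svg+xml;base64,'
                   + base64.b64encode(_INNER_SVG.encode()).decode() + '"></body></html>')
SAMPLE_BENIGN = ('<html><body><svg width="10" height="10"><circle r="4"/></svg>'
                 '<p>Invoice attached</p></body></html>')

if __name__ == "__main__":
    for label, doc in (("smuggled", SAMPLE_SMUGGLED), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_attachment(doc))
```

A benign inline SVG with no script produces no finding, so the check can run on every HTML attachment; the decode step matters because the script tag is invisible to a plain text search until the data: URI is unpacked.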
APT recommends these best practices to protect against such attacks:
First and foremost, it is essential to educate your employees about the dangers of phishing attacks. Making them aware of the ways they can be targeted, running security lunch-and-learns, and teaching them how to recognize and report a phishing email (hovering over links, looking for spelling mistakes, verifying the message with the sender or company, and so on) all help secure your company.
It is important to have endpoint detection and response (EDR) within your environment to prevent the execution of malicious scripts or the download of executable content.
Mobile App Users at Risk as API Keys of Email Marketing Services Exposed
Recommendation: Analysis of over 600 applications on the Google Play Store by cyber researchers found that at least 50% of the apps were leaking application programming interface (API) keys for three popular email marketing service providers: Mailgun, MailChimp and SendGrid. An API is a software interface that allows applications to communicate with each other without any human intervention. An API key is a unique identifier that users, developers or calling programs use to authenticate themselves to an API. The leaked API keys allow threat actors to perform a variety of unauthorized actions, such as sending emails, deleting API keys and modifying 2FA.
APT recommends first and foremost having a controlled business app store for all corporate devices. Managing what applications are in your environment is essential to ensure that you are not exposed through unwanted or unauthorized applications that have not been properly vetted for security. It is also essential to ensure that no API keys are embedded in applications; developers should follow secure coding and deployment practices such as standardized review procedures, key rotation, keeping keys out of source and binaries, and loading them from a secrets vault.
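One practical way to enforce "no API keys embedded in applications" is to scan source and build artefacts for key-shaped strings before release. The scanner below is an added example written for this report, not code from the original article, from the researchers, or from Mailgun, MailChimp or SendGrid. The regular expressions are the approximate key shapes that common secret scanners use for these three providers and should be treated as assumptions; the strings dump and the key values in it are constructed dummies with the right shape. `load_key_from_env` shows the remediation the report recommends: the key is read at runtime from a variable populated by a vault rather than compiled into the app.

```python
"""Scans text (source files, a strings dump of an app binary) for hard-coded
keys of the three providers named in the report. Key shapes are the ones
common secret scanners use; treat them as assumptions and extend locally."""
import os
import re
from dataclasses import dataclass

KEY_PATTERNS = {
    "sendgrid":  re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "mailgun":   re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int
    redacted: str   # never log the full secret


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it in the source."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per key-shaped string, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, redact(match.group(0))))
    return findings


def load_key_from_env(var_name: str = "SENDGRID_API_KEY") -> str:
    """The fix: read the key at runtime from the environment (populated by a
    secrets vault or CI secret store) instead of embedding it in the app."""
    key = os.environ.get(var_name)
    if not key:
        raise RuntimeError(f"{var_name} is not set; provision it from the secrets vault")
    return key


# Constructed strings dump resembling what a decompiler lists for an app;
# the key values are dummies with the right shape, not real credentials.
SAMPLE_STRINGS = """\
com.example.app.MainActivity
SENDGRID_KEY = "SG.aBcDeFgHiJkLmNoPqRsTuV.0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"
MAILGUN_KEY = "key-0123456789abcdef0123456789abcdef"
MAILCHIMP_KEY = "0123456789abcdef0123456789abcdef-us12"
api_key = os.environ["SENDGRID_API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.provider} key {f.redacted}")
```

The last line of the sample, which reads the key from the environment, produces no finding: that is the pattern a release gate should accept, while the three literal keys are what it should block. Run the same scan over the strings of the built APK, not only over source, since build tooling can copy configuration files into the package.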
Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data
Recommendation: A new malicious package on the Python Package Index (PyPI) repository has been discovered that impersonated a software development kit (SDK) for SentinelOne. The package, which has since been taken down, was published between December 8-11 and claimed to offer an easier way to access the company’s APIs. In fact, it harbors a malicious backdoor engineered to collect sensitive information from development systems, including access credentials, SSH keys and configuration data. The actor has also been observed releasing two more packages with similar naming variations, SentinelOne-sdk and SentinelOneSDK. The initial package mimics a legitimate SDK that SentinelOne offers to its customers, attempting to trick developers into downloading the module from PyPI. Although this specific attack is small in scale, it is a reminder that threat actors and their tactics, techniques and procedures are constantly evolving.
APT recommends continued education and awareness around social engineering tactics that attackers may use to confuse and mislead users into downloading malicious code. It is essential to test users frequently within your organization with unique and specific phishing tests to ensure that they are better armed to face any potential attacks.
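Awareness can be backed by a mechanical check at install time. The naming variations in this story (SentinelOne-sdk, SentinelOneSDK) differ from each other only in separators and case, which is exactly what PEP 503 name normalization and a small edit-distance threshold catch. The checker below is an added example written for this report, not code from the original article, from PyPI or from SentinelOne: it reads a requirements list, accepts only names on an internal allowlist, and labels anything that squashes or edits to within two characters of an approved name as a lookalike. The allowlist (including the placeholder `example-vendor-sdk`) and the requirement lines are constructed for the example.

```python
"""Checks a requirements list against an allowlist of approved package names
and flags lookalikes (separator tricks, case changes, small edits). The
allowlist and the requirement lines are constructed for this example."""
from __future__ import annotations

import re

APPROVED = {"requests", "cryptography", "example-vendor-sdk"}  # constructed allowlist


def normalize(name: str) -> str:
    """PEP 503 name normalization: runs of -, _, . become one '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def squash(name: str) -> str:
    """Separator-insensitive key used for lookalike comparison."""
    return re.sub(r"[-_.]", "", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> str | None:
    """Strip comments and version specifiers from one requirements line."""
    spec = line.split("#", 1)[0].strip()
    if not spec:
        return None
    return re.split(r"[<>=!~;\[\s]", spec, maxsplit=1)[0]


def check_requirements(text: str, approved=APPROVED, max_distance: int = 2) -> list[tuple[str, str]]:
    """Return (name, verdict) per requirement: approved, lookalike:<approved name>, or unknown."""
    approved_norm = {normalize(p) for p in approved}
    results = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        if normalize(name) in approved_norm:
            results.append((name, "approved"))
            continue
        key = squash(name)
        near = sorted(p for p in approved if edit_distance(key, squash(p)) <= max_distance)
        results.append((name, f"lookalike:{near[0]}" if near else "unknown"))
    return results


# Constructed requirements list; the lookalike names are invented for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Example_Vendor.SDK>=1.0        # same project, different separators and case
example-vendor-sdk-py          # constructed lookalike: extra suffix
ExampleVendorSDK               # constructed lookalike: separators dropped
numpy                          # not on the allowlist, not close to anything on it
"""

if __name__ == "__main__":
    for name, verdict in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:28} {verdict}")
```

"Unknown" is a different signal from "lookalike": the first needs a review to extend the allowlist, the second should fail the build, because a name that is only a separator or a couple of characters away from a package you already trust is the shape a typosquat takes.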
Iran-linked cyberspies expand targeting to medical researchers, travel agencies
Recommendation: A cyberespionage group aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC) has been observed attacking new targets over the last two years, including medical researchers, an aerospace engineer and even a Florida-based realtor. The group is tracked as TA453 but is also widely known as Phosphorus, Charming Kitten or APT42. Proofpoint found that their targeting and tactics have shifted from attacks in the Middle East to supporting the IRGC’s intelligence needs. They have been seen attacking new targets and using new techniques with more hostile intent, most recently beginning to attack various North American universities and a Florida realtor.
The actors create email accounts and use them to send phishing emails to potential victims. More recently, they have been seen using compromised email accounts to gain access. They also use GhostEcho, a backdoor used to deliver follow-on “espionage focused capabilities” once the group gains access to a victim, and leverage a persona named “Samantha Wolf” for confrontational social engineering lures. Credential harvesting is a large part of their operations, with the actors attempting to gather valid usernames, passwords, private emails and email addresses through infrastructure breaches.
APT recommends the following to protect against credential harvesting attacks:
Ensure that MFA is active throughout your entire organization.
Have a strong password policy that requires password resets on a frequent basis.
Vulnerabilities
A vulnerability in macOS, revealed by Microsoft on Tuesday, would allow attackers to perform the same techniques as malware and malicious apps to bypass security protection. The flaw is a result of a bug in the way Apple’s OS handles third-party apps that use root certificates.
Recommendation: Apple confirmed that it is aware of the vulnerability and has released patches for both macOS and iOS in order to address the issue. The company also provided steps that users can take to protect themselves from malicious attacks.
APT recommends that users update their devices to the latest version of macOS and iOS as soon as possible. In addition, users can enable two-factor authentication for their Apple ID accounts as an added layer of security.
Veeam, a global software and services company, announced today that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.
Recommendation: The reported critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, could be leveraged to gain control of a target system. These issues were resolved in the latest releases, 10a and 11a, and impacted users are strongly advised to update to these versions.
Microsoft is working to resolve an issue affecting users who have installed the Windows 10 KB5021233 cumulative update released during this month's Patch Tuesday. After installing the update on PCs, some users have experienced BSOD crashes with 0xc000021a errors.
Recommendation: The known issue may cause the update to get stuck at 99 percent and show one or more files in Windows File Explorer as "updated" even though no actual files were updated. These include hidparse.sys, which can cause signature validation to fail when cleanup occurs. So far, the list of affected platforms appears to range from Windows 10 20H2 through Windows 10 22H2. Microsoft does not have a fix for this yet but has reported that a fix will be made available as soon as it is ready. Microsoft has also provided a workaround (found in the full report) if you are affected by this issue.
APT recommends testing the update on a small group of Windows machines and observing the results before pushing it to everyone in your organization.
Microsoft announced that a future Microsoft Edge update would permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems starting in February. The move is part of Microsoft’s efforts to fully transition users away from Internet Explorer and onto its latest browser, Microsoft Edge.
Recommendation: Microsoft will disable Internet Explorer 11 on certain versions of Windows 10 devices beginning February 14, 2023, in conjunction with an update for Microsoft Edge. This change is scheduled to happen on a date that falls after the support end date for these devices.
If your organization has not made the switch to Microsoft Edge, APT recommends that you start making the transition while there is still time before the February release that disables IE11.