Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations.

Thursday, February 9, 2023 14:02

Welcome to this week’s edition of the Threat Source newsletter.

Our hearts are with the people of Turkey and Syria and all those impacted by the tragic earthquake. The Cisco Foundation has launched a matching campaign to support local disaster relief organizations. As a person it’s always difficult to try to find impactful ways to help people so far removed from us.. As a security practitioner it’s my duty to remind you that criminals will exploit your empathy and this situation for their own profit. Be acutely aware of phishing scams, malvertising, and typosquats that will leverage your kindness for their gain. Give freely but take a moment when you do to ensure that you are donating to sources that can help and that above all you aren’t padding the pockets of cybercriminals.

**The one big thing**

Ransomware and commodity loaders remain at the forefront of the threat landscape. The ransomware space is dynamic, continually adapting to changes in the geopolitical environment, actions by defenders, and efforts by law enforcement, This leads groups to rebrand under different names, shut down operations, and form new strategic partnerships. Cisco Talos observed several related trends across 2022 and this activity is highlighted in the Ransomware and Commodity Loader Topic Summary Report.

**Why do I care?**

Understanding the most recent trends in ransomware, including the goals, victimology, and TTPs will increaser your ability to defend, understand, and react to these events. We've seen seismic shifts in how state sponsored actors attack and this will migrate to every level of threat actor.

**So now what?**

Education is key and continuing to follow the research that Talos releases and validating your environment against that research is critical.

**Top security headlines of the week**

This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.( DarkReading)

Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files. (Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/ransomware-and-commodity-loader-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: A9CE7F0974.tmp

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: software.Scr

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423

MD5: 954a5fc664c23a7a97e09850accdfe8e

Typical Filename: teams15

Claimed Product:  n/a

Detection Name: Gen:Variant.MSILHeracles.59885

Threat Source newsletter (Feb. 9, 2023): Don't let criminals exploit your empathy

AI and phishing-as-a-service (PaaS) kits are making it easier for threat actors to create malicious email campaigns, which continue to target high-volume applications using popular brand names.

Phishing is having a moment, with a massive spike in campaign volumes in the latter half of 2022. In fact, total phishing emails increased by 61% in the second half, according to an analysis this week. That could also be set to accelerate, as the rise of ChatGPT and other new tools are making their mark on the sector too. 

That's according the "Q4 2022 Phishing and Malware Report" from email security firm Vade, published Feb. 9. Phishing volumes increased 36% between the third and fourth quarters, with researchers tracking 278.3 million unique phishing emails in the last three months of the year, according to the report.

Malware volumes overall also increased, 12% quarter for quarter, with Vade detecting 58.9 million emails in the fourth quarter of 2022 that included malware, the researchers found.

Email remains the top channel for distributing phishing and malware, giving hackers a convenient, scalable, and efficient vehicle for exploiting users and compromising accounts, Todd Stansfield, content marketing manager, noted in the report.

"Email threat activity continues to increase, creating the need for organizations of all sizes to fortify their cybersecurity," he wrote.

Breaking down the numbers by the month, phishing volumes remained relatively stable through the first half of the fourth quarter, with 62.3 million phishing emails tracked in October and 47 million in November, according to the report.

Then, as is typical during the annual holiday season — in which phishers use a range of year-end and holiday-themed lures to try to snare victims — December saw a big jump in phishing emails with 169 million, representing a 260% month-over-month increase, the researchers found. This pattern is similar to what happened in the fourth quarter of 2021, they said.

**Reliable Targets & Tactics**

In terms of who they target and how they do it, phishing threat actors aren't getting especially creative given the current way enterprise users work and collaborate.

Facebook remained the top brand in terms of impersonation for the second consecutive quarter, with researchers observing 6,700 unique phishing URLs impersonating the social networking giant in the fourth quarter of 2022, they reported. The company was followed by Microsoft, PayPal, Google, and Netflix in descending order as the brands that threat actors prefer to impersonate.

In terms of targets threat actors continued to find value in campaigns targeting productivity applications, for which they have a wide pool of corporate users and are most likely to find success, the researchers found. Microsoft 365, which has more than 345 million users, and Google Workspace, the second-most popular productivity suite, continued to be the top targets for phishers in the second half of 2022, according to Vade.

"With the growing popularity of productivity suites, users are increasingly using email to access and use productivity apps such as file sharing and instant messaging," Stansfield wrote, adding that threat actors have taken notice and are crafting phishing campaigns to target the specific behavior of corporate productivity-suite users.

**AI & New Tools Bolster Phishing**

While some things remained the same in terms of phishing campaigns, changes are afoot in other aspects of this type of threat, the researchers found. In particular, new tools have emerged that can make anyone, even with limited skills, a phishing threat actor thanks to more sophisticated phishing-as-a-service (PaaS) kits, and the meteoric rise in popularity of the AI platform ChatGPT.

"By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets," Stansfield acknowledged.

One recent enhancement to these kits is the ability to automatically localize phishing pages based on a victim's native language, a handy tool that allows threat actors to target various regions quickly without being multilingual themselves, the researchers said.

The feature works by identifying the language settings of the targeted user's browser and leveraging it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns, according to Vade.

ChatGPT — the chatbot that can assist anyone in producing instantaneous, high-volume content that's already become notorious for its cybersecurity implications since its November release by OpenAI — also is becoming a phisher's best friend, according to Vade analysts.

Hackers can weaponize ChatGPT to produce sophisticated phishing kits efficiently by using commands that empower the AI tool to write phishing emails and malicious code in seconds, they said.

**Protecting the Enterprise From Phishing**

With phishing showing no sign of letting up despite being one of the oldest forms of cybercriminal activity, it's clear enterprises need to roll with the changes in the technology landscape just as attackers are.

"In the past year, nearly seven out of 10 businesses experienced a serious data breach that bypassed their email security," Stansfield noted, citing previous research from Vade.

Moreover, the problem with phishing is that it doesn't just end with an attacker giving up credentials, but ultimately, they can use these credentials as a way into corporate networks to steal data, distribute ransomware and other malware, and engage in other nefarious activity.

Enterprises need to move beyond traditional email security solutions and adopt ones that can respond to the more sophisticated tactics of attackers, the researchers said. Specifically, collaborative and AI-enhanced solutions that can provide "predictive defense against known and unknown threats using the latest threat intelligence and a core set of AI technologies," are the way forward, Stansfield said.

Indeed, just as AI is empowering attackers through technology like ChatGPT, it also can empower enterprises with new types of security, Adrien Gendre, co-founder and chief tech and product officer at Vade, tells Dark Reading.

"On the flip side, we use AI to detect anomalies in email, from the content itself to the behavior of files that might be included in those emails," he says. "There will be a battle between what you might call good and bad AI."

If phishing emails do slip through an organization's security protections, training employees to identify phishing emails before they click on them can also be a reliable way to prevent credential or malware compromise before it occurs, Scott Caveza, senior research manager at cyber exposure management firm Tenable, tells Dark Reading.

"Phishing attacks continue to be successful as they target our weakest link in security, humans," he says. "Regardless of the author of the email, be it AI or an actual human, organizations need to invest in and develop mature security programs where security awareness training, including specific training on spotting phishing attacks, are priorities for the organization."

Phishing Surges Ahead, as ChatGPT & AI Loom

By Habiba Rashid
The stolen Weee! database has been leaked on the infamous BreachForums and Russian-speaking cybercrime forums.
This is a post from HackRead.com Read the original post: Weee! Grocery Service Hacked, 1.1m Accounts Leaked

In total, hackers managed to steal 11.3 million order details, including 1.1 million email addresses belonging to Weee! customers.

A data breach affecting the US-based online grocery delivery platform, Weee!, has resulted in 1.1 million customers’ data being leaked online. On Monday, a threat actor named IntelBroker posted the database on BreachForums.

It is worth noting that BreachForums is a hacker and cybercrime forum that surfaced as an alternative to the popular and **now-seized Raidforums**.

Hacker announcing the breach (Screenshot: Hackread.com)

“Weee!” is particularly popular amongst Asian and Hispanic communities, delivering food across 48 states in the USA via warehouses spread throughout the country. Its delivery app has been downloaded over 2.6M times. 

The breach forum post reads, “In February 2023, a database of 11 million customers belonging to Sayweee was stolen by hackers.”

However, security researcher Troy Hunt of Have I Been Pwned, a data breach notification service, confirmed that the leaked data only includes 1.1 million unique email addresses. The additional entries are likely due to multiple orders placed by the same customer.

The leak contains information such as Weee! customers’ first and last names, email addresses, phone numbers, device type (iOS, PC, Android), order notes, dates, and other data the delivery platform uses.

Sample data as seen by Hackread.com

Some of the logs also included delivery notes that customers of Weee! left for couriers, such as codes to enter residential or office buildings.

The company’s spokesperson stated that “Weee! is aware that a data breach has affected some of its customers.” They also confirmed that the breach did not impact user financial data, as the online grocery delivery platform does not retain any payment details.

“For customers that placed an order between July 12, 2021, and July 12, 2022, information such as name, address, email addresses, phone number, order number, and order comments may have been impacted,” the company’s representative said.

“We have notified all customers of the issue and will be notifying all impacted customers individually if their information was exposed,” Weee!’s spokesperson explained.

“Security is a top priority for us and we are undertaking a thorough review to ensure we continue to deliver on the trust the Weee! Community places in us.”

The personally identifiable information (PII) in the leak can be abused by hackers in numerous ways. Exposed home addresses put users at a heightened risk of targeted scams and spear phishing campaigns, tracking, and unwanted contact.

On the other hand, leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud. In extreme cases, PII information could be used by attackers to attempt identity fraud. 

1.  Uber Eats User records leaked on Dark Web
2.  Google-funded delivery service Dunzo hacked
3.  Chowbus food delivery service suffers breach
4.  Instant Checkmate and TruthFinder Data Leaked
5.  Foodora data breach 700k users in 14 countries affected

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Weee! Grocery Service Hacked, 1.1m Accounts Leaked

Restricting the Twitter API will have implications across Twitter, the broader Internet, and society, experts say. Is there a cybersecurity silver lining, or will threat actors pay to play?

Twitter's new policies surrounding its application programming interface (API) have just gone into effect — and they will have broad implications for social media bots, both good (RSS integrations, say) and evil (political influencer campaigns), researchers note.

On Feb. 2, the Twitter dev team announced that the site would no longer provide free access to its API, starting on Feb. 9. After some negative publicity, Elon Musk personally provided an amendment — that Twitter would continue to service "a light, write-only API for bots providing good content that is free."

APIs are what enable different computer programs to communicate with one another. Just as your computer provides an interface so that you can easily interact with its many complex functions, an API provides an interface for two software programs to interact with one another. Twitter's API is necessary for any enterprises, academics, or bot developers whose applications rely on the social platform.

The choice between a limited or subscription model threatens to push away smaller, more cash-strapped developers and academics who have used the free access to create useful bots, applications, and research.

On the other hand, bad bots have also ravished Twitter since the beginning. They're regularly used by hackers to spread scams and by evil regimes to spread fake news, to say nothing of their smaller-scale negative impacts in influencer culture, marketing, and general trolling.

Is a paid API the answer to Twitter's influence campaign and bot-driven ills? Some experts think the new move is just smoke and mirrors.

**Twitter's Bad-Bot Problem**

In May 2018, the National Bureau of Economic Research (NBER) in Cambridge, Mass., published a working paper on the role of social media bots in shaping public opinion. The study focused on Twitter, and its bots' impacts on two 2016 elections: the US presidential race, and the UK vote to leave the European Union. The data indicated that "the aggressive use of Twitter bots, coupled with the fragmentation of social media and the role of sentiment, could contribute to the vote outcomes."

They found that in the UK, the greater volume of automated pro-"leave" tweets may have "translated into 1.76 percentage points of actual pro-'leave' vote share." And in the US, "3.23 percentage points of the actual vote could be rationalized with the influence of bots."

Three crucial swing states in that election — Pennsylvania, Wisconsin, and Michigan — with enough collective electoral votes to swing the result the other way — were won by less than a percentage point.

Bots don’t always have to sway world history — sometimes, they're just a useful tool for hackers looking to commit cybercrime at scale. Cybercriminals have been observed using Twitter bots to distribute spam and malicious links, and to amplify their content and profiles.

"Bots are an amazingly huge problem," David Maynor, director of the Cybrary Threat Intelligence Team, explains to Dark Reading. "If Twitter were the real world, you would see random inanimate objects trolling people, and the victims would spend hours or days trying to prove a random object wrong. Bots also give astroturfed efforts a real feel of legitimacy."

Astroturfing is the practice of presenting choreographed marketing in such a way as to make it appear to come from the general public (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments).

**Is Twitter Hiding Its True Motives?**

Some speculate that Twitter's real motives for putting its API behind a paywall have nothing to do with security. After all, is a basic subscription plan going to stand in the way of a cybercrime group, or even a lone scammer? Certainly not the government of Russia, one of the largest operators of social media influence campaigns.

In fact, notes Ted Miracco, CEO at Approov, "there are numerous mobile app security platforms and cloud based solutions that could easily eliminate the bot traffic overnight, and Elon Musk is well aware of these technologies."

Indeed, there are a number of strategies and tools for social media sites (and website owners and admins of all kinds) to use to snuff out botnets. For one thing, bots tend to follow specific behavioral patterns, like posting in regular intervals and only in limited ways. And after identifying even just a few suspect accounts, clever specialized tools can help reveal entire networks of connected bots.

Maynor noted that in addition to sussing out malicious automated tweets, naming and shaming might be important: "This isn't popular, but to fight bots and information operations you have to tie accounts to real-world people and organizations."

He adds, "This raises issues about privacy and misuse of data, but remember: they are already mining every bit of data they can get. Tying accounts to real-world identities won’t affect the platforms' data harvesting, but instead will stomp bots and \[astroturfing\]."

Why go so far as to remove free access to the API, before exhausting other available cybersecurity measures?

The reason is an open secret — an elephant in the room — in Silicon Valley, Miracco argues. Simply put, social media companies like their bots, according to Miracco.

The premise is this: Twitter makes money by selling ads. Bots look like users, to advertisers, so they bring in revenue all the same. More bots, more money.

In January, Musk threatened to back out of his Twitter buyout on the grounds that a large portion of the company’s stated users were, in fact, secretly bots. Perhaps his mood changed, however, after transitioning from an interested party to the outright owner. Miracco guesses that "revealing the problem now will result in a precipitous fall in traffic, so there needs to be some found revenue along the path to reduced traffic in order for the company to stay relevant, hence the API paywall."

He puts it in plain terms: "the paywall is dressed up to stop bots, but is really only to drive revenue."

The paywall just took effect. Time will tell whether it really does put a dent in Twitter's bot problem, or if it merely lines Musk's pockets.

Twitter did not immediately respond to a request for comment from Dark Reading.

Twitter Implements API Paywall, but Will That Solve Its Enormous Bot Crisis?

An active defense posture, where the defenders actively use threat intelligence and their own telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt threat actors.

Thursday, February 9, 2023 08:02

**Active defense a key approach to protecting against major threats**

Having an active defense posture, where the defenders actively use threat intelligence and their own environment telemetry to uncover potential compromises, is the next stage in the cyber security maturity road. Instead of waiting for detections to trigger, defenders can take initiative and hunt down threat actors inside their environment, putting a halt to their malicious activities before they can fully accomplish their goals.  

Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware. This is the time window when an active defense strategy can make the most impact, by looking from the inside out: The perimeter was already compromised, no relevant alerts were raised, and the attackers have already begun to carry out their malicious activities within the victim’s network.  

Conducting periodic threat hunting exercises increases the chances of detection. However, despite the potential benefits of threat hunting, the odds are against defenders, as the hunter has limited time and resources, their target is unknown, and the type of activity the defender is searching for is often undefined. As threat hunting becomes more routine and as the hunter becomes more familiar with the environment, this exercise will become more efficient, the findings and analysis will become more useful, and the defender’s visibility of the environment will improve.  

Besides the possible detection results, there are two important outcomes of threat hunting:  

*   **Identifying weak spots in the organization’s overall defense.** By analyzing successful detections at a deeper level, defenders can understand what failed and on which levels.  
    
*   **Exposing the blindspots in defenders’ network visibility.** Threat hunting is about analyzing the available information and searching for what shouldn't be there as well as identifying potentially useful data that we don’t have access to.  This type of assessment provides valuable information on what can be improved in the visibility of the environment.  
    

There is no “one size fits all” approach or “magic bullet” solution that will get organizations to their best defense posture. Rather, it's an iterative process that greatly improves with repetition. Threat hunting supports—and can dramatically improve—active defense, particularly when hunt results can be leveraged to  improve the environment. In the next sections, we introduce some of the quick wins that can help organizations implement an effective active defense approach.  

**Monitor DNS queries**

Monitoring the domain name system (DNS) queries provides a unique view into what is going on in the network. Analyzing the DNS query logs and singling out the systems that resolved recently created domains provides a good starting point. The analysis of known malicious domains should also be done, as that would provide visibility into the effectiveness of the first line of defense. Keep in mind that this is about searching for what was not detected, as known malicious domains should already be blocked.  

On the other hand, If a compromise did occur, the DNS query logs may also provide a good source of information about the adversary’s actions and the extent of their malicious activities on the network.

**Create high-priority alerts**

Implement high-priority triggers with near-zero false positive alerts. No organization has unlimited resources to monitor security events, as alert fatigue is a real problem in security operation centers. High-priority triggers won’t eliminate security incidents, but they will help focus on critical events.There are two types of these triggers: generic and intelligence-driven.  

The generic triggers are those that are designed to alert in the event of abnormal behavior usually triggered by attackers while trying to establish a foothold or while in search of relevant information. Here are a couple of examples of such triggers:  

*   Canary accounts - Accounts that are not used by the organization but are instead intended to lure malicious actors to use in their operations. Create triggers to events regarding these accounts’ usage.  
    
*   Monitor and raise alerts on administrative accounts - Newly created accounts where privileges are added, or password changes on already existing accounts are good events to monitor.  
    
*   Domain controllers contacting unknown systems - Communications on the domain controllers should be well known. Any communication starting from a domain controller to an unknown system should be targeted for in-depth analysis.  
    
*   Profile key systems’ dual usage tools executions - Attackers often hide their actions by using dual-use tools. Starting with the critical systems, profile the execution of such tools so that abnormal usage can be detected and investigated.  
    
*   Remote administration tools - Having a well-known usage pattern of such tools allows defenders to monitor for  unusual or anomalous usage.  
    

Intelligence-driven triggers, by comparison, are created by analyzing the dynamic tactics, techniques, and procedures (TTPs). Therefore, these triggers should alert on adversaries’ behaviors rather than more static indicators of compromise (IOCs), such as known lists of IPs or domains. Such activity should be detected by basic cyber security tools that are already in place, and these triggers should cover the TTPs generically used by threat actors that are applicable to one's organization. For example, if your organization doesn't use ConnectWise, TeamViewer or Anydesk, create a trigger in your monitoring system that will generate a high-priority alert whenever those tools are executed, as they are commonly used by threat actors. If a defender concludes that there is no way to create such an alert, then a blindspot has been found. The resolution of such an issue should be prioritized based on that organization’s resources and other competing issues that require attention.

**Perform root cause analysis on deep alerts**

The most important question a threat hunter must try to answer while doing detection systems log analysis is, “How did the malware get to the endpoint?” Deep alerts like this, that come from the most inner layer of the security architecture, need to be analyzed.  

Most organizations have a multi-layered, in-depth security architecture. When an endpoint defense system detects and blocks some malicious software, this is good news for the defenders. It's also an opportunity for the threat hunter to identify and improve the security in the organization. Having a multi-layered and in-depth architecture means that there are several security systems between the production systems and the untrusted environments. If a threat was detected and stopped in an organization’s most inner systems, then some outer layer defense failed.  

Conducting a root cause analysis is essential to determining what failed and how, as this will provide invaluable information to the continuous improvement process.  There can be multiple explanations for initial infection. For example, an endpoint can be compromised somewhere else and then connected to the organization’s environment, or credentials can be compromised and used to establish a malicious VPN connection.

**Monitor communications on critical systems**

Critical systems’ communications patterns can be the first high-priority alert indicating the potential exfiltration of information. Organizations don’t have infinite resources, and not all systems have the same value.  For example, a file server will have communications from a lot of systems, but not all systems/endpoints will transfer an abnormal quantity of information in a short amount of time. Or, if all the systems in the environment must use a local DNS server if a system attempts to contact Google or Cloudflare DNS servers, those systems should probably be reviewed. Having a list of critical systems is one of the basic steps that organizations with a mature security posture can take to help detect malicious activity early.  

**Improve your visibility**

Having good visibility into what is happening in the defender's environment is the first step to  performing threat hunting. However, the mere exercise of threat hunting will also show defenders if there are any blindspots, thus providing opportunities for improvement. Visibility should also be seen as a powerful source of information when recovering from a compromise. Organizations often don’t have the means to implement a complete, comprehensive detection system on their entire environment. However, that does not mean that some kind of logging should not be performed. Logs may be extremely relevant during the recovery phase of a compromise. Knowing how and when a compromise occurred, even after the fact, is crucial. Proper logging can be extremely useful in determining this information, especially when analyzed from a threat hunter’s point of view, so that they can also provide information that leads to the development of proper detections.  

**Deploy tiered accounts**

Have administration accounts that are only used on specific systems. Not all systems need to contact all the systems or the internet, and, likewise, not all accounts need to be used on all systems, especially if they are high-privilege accounts. Have specific domain administrator accounts, which are only used on domain controllers, complemented by second-tier administrator accounts. This tiering is done at the functional level and not at the privilege level. These two different account tiers may ultimately have the same privileges, but by tiering their access based on their functions,  it’s possible to set high-priority alerts to trigger when they behave abnormally.

Beyond the basics: Implementing an active defense

A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.
"The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said.
PIMEC, short for

Cyber Attack / Cyber Threat

A previously unknown threat actor dubbed **NewsPenguin** has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.

"The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said.

**PIMEC**, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to "jump start development in the maritime sector." It's scheduled to be held from February 10-12, 2023.

The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document.

Once the document is launched, a method called remote template injection is employed to fetch the next-stage payload from an actor-controlled server that's configured to return the artifact only if the request is sent from an IP address located in Pakistan.

BlackBerry said it found the server to be hosting two ZIP archive files sans any password protections, one of which includes a Windows executable (updates.exe) that functions as a covert spying tool capable of bypassing sandboxes and virtual machines.

What's more, the contents of the binary are encrypted with the XOR encryption algorithm, where the XOR key is "penguin." The HTTP response containing the backdoor also comes with the name parameter in the Content-Disposition response header set to "getlatestnews."

The name NewsPenguin is a reference to the uncommon XOR key and the name parameter, with BlackBerry finding no tactical overlaps that connect the malware to any currently-known threat actor or group.

An analysis of the domain hosting the payloads shows that it has been registered since June 30, 2022, indicating some level of advance planning for the campaign while simultaneously taking steps to iterate its toolset.

"As the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack," BlackBerry said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.
The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.
"The threat actor

Threat Intelligence / Malware

The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.

The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.

"The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours," Cybereason said in an analysis published February 8, 2023.

Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads.

The shift in tactics was first uncovered by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files that are served through compromised WordPress sites ranked higher in search engine results through poisoning techniques.

The attack chain relies on luring victims searching for agreements and contracts on DuckDuckGo and Google to the booby-trapped web page, ultimately leading to the deployment of Gootloader.

The latest wave is also notable for concealing the malicious code within legitimate JavaScript libraries such as jQuery, Chroma.js, Sizzle.js, and Underscore.js, which is then used to spawn a secondary 40 MB JavaScript payload that establishes persistence and launches the malware.

In the incident examined by Cybereason, the Gootloader infection is said to have paved the way for Cobalt Strike and SystemBC to conduct lateral movement and possible data exfiltration. The attack was ultimately foiled.

The disclosure comes amid the ongoing trend of abusing Google Ads by malware operators as an intrusion vector to distribute a variety of malware such as FormBook, IcedID, RedLine, Rhadamanthys, and Vidar.

The evolution of Gootloader into a sophisticated loader is further reflective of how threat actors are constantly seeking new targets and methods to maximize their profits by pivoting to a malware-as-a-service (MaaS) model and selling that access to other criminals.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

By Habiba Rashid
Has your Tor browser been slow for the past few months? Well, you are not alone; the ongoing DDoS attacks on the Tor network are keeping it slow worldwide.
This is a post from HackRead.com Read the original post: Tor Network Hit By a Series of Ongoing DDoS Attacks

The Tor Project revealed that its network has been suffering from “several different types of ongoing DDoS attacks (Distributed Denial of Service attacks) for at least seven months.

For Tor Browser users who have been wondering why the onion has been having network connectivity and performance issues lately, you are not alone; many others have had problems with the sites loading altogether. 

The Tor Project’s Executive Director, Isabela Dias Fernandes, reported on Tuesday that the network has been targeted by a wave of DDoS attacks (Distributed Denial of Service attacks) for at least the past seven months.

“At some points, the attacks impacted the network severely enough that users could not load pages or access onion services,” Fernandes said on Tuesday.

“We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue.”

Fernandes also promises that the Tor team will keep tweaking and improving the network defences to counter the ongoing issue. However, they have not yet discovered the goal of these attacks or the identity of the attackers behind them. The Tor Network team will also be expanded to include two new members focusing on .onion service development.

“To clarify, our services have not been down, but on occasion slow for some users, and it is important to note that the user experience is affected by a variety of factors, including what onion services are being used, or which relays get picked when they build a circuit through Tor.”

**_Quick FAQs_****What is Tor Browser?**

Tor Browser or “The Onion Router,” is a free, open-source web browser that allows users to browse the internet anonymously. It was originally developed for US Naval Intelligence in the mid-1990s and was released into the public domain in October 2002.

It is worth noting that the Tor browser utilizes multi-layered encryption of data packets, making it difficult, but not impossible, for anyone to track or monitor user activity on the internet.

The core concept behind Tor is that it creates a network of nodes with each layer acting as an encrypted tunnel so that when a user sends out information, they are virtually untraceable. With every node encrypted; no one can trace where the data originated from or who may have accessed it during transmission. As such, this makes Tor ideal for those looking to keep their online activities private and secure especially journalists and whistleblowers.

**What is a DDoS Attack?**

A DDoS attack stands for Distributed Denial-of-Service attack. It is a type of cyberattack that uses multiple compromised Internet of Things (IoT) or smart devices including computers, routers, cameras, etc. to create a botnet and send massive amounts of traffic to a single targeted server or website to overwhelm it and make it inaccessible for regular users.

1.  23% of Tor browser relays steal Bitcoin
2.  Tor Browser Flaw Leaks Your Real IP Address
3.  Best Dark Web Search Engines for Tor Browser
4.  Fake Tor Browser Spreads Malware Via YouTube
5.  Download official Tor browser on Android devices
6.  What Are Dark Web Search Engines – How to Find Them?

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tor Network Hit By a Series of Ongoing DDoS Attacks

The malware has affected thousands of VMware ESXi hypervisors in the last few days.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for victims of the ESXiArgs ransomware variant that affected thousands of organizations worldwide this week.

CISA's ESXiArgs-Recover tool is available for free on GitHub and organizations can use it to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have encrypted. Some organizations that used the tool have successfully recovered their encrypted files without having to pay a ransom, the agency noted.

However, any cybersecurity team that plans to use the tool should first make sure they understand how it works before attempting to recover files that EXSIArgs might have encrypted, CISA cautioned. "CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is \[a\] fit," for their environments, it noted.

ESXiArgs is a ransomware variant that France's Computer Emergency Response Team (CERT) first spotted Feb. 3 targeting VMware ESXi hypervisors worldwide. The malware exploits a 2-year old — and long-patched — remote code execution vulnerability (CVE-2021-21974) in Open Service Location Protocol (OpenSLP), an ESXi service for resolving network addresses.

**What is ESXiArgs?**

ESXiArgs has already infected more than 3,000 unpatched servers in the US, Canada, and multiple other countries. Victims have reported receiving a ransom demand of around 2 Bitcoin (or around $22,800 at press time) for the decryption key. Affected organizations have also reported the threat actor behind the campaign warning them to pay up within three days or risk having their sensitive information released publicly.

Security researchers that have analyzed ESXiArgs describe the malware's encryption process as specifically targeting virtual machine files so as to render the system unusable. In an alert earlier this week, Rapid 7 reported the malware was trying to shut down virtual machines by killing a specific process in the virtual machine kernel that handles I/O commands. In some cases, though, the malware was only partially successful in encrypting files and gave victims a chance to recover data, according to Rapid7.

In a Feb. 8 update, Rapid7 said its threat intelligence shows that multiple ransomware groups, in addition to the operator of ESXiArg, are targeting CVE-2021-21974 and other VMware ESXi vulnerabilities.

**Recovery Tool Based on Published Information**

CISA's recovery script is based on the work of two security researchers — Enes Sonmez and Ahmet Aykac — who showed how victims of ESXiArgs could reconstruct virtual machine metadata from disks that the ransomware might have failed to encrypt.

"This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs," CISA said. "While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit."

VMware itself has urged organizations to implement the patch it issued two years ago for the flaw that ESXiArgs is exploiting. As a temporary measure, organizations that have not patched the flaw should disable ESXi's service location protocol (SLP) to mitigate the risk of attack via ESXiArgs, VMware said. Another measure: Disable port 427 (the one SLP uses), where possible, Singapore's SingCERT advised in a notice.

CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

Apps like Telegram, WhatsApp, and Discord are a hotbed of cybercriminal communication and scams.

This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.

Over the last year, experts have increasingly found that cybercriminals are moving away from Dark Web forums in favor of messaging apps and encrypted communications channels. And more broadly, security analysts and researchers have released details showing how legitimate platforms like Telegram, WhatsApp, and Discord are becoming a hotbed of criminal activity — not only for cybercriminal communications but also for a wide range of scams and exploit campaigns.

**Exclu's Demise**

According to Dutch authorities, the action against Exclu, its creators, and its users was the culmination of an investigation that took nearly two years. The authorities estimated the app had about 3,000 users, those who utilized Exclu on smartphones through a licensing scheme for about €800 (approximately US $857) every six months. In exchange, they got access to a highly secure, encrypted platform that enabled them to privately exchange messages, photos, notes, chats, and other information to support their criminal activity.

Police in the Netherlands said they worked closely with different agencies across Europe, including Eurojust, Europol, and police forces in Italy, Sweden, France, and Germany. Dutch authorities particularly thanked the German Landeskriminalamt (LKA) Rheinland-Pfalz for its early investigations in June 2020 that first brought Exclu to their attention and provided key evidence for investigation. They say the longtime operation was able to crack Exclu using both hacking methods and traditional police investigative work.

The crackdown follows relatively closely on the heels of similar shutdowns of services like Sky ECC and EncroChat.

**The Messaging App Migration**

Many cybercriminals aren't resorting to private criminal messaging networks Exclu when they can just as easily (and cheaply) use and abuse legitimate messaging apps like Telegram, WhatsApp, and Discord.

Just last week, analysts with threat intelligence firm Flare ranked Telegram as one of the top illicit sources to monitor for cybercriminal activity in 2023. They report that cybercriminals are starting to utilize Telegram Groups as an extension of the reach of Dark Web forums for its anonymity and encrypted communications.

"Telegram has no traditional admins monitoring its groups and one-to-one chats, which is attractive for anonymity. Threat actors can also hide their phone numbers on the service," according to Flare's analysis in a recent blog post. "Telegram offers end-to-end encryption for messages by default, which helps to avoid potential man-in-the-middle attacks that can snoop on messages in transit. Dark Web forums and marketplaces also have an encryption option but threat actors need to use something like Pretty Good Privacy (PGP) to ensure encryption, which is less convenient."

This echoes similar research out last summer by Intel 471, which noted that the cybercriminal groups it was observing were leaning toward Telegram as the preferred method of anonymous communication compared to in-forum messaging services.

"Of the cybercriminal groups Intel 471 has observed, Telegram is considered the preferred method of anonymous communication as opposed to in-forum messaging services monitored by administrators. Telegram provides actors with near real-time, encrypted communication if both parties are online simultaneously, whereas in-forum messaging requires waiting for unencrypted mail notifications," Intel471's researchers wrote. "This lag time, along with other security risks associated with forum communications, regularly encourage actors to provide other contact details in forum advertisements, such as email addresses and Telegram IDs."

This finding came directly on the heels of another one from these researchers, which pointed out that Telegram and Discord aren't just for communiques — they're also being hijacked to launch an array of cyberattacks. More recently, KELA researchers reported that Telegram in particular is being used to sell and leak stolen data, use it as a channel for selling other illegal products, publicize information about their attacks, and build bots to bolster their infrastructure that launches attacks and exfiltrates data.

The Telegram bot problem has particularly been growing in its profile on security analyst radars.

"Telegram bots have become a popular choice for threat actors as they are a low-cost or free, single-pane-of-glass solution," says Joe Gallop, intelligence analysis manager at Cofense, who points to his firm's recent report that noted that the use of Telegram bots as exfiltration destinations for phished information exploded by more than 800% between 2021 and 2022. "Telegram bots are easy to set up in private and group chats, are compatible with a wide range of programming languages, and are easy to integrate into malicious media such as malware or credential phishing kits."

Tag

#intel