
Date: 4/4/2022

RAT Campaign Looks to take Advantage of the Tax Season 

Overview

A remote access trojan (RAT) has been identified in a phishing campaign that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems.

Potential Impact

This campaign leverages NetSupport Manager, a legitimate troubleshooting and screen control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems. The PDC has seen tax-related campaigns in the past that were used to steal employee credentials; however, this attack is unique in that it installs malware.

Recommended Actions
  • Utilize a Secure Email Gateway (SEG) to prevent Command and Control (C2) actions
  • Give strong consideration to an AI-based tool for enhanced email security
  • Look closely at which remote access tools are being utilized in your organization and how they are configured

Sources
Cofense Phishing Defense Center (PDC): https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season

SpringShell:  No Need to Panic, But Please Follow Recommendations

Overview

Security teams around the world got another shock on Thursday when a PoC for an unauthenticated RCE zero-day vulnerability in Spring Core, a massively popular framework for building modern Java-based enterprise applications, was disclosed. Unlike Log4Shell, this new flaw – CVE-2022-22965, also known as Spring4Shell – seems to be exploitable only in certain configurations.

Potential Impact

A Java Spring Core RCE 0-day exploit has been leaked. It was leaked by a Chinese security researcher who, since sharing and/or leaking it, has deleted their Twitter account.

Spring4Shell is a bypass of an incomplete patch for CVE-2010-1622, an old code injection vulnerability in the Spring Core Framework, and affects Spring Core on Java Development Kit (JDK) version 9 or later.

The existence of the vulnerability was made public when a Chinese-speaking researcher released PoC exploit code for it on GitHub and told the world about it on Twitter (the post and the tweets were deleted soon after).

Several PoCs for Spring4Shell have since appeared online, and the effectiveness of some of them has been confirmed.

General Recommended Actions
  1. A vulnerable test application is available in this GitHub repository: https://github.com/lunasec-io/spring-rce-vulnerable-app/blob/main/src/main/java/fr/christophetd/log4shell/vulnerableapp/MainController.java
  2. Or you may use the following non-malicious request from Randori to test susceptibility to the Spring Framework 0-day RCE. An HTTP 400 return code indicates vulnerability:
     $ curl 'host:port/path?class.module.classLoader.URLs%5B0%5D=0'
  3. Spring has confirmed the zero-day vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 and Spring Boot (which depends on the Spring Framework) versions 2.5.12 and 2.6.6 to address it. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.
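The version and JDK conditions in the recommendations above can be turned into a quick inventory check. The following is an added example, not code from the briefing or from Spring; it assumes the input is the text output of `mvn dependency:list` (or a similar group:artifact:jar:version:scope listing) and uses only the fixed releases and the JDK 9+ condition stated above.

```python
import re
from typing import Dict, List, Tuple

# First fixed patch release per branch, as stated in the advisory:
# Spring Framework 5.3.18 / 5.2.20 and Spring Boot 2.5.12 / 2.6.6.
FIXED_PATCH: Dict[str, Dict[Tuple[int, int], int]] = {
    "org.springframework:spring-core": {(5, 3): 18, (5, 2): 20},
    "org.springframework:spring-webmvc": {(5, 3): 18, (5, 2): 20},
    "org.springframework:spring-webflux": {(5, 3): 18, (5, 2): 20},
    "org.springframework.boot:spring-boot": {(2, 6): 6, (2, 5): 12},
}

# Matches one line of `mvn dependency:list` output, e.g.
# "[INFO]    org.springframework:spring-core:jar:5.3.17:compile"
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:(\d+)\.(\d+)\.(\d+)[\w.\-]*:\w+")


def classify(coord: str, major: int, minor: int, patch: int, jdk_major: int) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'review' for one artifact."""
    branches = FIXED_PATCH.get(coord)
    if branches is None:
        return "review"          # not a Spring artifact the advisory names
    if jdk_major < 9:
        return "not-affected"    # advisory: only JDK 9+ is affected
    fixed = branches.get((major, minor))
    if fixed is None:
        return "review"          # branch not covered by the advisory; check vendor
    return "fixed" if patch >= fixed else "vulnerable"


def assess(listing: str, jdk_major: int) -> List[Tuple[str, str, str]]:
    """Parse a dependency listing and classify each Spring artifact it names."""
    findings = []
    for line in listing.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, major, minor, patch = m.groups()
        coord = f"{group}:{artifact}"
        if coord not in FIXED_PATCH:
            continue             # unrelated dependency
        status = classify(coord, int(major), int(minor), int(patch), jdk_major)
        findings.append((coord, f"{major}.{minor}.{patch}", status))
    return findings


# Constructed sample listing (not from a real build) for a stand-alone run.
SAMPLE_LISTING = """[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile"""

if __name__ == "__main__":
    for coord, version, status in assess(SAMPLE_LISTING, jdk_major=11):
        print(f"{status:12} {coord} {version}")
```

Artifacts on branches the advisory does not list come back as "review" rather than being assumed safe, so they still surface for a manual check against Spring's own release notes.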

Sources

Rapid7: https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
Help Net Security: https://www.helpnetsecurity.com/2022/04/01/cve-2022-22965/
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965

Additional Details Regarding Okta Breach; Okta’s Slow Release of Information

Overview

Details about the breach of the online identity management service Okta were revealed last week, indicating that Okta was very slow to disclose the extent of the malicious activity it experienced.

How do you know if you are vulnerable?

Okta has reached out to the customers it knows to have been affected. Considering the slow release of information from Okta, there may be more to come. As of this morning (April 4, 2022), Okta states that it is still investigating the breach.

Potential Impact

For affected customers, it is possible that attackers could have taken over some accounts.

Recommended Actions

If Okta customers are concerned about the potential impact of this breach, resetting credentials for any users who have changed their passwords since January should ensure that threats stemming from this breach are mitigated. Companies should also remind employees to pay careful attention when approving multi-factor authentication prompts.

Active Exploitation of Log4Shell Vulnerabilities on VMware Horizon servers

Overview

Sophos has reported that attacker groups, specifically Initial Access Brokers, have been actively exploiting Log4Shell vulnerabilities on unpatched Internet-facing VMware Horizon servers.

Potential Impact

Initial Access Brokers aim to establish backdoor access within targeted networks and later sell that access to groups wanting to deploy ransomware. Post-exploitation activity might include deploying Remote Monitoring and Management (RMM) tools, PowerShell-based scripts, or cryptomining software.

Recommended Actions

Review VMware Horizon services and update Log4j components as soon as possible. Internet-facing servers should be prioritized. Ensure endpoint security tools are properly functioning on such systems.

Sources
https://www.sophos.com/en-us/press-office/press-releases/2022/03/attackers-are-using-the-log4shell-vulnerability-to-deliver-backdoors-to-virtual-servers

Android Process Manager Spyware

Overview

Android users may be spied on by an application that disguises itself as "Process Manager" but is actually spyware. After launch, the application removes its icon and runs continuously in the background, appearing as a system service to further hide itself. Users are at risk if a notification for the app remains and the app is constantly running in the background.

Potential Impact

From the first time the application launches, 18 permissions are granted, including access to fine and coarse location, network and Wi-Fi state, the camera and microphone, the internet, call logs, contacts, messages, external storage, and the device's wake lock. Considering that threat actors then have access to many components of people's personal lives, this poses a great privacy risk to individuals and the nation.

Recommended Actions

To ensure security, Android users are directed to assess the application permissions they have granted and revoke any that are not necessary. Users running Android 12 should pay attention to the indicator notifications shown when the camera and microphone are on. Users operating older versions should update their software and be mindful that threat actors may install other suspicious applications for their own benefit, such as applications that earn "wallet cash".

Sources
Newly found Android malware records audio, tracks your location (bleepingcomputer.com)

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
