
Date: 4/18/2022

ZLoader2 a.k.a The Silent Night

Overview

Microsoft recently announced a joint investigation with multiple security companies and information sharing and analysis centers (ISACs) with the aim of taking down the Zloader botnet, and took the whole case to court.

Potential Impact

Zloader 2 (also known as Silent Night) is a multifunctional modular banking malware, aimed at providing unauthorized access to online banking systems, payment systems, and other financial-related services. In addition to these functions, it is able to download and execute arbitrary files, steal files, inject arbitrary code into visited HTML pages, and so on. In 2021, the attackers abused Google AdWords to advertise sites offering a fake Zoom communication tool that actually installed Zloader. Downloaders are distributed in a packed form, sometimes signed with a valid digital signature.

Ursnif, also known as Gozi and ISFB, is another banking malware family with similar functions that became very popular during the early part of the pandemic period in mid-2020.

Recommended Actions

The best advice for prevention is ordinarily quite simple: do not click on links or download attachments contained in emails from unknown senders.

Below are some additional tips for preventing ZLoader:

  • Deploy an antivirus, anti-malware, endpoint detection and response or email security solution to help you catch email-spread threats such as ZLoader
  • As always, change your passwords regularly

Sources
Avast Labs: https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/

Carbanak Group Extends Their Cybercrime to Ransomware

Overview

Recent changes in the Carbanak cybercrime group’s TTPs became evident in several attacks that used its PowerPlant malware. Carbanak is highly resilient, continuing to operate despite law-enforcement operations that resulted in the arrest of three members in 2018.

Carbanak is known to be an innovator in the world of cybercrime, with a highly sophisticated approach.

Potential Impact

Carbanak reportedly delivered PowerPlant to targeted companies via a supply-chain attack, modifying download links on the websites of companies selling digital goods. The modified links redirected site visitors to an Amazon S3 bucket that hosted a legitimate remote management tool, which deployed the malware to the victims’ systems.

General Recommended Actions

Carbanak/FIN7 is very sophisticated and requires tools that provide visibility, correlated detection, and behavior monitoring across multiple layers: email, endpoints, servers, cloud workloads.

Additionally, the ability to stop the establishment of command-and-control channels and the use of multi-factor authentication are both key in stopping credential access, lateral movement, discovery, data collection and defense evasion, all functions utilized by the Carbanak unit.

Sources
TrendMicro: https://www.trendmicro.com/en_us/research/21/d/carbanak-and-fin7-attack-techniques.html
Mitre.org: https://attack.mitre.org/groups/G0008/

Cisco WLAN Controller Software Critical Vulnerability

Overview

CVE-2022-20695 allows attackers to manipulate the management interface and log in to the victim device without legitimate credentials. Vulnerable Cisco WLC systems include those running Release 8.10.151.0 or Release 8.10.162.0 with “macfilter radius compatibility” configured as “Other.”

Furthermore, the products affected include the 3504 Wireless Controller, 5520 Wireless Controller, 8540 Wireless Controller, Mobility Express, and Virtual Wireless Controller (vWLC).

Potential Impact

This vulnerability is rated critical and earned a CVSS score of 10, as standard authentication procedures are bypassed due to the weak password validation algorithm. If the device configuration matches the vulnerable conditions, the threat actor will be able to use their own constructed credentials to gain privilege and become an administrative user.

Recommended Actions

Check whether you are vulnerable by running the “show macfilter summary” command and confirming that Radius Compatibility Mode is not set to “other”. If it is, update to Release 8.10.171.0 or later to mitigate the issue; the update is recommended regardless of whether Radius Compatibility Mode is set to “other”.
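The following triage script is an added example, not part of the briefing or a Cisco tool. It applies the conditions above (the two affected releases, the “Other” compatibility mode, and the 8.10.171.0 fixed release) to an inventory of controllers; the inventory line format and the sample hostnames are constructed for this example, with release and mode values assumed to have been copied by hand from `show sysinfo` and `show macfilter summary` output.

```python
"""Triage a Cisco WLC inventory against CVE-2022-20695 (added example).

Assumed inventory format (not from the briefing):
    <hostname>,<software release>,<RADIUS compatibility mode>
"""
from typing import List, Tuple

AFFECTED_RELEASES = {"8.10.151.0", "8.10.162.0"}  # releases named in the briefing
FIXED_RELEASE = "8.10.171.0"                       # first fixed release per the briefing


def parse_release(release: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '8.10.162.0' into a comparable tuple."""
    return tuple(int(part) for part in release.strip().split("."))


def classify(release: str, compat_mode: str) -> str:
    """Classify one controller.

    'VULNERABLE' - affected release AND RADIUS compatibility mode set to Other
    'UPGRADE'    - below the fixed release; not exploitable as configured, but the
                   briefing recommends upgrading regardless of the mode setting
    'OK'         - already on the fixed release or later
    """
    if parse_release(release) >= parse_release(FIXED_RELEASE):
        return "OK"
    if release.strip() in AFFECTED_RELEASES and compat_mode.strip().lower() == "other":
        return "VULNERABLE"
    return "UPGRADE"


def triage(inventory: str) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every non-empty inventory line."""
    results = []
    for line in inventory.strip().splitlines():
        host, release, mode = (field.strip() for field in line.split(","))
        results.append((host, classify(release, mode)))
    return results


# Constructed sample inventory for demonstration only, not real device data.
SAMPLE_INVENTORY = """
wlc-hq-01,8.10.162.0,Other
wlc-hq-02,8.10.162.0,Cisco ACS
wlc-dc-01,8.10.151.0,Other
wlc-lab-01,8.10.171.0,Other
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```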

Sources
Cisco vulnerability lets hackers craft their own login credentials (bleepingcomputer.com)

Critical VMware Workspace ONE Vulnerability

Overview

A critical VMware Workspace ONE vulnerability is being actively exploited in the wild. The vulnerability is tracked as CVE-2022-22954 and relates to a server-side template injection in VMware Workspace ONE Access and Identity Manager.

Potential Impact

Malicious actors correctly positioned to exploit this vulnerability could gain remote code execution. Actors could use this vulnerability to gain a foothold within a victim environment as an initial step in a more severe attack.

Recommended Actions

A patch for CVE-2022-22954 is available and should be applied immediately. Workarounds are not recommended, as they may introduce additional risk to systems. Continue to monitor for new security advisories for VMware products, as these products are repeatedly exploited by nation-state groups.

Sources
https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.
