    Date: 05/09/2023

    New Cactus Ransomware Targets VPN Appliances

    Overview

    A new ransomware group called Cactus has been observed targeting known vulnerabilities in Fortinet VPN appliances to gain a foothold in target environments and pivot using VPN service accounts. Additionally, Cactus ransomware can potentially evade monitoring and prevention tools by encrypting itself, making it critical that organizations recognize and respond to early indicators of compromise.

    Potential Impact

    Potential impact includes data exposure or exfiltration and encryption of files across the network. Prior to encryption, indicators observed in affected environments include network scanning tools, PowerShell commands used to enumerate network information, remote access tools such as AnyDesk, and batch scripts that disable antivirus processes.

    Recommended Actions

    Ensure Internet-facing systems and network devices are patched and scanned for vulnerabilities. It is also critical that all systems are protected by Endpoint Detection & Response (EDR) software with 24/7/365 monitoring. Organizations should also maintain a baseline of normal application usage to make anomalies easier to spot, since some of the tools deployed by attackers are legitimate and are not flagged by antivirus software.


      BabyShark Recon Tool Undergoes Development

      Overview

      The North Korean-linked hacking group Kimsuky recently launched a reconnaissance tool called ReconShark. The group targets government entities, think tanks, research universities, and IT firms worldwide using spear-phishing emails, OneDrive links, and malicious macros. ReconShark can steal sensitive data, including system information, connected batteries, and endpoint threat detection mechanisms. It also abuses Windows Management Instrumentation (WMI) and can identify installed endpoint security software, which makes it harder to detect. Kimsuky has equipped ReconShark with additional capabilities to evade defenses and exploit vulnerabilities in platforms.

      Potential Impact

      Kimsuky’s campaign using ReconShark can result in a significant breach of sensitive data, leading to financial and reputational damage to companies. The malware can evade endpoint security software, making it harder to detect and protect against. If successful, the attack can also lead to the theft of credentials and unauthorized fund transfers.

      Recommended Actions

      Companies should take proactive measures to mitigate the risk of such attacks by implementing security measures like multi-factor authentication, email security solutions, and endpoint protection. Educating employees on the importance of security protocols, including not clicking on unknown links and suspicious emails, is crucial.

      Furthermore, companies should monitor their systems for suspicious activity and ensure they are updated with the latest security patches.

      Sources

      https://cyware.com/news/kimsuky-enhances-its-babyshark-recon-tool-in-a-global-campaign-01e6faca

      CERT-UA Warns of SmokeLoader Campaign

      Overview

      Ukraine’s CERT-UA has issued an alert warning of an ongoing phishing campaign that distributes the SmokeLoader malware as a polyglot file. Threat actors are sending emails from compromised accounts with the subject “bill/payment” and a ZIP archive attached. The JavaScript used in the attack launches PowerShell to download and execute an executable that in turn launches the SmokeLoader malware.

      SmokeLoader acts as a loader for other malware; once executed, it injects malicious code into the running explorer process and downloads a further payload to the system. The financially motivated threat actor UAC-0006, active since 2013, is attributed to this campaign, which focuses on compromising accountants’ PCs, stealing credentials, and making unauthorized fund transfers.

      Potential Impact

      The phishing campaign distributing the SmokeLoader malware can compromise a company’s financial activities, such as access to remote banking systems, by stealing credentials and making unauthorized fund transfers. Companies that use compromised VPN credentials risk being targeted by threat actors such as the Russia-linked Sandworm APT group. The impact on businesses includes loss of data, financial loss, and reputational damage.

      Recommended Actions

      Companies should take preventive measures, such as training employees to recognize phishing emails and avoid opening attachments from unknown sources. They should also implement security solutions such as firewalls, antivirus software, and intrusion detection systems to detect and block malicious traffic. In addition, companies should regularly update their software and apply security patches to minimize system vulnerabilities. Finally, companies should monitor their networks for any unusual activity and have a response plan in place in case of a security breach.

      Sources

      https://securityaffairs.com/145911/malware/cert-ua-smokeloader-campaign.html?web_view=true

      https://securityaffairs.com/138251/malware/smokeloader-delivers-laplas-clipper.html

      Vulnerability in Popular WordPress Plugin

      Overview

      The “Advanced Custom Fields” plugin for WordPress is affected by a new reflected cross-site scripting vulnerability that could potentially be exploited to inject code into websites. The vulnerability is tracked as CVE-2023-30777. The plugin has about 2 million active installations.

      Potential Impact

      The vulnerability allows malicious code to be executed in an end user’s browser after visiting a crafted link distributed by attackers or the affected site.

      Recommended Actions

      All users of Advanced Custom Fields should upgrade to version 6.1.6 or later as soon as possible. It is recommended that administrators establish processes for monitoring WordPress plugin vulnerabilities and addressing them efficiently.

      Sources

      https://www.bleepingcomputer.com/news/security/wordpress-custom-field-plugin-bug-exposes-over-1m-sites-to-xss-attacks/

      https://thehackernews.com/2023/05/new-vulnerability-in-popular-wordpress.html

      Meta Introduces New Security Controls for Business Accounts

      Overview

      On May 3, Meta published a blog post describing recent efforts to combat malware and introduced some new controls available for business users. These include enhanced visibility and control over business administrator accounts, “increased protection for sensitive account actions”, and the introduction of “Meta Work accounts”, which will allow users to administer Meta Business Manager without having a personal account.

      Potential Impact

      These measures will help businesses keep their Meta accounts and account data secure.

      Recommended Actions

      Recovering from a social media account compromise can be costly. Take this as a reminder to review the security measures offered by all of the social media platforms used by your company and update controls and settings accordingly. Read the article below, and utilize any settings relevant to your business.

      Sources

      https://about.fb.com/news/2023/05/how-meta-protects-businesses-from-malware/

      https://www.wired.com/story/meta-attacker-tactics-business-tool/

      Woman Loses $20k After Scanning a QR Code and Downloading Malicious App

      Overview

      The Straits Times reported on May 7 that a woman in Singapore scanned a QR code at a bubble tea shop inviting her to take a survey. The survey was a scam that tricked the woman into installing an app on her phone, resulting in attackers stealing $20,000 from her bank account.

      Potential Impact

      Singaporean police told the Straits Times that 113 people had been victimized by similar scams, with the reported losses by victims totaling more than $445,000.

      A malicious app can lead to devastating consequences for individuals and corporations if it provides attackers access to the right pieces of sensitive information. The impact of this type of scam will grow over time. One only needs a little imagination to envision how much more of our sensitive data will be housed in smartphones in the coming years.

      Recommended Actions

      Exercise caution whenever adding apps to your mobile device, and install apps sparingly. Be cautious about scanning QR codes in public, and always check that the website you are redirected to looks legitimate.

      Sources

      https://www.straitstimes.com/singapore/woman-who-scanned-qr-code-with-malware-lost-20k-to-bubble-tea-survey-scam-while-she-was-sleeping

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
