    Date: 6/20/2022

    Abuse of Sophos Zero-Day Vulnerability 

    Overview

    In early March 2022, security firm Volexity detected a sophisticated intrusion campaign against high-profile targets by a Chinese Advanced Persistent Threat (APT) group. The intrusions exploited CVE-2022-1040, a then-zero-day authentication bypass in the User Portal and Webadmin interfaces of Sophos Firewall that allows unauthenticated remote code execution on the appliance. Sophos published a hotfix for the flaw in March 2022.

    Volexity also observed the Behinder framework, a webshell and webshell-management toolkit frequently used by Chinese APT groups, on the compromised systems.

    Potential Impact

    Exploiting the firewall vulnerability gave the attackers a webshell on the appliance and, through it, a foothold inside the victim's network and control over traffic passing through the perimeter device. From that position the attackers performed man-in-the-middle (MitM) attacks by altering DNS responses for specific websites owned by the victim, redirecting users through attacker-controlled infrastructure and intercepting their credentials and session cookies. With the harvested website accounts, the attackers installed File Manager plugins on the victims' content management systems and used them to exfiltrate files and data.

    Recommended Actions

    Organizations should verify that any deployed Sophos firewalls are patched and up to date. For CVE-2022-1040 specifically, confirm that the Sophos hotfix has actually been applied, since hotfix delivery depends on the appliance's "Allow automatic installation of hotfixes" setting being enabled, and follow Sophos's guidance not to expose the User Portal and Webadmin interfaces to the WAN. Additionally, routine threat intelligence gathering on the organization's technology stack is highly recommended to stay on top of critical vulnerability announcements.

    Organizations should also deploy network security monitoring that logs and alerts on traffic originating from gateway devices themselves. A firewall should only initiate connections to a small, known set of vendor hosts, so any other outbound connection from the appliance, or DNS answers for the organization's own domains that point at unfamiliar addresses, warrants investigation.
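
    The two monitoring checks recommended above, as an added example written for this briefing (not code from Volexity, Sophos or the original page). The first compares DNS answers seen on the network for the organization's own names against a known-good baseline, which is how DNS rewriting by a compromised gateway would surface; the second flags connections whose source is the firewall itself and whose destination is outside a vendor allow list. The log formats, host names and addresses are constructed for the example.

```python
"""Two monitoring checks for the actions recommended above.

Added example for this briefing; it is not code from Volexity, Sophos or the
original page, and the log formats, host names and addresses are constructed.

dns_tampering():  the intrusions described above rewrote DNS answers for the
                  victims' own web sites, so compare observed A-record answers
                  for those names against a known-good baseline.
gateway_egress(): a webshell on a firewall has to call out to somewhere, so
                  flag connections whose *source* is the firewall itself and
                  whose destination is not on the vendor/update allow list.
"""
from ipaddress import ip_address, ip_network

# Known-good answers for the organization's own names (constructed).
ORG_DNS_BASELINE = {
    "www.example.org": {"203.0.113.10", "203.0.113.11"},
    "mail.example.org": {"203.0.113.20"},
}

# Constructed passive-DNS log, one record per line:
# <epoch> <client_ip> <qname> <rtype> <answer> <ttl>
DNS_LOG = """\
1646300000 10.0.5.23 www.example.org A 203.0.113.10 300
1646300005 10.0.5.23 mail.example.org A 203.0.113.20 300
1646300010 10.0.7.41 www.example.org A 198.51.100.77 60
1646300012 10.0.7.41 www.example.org A 203.0.113.11 300
1646300020 10.0.9.12 login.example.com A 192.0.2.9 300
"""


def dns_tampering(log_text, baseline):
    """Return answers for baselined names that point outside the baseline."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than failing the run
        _ts, client, qname, rtype, answer, ttl = fields
        qname = qname.lower().rstrip(".")
        if rtype != "A" or qname not in baseline:
            continue  # names we do not own are out of scope for this check
        if answer not in baseline[qname]:
            hits.append({"client": client, "qname": qname,
                         "answer": answer, "ttl": int(ttl)})
    return hits


# The firewall's own addresses and the destinations it is expected to talk to
# (vendor update/licensing range); both constructed for the example.
FIREWALL_IPS = {"192.0.2.1", "10.0.0.1"}
EGRESS_ALLOW = [ip_network("198.51.100.0/24")]

# Constructed flow log: <epoch> <src> <sport> <dst> <dport> <proto>
FLOW_LOG = """\
1646300100 192.0.2.1 51000 198.51.100.5 443 tcp
1646300130 192.0.2.1 51002 203.0.113.99 443 tcp
1646300131 10.0.5.23 40000 203.0.113.99 443 tcp
1646300140 10.0.0.1 52000 198.51.100.9 443 tcp
"""


def gateway_egress(flow_text, firewall_ips, allow):
    """Return flows initiated by the firewall to non-allow-listed destinations."""
    hits = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _ts, src, _sport, dst, dport, proto = fields
        if src not in firewall_ips:
            continue  # only the gateway's own outbound traffic is of interest
        dst_ip = ip_address(dst)
        if not any(dst_ip in net for net in allow):
            hits.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return hits


if __name__ == "__main__":
    for hit in dns_tampering(DNS_LOG, ORG_DNS_BASELINE):
        print("DNS answer outside baseline:", hit)
    for hit in gateway_egress(FLOW_LOG, FIREWALL_IPS, EGRESS_ALLOW):
        print("Firewall-initiated egress to unexpected host:", hit)
```

    In the constructed data, one client receives an answer for www.example.org outside the baseline with a suspiciously short TTL, and the firewall opens one connection to a host outside the vendor range; both are the kind of event that should page someone rather than sit in a log.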

      Increase in Cobalt Strike Attacks via Phishing

      Overview

      In early 2021, security researchers observed a new malware-as-a-service loader now known as Matanbuchus, which Palo Alto Networks' Unit 42 later analyzed, mapping much of its infrastructure. Recently, an uptick in Matanbuchus-based attacks that go on to deploy Cobalt Strike has been observed. The uptick is attributed to an ongoing phishing campaign that lures users into interacting with malicious emails by posing as replies to earlier correspondence, typically with a 'RE:' subject line.

      These emails carry a ZIP attachment containing an HTML file. When opened in a browser, the HTML file uses embedded script to generate a second ZIP archive, which contains the malicious MSI package. The MSI is signed with a valid code-signing certificate issued by DigiCert to "Westeast Tech Consulting, Corp".

      If run, the MSI package drops two Matanbuchus DLL payloads, creates a scheduled task for persistence, loads the loader DLL via regsvr32.exe, and establishes command-and-control (C2) communications, through which Cobalt Strike is delivered as the follow-on payload.

      Potential Impact

      This Matanbuchus phishing campaign has been successful at a larger than usual scale and should be treated as a live threat to organizations. Because the initial MSI package is digitally signed, some endpoint detection and response products may not alert on it at first. Once installed, Cobalt Strike becomes the primary framework for post-exploitation activity; it offers advanced lateral movement, persistence and exfiltration capabilities and excels at blending in with normal traffic.

      Recommended Actions

      To combat this campaign and malware combination, organizations should focus on security awareness training, with an emphasis on recognizing reply-chain phishing, and should block or sandbox HTML and MSI content delivered by email where the business allows. The following indicators of compromise (IoCs) have been published by Unit 42 and other researchers (see Sources); file hashes are MD5:

      • Westeast Tech Consulting, Corp – subject of the code-signing certificate on the MSI
      • SCAN-231112.zip – 9badba5d7900892e24216f2378a6b79a (email attachment)
      • SCAN-231112.html – 5303835908b6d8313a9e226f7b025217
      • SCAN-231112.zip – 01e4c8227b4c8d9dc8a310d1db9631a7 (archive generated by the HTML file)
      • SCAN-231112.pdf.msi – 4d5da2273e2d7cce6ac37027afd286af
      • main.dll – 1c5a0d343167085442299c29f3d88056 (one of the two malicious DLLs dropped by the MSI package)
      • 7ef00000.dll – 8af3ff76ad8dad4ddff9c16929f74d52
      • notify.vbs – 0308aa2c8dab8a69de41f5d16679bb9b
      • regsvr32.exe -n -i:"Install" C:\Users\User\AppData\Local\Adobe\FontPack\main.dll (command line used to load main.dll)
      • telemetrysystemcollection.com – 213.226.114.15:443
      • collectiontelemetrysystem.com – 213.226.114.15:48195
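
      A hunt over endpoint and network telemetry for the indicators listed above, as an added example written for this briefing (not code from Unit 42 or the original page). The indicator values are the ones published above; the event records it runs over are constructed to resemble process, file and connection telemetry and are not real observations. The regsvr32 check is deliberately broader than the single command line in the list: it flags any regsvr32 invocation that runs a DLL's install entry point (-i or /i) from a user-writable directory, so renamed drops of the same loader are caught too.

```python
"""Hunt for the Matanbuchus/Cobalt Strike indicators listed above.

Added example written for this briefing; it is not code from Unit 42 or from the
original page. The indicator values are the ones published above; the event
records it runs over are constructed to look like endpoint/network telemetry
(image, command line, file MD5, destination host/IP/port) and are not real
observations.

The regsvr32 check is deliberately broader than the single command line in the
IoC list: it flags any regsvr32 invocation that installs (-i / /i) a DLL from a
user-writable location, which catches renamed drops of the same loader.
"""
import re

FILE_MD5 = {
    "9badba5d7900892e24216f2378a6b79a": "SCAN-231112.zip",
    "5303835908b6d8313a9e226f7b025217": "SCAN-231112.html",
    "01e4c8227b4c8d9dc8a310d1db9631a7": "SCAN-231112.zip",
    "4d5da2273e2d7cce6ac37027afd286af": "SCAN-231112.pdf.msi",
    "1c5a0d343167085442299c29f3d88056": "main.dll",
    "8af3ff76ad8dad4ddff9c16929f74d52": "7ef00000.dll",
    "0308aa2c8dab8a69de41f5d16679bb9b": "notify.vbs",
}
C2_DOMAINS = {"telemetrysystemcollection.com", "collectiontelemetrysystem.com"}
C2_ENDPOINTS = {("213.226.114.15", 443), ("213.226.114.15", 48195)}
SIGNER = "westeast tech consulting, corp"

# Directories an ordinary user can write to; a DLL registered from one of
# these by regsvr32 is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "\\downloads\\")


def suspicious_regsvr32(cmdline):
    """True if regsvr32 is asked to run a DLL's install entry point (-i) from a
    user-writable path. -n suppresses DllRegisterServer, so "-n -i:<arg>" runs
    only DllInstall, which is how the IoC command line loads main.dll.
    Quotes are stripped before tokenizing; paths containing spaces would need
    a real Windows command-line parser."""
    tokens = cmdline.lower().replace('"', "").split()
    if not tokens or not re.fullmatch(r"(.*\\)?regsvr32(\.exe)?", tokens[0]):
        return False
    flags = {t.lstrip("-/").split(":")[0] for t in tokens[1:] if t.startswith(("-", "/"))}
    dlls = [t for t in tokens[1:] if not t.startswith(("-", "/")) and t.endswith(".dll")]
    return "i" in flags and any(any(d in p for d in USER_WRITABLE) for p in dlls)


def hunt(events):
    """Return (event_id, reason) for every event matching an indicator."""
    findings = []
    for ev in events:
        eid = ev["id"]
        md5 = ev.get("md5", "").lower()
        if md5 in FILE_MD5:
            findings.append((eid, f"known file hash ({FILE_MD5[md5]})"))
        if ev.get("signer", "").lower() == SIGNER:
            findings.append((eid, "binary signed with the abused certificate"))
        if suspicious_regsvr32(ev.get("cmdline", "")):
            findings.append((eid, "regsvr32 installing DLL from user-writable path"))
        if ev.get("domain", "").lower().rstrip(".") in C2_DOMAINS:
            findings.append((eid, "DNS/SNI to Matanbuchus C2 domain"))
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            findings.append((eid, "connection to Matanbuchus C2 endpoint"))
    return findings


# Constructed telemetry (not real observations).
SAMPLE_EVENTS = [
    {"id": 1, "image": "msiexec.exe", "md5": "4d5da2273e2d7cce6ac37027afd286af",
     "signer": "Westeast Tech Consulting, Corp"},
    {"id": 2, "image": "regsvr32.exe",
     "cmdline": 'regsvr32.exe -n -i:"Install" C:\\Users\\User\\AppData\\Local\\Adobe\\FontPack\\main.dll'},
    {"id": 3, "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vendor.dll"},
    {"id": 4, "domain": "telemetrysystemcollection.com",
     "dst_ip": "213.226.114.15", "dst_port": 443},
    {"id": 5, "domain": "update.example-vendor.com",
     "dst_ip": "198.51.100.20", "dst_port": 443},
]

if __name__ == "__main__":
    for eid, reason in hunt(SAMPLE_EVENTS):
        print(f"event {eid}: {reason}")
```

      Hash and C2 matches are exact and will age quickly as the actors rotate infrastructure; the behavioural regsvr32 rule is the part worth keeping in a detection ruleset after this campaign has moved on.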

      Sources
      https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-devices-with-cobalt-strike/?&web_view=true
      https://github.com/executemalware/Malware-IOCs/blob/main/2022-06-16%20Matanbuchus%20IOCs

      Kaiser Permanente Email Compromise Exposes More Than 69,000 Records

      Overview

      Kaiser Permanente reported in a notice on its website that on April 5, 2022, "an unauthorized party gained access to an employee's emails" and that it "determined that protected health information was contained in the emails". Correlation with the HHS Office for Civil Rights (OCR) breach portal listing of cases under investigation indicates that the information of 69,589 individuals was affected.

      Potential Impact

      A breach of this kind typically exposes the affected individuals to identity theft and medical fraud, and exposes Kaiser Permanente to regulatory fines under HIPAA.

      Commentary

      The remarkable thing about this breach is that the Protected Health Information (PHI) of almost seventy thousand people was sitting in a single email account. Email is not generally considered a secure channel for sensitive information, and a mailbox holding this much PHI suggests that emailing PHI was business as usual for the affected employee. It is also surprising that Kaiser was not applying effective data loss prevention (DLP) controls to its email systems.

      Recommended Actions

      Email DLP should be part of every corporate data security program. Additionally, unless it is part of a planned program with appropriate security controls (encryption, retention limits and access logging), email should be considered an inappropriate means of exchanging sensitive information.

      Sources
      https://healthy.kaiserpermanente.org/content/dam/kporg/final/documents/member-services-information/policies/substitute-notice-wa-en.pdf
      https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

      More Active Exploits Against Atlassian Confluence Vulnerability

      Overview

      The recently disclosed Atlassian Confluence vulnerability CVE-2022-26134, an unauthenticated OGNL injection reachable through a crafted request URI, is still being actively exploited. Exploitation allows an attacker to execute arbitrary code on the Confluence server, open a remote shell, and run payloads in memory without writing them to disk.

      Potential Impact

      The scope of post-exploitation activity is growing. Attackers are deploying ransomware such as a Cerber variant and cryptominers such as z0miner. Other observed post-exploitation activity includes botnets such as Mirai and Kinsing and post-exploitation toolkits such as Cobalt Strike.

      Recommended Actions

      All supported versions of Confluence Server and Data Center are affected (Confluence Cloud is not). Administrators are advised to upgrade immediately to a fixed release (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 or 7.18.1) or, until they can, apply Atlassian's interim workaround and remove Internet access to these systems. Because exploitation is unauthenticated and leaves its payload in the request URI, web access logs should be reviewed for suspicious requests, and any instance that was exposed before patching should be treated as potentially compromised rather than merely vulnerable.
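
      A scan of web access logs for exploitation attempts, as an added example written for this briefing (not code from Atlassian or the original page). Because CVE-2022-26134 is reached through the request URI, an attempt leaves a path containing an OGNL expression such as ${...}, usually percent-encoded and sometimes double-encoded to evade naive filters; the scanner decodes until the path is stable before matching. The log lines are constructed in the common combined log format and are not real traffic.

```python
"""Scan web access logs for CVE-2022-26134 exploitation attempts.

Added example written for this briefing, not code from Atlassian or the original
page. CVE-2022-26134 is an unauthenticated OGNL injection reached through the
request URI, so an exploitation attempt leaves a request path containing an OGNL
expression (${...} or %{...}), usually URL-encoded and sometimes double-encoded
to slip past naive filters. The log lines below are constructed in the common
combined log format and are not real traffic.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
OGNL_MARKERS = ("${", "%{")
# Tokens that turn an expression probe into code execution; used for severity.
EXEC_HINTS = ("@java.lang", "getruntime", "processbuilder", "exec(", "getclass(")


def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (stop when stable)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(lines):
    """Return one finding per request whose decoded path carries an OGNL expression."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Only the path matters: the injection point for this CVE is the URI
        # itself, so the query string is dropped before decoding.
        path = fully_decode(m["uri"].split("?", 1)[0])
        if not any(marker in path for marker in OGNL_MARKERS):
            continue
        lowered = path.lower()
        severity = "high" if any(h in lowered for h in EXEC_HINTS) else "medium"
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": path, "severity": severity})
    return findings


# Constructed log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:12:01 +0000] "GET /pages/viewpage.action?pageId=65541 HTTP/1.1" 200 5123',
    '198.51.100.23 - - [03/Jun/2022:10:12:09 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0',
    '198.51.100.23 - - [03/Jun/2022:10:12:15 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0',
    '10.0.4.8 - - [03/Jun/2022:10:13:00 +0000] "POST /rest/api/content HTTP/1.1" 200 844',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']}")
```

      A medium-severity hit is an attacker probing whether the instance evaluates expressions at all; a high-severity hit means a payload was attempted, and the host should be taken through incident response regardless of the HTTP status the server returned.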

      Sources
      https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html

      ‘Panchan’ Botnet Targeting Linux Servers in Education Sector

      Overview

      Attackers are targeting Linux servers with a Golang-based peer-to-peer botnet dubbed Panchan. Researchers report that it has been targeting Linux servers in the education sector since March 2022. Panchan gains access by a dictionary attack over SSH using a small list of default and common passwords.

      Potential Impact

      Once authenticated, the malware deploys cryptominers such as XMRig and nbhash, running them in memory without any persistence on local disk. It also harvests SSH keys from the compromised system and uses them to perform lateral movement to other servers the victim can reach.

      Recommended Actions

      Panchan can be mitigated by requiring multifactor authentication on SSH or by restricting SSH access to Linux servers to trusted sources only. Password hygiene, in particular changing default SSH passwords and, where feasible, disabling password authentication in favor of keys, removes the dictionary attack entirely. Because the malware harvests SSH keys for lateral movement, private keys should be protected with passphrases and accepted only from the hosts that legitimately use them (for example with a from= restriction in authorized_keys), and network segmentation and access control should limit where a harvested key could be used. Finally, a burst of failed SSH logins from a single source followed by a successful one is the signature of this attack and should be alerted on.
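
      The detection described in the last sentence above, as an added example written for this briefing (not code from the Panchan researchers or the original page). It reads OpenSSH syslog lines: a source that fails password authentication many times across several usernames inside a short window is brute-forcing, and an accepted login from that same source afterwards is the likely compromise and should be handled as an incident rather than counted as a success. The thresholds, host name and log lines are constructed and use documentation addresses.

```python
"""Spot the SSH dictionary attack described above, and the login that follows it.

Added example for this briefing (not code from the Panchan researchers or the
original page). It reads OpenSSH syslog lines: a source that fails password
authentication many times across several usernames in a short window is
brute-forcing; an *accepted* login from that same source afterwards is the
likely compromise and should be treated as an incident, not a success. The log
lines are constructed and use documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Parse one sshd syslog line into a dict, or None if it is not an auth event."""
    m = SSH_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, fail_threshold=10, min_users=3, window=timedelta(minutes=10)):
    """Return (brute_forcers, compromised): brute_forcers maps source IP to the
    usernames it tried; compromised lists accepted logins from a source that had
    already crossed the brute-force threshold."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> [(ts, user), ...] inside the window
    brute_forcers, compromised = {}, []
    for e in events:
        ip = e["ip"]
        if e["outcome"] == "Failed":
            failures[ip].append((e["ts"], e["user"]))
            failures[ip] = [f for f in failures[ip] if e["ts"] - f[0] <= window]
            users = {u for _, u in failures[ip]}
            if len(failures[ip]) >= fail_threshold and len(users) >= min_users:
                brute_forcers[ip] = sorted(users)
        elif ip in brute_forcers:
            compromised.append({"ip": ip, "user": e["user"], "method": e["method"],
                                "ts": e["ts"].strftime("%b %d %H:%M:%S")})
    return brute_forcers, compromised


# Constructed sshd log: one legitimate key login, a default-password dictionary
# run from 198.51.100.7 that eventually succeeds as root, and a single typo.
SAMPLE_LOG = [
    "Mar 14 02:09:55 lab-srv1 sshd[2201]: Accepted publickey for deploy from 10.0.3.5 port 50120 ssh2",
    "Mar 14 02:10:01 lab-srv1 sshd[2231]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Mar 14 02:10:03 lab-srv1 sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 40024 ssh2",
    "Mar 14 02:10:05 lab-srv1 sshd[2235]: Failed password for invalid user ubuntu from 198.51.100.7 port 40026 ssh2",
    "Mar 14 02:10:07 lab-srv1 sshd[2237]: Failed password for invalid user pi from 198.51.100.7 port 40028 ssh2",
    "Mar 14 02:10:09 lab-srv1 sshd[2239]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2",
    "Mar 14 02:10:11 lab-srv1 sshd[2241]: Failed password for root from 198.51.100.7 port 40032 ssh2",
    "Mar 14 02:10:13 lab-srv1 sshd[2243]: Failed password for invalid user oracle from 198.51.100.7 port 40034 ssh2",
    "Mar 14 02:10:15 lab-srv1 sshd[2245]: Failed password for root from 198.51.100.7 port 40036 ssh2",
    "Mar 14 02:10:17 lab-srv1 sshd[2247]: Failed password for invalid user admin from 198.51.100.7 port 40038 ssh2",
    "Mar 14 02:10:19 lab-srv1 sshd[2249]: Failed password for root from 198.51.100.7 port 40040 ssh2",
    "Mar 14 02:10:21 lab-srv1 sshd[2251]: Failed password for invalid user user from 198.51.100.7 port 40042 ssh2",
    "Mar 14 02:10:23 lab-srv1 sshd[2253]: Failed password for root from 198.51.100.7 port 40044 ssh2",
    "Mar 14 02:10:31 lab-srv1 sshd[2260]: Accepted password for root from 198.51.100.7 port 40046 ssh2",
    "Mar 14 02:12:40 lab-srv1 sshd[2302]: Failed password for deploy from 10.0.3.5 port 50130 ssh2",
]

if __name__ == "__main__":
    brute, owned = detect(SAMPLE_LOG)
    for ip, users in brute.items():
        print(f"dictionary attack from {ip}: tried {', '.join(users)}")
    for c in owned:
        print(f"LIKELY COMPROMISE: {c['user']}@{c['ip']} via {c['method']} at {c['ts']}")
```

      The "accepted after brute force" correlation is what separates this from a generic fail2ban-style block list: a blocked source is noise, but a source that was guessing and then got in is the host you need to isolate before it starts reusing the SSH keys it finds.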

      Sources
      https://www.techrepublic.com/article/botnet-panchan-attacking-server/
      https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html

      Proofpoint Identifies Method for Ransoming Microsoft 365 Files

      Overview

      Cybersecurity company Proofpoint published an article on June 16, 2022, titled "Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive". The article describes how an attacker with access to a user's account, or a malicious OAuth application with sufficient permissions, can reduce the versioning limit of a SharePoint or OneDrive document library to one and then encrypt each file more times than that limit (twice, for a limit of one), leaving no clean prior version to restore from, and follow through with a ransom demand.

      Potential Impact

      Ransomware is a constant threat, and data, wherever it is stored, needs to be managed and secured. This article is not a major discovery, but rather a reminder that vigilance and a carefully planned security program are essential to business management.

      Recommended Actions

      Implement a comprehensive data classification, security and monitoring program to protect information wherever it is stored. For Microsoft 365 specifically, maintain backups of SharePoint and OneDrive data outside the tenant, alert on changes to document-library versioning settings and on risky OAuth application grants, and enforce strong authentication so that the account takeover the technique depends on is harder to achieve.

      Sources
      https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

