
    Date: 9/6/2022

    Almost 10K Credentials Stolen, More Than Half with Multi-Factor Authentication (MFA) Codes

    Overview

    According to research by Group-IB, the threat actor group dubbed “Oktapus” launched a multi-pronged attack against at least 136 Software-as-a-Service (SaaS) organizations.

    This attack resulted in the compromise of more than 9,931 credentials, 5,441 of which included captured MFA codes. Group-IB’s research suggests that the Oktapus group derived its target list from an initial compromise of “mobile operators and telecommunications companies.” The phishing campaign described by Group-IB was launched by sending text messages to victims.

    The “Oktapus” name was given because the group successfully targeted Okta MFA customers.

    Potential Impact

    The victims of this credential compromise included “companies providing IT, software development, and cloud services.” The possibility of this threat actor group leveraging these compromises to launch supply-chain attacks is concerning and speaks to the need for increased vigilance among organizations in all market sectors.

    Recommended Actions

    Train users to never trust unsolicited text messages, especially those containing links. 

    Businesses should closely monitor their environment and act on any detected anomalies; this careful monitoring may make the difference in detecting a supply-chain attack early.


      QNAP Zero-Day Vulnerability

      Overview

      A new campaign targeting QNAP devices has been discovered in which threat actors exploit a vulnerability in Photo Station to encrypt NAS devices with Deadbolt ransomware. This variant has been observed throughout 2022, targeting vulnerable QNAP devices accessible from the Internet.

      Potential Impact

      This vulnerability, which is detailed in QNAP security advisory QSA-22-24, allows threat actors to encrypt all data stored on affected QNAP devices without authentication. Lateral movement to other systems has not been widely observed but remains a possibility.

      Recommended Actions

      QNAP is urging administrators to update Photo Station to the latest available version. Furthermore, those that rely on Photo Station should consider alternatives such as QuMagie. QNAP NAS devices should also not be directly accessible from the Internet.

      Performing external vulnerability assessments to identify weaknesses on public-facing systems is strongly recommended, both to ensure that public access to unnecessary services and ports is removed and to reduce your overall attack surface.

      Sources
      https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/
      https://www.qnap.com/en/security-news/2022/take-immediate-action-to-update-photo-station-to-the-latest-available-version
      https://www.qnap.com/en-us/security-advisory/qsa-22-24

      Zero-Day Apple Vulnerabilities Impact Healthcare

      Overview

      The HHS Health Sector Cybersecurity Coordination Center (HC3) alerted healthcare organizations regarding the active exploitation of two zero-day vulnerabilities (CVE-2022-32893 and CVE-2022-32894) in Apple devices. Because Apple iOS devices are gaining popularity in healthcare environments, it is recommended that affected devices be updated as soon as possible.

      Potential Impact

      Exploiting these vulnerabilities could give an attacker remote code execution and kernel-level privileges. Attackers could then access data stored on those devices, including PHI, credentials, Internet history, and other potentially sensitive data.

      Recommended Actions

      Affected devices include: 

      • iPhone 6s and later
      • Macs that run macOS Monterey
      • All iPad Pro models
      • iPad Air 2 and later
      • iPad 5th generation and later
      • iPad mini 4 and later
      • iPod touch (7th generation)

      It is strongly recommended that these devices be updated as soon as possible. 

      Sources
      https://www.hhs.gov/sites/default/files/apple-fixes-two-zero-day-exploits.pdf

      Crypto Miners Disguising as Free Software Apps

      Overview

      Check Point Research (CPR) and the Turkey-based security firm Nitrokod have produced reports describing a new campaign in which crypto miner malware disguises itself as free software applications. These applications pose as desktop applications for common services that do not currently offer official desktop apps, including YouTube Music, Yandex Translate, Google Translate, Microsoft Translate, and more, according to Cyware News.

      Potential Impact

      The primary malicious logic embedded in these applications is crypto mining code that consumes the CPU and RAM of the devices on which it is installed. The software continues to mine until it is uninstalled.

      CPR also reports that some of the applications deliberately delay the execution of their embedded malicious logic so that the crypto mining operation stays hidden over a long period. Nitrokod has attributed over 111,000 compromised victims in 11 countries to the campaign since 2019.

      Recommended Actions

      Organizations can protect themselves from malicious software such as crypto miners by deploying advanced Endpoint Detection and Response (EDR) controls. These controls should be kept up to date, with patches and detection logic capable of identifying crypto mining software and reacting accordingly. Organizations should also monitor for and prevent the installation of unauthorized software on corporate devices, and encourage users to avoid risky software on personal devices.

      Sources
      https://thehackernews.com/2022/08/nitrokod-crypto-miner-infected-over.html?&web_view=true
      https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/
      https://cyware.com/news/nitrokod-crypto-miner-disguises-as-free-software-apps-26ab030a

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
