
    Date: 11/17/2022

    KmsdBot Malware Hijacking Systems

    Overview

    Evasive malware dubbed KmsdBot has been discovered that targets the Secure Shell (SSH) protocol to gain access to targeted systems. This botnet has been targeting a wide range of organizations rather than a particular industry. The primary root cause of a system being compromised by this malware is the use of weak SSH credentials. 

    Potential Impact

    Post-exploitation activities include cryptocurrency mining and launching denial-of-service (DoS) attacks. The malware is also capable of performing network scanning and propagating via additional brute-force attacks. The malware does not maintain persistence on infected systems, which helps it evade detection.

    Recommended Actions

    Review any Internet-facing SSH interfaces and remove them if they are not necessary for business operations, or restrict access by source IP address. Furthermore, ensure SSH credentials are created using strong password policies, or use SSH keys where possible. Performing an external vulnerability assessment is a great way to understand what ports/services are publicly visible.
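    The weak-credential brute-force pattern described above leaves a recognizable trace in SSH authentication logs. The following Python detector is an added example written for this briefing's editorial pass, not code from GreyCastle or from any KmsdBot analysis; the log lines, IP addresses, year, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd log lines (not from the briefing): a password-guessing
# burst from one source that ends in a successful password login, a key-based
# login, and a single isolated failure from a third source.
SAMPLE_AUTH_LOG = """\
Nov 17 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 17 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Nov 17 10:01:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Nov 17 10:01:07 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51028 ssh2
Nov 17 10:01:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 17 10:01:30 host sshd[1215]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Nov 17 10:02:00 host sshd[1220]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
Nov 17 10:05:11 host sshd[1230]: Failed password for alice from 198.51.100.9 port 40200 ssh2
"""
# Standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_sshd_log(text, year=2022):
    """Return (timestamp, result, method, user, ip) tuples; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_brute_force_sources(events, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failed password attempts within window_seconds,
    and note whether a password login followed the burst (weak-credential compromise)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e[0] for e in evs if e[1] == "Failed" and e[2] == "password"]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if (burst_end - fails[i]).total_seconds() <= window_seconds:
                login_after = any(e[1] == "Accepted" and e[2] == "password"
                                  and e[0] > burst_end for e in evs)
                findings[ip] = {"failures": len(fails),
                                "password_login_after_burst": login_after}
                break
    return findings
```

    A burst followed by a successful password login from the same source is the finding that warrants immediate investigation; key-only authentication removes that outcome entirely.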


      Extortion Scam Targeting Website Owners

      Overview

      Four vulnerabilities have been disclosed affecting Checkmk IT infrastructure monitoring software. The vulnerabilities include code injection, arbitrary file reading, line feed injection, and Server-Side Request Forgery (SSRF).

      Potential Impact

      The attackers claim they will leak stolen data, damage reputation, and get the targeted site blacklisted for spam if the ransom demand is not paid. However, there is essentially no impact to an organization that receives this email.

      Recommended Actions

      It is best to mark the messages as spam and delete them. There is no need for an investigation. Though this campaign is a scam, it is important to perform web application testing and external vulnerability assessments to understand the risks of Internet-facing assets so the proper security controls can be implemented to prevent an attacker who actually attempts exploitation.

      Sources

      https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-damage-sites-reputation-leak-data/


      Increase in Phishing Rates

      Overview

      Security research by Hornetsecurity has indicated that over 40% of work emails are unwanted spam or malicious phishing. Hornetsecurity’s 2023 Cyber Security Report considered more than 25 billion work emails to identify the current trend of suspicious/malicious emails.

      Potential Impact

      This 2023 report has found that phishing accounts for up to 39% of all detected attacks in today’s security landscape. Most often these emails contain malicious archive files such as Zip and 7z files, which make up 28% of all phishing mail. Hornetsecurity has also found that modern phishing attacks use brand impersonation as a primary attack vector. In these attacks, the malicious email(s) impersonate popular and trusted brands to lure victims into interacting with embedded links or attached files.

      Recommended Actions

      The most common attack vector seen by GreyCastle Security’s Incident Response Team is indeed phishing compromise. Despite the surprising success rate of phishing emails, organizations can implement effective preventative measures against these attacks. As a front-line defense, it is important to have a strong email security solution to filter out the vast majority of spam and malicious emails. Additionally, organizations must conduct intelligent and routine email security training. This includes security awareness training and communication, and routine phishing tests and assessments against employees.

      It is recommended to tailor phishing tests to your organization to maximize training effectiveness. Organizations can also focus on users who have access to highly confidential material such as Personally Identifiable Information (PII) or organizational Intellectual Property (IP).

      Sources
      https://www.helpnetsecurity.com/2022/11/14/email-security-threats

      StrelaStealer and IceXLoader Info-Stealer Campaigns

      Overview

      New waves of information-stealing malware campaigns have been observed across the globe. Two campaigns of note are the StrelaStealer and IceXLoader malware strains, both leveraging malicious email attachments to target victims. 

      Potential Impact

      First reports of StrelaStealer spread in early November, with reports of the malware targeting users in Spain. This malware steals credentials, attachments, and browser data. Additionally, StrelaStealer can be configured to drop second-stage malware to introduce even further compromise.

      IceXLoader has been observed targeting thousands of enterprises around the world. This malware attempts not only to collect sensitive data but also to install Remote Administration Tools (RATs) and cryptocurrency mining software. IceXLoader is most often delivered through successful phishing campaigns.

      Recommended Actions

      Information-stealing malware such as these is highly advanced and often written in less common languages, such as Nim, or as encoded .NET, in order to bypass security tools. However, since their primary delivery method is phishing email attachments, organizations can defend against them with well-implemented security awareness training and email security.

      Sources
      https://thehackernews.com/2022/03/emotet-botnets-latest-resurgence.html
      https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
