    Date: 11/29/2022

    Malicious Browser Extension Steals Passwords

    Overview

    A malicious browser extension named VenomSoftX is being distributed primarily through cracked software for Adobe products and Microsoft Office, which is typically hosted on file-sharing sites. The cracked software download also carries an installer for ViperSoftX, a Windows information stealer, and ViperSoftX in turn installs the malicious browser extension.

    Potential Impact

    The VenomSoftX extension may disguise itself as a legitimate extension. Once installed it can steal cryptocurrency, swap clipboard contents, fingerprint the infected machine, and potentially download and execute additional payloads.

    Recommended Actions

    Ensure that policies are in place stating that only approved software may be used on organization assets. Additionally, it is strongly recommended that endpoints be protected by Endpoint Detection and Response (EDR) software, which monitors for anomalous behavior. Lastly, PowerShell audit policies should be adjusted to enable both module logging and script block logging, and the resulting logs should be reviewed regularly.
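    The following PowerShell is an added example, not part of the briefing: it sets the same registry values that the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" Group Policy settings write, verifies them, and then pulls the last 24 hours of script block events (Event ID 4104) so the review step is concrete. The keyword list used to flag events is an illustrative assumption chosen for this example, not a detection rule from the briefing; it must be run from an elevated session.

```powershell
# Added example (not from the briefing): enable PowerShell module and
# script block logging via the registry values Group Policy uses, then
# review recent script block events. Run from an elevated session, or
# deploy the same values through GPO or Intune.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: records the content of each script block as it
# executes (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

# Module logging: records pipeline execution details for the listed
# modules (Event ID 4103). A '*' entry under ModuleNames covers all modules.
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path $ml -Force | Out-Null
New-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
$names = Join-Path $ml 'ModuleNames'
New-Item -Path $names -Force | Out-Null
New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Verify the settings took effect before relying on them.
Get-ItemProperty -Path $sbl | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $ml  | Select-Object EnableModuleLogging

# Review step: pull the last 24 hours of 4104 events and surface those
# containing download-and-execute or encoding patterns. The keyword list
# is an assumed starting point for this example, not a complete rule.
$keywords = 'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX',
            'FromBase64String', '-EncodedCommand'
$since = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        $keywords | Where-Object { $msg -match [regex]::Escape($_) }
    } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -Wrap
```

    In a managed fleet the review stage belongs in the SIEM or EDR console rather than on each endpoint; forward the Microsoft-Windows-PowerShell/Operational log and run the same keyword match centrally. Event 4104 also records the script content of interactive sessions, so expect legitimate administrator activity to match and tune accordingly.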


      Malicious Docker Hub Repositories

      Overview

      Researchers from the Sysdig security team analyzed over 250,000 unverified Linux Docker images and found over 1,600 malicious containers. These contained a wide variety of malware strains embedded within the code, ranging from cryptomining tools to full post-exploitation frameworks.

      Potential Impact

      When a malicious Docker container is deployed within an organization’s environment, it gives threat actors a way into the network without any separate initial-access step, enabling quiet post-exploitation activity from the deployed system. Although most of the identified malware carried lower-impact tactics, the possibility of post-exploitation activity such as ransomware and data exfiltration poses a significant threat to organizations.

      Recommended Actions

      When adopting public open-source code in the corporate environment, organizations are encouraged to conduct thorough code reviews prior to installation. It is also recommended that organizations maintain lists of authorized open-source projects and establish a standard procedure for adding further projects to that list before they are deployed.

      Sources

      https://cyware.com/news/hackers-abuse-docker-hub-repositories-to-disguise-malicious-containers-895e37fc

      Black Basta and Qakbot

      Overview

      Cybereason Security researchers identified the Black Basta ransomware gang conducting Qakbot phishing campaigns across the United States.

      Potential Impact

      The Qakbot malware is often used as a first-stage dropper for post-exploitation tools such as Cobalt Strike. Its advanced defense evasion capabilities allow it to succeed even in heavily fortified networks. After deploying Cobalt Strike, the Black Basta ransomware gang primarily conducted data exfiltration and ransomware detonation across the network.

      Recommended Actions

      As these most recent campaigns have relied on phishing as the primary initial access vector, organizations are advised to keep their focus on anti-phishing measures. This includes up-to-date security awareness training, internal phishing simulations, and general user training on identifying malicious emails.

      Sources

      https://cyware.com/news/black-basta-and-qakbot-join-hands-to-attack-us-companies-a1c8fbc9

      Joint Cybersecurity Advisory (CSA) Published Regarding Hive Ransomware Group

      Overview

      The Internet Crime Complaint Center (IC3) issued an advisory regarding the Hive ransomware group. The advisory notes that Hive has victimized more than 1,300 companies worldwide and has received more than $100 million in ransom payments.

      Potential Impact

      The impact of ransomware is devastating. Advisories such as this one can help organizations avoid being victimized.

      Recommended Actions

      The advisory is a straightforward read for anyone involved in systems administration or cybersecurity. The recommendations in the mitigation section should be on the roadmap for every organization concerned about the threat of ransomware.

      Sources

      https://www.ic3.gov/Media/News/2022/221117.pdf

      Microsoft Reports Widespread Usage of Outdated “Boa” Webserver

      Overview

      While investigating attacks against India’s power grid, researchers at Microsoft identified a vulnerable piece of software common to many compromised systems. Microsoft researchers highlight that the Boa web server is “widely implemented across a variety of IoT (Internet of Things) devices” and that “Boa web servers remain pervasive in the development of IoT devices.” In a week of scanning, Microsoft discovered more than one million Boa web servers exposed to the internet. Support for the Boa web server was discontinued in 2005.

      Potential Impact

      Exploitation of the vulnerable web server gives attackers a foothold in the victim’s environment, from which privilege escalation and further attacks can follow.

      Recommended Actions

      Ensure that your organization keeps accurate hardware and software inventory records and that any patches released by vendors are applied. Unfortunately, the Boa server is only one component of the IoT devices in question and may not be updated by the device vendor’s patches. That being the case, minimize external-facing services and require VPN access for any connection to internal devices unless broad access from the internet is genuinely required. Last but not least, ensure that the web interfaces of IoT devices are placed in a network segment with strictly defined access control measures in place.

      Sources

      https://thehackernews.com/2022/11/hackers-exploiting-abandoned-boa-web.html

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
