Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.


Broadcom Software Discloses APT Actors Deploying Daxin Malware in Global Espionage Campaign

Original release date: February 28, 2022

Broadcom Software—an industry member of CISA’s Joint Cyber Defense Collaborative (JCDC)—uncovers an advanced persistent threat (APT) campaign against select governments and other critical infrastructure targets in a publication titled Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks. The Symantec Threat Hunter team, part of Broadcom Software, worked with CISA to engage with multiple governments targeted with Daxin malware and assisted in detection and remediation.

Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.

CISA urges organizations to review Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks for more information and for a list of indicators of compromise that may aid in the detection of this activity.

Report incidents related to this activity to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.


After Russia’s invasion of Ukraine, it’s time to hunker down

A cyberwar could spill over to the business world at any moment, so it’s time to lock things down tight.  A lesson in device and network hardening.


Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations

Original release date: February 24, 2022

CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.

MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.

CISA encourages users and administrators to review the joint CSA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage.


SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors

Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries. In conducting further analysis of this campaign, we identified another sophisticated tool being used to maintain persistence, which we call SockDetour.

A custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers. One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors.  More,,,


Cybergang Mailing Malicious USB Flash Drives to Companies

Cybercriminals have been sending USB flash drives laced with ransomware to US businesses. Find out how this attack works and what to do about it.

If you receive a USB flash drive in the mail that you were not expecting, resist the urge to plug it into your computer. Cybercriminals have been sending USB drives laced with ransomware to US businesses, according to a security alert issued by the US Federal Bureau of Investigation (FBI) on January 6, 2022. The attackers have been using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the malicious drive.

FIN7 Behind the BadUSB Attacks

A cybergang named FIN7 carried out the attacks. It modified off-the-shelf USB drives so that they became what is known as BadUSBs. “BadUSBs are virtual keyboards that can be programmed in advance to type out characters on a computer without physically doing so,” according to security experts.

BadUSBs automatically start running when they are plugged into a computer. They are able to execute preloaded commands extremely fast, including any that require pressing two or more keys simultaneously. This means they can access the Elevated Command Prompt on Windows devices to execute commands with administrative privileges. The BadUSBs just need to type “Win+R” to open the Run dialog box, enter “cmd”, and then type Ctrl+Shift+Enter.

To entice employees to plug the malicious USB drives into their computers, the cybergang turned to phishing tactics. In some of the attacks, it impersonated Amazon and sent a decorative gift box. The box contained a letter thanking the recipient for being a loyal customer, a counterfeit gift card, and a BadUSB that supposedly listed the goods for which the gift card could be used.

In other attacks, FIN7 impersonated the US Department of Health & Human Services (HHS) and sent companies a letter and a BadUSB that supposedly listed new COVID-19 regulations. The letter was made to look like an official document from HHS. The recipients were instructed to read the new regulations on the malicious USB drive and then go to a specified website, where they would need to confirm that they have read and applied them.  More…

The post Cybergang Mailing Malicious USB Flash Drives to Companies appeared first on CHIPS.


Don’t be Coinbase. Don’t crash your site.

It’s possible to be too clever by half with your advertising and offers. If you’re not careful, and you overdo it, you can wreck your own website at the most inopportune time.  Surojit Chatterjee, Coinbase’s chief product officer, said Coinbase had more than 20 million hits on its landing page in a minute. The company’s app also got unprecedented traffic. Chatterjee added, “We’re ready for you.”  No, they weren’t. Both the site and app crashed for about an hour. This is not a good look for any business.  More…


Cyberattack threat: Corporate users infected via Microsoft Teams

Corporate users are more aware of phishing attacks in their mailboxes. Yet they are not used to being targeted via other systems like Microsoft Teams. Learn how to protect yourself.


WordPress backup plugin maker Updraft says “You should update”…

Since this is one of my recommended plug-ins for WordPress, it is important that your update it now.  Then read the full article on Sophos,  A straight-talking bug report written in plain English by an actual expert – there’s a teachable moment in this cybersecurity story!


Kali Linux 2022.1 is your one-stop-shop for penetration testing

Kali Linux has been a fan-favorite for penetration testing for a long time, and with a refresh and new tools, the latest iteration is better than ever.


Did we learn nothing from Y2K? Why are some coders still stuck on two digit numbers?

Calling all website coders: Y2K was then. V1H is now!


Microsoft, Apple and Google top the list of the most spoofed brands in 2021

IBM’s 2022 X-Force Threat Intelligence Index also revealed that ransomware was again the top attack type last year and that manufacturing supply chains were most vulnerable to exploitation.


 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.