Original release date: February 28, 2022
Broadcom Software—an industry member of CISA’s Joint Cyber Defense Collaborative (JCDC)—uncovers an advanced persistent threat (APT) campaign against select governments and other critical infrastructure targets in a publication titled Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks. The Symantec Threat Hunter team, part of Broadcom Software, worked with CISA to engage with multiple governments targeted with Daxin malware and assisted in detection and remediation.
Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.
CISA urges organizations to review Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks for more information and for a list of indicators of compromise that may aid in the detection of this activity.
A cyberwar could spill over to the business world at any moment, so it’s time to lock things down tight. A lesson in device and network hardening.
Original release date: February 24, 2022
CISA, the Federal Bureau of Investigation (FBI), U.S. Cyber Command Cyber National Mission Force (CNMF), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the National Security Agency (NSA) have issued a joint Cybersecurity Advisory (CSA) detailing malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.
MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.
CISA encourages users and administrators to review the joint CSA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. For additional information on Iranian cyber threats, see CISA’s Iran Cyber Threat Overview and Advisories webpage.
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology, energy, healthcare, education, finance and defense industries. In conducting further analysis of this campaign, we identified another sophisticated tool being used to maintain persistence, which we call SockDetour.
A custom backdoor, SockDetour is designed to serve as a backup backdoor in case the primary one is removed. It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers. One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors. More…
Cybercriminals have been sending USB flash drives laced with ransomware to US businesses. Find out how this attack works and what to do about it.
If you receive a USB flash drive in the mail that you were not expecting, resist the urge to plug it into your computer. Cybercriminals have been sending USB drives laced with ransomware to US businesses, according to a security alert issued by the US Federal Bureau of Investigation (FBI) on January 6, 2022. The attackers have been using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the malicious drive.
FIN7 Behind the BadUSB Attacks
A cybergang named FIN7 carried out the attacks. It modified off-the-shelf USB drives so that they became what is known as BadUSBs. “BadUSBs are virtual keyboards that can be programmed in advance to type out characters on a computer without physically doing so,” according to security experts.
BadUSBs start executing as soon as they are plugged in. They replay preloaded keystrokes far faster than a person can type, including chords that need two or more keys held at once, which is enough to open an elevated Command Prompt on Windows and run commands with administrative privileges: press Win+R to open the Run dialog, type cmd, and press Ctrl+Shift+Enter to launch it as administrator. If User Account Control asks for consent, the same device can answer that prompt with keystrokes as long as the logged-in user is a local administrator; for a standard user, UAC asks for an administrator's credentials instead, which a scripted keystroke sequence cannot supply. That is why limiting local admin rights matters as much as blocking unknown USB devices.
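The attack depends on a property a defender can key on: the device types at machine speed, with inter-key gaps no human sustains. The block below is an added example written for this digest, not code from the FBI alert or the CHIPS post. It groups keystroke events per source device, flags bursts whose cadence is faster than human typing, and checks whether a burst contains the Win+R / cmd / Ctrl+Shift+Enter sequence described above. The event stream, the 30 ms and 8-key thresholds, and the device identifiers are constructed for the example; on a real host the per-device timestamps would come from the operating system's raw input API.

```python
# Keystroke-injection (BadUSB) detector based on typing cadence.
# Added example for this digest; it is not code from the FBI alert or the
# CHIPS post. A BadUSB enumerates as a keyboard and replays its script at
# machine speed, so a burst of keystrokes with gaps no human sustains is the
# tell. Thresholds and device identifiers below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_HUMAN_GAP_S = 0.030   # assumption: sustained gaps under 30 ms are not human
MIN_BURST_LEN = 8         # assumption: ignore shorter runs to limit false alarms

# The elevation sequence described in the article: Win+R, "cmd", Ctrl+Shift+Enter.
ELEVATION_SEQUENCE = ["WIN+r", "c", "m", "d", "CTRL+SHIFT+ENTER"]


@dataclass(frozen=True)
class KeyEvent:
    t: float       # seconds on a monotonic clock
    key: str       # key name; chords written as "WIN+r", "CTRL+SHIFT+ENTER"
    device: str    # identity of the keyboard that produced the event


def find_injection_bursts(events: List[KeyEvent]) -> List[Tuple[str, List[str]]]:
    """Return (device, keys) for every run of at least MIN_BURST_LEN keystrokes
    from a single device whose consecutive gaps are all below MAX_HUMAN_GAP_S.
    Grouping per device matters: a real keyboard and a BadUSB interleaved on
    the same host would otherwise mask each other."""
    per_device: Dict[str, List[KeyEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.t):
        per_device.setdefault(e.device, []).append(e)

    bursts: List[Tuple[str, List[str]]] = []
    for device, evs in per_device.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.t - prev.t < MAX_HUMAN_GAP_S:
                run.append(cur)
                continue
            if len(run) >= MIN_BURST_LEN:
                bursts.append((device, [ev.key for ev in run]))
            run = [cur]
        if len(run) >= MIN_BURST_LEN:
            bursts.append((device, [ev.key for ev in run]))
    return bursts


def contains_elevated_cmd(keys: List[str]) -> bool:
    """True if the Win+R / cmd / Ctrl+Shift+Enter sequence appears contiguously."""
    n = len(ELEVATION_SEQUENCE)
    return any(keys[i:i + n] == ELEVATION_SEQUENCE for i in range(len(keys) - n + 1))


def build_sample_events() -> List[KeyEvent]:
    """Constructed sample stream: a person typing on the built-in keyboard at
    roughly 180 ms per key, then a BadUSB replaying the article's sequence
    plus a command at 5 ms per key. Device IDs are made up."""
    human_kbd = "HID\\VID_04F2&PID_0116"
    badusb = "HID\\VID_1234&PID_ABCD"
    events: List[KeyEvent] = []
    t = 0.0
    for ch in "quarterly report":
        t += 0.18
        events.append(KeyEvent(t, "SPACE" if ch == " " else ch, human_kbd))
    t += 2.0  # the drive is plugged in
    script = ELEVATION_SEQUENCE + list("whoami") + ["ENTER"]
    for k in script:
        t += 0.005
        events.append(KeyEvent(t, k, badusb))
    return events


def analyze(events: List[KeyEvent]) -> List[dict]:
    """One alert per burst; 'elevated' flags the admin-shell sequence."""
    return [
        {"device": device, "keys": len(keys), "elevated": contains_elevated_cmd(keys)}
        for device, keys in find_injection_bursts(events)
    ]


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(alert)
```

Cadence detection is one layer, not a substitute for device control: a more careful BadUSB can pad its script with human-like delays, so pair a detector like this with USB device installation restrictions that only allow known keyboard vendor and product IDs, and with a policy of keeping day-to-day accounts out of the local Administrators group.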
To entice employees to plug the malicious USB drives into their computers, the cybergang turned to phishing tactics. In some of the attacks, it impersonated Amazon and sent a decorative gift box. The box contained a letter thanking the recipient for being a loyal customer, a counterfeit gift card, and a BadUSB that supposedly listed the goods for which the gift card could be used.
In other attacks, FIN7 impersonated the US Department of Health & Human Services (HHS) and sent companies a letter and a BadUSB that supposedly listed new COVID-19 regulations. The letter was made to look like an official document from HHS. The recipients were instructed to read the new regulations on the malicious USB drive and then go to a specified website, where they would need to confirm that they have read and applied them. More…
The post Cybergang Mailing Malicious USB Flash Drives to Companies appeared first on CHIPS.
It’s possible to be too clever by half with your advertising and offers. If you’re not careful, and you overdo it, you can wreck your own website at the most inopportune time. Surojit Chatterjee, Coinbase’s chief product officer, said Coinbase had more than 20 million hits on its landing page in a minute. The company’s app also got unprecedented traffic. Chatterjee added, “We’re ready for you.” No, they weren’t. Both the site and app crashed for about an hour. This is not a good look for any business. More…
Corporate users are more aware of phishing attacks in their mailboxes. Yet they are not used to being targeted via other systems like Microsoft Teams. Learn how to protect yourself.
Since this is one of my recommended plug-ins for WordPress, it is important that you update it now. Then read the full article on Sophos: A straight-talking bug report written in plain English by an actual expert – there’s a teachable moment in this cybersecurity story!
Kali Linux has been a fan-favorite for penetration testing for a long time, and with a refresh and new tools, the latest iteration is better than ever.
Calling all website coders: Y2K was then. V1H is now!
IBM’s 2022 X-Force Threat Intelligence Index also revealed that ransomware was again the top attack type last year and that manufacturing supply chains were most vulnerable to exploitation.