SISA Weekly Threat Watch – December 12th, 2022

SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.

Organizations can also opt-in for our free daily threat advisories by subscribing here.

SISA Weekly Threat Watch - 12 December 2022

Researchers have noticed an increase in the frequency of attackers sending unsolicited emails and texts to users in order to enter their inboxes and steal credentials for malicious purposes. Depending on their needs and interests, the attackers can therefore attempt to financially and reputationally harm organizations by leveraging their skills and knowledge of known exploits and vulnerabilities.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Critical remote code execution (RCE) vulnerability found in Quarkus Java framework

Security researchers have found a remote code execution flaw in the well-known Java framework Quarkus, designed for Java virtual machines. The Dev UI Config Editor has the vulnerability, which a malicious actor can use without any special permission. The vulnerability, identified as CVE-2022-4116, has been issued a critical severity rating of 9.8 due to its lack of human engagement and low attack complexity.

The problem only affects developers using Quarkus who are duped into visiting a specially created website that contains malicious JavaScript code intended to download or execute arbitrary payloads. The Dev UI lacks critical security protocols like authentication and cross-origin resource sharing (CORS) because it is only accessible from the developer’s local system, which makes it possible for a malicious website to read data from legitimate websites. Users are recommended to upgrade to version 2.14.2. Final and 2.13.5. to prevent any system compromise.

2. APT37 abuses Google Drive using dynamic Dolphin Malware

APT37 has been using a previously unknown backdoor known as Dolphin for more than a year in highly targeted operations to collect files and deliver them to Google Drive storage. Built in C++, Dolphin is equipped with a wide range of spying tools, including the ability to track mobile devices and cloud services and exfiltrate sensitive files. The attackers make use of a variety of tools, such as an Internet Explorer exploit and shellcode that leads to the BLUELIGHT backdoor, which drops the secondary payload Dolphin on certain targets.

After exploitation, BLUELIGHT conducts basic reconnaissance and assessment of the compromised machine, while Dolphin looks through the drives of compromised systems for intriguing files before exfiltrating them to Google Drive. The backdoor also transmits to the C2 its current configuration, version number, and time. The malware is equipped with a wide range of skills, including the ability to search local and removable discs for various kinds of data that are archived and sent to Google Drive.

3. New Trojan CryWiper pretends to be a ransomware

CryWiper is a C++-written, 64-bit Windows executable with the filename “browserupdate.exe” that has been set up to abuse several WinAPI function calls. Upon execution, it creates tasks that are set to run on the compromised machine every five minutes. After that, it uses the victim’s machine’s name to get in touch with a command-and-control server (C2). To release locked data for destruction, CryWiper will halt crucial operations connected to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services.

The malware then destroys shadow copies on the infected PC to make it difficult to recover the deleted files. To block RDP connections, CryWiper additionally alters the Windows Registry, which is likely to obstruct remote IT specialists’ ability to respond to incidents and provide intervention. It is recommended to conduct RedTeam projects and routine penetration testing to locate and secure infrastructure vulnerabilities for the firm, thereby reducing the attack surface for hackers. Restricting remote desktop sessions from public networks can also help protect against this type of cyberattack.

4. Newly discovered Lilac Wolverine associated with gift card scams

A recently discovered gang known as Lilac Wolverine has been connected to BEC gift card scams that lead to the compromise of private email accounts. The unsolicited emails seem to be a favor request, requesting target to buy gift cards from Amazon for a friend’s birthday. Lilac Wolverine generally asks for readily accessible gift cards from companies such as Apple and Google Play for amounts from $100 and $500 per.

The organization uses general attack strategies that are like Vendor Email Compromise (VEC) attacks, with the exception that the group targets individual email accounts rather than corporations. AOL, Yahoo, BellSouth, Verizon, and Roger’s webmail services host targeted email accounts. It is advised to use email-based security to identify phishing emails because the initial infection may occur through spam email. It is also recommended to enforce multi-factor authentication (MFA), use strong passwords, and deploy a Data Loss Prevention (DLP) solution to prevent data exfiltration by malware.

5. Fake crypto app to breach networks, steal cryptocurrency

A recent attack using fake cryptocurrency apps with the fake brand name “BloxHolder” is spreading the AppleJeus malware for initial network access and the theft of cryptocurrency assets. Bloxholder[.]com was registered by the Lazarus Group, who later set it up to host a website on automated cryptocurrency trading. The “BloxHolder application,” a file that was recently found, is another instance of AppleJeus being installed along with an open-source cryptocurrency trading application QTBitcoinTrader.

A genuine DLL is loaded from the “System32” directory by the legitimate application, and that DLL then triggers the loading of a malicious DLL from the application’s directory. The MAC address, computer name, and OS version get collected by the malware and are sent to the C2 via a POST request. To protect systems from being compromised, it is recommended to check for anomalies as new scheduled tasks are created and block macro execution in Microsoft Office whenever feasible.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider