SISA Weekly Threat Watch – October 24th, 2022

This past week saw a number of suspicious activities that may have been carried out by an already existing but unidentified actor, or by a new threat group. Malicious actors exploited multiple vulnerabilities to carry out malicious attacks or experiment with new and improved tactics. Some of the critical threat actors were seen using Remote Access Trojans (RAT), DLL files, malicious Word & Excel files and JavaScript files, to infect or breach the network environment.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New Alchimist attack framework targets Windows, macOS, Linux

Alchimist is a new attack and C2 framework that can target macOS, Windows, and Linux, according to Cisco Talos researchers. They have also discovered a brand-new malware called Insekt—an Alchimist’s beacon implant—that features remote administration capabilities. Alchimist is an easy framework that allows its users to build and customize payloads that are effective in remote screenshot capture, remote shellcode execution, and arbitrary command execution.

The RAT implant Insekt supports typical RAT capabilities such as getting operating system information, executing arbitrary commands through the command shell, taking screenshots, port and IP scanning, and shellcode execution. The Alchimist framework is yet another framework that allows less skilled threat actors to execute their own attacks. To detect and prevent malicious traffic from being sent between the implant and the remote C2 server, it is strongly advised to set up and keep up effective endpoint security controls, such as an EDR, on all the systems in a specific environment.

2. Operators behind IcedID trojan diversify their delivery tactics

The IcedID trojan’s researchers are experimenting with a variety of tactics to determine which ones are most effective against various targets. To launch malicious files at the beginning of the infection chain, most delivery techniques used password-protected ZIP files. A few of these ZIP packages contained an ISO that finally launched the DLL file and completed the infection process. In some cases, malicious Word or Excel files were sent to users, asking them to enable macros so that the embedded script would execute and install IcedID.

The operators were observed experimenting with IP addresses and domain reuse for their C2 servers in addition to employing a variety of files. The C2 server’s IP addresses’ reduced range was another noticeable modification that contributed to the attackers’ ability to avoid detection. For each campaign, they previously used different IP addresses. To reduce the risk of infection, it is essential to carefully examine incoming emails since all delivery methods are started by phishing emails.

3. Critical-severity flaw in Apache Commons Text library fixed

A severe vulnerability in some versions of the Apache Commons Text library that could have allowed remote code execution has been fixed by the Apache Software Foundation (ASF). The cause of CVE-2022-42889 was a poorly implemented feature of variable interpolation in Commons Text, more particularly, some default lookup strings may have been vulnerable to accepting untrusted input from outside attackers, such as DNS requests, URLs, or inline scripts.

Users are advised to update to Apache Commons Text 1.10.0 as it disables the problematic interpolators by default. It is also important to search for and filter out potentially risky character sequences from the input first or take care not to pass that data into string interpolation functions, whenever the untrusted data is accepted or processed, especially in Java code where string interpolation is extensively supported and provided as a “feature” in many third-party libraries.

4. Magniber Ransomware now infects Windows users via JavaScript files

Windows home users have recently been the target of a fraudulent operation distributing Magniber ransomware. Threat actors developed websites in September that advertised fake Windows 10 security and antivirus updates. The downloaded malicious files (ZIP archives) contained JavaScript that initiated an intricate infection with the file-encrypting malware.

The Magniber group also used evasion methods to avoid being detected by anti-virus software, including bypassing Windows’ User Account Control feature, executing the ransomware in-memory, and using syscalls rather than the standard Windows API libraries. To decrease the likelihood of being detected, a DotNET file is run in system memory using DotNetToJScript technique. Home users are advised to continue making frequent backups of crucial files and to store sensitive information, whenever possible, on separated storage devices. Additionally, it is important to make sure that no backups are infected during the process.

5. Microsoft data breach exposes customers contact info, emails

Microsoft recently announced that an unknown amount of customer data, including contact information and email content, was recently exposed to potential internet access because of a server configuration issue. There was a possibility that specific “business transaction data” would have been accessed without authorization because of the configuration issue. The first portion of the collection is the consequence of an incorrect Azure Blob Storage configuration.

The issue was not the consequence of a security vulnerability, but an unintentional configuration error on an endpoint that was not being used by the entire Microsoft ecosystem. Names, email addresses, email content, company names, phone numbers, and maybe attached files pertaining to business between a customer and Microsoft or an approved Microsoft partner were among the potentially affected data. To prevent data loss, it is recommended to monitor your attack surface for any external assets that are visible to the public, implement the “Zero Trust” methodology, and assign encryption keys for critical resources.