Unit 42 Threat Intel Bulletin - September

Cybersecurity Trends

2022 Unit 42 Incident Response Report

The top targeted industries in 2022: finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail.

2022 Unit 42 Incident Response Report: Top Affected Industries

Read the report

Read the blog

Register for the webinar – 4 Incident Response Insights Your Board Must Know

Unit 42 Threat Intel Blogs

Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (Malware, Ransomware)

Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.

Learn the latest developments 

Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware (Malware)

Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim. Projector Libra has been reported as an initial access broker with ties to Conti ransomware.

Discover details about this criminal group

IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation (Cloud)

In the recent Cloud Threat Report, Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations and found that 99% of cloud users, roles and service accounts are overly permissive. Cloud users commonly grant more permissions to identities than they actually need. These excessive permissions unnecessarily open up a much larger attack surface and increase the risk of privilege escalation. If a security incident occurs, adversaries may exploit the excessive permissions to escalate to more privileged roles, such as Administrator.

Dive into this tool

Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption (Tutorial)

Cobalt Strike is a commercial threat emulation software that mimics a quiet, long-term embedded actor in a network. This actor, known as Beacon, communicates with an external team server to emulate command-and-control (C2) traffic. Due to its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams – but is also widely used by threat actors for real-world attacks. Different elements of Cobalt Strike contribute to its versatility, including the processes that encrypt and decrypt metadata sent to the C2 server.

Find out more about Cobalt Strike

Digium Phones Under Attack: Insight Into the Web Shell Implant (Malware)

Installing a web shell on a web server is a common approach malware authors take to launch exploits or run commands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server. Recently, Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP). In terms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability CVE-2021-45461 in the Rest Phone Apps (restapps) module.

Read about this phone attack

Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Malware)

Organizations around the world rely on the use of trusted, reliable online storage services – such as DropBox and Google Drive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent. The latest campaigns conducted by an advanced persistent threat (APT) that we track as Cloaked Ursa (also known as APT29, Nobelium or Cozy Bear) demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.

Check out what’s happening to online storage services

Threat Roll-up

  • (APT) Facebook finds new Android malware used by APT hackers. (Source: Meta)
  • (Government) This joint Cybersecurity Advisory (CSA) was co-authored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) and provides details on the top malware strains observed in 2021. (Source: CISA)
  • (Breach) Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw. (Source: Bleeping Computer)
  • (Threat Actor Group) Atlas Intelligence Group (A.I.G.), a for-hire cybercriminal group, is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns. (Source: CyberINT)
  • (Ransomware) A threat actor is promoting a new version of their free-to-use 'Redeemer' ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. (Source: Cyble)

More Information

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.
