Unit 42 Threat Intel Bulletin - September
Cybersecurity Trends
2022 Unit 42 Incident Response Report
The top targeted industries in 2022 were finance, professional and legal services, manufacturing, healthcare, high tech, and wholesale and retail.
Register for the webinar – 4 Incident Response Insights Your Board Must Know
Unit 42 Threat Intel Blogs
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (Malware, Ransomware)
Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware (Malware)
Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim. Projector Libra has been reported as an initial access broker with ties to Conti ransomware.
IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation (Cloud)
In the recent Cloud Threat Report, Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations and found that 99% of cloud users, roles and service accounts are overly permissive. Cloud users commonly grant more permissions to identities than they actually need. These excessive permissions unnecessarily open up a much larger attack surface and increase the risk of privilege escalation. If a security incident occurs, adversaries may exploit the excessive permissions to escalate to more privileged roles, such as Administrator.
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption (Tutorial)
Cobalt Strike is commercial threat emulation software that mimics a quiet, long-term embedded actor in a network. This actor, known as Beacon, communicates with an external team server to emulate command-and-control (C2) traffic. Due to its versatility, Cobalt Strike is commonly used as a legitimate tool by red teams – but it is also widely used by threat actors in real-world attacks. Different elements of Cobalt Strike contribute to its versatility, including the processes that encrypt and decrypt the metadata sent to the C2 server.
Digium Phones Under Attack: Insight Into the Web Shell Implant (Malware)
Installing a web shell on a web server is a common approach malware authors take to launch exploits or run commands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP PBX system, by installing a web shell on its web server. Recently, Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP). In terms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability CVE-2021-45461 in the Rest Phone Apps (restapps) module.
Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Malware)
Organizations around the world rely on the use of trusted, reliable online storage services – such as DropBox and Google Drive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent. The latest campaigns conducted by an advanced persistent threat (APT) that we track as Cloaked Ursa (also known as APT29, Nobelium or Cozy Bear) demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.
Threat Roll-up
More Information
Under Attack?
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.
If you have cyber insurance or legal counsel, you can request that Unit 42 serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.