Threat Intelligence - RH-ISAC Blog

On October 6, 2022, CISA released a joint advisory advising telecommunications, defense, and critical infrastructure organizations to patch and mitigate the most prevalent Common Vulnerabilities and Exposures (CVEs) leveraged by suspected Chinese state-sponsored cyber threat actors since 2020. Context According to the report, “PRC state-sponsored cyber actors continue to target government and critical infrastructure networks…

Context On October 4, 2022, DCSO CyTec security researchers reported the technical details of a new backdoor malware targeting Microsoft SQL servers they dubbed “Maggie.” According to researchers, the Maggie backdoor can bruteforce logins to other MSSQL servers and add a new hardcoded backdoor user after bruteforcing administrator logins. Researchers did not investigate if and…

Context On September 29, 2022, security researchers at GTSC reported the technical details of two zero-day vulnerabilities they had observed being exploited by threat actors since August 2022. Microsoft confirmed the vulnerabilities and provided details of both: CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the…

Vienna, VA (September 29, 2022) – The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today released the first-ever public version of the Retail & Hospitality Intelligence Trends Summary, which analyzes trends in the cyberthreat landscape for the retail, hospitality, and travel sectors. The report sheds light on the top threats and malware families reported…

A recent campaign drops Cobalt Strike Beacons, the RedLine Infostealer, and the Amadey Botnet with malicious scripts using two distinct methods. Context On September 28, 2022, Talos security researchers reported a campaign delivering Cobalt Strike beacons, the RedLine Infostealer, and Amadey botnet executables active since at least August 2022. Cobalt Strike is by far the…

A new dropper named “NullMixer” is spreading multiple malware families, including some seen regularly by the RH-ISAC community. Context On September 26, 2022, researchers at SecureList reported a new dropper they named “NullMixer” which spreads multiple malware families via malicious websites impersonating legitimate software downloads. According to SecureList, in addition to multiple malware families, NullMixer…

On September 21, 2022, the LockBit 3.0 ransomware builder named “Black” was leaked online by a developer working for the LockBit threat group. On September 22, 2022, security researchers Yang HuiSeong and Jeong Hyunsik released a technical analysis of the code. The leaked code is currently available on GitHub. Threat Actor Details LockBit is a…

Context On September 6, 2022, researchers at AT&T Alien Labs reported technical details of a new malware, “Shikitega,” that targets endpoints and internet of things (IoT) devices running Linux operating systems. Once delivered, Shikitega allows actors full remote access to the infected system and installs a cryptominer with persistence. Key takeaways from the report include:…

The threat actors behind the BianLian Ransomware are rapidly expanding infrastructure, and it has been observed targeting manufacturing organizations. Context On September 1, 2022, researchers at the cybersecurity firm Redacted published a technical analysis of the BianLian ransomware. In the past month, BianLian has been observed being deployed against numerous sectors, including manufacturing, healthcare, and…

The new HYPERSCRAPE data extraction tool developed by the Iranian Charming Kitten threat group eases the process of stealing email data from targeted accounts. Context On August 23, 2022, Google Threat Analysis Group (TAG) researchers published a technical analysis of a unique data extraction tool they named “HYPERSCRAPE” used by the Iranian state-backed Charming Kitten…