New Linux Cryptomining Malware Developed with Shc in the Wild

On January 4, 2023, AhnLab Security Emergency Response Center (ASEC) researchers reported the technical details of a new Linux malware, written using Shc, that delivers a cryptocurrency miner. ASEC researchers assess that the campaign is primarily targeting unspecified systems in South Korea. According to ASEC researchers, the malware authenticates through a dictionary attack on Linux SSH…
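The teaser above says the malware gains access by a dictionary attack against SSH. The following Python is an added detection example, not code from ASEC's report or from the malware: it runs over a constructed sample of sshd auth.log lines (the hostnames, PIDs and addresses are made up for illustration), flags any source that produces a burst of failed password logins inside a short window, and then reports a subsequent "Accepted password" from that same source as a likely successful dictionary attack. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in syslog format (not taken from any real host
# or from ASEC's report). 203.0.113.7 sprays several usernames and then succeeds;
# 198.51.100.9 is a legitimate user with one typo and a key-based login.
SAMPLE_AUTH_LOG = """\
Jan  4 10:01:02 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  4 10:01:03 host sshd[2313]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan  4 10:01:04 host sshd[2315]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan  4 10:01:05 host sshd[2317]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan  4 10:01:06 host sshd[2319]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan  4 10:01:09 host sshd[2321]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Jan  4 10:05:00 host sshd[2400]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jan  4 10:05:30 host sshd[2402]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# sshd's standard failure/success messages; "invalid user" is present when the
# username does not exist on the host, which is typical of dictionary attacks.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts: str, year: int = 2023) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_ssh_dictionary_attacks(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source_ip: finding} for sources whose failed password logins reach
    `threshold` inside any `window_seconds` window. A later password-based success
    from a flagged source is recorded as a probable account compromise."""
    failures = defaultdict(list)   # ip -> [(datetime, username)]
    accepted = []                  # [(datetime, ip, username, auth method)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((parse_ts(m["ts"]), m["ip"], m["user"], m["method"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        # Sliding window over sorted failure timestamps to find the densest burst.
        start, burst = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            findings[ip] = {
                "failures": len(events),
                "max_burst": burst,
                "distinct_users": len({user for _, user in events}),
                "compromised_accounts": [],
            }

    # Only password-based successes matter: the malware brute-forces passwords,
    # so a key-based login from a noisy source is not the same signal.
    for _, ip, user, method in accepted:
        if ip in findings and method == "password":
            findings[ip]["compromised_accounts"].append(user)
    return findings


if __name__ == "__main__":
    for ip, finding in detect_ssh_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

Run against the sample, the detector flags 203.0.113.7 (five failures across four usernames in a few seconds, followed by a password login as root) and ignores 198.51.100.9. The "compromised_accounts" field is the one worth alerting on, since a successful password login after a spray is the point at which the miner described in the teaser would be dropped.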

APT37 Leverages Internet Explorer Zero-Day to Target South Korean Users

Context APT37 is a known, sophisticated North Korean state-backed actor that has historically leveraged Internet Explorer zero-days to target North Korean defectors, government officials, journalists, and activists in South Korea. Technical Details CVE-2022-41128 was patched by Microsoft on November 8, 2022. According to Microsoft, “this vulnerability requires that a user with an affected version of…

Sophisticated Campaign Targeting Cryptocurrency Firms

On December 6, 2022, Microsoft researchers reported technical details of a campaign targeting cryptocurrency organizations globally using what they describe as complex tactics. Community Impact Many retail, travel, and hospitality organizations maintain financial relationships with cryptocurrency firms for business reasons, or accept cryptocurrency as payment and therefore maintain relationships with cryptocurrency firms for financial reasons. As…

World Cup 2022 RH-ISAC Cyber Threat Landscape Summary

Context On November 20, 2022, the FIFA World Cup 2022 is scheduled to begin in Qatar. Multiple retail, hospitality, and travel organizations are involved in this event to varying degrees and on various fronts and may be affected, including: organizations, especially hospitality organizations, with a presence in Qatar; organizations that handle sports betting; organizations that…

New Threat Group “Earth Longzhi” Targeting Global Government, Infrastructure, Aviation, Health, and Finance Orgs

On November 9, 2022, Trend Micro researchers reported two campaigns they attribute to a new threat group Earth Longzhi, which they assess is a subgroup of APT41. Context Trend Micro researchers based the assessed connection between the groups on shared targets, shared Cobalt Strike metadata, code similarities, and shared tactics, techniques, and procedures (TTPs). Impact…

New Report Examines Holiday Season Cyber Threat Trends in Retail and Hospitality

Vienna, VA (November 7, 2022) – The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today released its Holiday Season Cyber Threat Trends report, which examines the threat landscape facing the retail and hospitality sector during the holiday season, typically the busiest time of year for these industries. According to the report, QakBot, Emotet, Agent…

SentinelLabs Report Links Black Basta Ransomware Group TTPs to FIN7

On November 3, 2022, SentinelLabs researchers published a report linking the Black Basta ransomware group to FIN7 (also known as Carbanak) based on tactics, techniques, and procedures (TTPs) shared between Black Basta tools and FIN7 tools. Key Takeaways Key findings of the report include: SentinelLabs researchers describe Black Basta operational TTPs in full detail,…

OpenSSL Patches Two High Severity Vulnerabilities with Significant Barriers to Exploitation

On November 1, 2022, OpenSSL developers released details of two vulnerabilities: CVE-2022-3786 and CVE-2022-3602. Context In an accompanying blog post, OpenSSL explained that they downgraded the severity of the vulnerabilities from the originally announced critical level to high due to technical barriers to exploitation. No in-the-wild exploits or proofs of concept (POCs) are…

Ransomware, BEC, and Phishing Top Cisco Talos Incident Response Trends Q3 2022 Report

Key Takeaways On October 25, 2022, Cisco Talos Incident Response (CTIR) researchers published their Quarterly Report: Incident Response Trends in Q3 2022. Key findings include: Ransomware was the top threat this quarter, a slight change from last quarter where commodity trojans surpassed ransomware by a narrow margin. Several high-profile ransomware groups appeared in CTIR engagements…

Alleged Windows Zero-Day Exploited in the Wild to Bypass Security Warnings via JavaScript Files

Context On October 22, 2022, BleepingComputer reported the technical details of a new Windows zero-day vulnerability that “allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings.” BleepingComputer assesses that the zero-day was leveraged by ransomware threat actors to deliver the Magniber ransomware in a recent campaign. Technical Details…