Threat Intelligence - RH-ISAC Blog

Context On September 6, 2022, researchers at AT&T Alien Labs reported technical details of a new malware, “Shikitega,” that targets endpoints and internet of things (IoT) devices running Linux operating systems. Once delivered, Shikitega allows actors full remote access to the infected system and installs a cryptominer with persistence. Key takeaways from the report include:…

The threat actors behind the BianLian Ransomware are rapidly expanding infrastructure, and it has been observed targeting manufacturing organizations. Context On September 1, 2022, researchers at the cybersecurity firm Redacted published a technical analysis of the BianLian ransomware. In the past month, BianLian has been observed being deployed against numerous sectors, including manufacturing, healthcare, and…

The new HYPERSCRAPE data extraction tool developed by the Iranian Charming Kitten threat group eases the process of stealing email data from targeted accounts. Context On August 23, 2022, Google Threat Analysis Group (TAG) researchers published a technical analysis of a unique data extraction tool they named “HYPERSCRAPE” used by the Iranian state-backed Charming Kitten…

Flashpoint’s 2022 Mid-Year Data Breach report shows an overall 15% decline in reported breaches from the same period last year and suggests that the retail, hospitality, and travel sectors are not among the industries reporting the most breaches by volume. Context On August 18, 2022, Flashpoint released its State of Data Breach Intelligence 2022 Midyear…

The SEABORGIUM phishing operation targets organizations with a connection to Russian interests leveraging three different open-source phishing kits, the most prevalent of which has been observed in recently reported phishing attacks. Context On August 15, 2022, Microsoft Threat Intelligence Center (MSTIC) researchers disclosed details of a phishing and cyberespionage operation that they disrupted in partnership…

Context On August 4, 2022, Cisco Talos Intelligence researchers reported new technical details of a tool called “Dark Utilities” that provides a full suite of command-and-control (C2) capabilities for threat actors. The tool, which was released in early 2022, is advertised by creators as enabling remote access, command execution, distributed denial-of-service (DDoS) attacks, and cryptomining…

Context On August 3, 2022, ZScaler researchers reported the technical details of an adversary in the middle (AiTM) campaign active since at least June 2022. The RH-ISAC team believes, based on timing and nearly identical tactics, techniques, and procedures (TTPs), that this campaign is likely connected to highly similar activity previously reported by Microsoft. Key…

Context On June 7, 2022, researchers at Zimperium reported technical details of an adware campaign targeting Russian gaming, social media, and ecommerce site users. The campaign uses more than 350 variations of malicious browser extensions using the Google Translate extension ID to trick victims into downloading the malicious files. Researchers named the extension group “ABCsoup.”…

Context On June 28, 2022, ReversingLABS researchers reported a phishing campaign using malicious Microsoft Office files to distribute the new 2.0 version of the AstraLocker ransomware. Researchers assess that the threat actors behind the campaign likely obtained the AstraLocker 2.0 code from the Babuk leak in September of 2021, based on shared code and campaign…

Context On June 28, 2022, Palo Alto Unit 42 researchers reported technical details and a proof of concept (PoC) exploit code for CVE-2022-30137, which they have designated FabricScape. CVE-2022-30137 is rated at 6.7 or medium severity, and affects Microsoft Service Fabric. Service Fabric is commonly used with Azure and hosts over one million applications daily. Microsoft released a patch…