Cyberwar Bulletin: Iran and Albania

CSW's Threat Intelligence - August 29, 2022 - September 2, 2022

Posted on Sep 2, 2022 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Critical Threats

LockBit Explores Triple-Extortion Tactic

ScanBox Malware Targets Australian Government Agencies

BianLian Ransomware Adopts GoLang for Malware Technology

Unnamed Threat Actors Target Korean Companies

Threats to Watch Out For

CVE-2022-21849 - Microsoft Windows IKE Extension RCE Vulnerability

Exploits in WatchGuard Firewalls

Ragnar Locker Ransomware

Trending Critical Threats

LockBit Explores Triple-Extortion Tactic

LockBit ransomware has relied on encryption and data leaks to extort its victims.

Its recent attack on security giant Entrust was followed by an alleged DDoS counter-attack by Entrust, which prevented the group from leaking the stolen data. The ransomware family has now announced that it will use denial-of-service attacks, in addition to data leaks and encryption, to extort its victims.

LockBit uses sophisticated attack techniques and applies double encryption to its victims.

CVE-2018-13379 and CVE-2021-22986 are the two CVEs targeted by the ransomware family.

ScanBox Malware Targets Australian Government Agencies

The Chinese APT group TA423 (Red Ladon) has been targeting Australian government agencies and other entities operating in the South China Sea. The attacks began in April 2022 and continued until June 2022. TA423 used carefully worded phishing emails to direct victims to a fake news website that deploys the ScanBox malware. ScanBox can retrieve and execute a number of plugins that let it log keystrokes, fingerprint the browser, enumerate installed browser add-ons, and communicate with the infected machines.

ScanBox has also been used by other Chinese threat actors (HUI Loader, PlugX, and ShadowPad) and is believed to be shared among them internally.

CVE-2012-0158, CVE-2017-0199, CVE-2017-11882, CVE-2017-8759, and CVE-2022-30190 are some of the vulnerabilities used to target victims.

BianLian Ransomware Adopts GoLang for Malware Technology

Ransomware actors are increasingly adopting the Go language to write malware used in cross-platform attacks. The latest ransomware family to use Go is BianLian. Go offers threat actors the following advantages over other programming languages, which make it popular with them:

  • Makes reverse engineering more difficult

  • Cross-platform functionality

  • Open source

  • Allows an exponential increase in the attack surface

In BianLian ransomware's attack methodology, after gaining initial access to a victim network, the actors drop a web shell or an ngrok payload for further exploitation. BianLian has been behind widely reported attacks on several industry sectors, including manufacturing, education, and healthcare. Its capabilities are said to be similar to those of Agenda ransomware.

CVE-2021-34473 and CVE-2021-31207 are the vulnerabilities most targeted by BianLian.

Unnamed Threat Actors Target Korean Companies

An unidentified threat actor group is running multiple attack campaigns against Korean companies with exposed servers. The attackers use FRP (Fast Reverse Proxy) tools to gain initial access to servers reachable from outside. Once in, they escalate privileges using the JuicyPotato and SweetPotato tools. The attackers have targeted companies across multiple sectors, with no selection criterion other than an exposed server. There is no data on how much information has been stolen from these companies.

Here are the CVEs exploited in these attacks:

CVE             CVSS Score
CVE-2018-8440   7.8
CVE-2019-1405   7.8
CVE-2021-1675   8.8
CVE-2021-1732   7.8
CVE-2021-36934  7.8
CVE-2021-40449  7.8
CVE-2022-21882  7.8
CVE-2022-21999  7.8
CVE-2019-1322   7.8

Threats to Watch Out For

CVE-2022-21849 - Microsoft Windows IKE Extension RCE Vulnerability

A critical vulnerability in the Windows OS could allow remote code execution. There are no known exploits for this CVE, and Microsoft has released a patch for it.

Exploits in WatchGuard Firewalls

CVE-2022-3178 and CVE-2022-31790 are two pre-authentication remote root zero-days affecting every WatchGuard Firebox/XTM appliance. Threat actors have been exploiting similar vulnerabilities this year, and WatchGuard customers need to be on the lookout for such vulnerabilities.

Ragnar Locker Ransomware

Ragnar Locker ransomware has made news with multiple targets this year. It has been attacking the energy sector, the prime example being the recent attack on natural gas transmission operator DESFA. In this attack, some of the IT systems were encrypted, disrupting operations; supply services, however, were not affected. Apart from this, Ragnar Locker attacked Air Portugal and allegedly stole customer information.

Check out this section to track how these threats evolve!

We use our Threat Intelligence Platform, driven by Artificial Intelligence (AI) and Machine Learning (ML) models, to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
