Title: Bazar Drops the Anchor
Date Published: March 8, 2021
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
Excerpt: “In this case we started with a DocuSign themed Excel maldoc. The excel file failed to bring down the payload but to follow the infection chain we executed the follow on loader. Once Bazar was established the malware was quickly injected into the Werfault process to avoid detection. As seen in many intrusions the malware then performed some initial discovery with built-in Microsoft utilities such as Nltest. About an hour after initial execution, a Cobalt Strike beacon was loaded, followed shortly by Anchor. Shortly after Cobalt Strike and Anchor were running, the attackers dumped credentials and began moving laterally, starting with a domain controller.”
Title: Microsoft Updated MSERT to Detect Web Shells Used in Attacks Against Microsoft Exchange Installs
Date Published: March 8, 2021
https://securityaffairs.co/wordpress/115388/hacking/microsoft-msert-microsoft-exchange-attacks.html
Excerpt: “The attack chain starts with an untrusted connection to Exchange server port 443. Administrators could use MSERT to make a full scan of the install or they can perform a ‘Customized scan’ of the following paths where malicious files from the threat actor have been observed. “These remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities. Microsoft Defender will continue to monitor and provide the latest security updates”.”
Title: Microsoft Exchange Zero-Day Attacks: 30,000 Servers Hit Already, Says Report
Date Published: March 8, 2021
Excerpt: “CISA over the weekend warned that it was “aware of widespread domestic and international exploitation” of Microsoft Exchange Server vulnerabilities and urged the scanning of Exchange Server logs with Microsoft’s IOC detection tool to help determine compromise. Chris Krebs, the former director of CISA, reckons government agencies and small businesses will be more affected by these attacks than large enterprises. He believes the Exchange bugs will disproportionately affect small businesses and organizations in the education sector as well as state and local governments. “Incident response teams are BURNED OUT & this is at a really bad time,” he wrote.”
Title: REvil Ransomware Group Threatens to Launch DDoS Attacks, Call Journalists and Business Partners
https://heimdalsecurity.com/blog/revil-threatens-to-launch-ddos-attacks/
Date Published: March 8, 2021
Excerpt: “Just last week, a security researcher known as 3xp0rt discovered that REvil Ransomware launched a service for contact to news media, companies for the best pressure at no cost, and DDoS (L3, L7) as a paid service. This new tactic used by REvil was announced a month ago and includes a free service where the threat actors, or affiliated partners, will perform voice-scrambled VoIP calls to the media and victim’s business partners with information about the attack. The ransomware gang is probably assuming that warning businesses that their data may have been exposed in an attack on their partners, will create further pressure for the victim to pay.”
Title: Solarwinds Just Keeps Getting Worse: New Strain of Malware Found Infecting Victims
Date Published: March 8, 2021
https://www.theregister.com/2021/03/08/in_brief_security/
Excerpt: “No doubt there is more malware to come. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, warned this week it could take 18 months to clean up this mess, and that’s looking increasingly likely. No doubt there is more malware to come. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, warned this week it could take 18 months to clean up this mess, and that’s looking increasingly likely.”
Title: Iranian Hackers Using Remote Utilities Software to Spy On Its Targets
https://thehackernews.com/2021/03/iranian-hackers-using-remote-utilities.html
Date Published: March 8, 2021
Excerpt: “Earth Vetala is said to have leveraged spear-phishing emails containing embedded links to a popular file-sharing service called Onehub to distribute malware that ranged from password dumping utilities to custom backdoors, before initiating communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts. Noting that the tactics and techniques between the two campaigns that distribute RemoteUtilities and ScreenConnect are broadly similar, Trend Micro said the targets of the new wave of attacks are mainly organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE.”
Title: Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
Date Published: March 8, 2021
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
Excerpt: “To achieve this, the researchers reverse-engineered the ring interconnect’s protocols to uncover the conditions for two or more processes to cause a ring contention, in turn using them to build a covert channel with a capacity of 4.18 Mbps, which the researchers say is the largest to date for cross-core channels not relying on shared memory, unlike Flush+Flush or Flush+Reload.”
Title: D-Link, Iot Devices Under Attack by Tor-Based Gafgyt Variant
Date Published: March 5, 2021
https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/
Excerpt: “Compared with other Gafgyt variants, the biggest change of Gafgyt_tor is that the C2 communication is based on Tor, which increases the difficulty of detection and blocking,” said researchers with NetLab 360 on Thursday. “The Tor-based C2 communication mechanism has been seen in other families we have analyzed before… but this is the first time we encountered it in the Gafgyt family”.”
Title: ‘Educational’ Ransomware Program May Instead Become a How-to Guide for Attackers
Date Published: March 5, 2021
Excerpt: “Such assessments are important as the threat intelligence and cyber research community track the evolution and popularity of various malware programs in order to stay on top of the latest trends. But this news also leads to some interesting questions: What are the motivations for posting a POC ransomware program online? And when a new POC malware emerges, what are the factors that ultimately lead it to become successful or disappear?”
Title: Microsoft Office 365 Gets Protection Against Malicious XLM Macros
Date Published: March 7, 2021
Excerpt: “It allows Windows 10 services and apps to communicate with security products and request runtime scans of potentially dangerous data. This helps expose malicious intent even when hidden using heavy obfuscation and to detect and block malware abusing Office VBA macros and PowerShell, JScript, VBScript, MSHTA/Jscript9, WMI, or .NET code, regularly used to deploy malware payloads via Office document macros. Microsoft first extended support for its Antimalware Scan Interface (AMSI) to Office 365 client applications in 2018 to defend customers against attacks using VBA macros.”