
Barnes & Noble, Norway Parliament, and MuddyWater – KNOW More

Norway accuses Russian hackers and Barnes & Noble suffers data breach

Post by Rajarshi Mitra In Security on Oct 19, 2020

Let’s analyze the state of last week’s global threat landscape. The categories to be studied and analyzed are:

#1 Dridex – KNOW Your Malware

KNOW picked up Dridex, and we think a comprehensive overview will help you prepare if you are in the line of attack.


Why is Dridex Trending?

As per the report from KNOW, Dridex was behind a successful attack on a well-known maker of smart devices and watches; the company's overall recovery cost is estimated at around $10 million. Since it surfaced in 2014, Dridex has repeatedly reshaped itself to follow emerging cybersecurity trends and has been effective at finding and exploiting vulnerabilities.

The Russia-based group behind it has relied on phishing emails to reach its victims.

References Counted by KNOW


  • Total references: 31,872
  • References in the last 60 days: 2762
  • References in the last 7 days: 523

Context Taken From KNOW

  • Risk rules triggered: 7 out of 48
  • Related intrusion methods: Phishing, Malspam, Spam, Webinject, Credential Stealing, Data Exfiltration, Malware, and 21 more.
  • IPs detected: 1034
  • Related hashes: 11,226
  • Vulnerabilities: CVE-2018-8174, CVE-2012-0158, CVE-2017-0199, CVE-2017-11882, CVE-2017-11826
  • Threat actors: Evil Corp, TA505, APT34 Oilrig, APT33 Charming Kitten, GOLD EVERGREEN

#2 Muddywater – Do You KNOW This Threat Actor?

Today, we are going to be focusing on a threat actor named “Muddywater.” As per KNOW’s threat intel dashboard, Muddywater was one of the most trending threat actors in the last 60 days.


Why is Muddywater trending?

Microsoft sent out a warning that Muddywater is currently exploiting the CVE-2020-1472 vulnerability, aka the Zerologon vulnerability. This particular vulnerability is located in the core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Reactions from Twitter

@KorSecured

Iranian threat actor Mercury/MuddyWater targeting the Zerologon vulnerability on Windows domain controllers.

@EduardKovacs

The Iran-linked threat actor known as MuddyWater is actively targeting the Zerologon vulnerability in Windows Server, Microsoft warns

References from KNOW

  • Total references counted: 1,371
  • References in the last 60 days: 10
  • References in the last 7 days: 0

Context from KNOW


  • Risk rules triggered: 6 out of 48
  • Industries affected: Telecommunications, Energy & Natural Resources, Aerospace and Defense, Education.
  • Most recent reference: Hybrid Analysis result for ‘plink.exe’
  • Intrusion methods: Phishing, Obfuscation, Phishing Campaign, Pass the Hash, Infection chain, Spear Phishing, and Social Engineering.
  • Malware used: POWERSTATS and Koadic.
  • Related hashes: 69
  • Campaign: Blackwater

#3 Norway Data Breach

The Norwegian parliament announced that Russian state-sponsored hackers were behind the August data breach. During the breach, hackers stole data from various officials’ email accounts. Norway Foreign Affairs Minister Ine Eriksen Søreide said:

“This is a very serious incident, affecting our most important democratic institution. Based on the information the government has, it is our view that Russia is responsible for these activities.”

The Russian embassy in Oslo has hit back at these accusations by calling them “unacceptable” and “destructive for bilateral relations.”

Reactions on Twitter

@LuluLemew 

Norway’s parliament target of a “vast” cyberattack that allowed attackers to access & download emails & data of “a small number of MPs and employees” on 8/24

Based on “information in the possession of the government, we believe that Russia is behind this”

#4 Barnes & Noble Data Breach

As per a Bleeping Computer report, Barnes & Noble customers have been complaining about service outages on social media. Users have complained that the company’s Nook libraries were inaccessible, and their previous purchases have vanished from the interface. The company sent emails to their customers, acknowledging the interruption and assuring them that a restoration process is underway.

What’s happening behind the scenes?

Bleeping Computer reported that Barnes & Noble's VPN servers had previously been vulnerable to CVE-2019-11510. KNOW detected this as well, as shown in the KNOW story card for this incident.

What is CVE-2019-11510?

This vulnerability affects Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. By sending a specially crafted URI, an unauthenticated remote attacker can read arbitrary files from the appliance.
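The version ranges above are the actionable part of this advisory for a defender with a fleet of VPN appliances. The following is an added example (not from the original post or from Pulse Secure) that parses PCS version strings in the `major.minorRrelease[.patch]` form used above and flags which appliances in a constructed inventory still fall inside the affected ranges; hostnames and versions in the sample are invented.

```python
import re
from typing import Iterable, List, Tuple

# Fixed builds exactly as stated in the advisory text: each branch is vulnerable
# to CVE-2019-11510 on any build below the listed one.
FIXED_BUILDS = {
    (8, 2): "8.2R12.1",
    (8, 3): "8.3R7.1",
    (9, 0): "9.0R3.4",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PCS version such as '9.0R3.4' into (major, minor, release, patch).

    A trailing build annotation (e.g. '9.0R3.4 (build 1234)') is ignored and a
    missing patch component is treated as 0, so '8.3R7' sorts before '8.3R7.1'.
    """
    token = version.strip().split()[0]
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised PCS version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def cve_2019_11510_status(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one appliance version.

    'unlisted' means the major.minor branch is not named in the advisory text,
    so this check cannot say anything about it; verify such hosts separately.
    """
    parsed = parse_pcs_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if parsed < parse_pcs_version(fixed) else "fixed"


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (hostname, version) pairs from an asset list, return exposed hosts."""
    return sorted(host for host, ver in inventory
                  if cve_2019_11510_status(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [("vpn-a.example.test", "8.2R11"), ("vpn-b.example.test", "8.3R7.1"),
              ("vpn-c.example.test", "9.0R3.3 (build 1234)"), ("vpn-d.example.test", "9.1R2")]
    for host, ver in sample:
        print(f"{host:22} {ver:22} {cve_2019_11510_status(ver)}")
    print("exposed:", triage_inventory(sample))
```

Hosts reported as `unlisted` are on a branch the post does not mention; the check deliberately does not guess about them.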

Context from KNOW


  • Vendors: Pulsesecure
  • Products affected: Pulse Connect Secure
  • Historically linked to threat actors: APT29 The Dukes
  • Historically linked to intrusion methods: Arbitrary file read and arbitrary file disclosure.

What is KNOW?

Netenrich’s Knowledge Now (KNOW), is a free AI-based threat intelligence news aggregator that provides a broader and deeper context of emerging threats and attacks – in one place. KNOW correlates global news around a specific threat by adding diverse perspectives from different publishers. If you want to KNOW more, then read this.

Netenrich’s powerful combination of threat and attack surface intelligence provides a unique new offering called “resolution intelligence.” Use this combo to optimize SecOps and IT to reduce alert fatigue and act on the most critical notifications first.

Do you want to know how this combo works? Then check this out. Meanwhile, why don't you do your SOC team a solid and sign up for KNOW? It's completely free, and it will be invaluable for your security team's threat intel research.


About Author

Rajarshi is a creative and accomplished writer who made his mark in the blockchain space before stepping into cybersecurity. When he is not working, he is busy chilling with his wife and cat, catching up on the latest Netflix docu-series... or watching Harry Potter for the 5781241516th time.