Let’s analyze the state of last week’s global threat landscape. The categories studied and analyzed this week are:
- Malware of the week: Dridex.
- Threat actor of the week: MuddyWater.
- Norway parliament data breach.
- Barnes & Noble data breach.
#1 Dridex – KNOW Your Malware
KNOW picked up Dridex, and we think a comprehensive overview will help you prepare if you are in the line of attack.
Why is Dridex Trending?
According to KNOW, Dridex was behind a successful attack on a well-known maker of smart devices and watches, and the overall recovery cost to the company is estimated at around $10 million. Dridex first surfaced in 2014 as a banking trojan and has kept evolving with the threat landscape ever since, consistently finding and exploiting weaknesses in its targets.
The Russia-based group behind it (tracked as Evil Corp) delivers Dridex mainly through phishing emails carrying malicious attachments.
References Counted by KNOW
- Total references: 31,872
- References in the last 60 days: 2762
- References in the last 7 days: 523
Context Taken From KNOW
- Risk rules triggered: 7 out of 48
- Related intrusion methods: Phishing, Malspam, Spam, Webinject, Credential Stealing, Data Exfiltration, Malware, and 21 more.
- IPs detected: 1034
- Related hashes: 11,226
- Vulnerabilities: CVE-2018-8174, CVE-2012-0158, CVE-2017-0199, CVE-2017-11882, CVE-2017-11826
- Threat actors: Evil Corp, TA505, APT34 (OilRig), APT33 (labelled Charming Kitten in KNOW, a name more commonly applied to APT35), GOLD EVERGREEN
#2 MuddyWater – Do You KNOW This Threat Actor?
Why is MuddyWater trending?
Microsoft warned that MuddyWater (which Microsoft tracks as MERCURY) is actively exploiting CVE-2020-1472, the Zerologon vulnerability. The flaw sits in the Netlogon Remote Protocol (MS-NRPC), the authentication component that domain-joined machines use to talk to Active Directory domain controllers on Windows Server. Because of a weakness in how Netlogon applies its session cryptography, an unauthenticated attacker with network access to a domain controller can authenticate as the DC’s own machine account and reset its password, which leads directly to full domain compromise. Microsoft shipped the fix in the August 2020 security updates; unpatched domain controllers remain exposed.
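One detection a defender can run against domain controller Security logs, added here as an example (it is not from Microsoft’s guidance or from the original post): a Zerologon exploit ends by resetting a DC’s machine account password over an unauthenticated Netlogon channel, and the DC records that change as Event ID 4742 (computer account changed) with ANONYMOUS LOGON as the subject, whereas a legitimate 30-day rotation is performed by the machine account itself. The flattened key=value record format and the sample lines below are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records, flattened to key=value pairs for this example.
# Real 4742 events arrive as EVTX/XML; the field names match the Security log.
SAMPLE_EVENTS = [
    # Machine account password reset by an unauthenticated subject: the trace a
    # Zerologon exploit leaves when it resets the DC's own account.
    "EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=DC01$ TargetDomainName=CORP PasswordLastSet=10/13/2020 10:12:44",
    # Routine machine password rotation: the computer changes its own password.
    "EventID=4742 SubjectUserName=DC01$ SubjectDomainName=CORP "
    "TargetUserName=DC01$ TargetDomainName=CORP PasswordLastSet=10/13/2020 03:00:00",
    # Anonymous subject but no password change ('-' means the attribute was untouched).
    "EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=WS07$ TargetDomainName=CORP PasswordLastSet=-",
    # Unrelated event type.
    "EventID=4624 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY "
    "TargetUserName=alice TargetDomainName=CORP",
]

# key=value pairs whose values may contain spaces ("ANONYMOUS LOGON", "NT AUTHORITY");
# a value runs until the next " key=" token or end of line.
_FIELD = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dict."""
    return {key: value for key, value in _FIELD.findall(line)}


def is_zerologon_suspect(ev: Dict[str, str]) -> bool:
    """Heuristic: a computer account ($) had its password set by ANONYMOUS LOGON.

    Legitimate rotations are done by the account itself, so subject and target
    match; a reset over an unauthenticated Netlogon channel shows ANONYMOUS LOGON.
    """
    return (
        ev.get("EventID") == "4742"
        and ev.get("TargetUserName", "").endswith("$")
        and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        and ev.get("PasswordLastSet", "-") != "-"
    )


def find_zerologon_suspects(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every event in `lines` that matches the heuristic above."""
    return [ev for ev in map(parse_event, lines) if is_zerologon_suspect(ev)]


if __name__ == "__main__":
    for hit in find_zerologon_suspects(SAMPLE_EVENTS):
        print(
            f"ALERT possible Zerologon: {hit['TargetUserName']} password set by "
            f"{hit['SubjectDomainName']}\\{hit['SubjectUserName']} at {hit['PasswordLastSet']}"
        )
```

Run it as-is and it flags only the first record. On patched domain controllers, the August 2020 update also logs Event IDs 5827 through 5829 for Netlogon connections that are denied or still allowed as vulnerable, which are the simpler signal to watch once the patch is in place; the 4742 heuristic is for spotting an exploit that already succeeded.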
Reactions from Twitter
Iranian threat actor Mercury/MuddyWater targeting the Zerologon vulnerability on Windows domain controllers.
The Iran-linked threat actor known as MuddyWater is actively targeting the Zerologon vulnerability in Windows Server, Microsoft warns
References from KNOW
- Total references counted: 1,371
- References in the last 60 days: 10
- References in the last 7 days: 0
Context from KNOW
- Risk rules triggered: 6 out of 48
- Industries affected: Telecommunications, Energy & Natural Resources, Aerospace and Defense, Education.
- Most recent reference: Hybrid Analysis result for ‘plink.exe’
- Intrusion methods: Phishing, Obfuscation, Phishing Campaign, Pass the Hash, Infection chain, Spear Phishing, and Social Engineering.
- Malware used: POWERSTATS and Koadic.
- Related hashes: 69
- Campaign: Blackwater
#3 Norway Data Breach
The Norwegian parliament announced that Russian state-sponsored hackers were behind the August data breach, in which the attackers stole data from the email accounts of several officials. Norway’s Foreign Minister Ine Eriksen Søreide said:
“This is a very serious incident, affecting our most important democratic institution. Based on the information the government has, it is our view that Russia is responsible for these activities.”
The Russian embassy in Oslo has hit back at these accusations by calling them “unacceptable” and “destructive for bilateral relations.”
Reactions on Twitter
Norway’s parliament target of a “vast” cyberattack that allowed attackers to access & download emails & data of “a small number of MPs and employees” on 8/24
Based on “information in the possession of the government, we believe that Russia is behind this”
#4 Barnes & Noble Data Breach
As per a Bleeping Computer report, Barnes & Noble customers have been complaining about service outages on social media. Users have complained that the company’s Nook libraries were inaccessible, and their previous purchases have vanished from the interface. The company sent emails to their customers, acknowledging the interruption and assuring them that a restoration process is underway.
What’s happening behind the scenes?
Bleeping Computer also reported that Barnes & Noble’s VPN servers had earlier been flagged as vulnerable to CVE-2019-11510, a pre-authentication flaw in Pulse Secure VPN appliances. KNOW had picked up the same exposure, as its story card for the company shows.
What is CVE-2019-11510?
CVE-2019-11510 is an arbitrary file read in Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. An unauthenticated, remote attacker sends a specially crafted URI to the appliance’s web interface and can read arbitrary files from it, without any credentials. Because the files reachable this way include ones holding VPN session and credential data, exploitation has been used as a first step to log in to the VPN as a legitimate user.
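The first thing to check after a report like this is whether your own appliances fall inside the affected ranges. The helper below is an added example, not Pulse Secure tooling or code from the original post: it parses a PCS version string as read from the admin console (the "9.0R3.2 (build 64003)" format is an assumption) and compares it against the fixed releases named in the advisory.

```python
import re
from typing import Optional, Tuple

# Fixed releases named for CVE-2019-11510, keyed by release branch.
FIXED_VERSIONS = {"8.2": "8.2R12.1", "8.3": "8.3R7.1", "9.0": "9.0R3.4"}

# Assumed format of the version string shown by the appliance, e.g. "9.0R3.2 (build 64003)".
_VERSION = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.0R3.2 (build 64003)' into the comparable tuple (9, 0, 3, 2).

    A release with no trailing patch number ('8.2R12') is treated as patch 0.
    """
    match = _VERSION.search(text)
    if not match:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable_cve_2019_11510(text: str) -> Optional[bool]:
    """True if the version is below its branch's fix, False if at or above it,
    None if the branch is not one of the affected branches (e.g. 8.1 or 9.1).
    """
    version = parse_pcs_version(text)
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return version < parse_pcs_version(fixed)


if __name__ == "__main__":
    for sample in ("9.0R3.2 (build 64003)", "9.0R3.4", "8.2R12", "8.3R7.1", "9.1R1"):
        print(f"{sample:24s} -> {is_vulnerable_cve_2019_11510(sample)}")
```

A result of None means the branch is outside the ranges the advisory lists, not that it is safe; treat it as a prompt to check the vendor advisory rather than as a clean bill of health. Patching alone is also not enough once an appliance has been exposed: the files this flaw exposes include session and credential data, so rotating VPN credentials after the upgrade is part of the remediation.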
Context from KNOW
- Vendors: Pulsesecure
- Products affected: Pulse Connect Secure
- Historically linked to threat actors: APT29 The Dukes
- Historically linked to intrusion methods: arbitrary file read and arbitrary file disclosure.
What is KNOW?
Netenrich’s Knowledge Now (KNOW) is a free AI-based threat intelligence news aggregator that provides broader and deeper context on emerging threats and attacks, all in one place. KNOW correlates global news around a specific threat by bringing together the perspectives of different publishers. If you want to know more, read this.
Netenrich’s combination of threat intelligence and attack surface intelligence provides a new offering called “resolution intelligence.” Use the two together to optimize SecOps and IT, reduce alert fatigue, and act on the most critical notifications first.
Do you want to know how this combination works? Then check this out. Meanwhile, why don’t you do your SOC team a solid and sign up for KNOW? It’s completely free, and it will be invaluable for your security team’s threat intel research.