Threat Pulse – January 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Russian Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors 

Research has been conducted into ALLANITE, a suspected Russian cyber espionage group that has primarily targeted the electric utility sector in the United States and United Kingdom.

ALLANITE uses email phishing campaigns and watering-hole attacks (compromised websites its targets are known to visit) to steal credentials and gain access to target networks. Once inside, it has been observed collecting and distributing screenshots of industrial control systems (ICS).

Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects 

A high-severity security flaw has been found within the open-source jsonwebtoken library, a widely used Node.js implementation of JSON Web Tokens (JWT), that could lead to remote code execution on a target server.

Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue affects all versions of the library up to and including 8.5.1 and has been addressed in version 9.0.0, shipped on December 21, 2022. The flaw was first reported on July 13, 2022. Note that exploitation requires the attacker to control the value passed as the secretOrPublicKey argument of jwt.verify(), so the practical risk depends on where an application sources its verification keys; the fix is nonetheless to upgrade to 9.0.0 or later and to audit transitive copies of the package, not just the one declared in package.json.
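Because jsonwebtoken is usually pulled in transitively by other packages, a grep of package.json misses most copies. The following scanner walks an npm lockfile and reports every installed copy of jsonwebtoken that is still at or below 8.5.1. It is an added example written for this bulletin, not code from the jsonwebtoken project or from the advisory; it encodes only the version facts stated above (affected up to and including 8.5.1, fixed in 9.0.0), and the two sample lockfiles embedded in it are constructed for illustration.

```python
"""Scan an npm lockfile for copies of jsonwebtoken affected by CVE-2022-23529.

Added example, not code from jsonwebtoken, its maintainers or the advisory.
Only the facts in the bulletin are encoded: versions up to and including
8.5.1 are affected, 9.0.0 fixes it.  Handles lockfileVersion 1 (nested
"dependencies") and lockfileVersion 2/3 (flat "packages" map keyed by
install path), so nested duplicate copies are found as well.
"""
import json
import re
import sys

PACKAGE = "jsonwebtoken"
FIXED_IN = (9, 0, 0)   # first release that is not affected


def parse_version(version):
    """'8.5.1' -> (8, 5, 1); tolerates a leading 'v' and a pre-release suffix."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for every release below the fixed version, i.e. <= 8.5.1."""
    return parse_version(version) < FIXED_IN


def find_copies(lock):
    """Return (install_path, version) for every copy of jsonwebtoken in the
    lockfile, including nested copies pulled in by other dependencies."""
    found = []
    if "packages" in lock:                              # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            # the package name is whatever follows the last "node_modules/"
            if path.rsplit("node_modules/", 1)[-1] == PACKAGE and "version" in meta:
                found.append((path, meta["version"]))
    else:                                               # lockfileVersion 1
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == PACKAGE and "version" in meta:
                    found.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found


def affected_copies(lock):
    """Subset of find_copies() whose version is still affected."""
    return [(p, v) for p, v in find_copies(lock) if is_affected(v)]


# Constructed sample lockfiles (not taken from any real project).
# The app pins 8.5.1 directly while a transitive dependency already carries 9.0.0.
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"jsonwebtoken": "^8.5.1", "some-sdk": "1.0.0"}},
        "node_modules/jsonwebtoken": {"version": "8.5.1"},
        "node_modules/some-sdk": {"version": "1.0.0"},
        "node_modules/some-sdk/node_modules/jsonwebtoken": {"version": "9.0.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-sdk": {"version": "1.0.0",
                     "dependencies": {"jsonwebtoken": {"version": "8.5.1"}}},
    },
}


def scan_file(path):
    """Load a package-lock.json from disk and return its affected copies."""
    with open(path, encoding="utf-8") as fh:
        return affected_copies(json.load(fh))


if __name__ == "__main__":
    # usage: python scan_jwt.py [package-lock.json ...]; no args scans the samples
    if sys.argv[1:]:
        results = [hit for target in sys.argv[1:] for hit in scan_file(target)]
    else:
        results = affected_copies(SAMPLE_LOCK_V3) + affected_copies(SAMPLE_LOCK_V1)
    for path, version in results:
        print(f"AFFECTED {path} {version} (upgrade to >= 9.0.0)")
    sys.exit(1 if results else 0)
```

Run it against each package-lock.json in a repository; a non-zero exit makes it easy to gate a CI pipeline. The nested copy under some-sdk in the sample is already fixed and is correctly left out of the report, which is the case a plain text search gets wrong.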

Increased use of XLL add-ins as an infection vector 

Research conducted by Cisco Talos has found that threat actors have increased their use of Excel add-in (XLL) files now that Microsoft blocks VBA macros by default in Office documents downloaded from the internet.

An XLL is a native DLL that Excel loads and executes directly, so it does not depend on macros at all. Excel shows a security prompt before loading an add-in that is not in a trusted location, but users are known to click through such warnings.

QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature 

A recent QakBot phishing campaign was found to evade Mark-of-the-Web (MoTW), the flag Windows attaches to files downloaded from the internet so that SmartScreen, Office Protected View and similar controls treat them with suspicion. Bypassing it lets the downloaded payload escape its designated security zone and install on the victim's device without the usual warnings, so MoTW should be treated as one layer of defence rather than a guarantee.

New Boldmove Linux malware used to backdoor Fortinet devices 

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider located in Africa.  

The vulnerability, tracked as CVE-2022-42475, allows an unauthenticated remote attacker to crash the device or gain remote code execution on it.

The attacks used a sophisticated backdoor dubbed BOLDMOVE, a Linux variant of which is specifically designed to run on Fortinet's FortiGate firewalls.

BOLDMOVE receives commands from a command-and-control (C2) server that let the attackers perform file operations, spawn a remote shell and relay traffic through the infected host. The Linux version of the malware can also disable and manipulate logging features in an attempt to avoid detection, so the absence of log entries on an exposed FortiGate is not evidence that it was not compromised.

New Mimic Ransomware 

Security researchers have discovered a new ransomware strain, named Mimic, that locates files to encrypt through the APIs of 'Everything', a legitimate Windows file-search utility.

Mimic's code shares similarities with the Conti ransomware, whose source code was leaked in March 2022.

'Everything' helps Mimic find files worth encrypting quickly while avoiding system files that, if locked, would prevent the system from booting. Files encrypted by Mimic are given the '.QUIETPLACE' extension.

A ransom note is also dropped, setting out the attacker's demands and how the data can be restored by paying a ransom in Bitcoin.

Python RAT malware targets Windows 

A new Python-based malware has been spotted in the wild with remote access trojan (RAT) capabilities that give its operators control over breached systems.

Named PY#RATION by researchers, the RAT uses the WebSocket protocol both to communicate with its command-and-control (C2) server and to exfiltrate data from the victim host. Because a WebSocket session begins as an ordinary HTTP request and then stays open, this traffic can blend in with normal web browsing; long-lived connections from unexpected processes are a better hunting lead than port-based filtering alone.

Titan Stealer: A new Golang-based information malware 

The new Golang-based malware was first documented by Will Thomas and is advertised by threat actors through a Telegram channel.

Its capabilities include, but are not limited to, stealing credentials from browsers, FTP client details, system information and screenshots. Titan is sold as a builder that produces customised payloads tailored to a specific victim's machine.

The malware is mostly distributed through lookalike websites impersonating popular software. On execution, the payload is injected into AppLaunch.exe, a legitimate Windows process that ships with the .NET Framework, and any data collected is then transmitted to a remote server.
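Three of the behaviours in this bulletin leave host telemetry that a SOC can alert on: Excel loading an XLL add-in from a user-writable path, Mimic loading the Everything search DLL from a process that is not Everything itself (and writing files with the .QUIETPLACE extension), and Titan Stealer injecting into AppLaunch.exe. The rules below run those checks over Sysmon-style events. This is an added example written for this bulletin, not DigitalXRAID's, Cisco Talos's or any vendor's detection content; the field names follow Sysmon, the Everything SDK DLL names (Everything32.dll / Everything64.dll) are an assumption taken from the voidtools SDK, and the sample events are constructed.

```python
"""Detection rules for three of the threats above, run over constructed
Sysmon-style events: Excel loading an XLL add-in from an untrusted path,
Mimic's use of the Everything search DLL and its .QUIETPLACE extension, and
Titan Stealer's injection into AppLaunch.exe.

Added example, not DigitalXRAID's or any vendor's detection content.  Field
names follow Sysmon (Image, ImageLoaded, TargetFilename, SourceImage,
TargetImage) and the event IDs are 7 (image loaded), 8 (CreateRemoteThread)
and 11 (file created).  The Everything SDK DLL names are assumed from the
voidtools SDK; every sample event below is made up.
"""
from pathlib import PureWindowsPath

# Locations a standard user cannot write to; code loaded from anywhere else is suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
EVERYTHING_DLLS = {"everything32.dll", "everything64.dll"}   # assumed SDK names


def _norm(path):
    return path.replace("/", "\\").lower()


def in_trusted_root(path):
    return _norm(path).startswith(TRUSTED_ROOTS)


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_xll_from_untrusted_path(ev):
    """Excel loading an .xll add-in from outside Program Files / Windows."""
    return (ev.get("id") == 7
            and basename(ev.get("Image", "")) == "excel.exe"
            and basename(ev.get("ImageLoaded", "")).endswith(".xll")
            and not in_trusted_root(ev.get("ImageLoaded", "")))


def rule_everything_dll_in_foreign_process(ev):
    """Everything search SDK DLL loaded by anything other than Everything.exe."""
    return (ev.get("id") == 7
            and basename(ev.get("ImageLoaded", "")) in EVERYTHING_DLLS
            and basename(ev.get("Image", "")) != "everything.exe")


def rule_quietplace_extension(ev):
    """File created with Mimic's .QUIETPLACE extension."""
    return (ev.get("id") == 11
            and basename(ev.get("TargetFilename", "")).endswith(".quietplace"))


def rule_remote_thread_into_applaunch(ev):
    """CreateRemoteThread into AppLaunch.exe from a binary outside trusted roots."""
    return (ev.get("id") == 8
            and basename(ev.get("TargetImage", "")) == "applaunch.exe"
            and not in_trusted_root(ev.get("SourceImage", "")))


RULES = {
    "xll_from_untrusted_path": rule_xll_from_untrusted_path,
    "everything_dll_in_foreign_process": rule_everything_dll_in_foreign_process,
    "mimic_quietplace_extension": rule_quietplace_extension,
    "remote_thread_into_applaunch": rule_remote_thread_into_applaunch,
}


def run_rules(events, rules=RULES):
    """Return [(rule_name, event), ...] for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in rules.items() if rule(ev)]


# Constructed sample events: four should fire, three are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice.xll"},                    # fires
    {"id": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    {"id": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Everything64.dll"},      # fires
    {"id": 7, "Image": r"C:\Program Files\Everything\Everything.exe",
     "ImageLoaded": r"C:\Program Files\Everything\Everything64.dll"},
    {"id": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.QUIETPLACE"},      # fires
    {"id": 8, "SourceImage": r"C:\Users\alice\Downloads\Setup.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"},  # fires
    {"id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

The trusted-root check is what keeps the XLL and AppLaunch rules quiet on a normal estate (Office's own Analysis ToolPak XLL lives under Program Files), and it is the first thing to tune if your users legitimately run add-ins from a file share. Sysmon event 8 only covers one injection technique; pair the AppLaunch rule with event 10 (ProcessAccess) if your Sysmon configuration records it.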

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
