
Security Bulletin: May 2024

 
Threat Actor
Muddling Meerkat
TTP
  • DNS DDoS
MOD
Pre-position for attacking critical infrastructure
Description
Muddling Meerkat is a threat actor that conducts active operations through DNS by generating large volumes of widely distributed queries, which are then propagated across the internet through open DNS resolvers.
 
Post Credit: Infoblox
 
 
Threat Actor
Ebury Group
TTP
  • Credential Stuffing Attacks against Domain Hosting, VM Hosting Servers
  • Supply Chain Attack
MOD
Theft (Credential, Cryptocurrency, Credit Card)
Description
Recent Ebury attacks show a preference by the operators to breach hosting providers and perform supply chain attacks to clients renting virtual servers on the compromised provider.
The initial compromise is performed via credential stuffing attacks, using stolen credentials to log into the servers.
Once a server is compromised, the malware exfiltrates a list of inbound/outbound SSH connections from wtmp and the known_hosts file and steals SSH authentication keys, which are then used to try to log into other systems.
 
Post Credit: ESET
 
Tool/Program
Domain Generation Algorithm (DGA)
Description
A domain generation algorithm (DGA) is a program that generates large numbers of new domain names. Cybercriminals and botnet operators use domain generation algorithms to frequently change the domains they use to launch malware attacks. This technique enables attackers to evade malware-detection solutions that block specific domain names and static IP addresses.
 
Post Credit: Akamai
 
Threat Actor
Multiple
TTP
  • Subscription Email Fatigue
  • Social Engineering
  • Screen/Remote Connect Tools
  • Usage of Black Basta Tooling
MOD
Theft
Description
Black Basta is a ransomware-as-a-service (RaaS) program. The attacks started with Black Basta threat actors signing up the victim’s email address to multiple email subscription services to flood their inbox, and then impersonating IT support in phone calls allegedly meant to help the targeted individual resolve the issue. Threat actors were seen installing tools such as ScreenConnect and NetSupport Manager, which were followed by the deployment of Qakbot, Cobalt Strike, and Black Basta ransomware.
 
Post Credit: Security Week
 
Threat Actor
Unknown
TTP
  • Leverage Google Drive and Dropbox to stage malware
  • Phishing Email Payload Delivery
  • Unicode Left-to-Right Override characters (LTRO) in Windows filenames to obfuscate the “.exe” extension
Description
A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads.
The VBScript and PowerShell scripts used in the CLOUD#REVERSER campaign inherently involve command-and-control-like activity, using Google Drive and Dropbox as staging platforms to manage file uploads and downloads.
 
Post Credit: Securonix, TheHackerNews
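The extension-hiding trick in the CLOUD#REVERSER entry above relies on Unicode bidirectional override characters that are invisible in file listings. The following is an added example, not code from Securonix, The Hacker News or this bulletin: a small filename checker that flags any bidi control character and, for the common right-to-left override case (U+202E), approximates what a user would see so the displayed extension can be compared with the real one. It covers both left-to-right (U+202D) and right-to-left (U+202E) overrides, and the sample filenames are constructed for illustration.

```python
# Bidirectional control characters that can make a filename render
# differently from how the operating system actually interprets it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def displayed_name(name: str) -> str:
    """Approximate how a user sees the name: text after an RLO (U+202E) is
    shown reversed until the next PDF (U+202C) or end of string, and all
    control characters are invisible. Not a full UAX #9 implementation."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            j = name.find("\u202c", i + 1)
            if j == -1:
                j = len(name)
            segment = "".join(ch for ch in name[i + 1:j] if ch not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = j + 1
            continue
        if c not in BIDI_CONTROLS:
            out.append(c)
        i += 1
    return "".join(out)


def check_filename(name: str) -> dict:
    """Report bidi controls present, the rendered name, the real extension
    (taken from the raw code points, as the OS does) and whether it differs
    from the extension a user would read off the rendered name."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "controls": controls,
        "displayed": shown,
        "real_extension": real_ext,
        "extension_mismatch": bool(controls) and real_ext != shown_ext,
    }


def scan(names):
    """Return only the filenames that carry any bidi control character."""
    return [n for n in names if check_filename(n)["controls"]]


if __name__ == "__main__":
    # Constructed samples: a benign name and an RLO-disguised executable.
    for n in ["clean.pdf", "report\u202efdp.exe"]:
        print(repr(n), check_filename(n))
```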