🌉

Security Bulletin: May 2024

 
Threat Actor
Muddling Meerkat
TTP
  • DNS DDoS
MOD
Pre-position for attacking critical infrastructure
Description
Muddling Meerkat a threat actor conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers.
 
Post Credit: Infoblox
 
 
Threat Actor
Ebury Group
TTP
  • Credential Stuffing Attacks against Domain Hosting, VM Hosting Servers
  • Supply Chain Attack
MOD
Theft (Credential, Cryptocurrency, Credit Card)
Description
Recent Ebury attacks show a preference by the operators to breach hosting providers and perform supply chain attacks to clients renting virtual servers on the compromised provider.
The initial compromise is performed via credential stuffing attacks, using stolen credentials to log into the servers.
Once a server is compromised, the malware exfiltrates a list of inbound/outband SSH connections from wtmp and the known_hosts file and steals SSH authentication keys, which are then used to try to log into other systems.
 
Post Credit: ESET
 
Tool/Program
A domain generation algorithm (DGA) is a program that generates large numbers of new domain names. Cybercriminals and botnet operators use domain generation algorithms to frequently change the domains they use to launch malware attacks. This technique enables hackers to avoid malware-detection solutions that block specific domain names and static IP addresses.
 
Post Credit: Akamai
 
Threat Actor
Multiple
TTP
  • Subscription Email Fatigue
  • Social Engineering
  • Screen/Remote Connect Tools
  • Usage Black Bast Tool
MOD
Theft
Description
Black Basta is a ransomware-as-a-service (RaaS) program. The attacks started with Black Basta threat actors signing up the victim’s email address to multiple email subscription services to flood their inbox, and then impersonating IT support in phone calls allegedly meant to help the targeted individual resolve the issue. Threat actors were seen installing tools such as ScreenConnect and NetSupport Manager, which were followed by the deployment of Qakbot, Cobalt Strike, and Black Basta ransomware.
Post Credit: Security Week
 
Threat Actor
Unknown
TTP
  • Leverage Google Drive and Dropbox to stage malware
  • Phishing Email Payload Delivery
  • Windows Left to Right override characters ( LTRO) to obfuscate “.exe” extension
Description
A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads.
The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads.
 
Post Credit: Securonix, TheHackerNews
Â