11 Aug 23
Cyber Threat Roundup
A collection of recent open-source items of interest to the Defense Industrial Base
1. Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization
Attackers continue to progress their attacks in Microsoft environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts to enable persistent access to a Microsoft tenant. Cross-Tenant Synchronization (CTS) is another native functionality that allows threat actors to gain persistent access to a Microsoft cloud. CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS is a powerful and useful feature for organizations but also presents a risk for potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly.
https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
2. New Statc Stealer Malware Emerges: Your Sensitive Data at Risk
A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. Statc Stealer can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram. The stealer finds its way onto victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file in web browsers like Google Chrome.
https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.html
3. New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments. Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner. Freeze[.]rs uses multiple techniques not only to remove userland EDR hooks, but also to execute shellcode in such a way that it circumvents other endpoint monitoring controls.
https://thehackernews.com/2023/08/new-attack-alert-freezers-injector.html
4. CISA: New Whirlpool Backdoor Used in Barracuda ESG Hacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has discovered that a backdoor malware named 'Whirlpool' was used in attacks on compromised Barracuda Email Security Gateway (ESG) devices. The discovery of Whirlpool makes this the third distinct backdoor used in the attacks targeting Barracuda ESG. The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell.
https://www.bleepingcomputer.com/news/security/cisa-new-whirlpool-backdoor-used-in-barracuda-esg-hacks/
5. MoustachedBouncer Hackers Use AiTM Attacks to Spy on Diplomats
A cyberespionage group named 'MoustachedBouncer' has been observed using adversary-in-the-middle (AiTM) attacks against internet service providers (ISPs) to hack foreign embassies in Belarus. The ISPs confirmed to be used by MoustachedBouncer are Beltelecom (wholly state-owned) and Unitary Enterprise AI (the largest private ISP). According to an ESET report, the threat actors achieve this by manipulating traffic, either by breaching the ISP infrastructure or by collaborating with entities that have access to the network service providers in Belarus.
https://www.bleepingcomputer.com/news/security/moustachedbouncer-hackers-use-aitm-attacks-to-spy-on-diplomats/
6. Gafgyt Malware Exploits Five-Year-Old Flaw in EoL Zyxel Router
Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. The malware targets CVE-2017-18368, a critical severity (CVSS v3: 9.8) unauthenticated command injection vulnerability in the device's Remote System Log forwarding function, which was patched by Zyxel in 2017. Zyxel previously highlighted the threat from the then-new Gafgyt variant in 2019, urging users still using an outdated firmware version to upgrade to the latest release to protect their devices from takeover.
https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five-years-old-flaw-in-eol-zyxel-router/