
Cybersecurity Threat Report for May 15th, 2020

U.S. Center for Internet Security Alert Level

GUARDED: indicates a general risk of increased hacking, virus, or other malicious activity.


From the Center for Internet Security, “The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.”

A New Cybercrime Group

Briefing

They call themselves RATicate.  Lindsey O’Donnell of Threatpost reports that what is significant about the name is the acronym R-A-T: RAT stands for Remote Access Trojan.  These cybercriminals are installing Remote Access Trojans by leveraging the Nullsoft Scriptable Install System (NSIS), an open source tool used to create Windows installers.  They are said to be specifically targeting industrial firms in Europe, the Middle East, and the Republic of Korea.

They are using email to deliver the payload in attachments with extensions that include .zip, .img, .udf, .rtf, and .xls.

It sounds as if the NSIS installer runs with privileges on the Windows system that allow it to perform tasks including running commands from the CLI and loading DLLs.

Lindsey O’Donnell goes on to say that this attack goes as far as installing what have been termed junk DLLs, in an effort to obfuscate and confuse researchers during the discovery and analysis process.  The payload is said to be delivered encrypted and then decrypted as the first phase of the attack.

One of five different payloads is being used.

Payload #1 is said to be what is called Lokibot which is an “infostealer” gleaning FTP credentials, stored email passwords, and passwords stored in the browser.

Payload #2 is said to be what is called BetaBot which has been described as a rootkit.  A rootkit is software designed to allow access to the internals of an operating system.

Payload #3 is said to be what is called FormBook which steals data when entered into forms in the browser.  This would otherwise be known as a keylogger.

Payload #4 is said to be what is called Agent Tesla which is essentially spyware capable of extracting credentials, data from the clipboard, screen captures, keylogging, and various application credentials.

Payload #5 is said to be what is called Netwire, a Remote Access Trojan that steals credentials, keystrokes, and hardware information.

Nine companies have been targeted.

Researchers discovered that the same Command and Control (C2) server is being used with different payloads.

The RDP Protocol

McAfee is reporting that the number of open RDP ports exposed on the Internet has increased by 1.5 million.  They go on to state that the remote workforce created by the COVID-19 pandemic is believed to be to blame.

And a final word with an often-stated statistic…

Final Word

Remember that more than 90% of data breaches are the result of a phishing email.  Keep your eyes on what the email says, who it is from, and what it is asking you to do.  Verify URLs before you click the link.  Look for a one-off letter or a one-off TLD.
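The URL check above can be automated. The following is an added example, not code from the original report: it pulls links out of an email body and flags any host that is one letter or one TLD away from a trusted domain. TRUSTED_DOMAINS, SAMPLE_EMAIL and every URL in them are constructed for illustration, and the TLD split is naive (it does not handle multi-label suffixes such as co.uk).

```python
# Added example (not from the original report): flag links in an e-mail body whose
# host is a one-letter or one-TLD lookalike of a domain the organisation trusts.
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = ["example.com", "payroll-example.com"]  # constructed allow-list
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):                       # substitution, e.g. examp1e vs example
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    # Insertion/deletion: dropping one character from the longer must give the shorter.
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))

def split_domain(host: str):
    """Naive split of 'mail.example.com' into ('example', 'com'); ignores multi-label TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike-tld', 'lookalike-letter' or 'unknown'."""
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    name, tld = split_domain(host)
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = split_domain(trusted)
        if name == t_name and tld != t_tld:    # same name, different TLD: example.co
            return "lookalike-tld"
        if tld == t_tld and one_edit_away(name, t_name):
            return "lookalike-letter"
    return "unknown"

def flag_links(email_text: str) -> list:
    """Return (url, verdict) for every link in the text whose host is not trusted."""
    flagged = []
    for url in URL_RE.findall(email_text):
        verdict = classify_host(urlparse(url).hostname or "")
        if verdict != "trusted":
            flagged.append((url, verdict))
    return flagged

# Constructed phishing-style message body used as sample input.
SAMPLE_EMAIL = """Your payroll record needs review: https://payroll-examp1e.com/login
Reset here instead: http://example.co/reset or see https://www.example.com/help"""
```

Running `flag_links(SAMPLE_EMAIL)` flags the first two links (a digit-for-letter swap and a shortened TLD) and passes the genuine www.example.com link.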
