Welcome to the Daily Threat Briefing for July 17, 2024. Today's briefing explores three stories: FIN7 demonstrates EDR bypasses and automation skills in their latest campaign, insights into TAG-100's global espionage campaigns, and a new backdoor dubbed BugSleep has been added to the MuddyWater arsenal.
Executive Summary
1️⃣ FIN7 evolves with automation and EDR bypass
🔑 Actionable Takeaway: Regularly update and audit security solutions to detect and mitigate the impacts of advanced malicious tools like AvNeutralizer. Emphasize the importance of vigilant monitoring and rapid response protocols.
2️⃣ TAG-100 Espionage: Exploiting Open-Source Tools Globally
🔑 Actionable Takeaway: Enhance cyber defence by securing internet-facing devices and conducting regular security audits to prevent exploitation.
3️⃣ MuddyWater's BugSleep: New Backdoor in Play
🔑 Actionable Takeaway: Strengthen email security and be cautious of phishing attempts to avoid the initial compromise that leads to backdoor installations. Educate employees about the latest phishing tactics and symptoms of possible follow-on attacks to ensure everybody can self-report cyber incidents.
FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
On July 17, 2024, SentinelLabs released a technical report detailing the cybercrime gang FIN7's new advancements and operational tactics.
- The adoption of pseudonyms by FIN7 obscures their identity and sustains underground market operations.
- The use of automated SQL injection attacks targeting public-facing applications, with the development and deployment of a specialized tool, AvNeutralizer, for tampering with security solutions.
- The expansion of FIN7's toolset includes a new version of AvNeutralizer, leveraging the Windows built-in driver ProcLaunchMon.sys for enhanced tampering capabilities.
- Historical insights into FIN7, from their early use of POS malware in 2012 to their shift towards ransomware and the creation of fraudulent infosec firms for executing attacks.
- Shared tools and tactics, especially in ransomware attacks and EDR evasion, demonstrate connections between FIN7 and other ransomware groups.
Insights and Analysis
FIN7's recent strategy to use multiple pseudonyms reflects a sophisticated approach to evade detection and attribution.
- The shift towards automated attacks, like SQL injections, highlights a trend towards more scalable and less resource-intensive cybercrime techniques, indicating a potential rise in the frequency and breadth of attacks.
- The introduction of new methods for tampering with security tools, such as AvNeutralizer's use of a Windows driver, underscores the importance of robust, multi-layered security measures that adapt to evolving threat tactics.
- The continued use and evolution of tools like AvNeutralizer, which now targets specific security solutions, illustrates the persistence of threat actors in enhancing their capabilities to circumvent security measures.
- This report is technical, with Indicators of Compromise (IoCs).
TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
On July 16, 2024, Insikt Group released a technical report on TAG-100's suspected global cyber-espionage campaign.
- TAG-100 targeted global government and private sector organizations, exploiting internet-facing devices and employing open-source tools for this campaign, notably the Go backdoor Pantegana.
- The group compromised two Asia-Pacific intergovernmental organizations and various diplomatic entities.
- The use of open-source tools in cyber espionage is rising, lessening the need for custom capabilities and opening the field to less advanced threat actors.
- TAG-100 has infiltrated organizations in at least ten African and Asian countries, North America, South America, and Oceania.
- Internet-facing products targeted by TAG-100 included Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
- A proof-of-concept exploit for the Palo Alto Networks GlobalProtect firewall vulnerability CVE-2024-3400 was also identified as being used by TAG-100.
Insights and Analysis
Exploitation of internet-facing devices by TAG-100 is a significant concern because such devices typically give defenders limited visibility and logging.
- The human element of cybersecurity is crucial in this scenario, given the extensive global reach of TAG-100's campaign, which affected numerous countries and sectors.
- Open-source tooling cuts both ways: adopting these technologies without secure code practices introduces risk, and the same ready-made tools enable threat actors, even less capable ones, to conduct cyber attacks.
- This case demonstrates how successful exploitation can result in operational downtime, reputational damage, and regulatory fines.
- This report is technical, with Indicators of Compromise (IoCs).
New BugSleep backdoor deployed in recent MuddyWater Campaigns
On July 15, 2024, Check Point released a technical report detailing the recent activities of MuddyWater, an Iranian threat group linked to the Ministry of Intelligence and Security (MOIS). The report focuses on the deployment of a new backdoor, BugSleep, used mainly against organizations in Israel amid the group's increased operations in several countries.
- MuddyWater, active since at least 2017, has been engaging in widespread phishing campaigns in the Middle East, notably increasing their efforts since the start of the Israel-Hamas conflict in October 2023.
- The group predominantly uses compromised organizational email accounts for phishing, leading to the installation of legitimate remote monitoring and management (RMM) tools like Atera Agent and ScreenConnect.
- A shift in their operations includes the deployment of the new BugSleep backdoor, designed to execute commands and transfer files between compromised machines and the command-and-control (C&C) server.
- This backdoor is under active development, with the threat actors focusing on continuous enhancements and bug fixes.
Insights and Analysis
The introduction of the BugSleep backdoor signifies MuddyWater's evolving technical sophistication and adaptive strategies in response to cybersecurity defences.
- The focus on Israel and adjustments in phishing strategies reflect a strategic interest in regions experiencing political tensions, using localized and timely themed lures like webinars and municipal apps.
- The misuse of Egnyte, a legitimate file-sharing service, in these campaigns highlights a growing trend of threat actors leveraging trusted platforms to bypass security measures and gain user trust.
- The development and deployment of BugSleep suggest an increasing reliance on custom tools that can be tailored to specific targets, enhancing the efficacy and stealth of their operations.
- This report is technical, with Indicators of Compromise (IoCs).
Welcome to Daily Threat Insights and Analysis, where I present three key stories that captured my attention as a threat intelligence professional. Please note that these reports are not affiliated with any organization, and my insights should be considered opinions or a starting point for navigating the vast sea of public reporting. Before taking action, conduct a thorough impact analysis specific to your business needs. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.
References: