This Week in Security News - Dec. 18, 2020
Pawn Storm Employs Lack of Sophistication as a Strategy and SolarWinds Says Affected Enterprises Must Use Hot Patches and Isolate Compromised Gear
Save to Folio
Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn how notorious APT actor Pawn Storm used non-sophisticated attack methods to ensure their attacks flew under the radar. Also, read about SolarWinds’ recommendation for customers affected by the Trojan embedded in its Orion network-monitoring platform.
Read on:
Credential Stealer Targets US, Canadian Bank Customers
In mid-December, Trend Micro discovered a campaign that distributed a credential stealer, with the main code components of this campaign written in AutoHotkey (AHK). By tracking the campaign components, Trend Micro found that its activity has been occurring since early 2020. The malware infection consists of multiple stages that start with a malicious Excel file. The full attack chain is depicted in this blog.
FBI Warns of DoppelPaymer Ransomware Targeting Critical Infrastructure
The Federal Bureau of Investigation has released a Private Industry Notification to warn of DoppelPaymer ransomware attacks on critical infrastructure. DoppelPaymer emerged as a forked version of BitPaymer (also known as FriedEx), both believed to be the work of TA505, the threat actor best known for the infamous Dridex Trojan and Locky ransomware families.
Pawn Storm’s Lack of Sophistication as a Strategy
A defender who finds a simple remote access trojan (RAT) in the network won’t immediately think it was from an advanced persistent threat (APT) actor. Likewise, brute force attacks on internet services like email, Microsoft Autodiscover, SMB, LDAP, and SQL are so common that they seem like background noise that can be ignored. But in 2020, the notorious APT actor Pawn Storm used exactly these non-sophisticated attack methods to such an extent that their attacks may get lost in the noise.
Overview of Recent Sunburst Targeted Attacks
Various sources have recently disclosed a sophisticated attack that hit several organizations via the supply chain. This was carried out by a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access provided by this application to plant a backdoor known as Sunburst onto affected machines. This backdoor provided the attacker with complete access to the targeted organization’s network.
SolarWinds Trojan: Affected Enterprises Must Use Hot Patches, Isolate Compromised Gear
SolarWinds is recommending that customers hit by the Trojan embedded in a version of its Orion network-monitoring platform update to a new release of the software. The supply-chain attack involves a potential state-sponsored, sophisticated actor that gained access to a wide variety of government, public and private networks across North America, Europe, Asia and the Middle East.
Managing Risk While Your ITSM Is Down
Being advised to unplug a product is highly unusual and indicates that running the product brings high risk. After you unplug, there is a smaller, yet not insignificant, risk associated with not having an IT Systems Management (ITSM). The advice from SolarWinds this week includes unplugging, taking security actions to examine for compromise, rebuilding the hosts, then bringing the known-good ITSM online. In this blog, Trend Micro shares advice for managing risk if an ITSM is down.
Backdoors Are Hard to Spot, But Not Who Is Using Them
Vulnerabilities in products are hard to find. Exploits are easier to find once we know the vulnerabilities. However, an intentional backdoor is maybe the most difficult malware to identify, whether it is installed by a vendor or infiltrator. Unlike a vulnerability, the backdoor comes with whatever security and obfuscation the designers wish, making it nearly undetectable to 3rd party threat researchers.
Trend Micro’s Cloud One Now Protects Apps with Runtime Security, Preemptive Protection
Trend Micro is expanding its cloud-native security offerings with pre-emptive protection for a wide range of modern apps – cloud, hybrid, serverless and APIs. In this article, Integration Developer News explores the Cloud One – Application Security product with vice president of product marketing Wendy Moore.
Trend Micro: Only 55 Percent Use Third-Party Cloud Security Tools
According to a recent survey conducted by Sapio Research and sponsored by Trend Micro, only 55 percent of companies are using third-party tools to secure their cloud environments. The survey interviewed over 2,500 IT decision-makers in 28 countries across the globe (with a focus on those in larger enterprises) on how they are securing their cloud environments and workloads.
Three Million Users Installed 28 Malicious Chrome or Edge Extensions
More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, security firm Avast reports. Extensions could redirect users to ads, phishing sites, collect user data, or download malware on infected systems.
Who is the Threat Actor Behind Operation Earth Kitsune?
Recently, Trend Micro uncovered the Operation Earth Kitsune campaign and published a detailed analysis of its tactics, techniques, and procedures (TTPs). While analyzing the technical details of this malware, which includes two new espionage backdoors, Trend Micro also noticed striking similarities to other malware attributed to the threat actor group APT37, also known as Reaper or Group 123.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations. One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products.
The Secret to Cloud Security Is...
Organizations are investing in cloud infrastructure and applications at an unprecedented rate, to not only survive but thrive during the pandemic. That said, expanding digitally also broadens the corporate attack surface. So, what’s the secret to cloud security? In this blog, Trend Micro experts share advice to help you build a winning strategy.
Egregor Ransomware Launches String of High-Profile Attacks to End 2020
In late 2020, the operators behind Maze ransomware announced that they were shutting down operations. However, a short period after Maze’s retirement, the ransomware known as Egregor stepped in to fill the void, allegedly becoming the ransomware of choice for previous Maze affiliates. Like Maze, Egregor makes use of a “double extortion” technique.
Using MITRE ATT&CK to Identify an APT Attack
Trend Micro recently analyzed the tools, relationships, and behaviors used in a long-standing intrusion of a company after its security team observed malicious command-and-control (C&C) traffic and reached out to Trend Micro to investigate and analyze the traffic.
Are you following the evolving details on the SolarWinds attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.