Top five Cyber Threat Intel stories of the week: 07/24 to 07/28/2023

James Beal, Hunter Strategy
Jul 28, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: Cryptojacking: Understanding and defending against cloud compute resource abuse

Overview: In cloud environments, cryptojacking — a type of cyberattack that uses computing power to mine cryptocurrency — takes the form of cloud compute resource abuse, which involves a threat actor compromising legitimate tenants. Cloud compute resource abuse could result in financial loss to targeted organizations due to the compute fees that can be incurred from the abuse. In attacks observed by Microsoft, targeted organizations incurred more than $300,000 in compute fees due to cryptojacking attacks. While there are fundamental differences in how cloud providers handle authentication, permissions, and resource creation, a cloud cryptojacking attack could unfold in any environment where a threat actor can compromise an identity and create compute, and the attack lifecycle is largely the same. Microsoft security experts have surfaced tell-tale deployment patterns to help defenders determine, identify, and mitigate cloud cryptojacking attacks.

Breakdown: Excellent new technical breakdown on cryptojacking by Microsoft’s threat intelligence research team. Cloud environments make it easy to create new resources, and in many cases new machines are not tracked as carefully as they would be in a more traditional data center environment. This can lead to compromised resources performing actions like mining cryptocurrency and racking up massive extra costs on an organization’s cloud compute bill. Information security, system administrators, DevSecOps and other IT staff need to have alerts and configurations in place to maintain awareness of their entire cloud environment, and need to be aware of how attacks like this can happen. Microsoft’s TI team provides an easy-to-follow but still quite technical walk-through of cryptojacking, its impact on the environment, and their recommendations for detection, remediation, and mitigation.
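To make the "alerts and configurations" point concrete, here is an added Python example (not Microsoft's code, and not taken from their report) that runs three defender-side checks over cloud activity-log events: a burst of compute creation by one identity in a short window, the first creation in a region that identity had never used, and a quota increase followed shortly by a burst of instances. It also projects the daily spend those instances would generate. The event field names, the sample events and the hourly prices are all constructed assumptions for the example; map your provider's VM-create and quota events onto the same shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry). The field names are an
# assumption for this example; map your provider's activity log onto them.
SAMPLE_EVENTS = [
    # routine daytime compute creation by a deployment identity in its usual region
    {"time": "2023-07-24T09:00:00", "identity": "svc-deploy", "action": "compute.create", "region": "eastus", "sku": "small"},
    {"time": "2023-07-24T15:30:00", "identity": "svc-deploy", "action": "compute.create", "region": "eastus", "sku": "small"},
    {"time": "2023-07-25T10:10:00", "identity": "alice", "action": "compute.create", "region": "eastus", "sku": "medium"},
    # same identity, off hours: quota increase in a never-used region, then a burst of GPU-class instances
    {"time": "2023-07-26T02:00:00", "identity": "svc-deploy", "action": "quota.increase", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:05:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:06:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:07:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:08:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:09:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
    {"time": "2023-07-26T02:10:00", "identity": "svc-deploy", "action": "compute.create", "region": "westeurope", "sku": "gpu"},
]

# Illustrative hourly prices (assumed; not any provider's real pricing).
HOURLY_COST = {"small": 0.05, "medium": 0.20, "gpu": 3.00}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def compute_bursts(events, window=timedelta(minutes=30), threshold=5):
    """Identities that created at least `threshold` instances inside any `window`.
    Returns {identity: largest number of creates seen in one window}."""
    creates = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["action"] == "compute.create":
            creates[e["identity"]].append(_ts(e))
    flagged = {}
    for identity, times in creates.items():
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[identity] = best
    return flagged


def new_region_creates(events):
    """First compute creation by an identity in a region it had never used before in this log."""
    seen = defaultdict(set)
    flagged = []
    for e in sorted(events, key=_ts):
        if e["action"] != "compute.create":
            continue
        regions = seen[e["identity"]]
        if regions and e["region"] not in regions:
            flagged.append(e)
        regions.add(e["region"])
    return flagged


def quota_then_burst(events, window=timedelta(hours=1), threshold=5):
    """Quota increases followed within `window` by at least `threshold` creates by the same identity."""
    ordered = sorted(events, key=_ts)
    hits = []
    for i, e in enumerate(ordered):
        if e["action"] != "quota.increase":
            continue
        follow = [f for f in ordered[i + 1:]
                  if f["identity"] == e["identity"] and f["action"] == "compute.create"
                  and _ts(f) - _ts(e) <= window]
        if len(follow) >= threshold:
            hits.append((e["identity"], e["region"], len(follow)))
    return hits


def projected_daily_cost(events, identity, hourly_cost=HOURLY_COST):
    """Rough daily spend if every instance this identity created were left running for 24h."""
    return sum(hourly_cost[e["sku"]] * 24
               for e in events
               if e["identity"] == identity and e["action"] == "compute.create")


def triage(events):
    """Combine the signals into one report keyed by identity."""
    report = {}
    for identity, n in compute_bursts(events).items():
        report.setdefault(identity, {})["burst_creates"] = n
    for e in new_region_creates(events):
        report.setdefault(e["identity"], {}).setdefault("new_regions", []).append(e["region"])
    for identity, region, n in quota_then_burst(events):
        report.setdefault(identity, {})["quota_then_creates"] = n
    for identity in report:
        report[identity]["projected_daily_cost"] = round(projected_daily_cost(events, identity), 2)
    return report


if __name__ == "__main__":
    for identity, signals in triage(SAMPLE_EVENTS).items():
        print(identity, signals)
```

On the constructed sample only svc-deploy is flagged, with all three signals firing together, which is the combination worth paging on: a single one (a legitimate scale-out, a new region for a real project) will produce noise unless you tune the thresholds to your own baseline.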

2nd: Amadey Threat Analysis and Detections

Overview: The Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware, like the previous Splunk Threat Research blog related to RedLine loader, the multi-stage attack distribution article from McAfee in May 2023 and the campaign where it uses N-day vulnerabilities to deliver Amadey malware noted in March 2023 by DarkTrace. The emergence and increasing prevalence of Malware as a Service (MaaS) has become a notable trend within the current cyber threat landscape. MaaS has gained popularity as a common tool in the arsenal of threat actors, enabling them to conduct and facilitate widespread cyberattack campaigns. Malware as a Service refers to a model where cybercriminals offer malware-related services or resources for rent or purchase to other malicious actors. This approach provides several advantages to both skilled and novice attackers.

Breakdown: It is always a great idea to stay up to date on new malware research, and we regularly cover attacks here that have been published by research organizations. This is also a very technical deep dive on the Amadey malware and can serve as a great way to see how all these techniques work, as well as how researchers dig into new malware. It is a great way to learn how anti-sandboxing, defense evasion and C2 communications work in modern malware. They have also provided IOCs and detections at the end for anyone interested in threat hunting.

3rd: 10 Free Purple Team Security Tools to Check Out

Overview: It’s that time of year again. As we head into security summer camp season, security red teams, blue teams, and everyone in between waits with bated breath for all the new tools to drop. Between Black Hat USA briefings and Arsenal demos, there will once again be a robust slate of frameworks, platforms, open-source tooling, and new technical methods shared among all of the juicy security research. We’ve scoured the talks to offer this sneak peek into some of the most promising tools that will be featured at the show.

Breakdown: On the opposite side of things, it is almost time for “hacker summer camp” at all the conferences in Las Vegas in August, and that means new defender tools will be covered and discussed at length. Dark Reading tries to cover as much coming out of Vegas as possible during this time, and here we have a cool list of 10 new purple team tools available for defenders to use and learn from. Everyone should be able to find something new and fun to play with in this list, and maybe something brand new to put to real use in their organization.

4th: China allegedly turns to transnational criminals to spread disinformation in Australia

Overview: Australian researchers have found evidence that China is using fake social media accounts linked to transnational criminal groups to spread online propaganda and disinformation. According to a report that the Australian Strategic Policy Institute (ASPI) released this week, certain fake accounts used by China for its influence operations are linked to a network of Twitter accounts that promote Warner International Casino, an online gambling platform operating in Southeast Asia. Warner International Casino seems to be connected to a casino owned by the Warner Company in a city in northern Myanmar, near the border with China. Reports have said Chinese police were investigating crimes related to the online platform.

Breakdown: We have seen a rash of disinformation campaigns in the last year especially, or at least seen them exposed and reported on in depth. Here we have China using its resources to run disinformation campaigns, acquiring accounts from criminal groups for covert online operations while keeping some plausible deniability about the link to its national interests. The target in this case is Australia, but these same techniques are used worldwide to sow confusion among the other superpowers as well.

5th: Social engineering campaign targeting tech employees spreading through npm malware

Overview: The digital world is becoming increasingly perilous as nefarious actors, especially state-sponsored groups, grow bolder in their cyber-espionage and cyber-theft operations. A recent alert from GitHub has sounded the alarm bells about a sophisticated social engineering scheme, which has been tied to the Lazarus Group. This North Korean state-backed hacking syndicate, with known aliases like Jade Sleet and TraderTraitor, has been on the radar of several intelligence agencies, notably after the US government’s exposé on their tactics in 2022. Their modus operandi involves compromising or fabricating GitHub accounts, luring professionals from sectors such as cryptocurrency, online gambling, and cybersecurity into seemingly benign collaborations. The end goal is malevolent: using malware-infected NPM packages to infiltrate their targets’ devices. The group’s tactics are quite intricate. For instance, initial contact often moves to other platforms like WhatsApp, where the rapport is built before the unsuspecting victims are led to clone malware-laden GitHub repositories. Our investigation reveals that these NPM packages connect to remote servers, fetching additional malware to unleash on the infected devices.

Breakdown: Similar to the story above about China and disinformation campaigns, the general populace is usually the primary target of these operations rather than more aware and technically adept people like most of the security community. Here we see Lazarus Group, backed by North Korea as a primary nation-state actor, targeting NPM packages, which is a more direct attack on IT and InfoSec staff at most organizations. The post includes a well-researched technical breakdown of this process and of the attack chain they use to get infections into organizations.
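The lure in this campaign ends with the target cloning a repository and installing its NPM dependencies, so the defender-side control is a review step before `npm install` runs anything. The following Python script is an added example (not GitHub's tooling and not derived from the advisory) that audits a cloned repository's package.json for the two things a reviewer should look at first: lifecycle scripts that npm executes automatically during install, and dependencies that resolve to git URLs, tarballs or local paths instead of a registry version. The sample package.json, its package names and the example.invalid hosts are all constructed placeholders.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that resolve outside the public registry (git/URL/tarball/local path).
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git://|github:|gitlab:|bitbucket:|https?://|file:|\.\.?/|/)")

# Constructed package.json for a hypothetical repository shared in a "collaboration" invite.
# Package names and hosts are placeholders; nothing here is from the GitHub advisory.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-bot-demo",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "helper-utils": "git+https://example.invalid/helper-utils.git"
  },
  "devDependencies": {
    "data-sync": "https://example.invalid/data-sync-1.0.0.tgz"
  }
}"""


def audit_package_json(text):
    """Return a list of findings a reviewer should look at before running `npm install`."""
    pkg = json.loads(text)
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append({"kind": "lifecycle_script", "hook": hook, "command": scripts[hook]})
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append({"kind": "non_registry_dependency", "section": section,
                                 "name": name, "spec": spec})
    return findings


def install_recommendation(findings):
    """Translate findings into a reviewer action."""
    if not findings:
        return "proceed"
    if any(f["kind"] == "lifecycle_script" for f in findings):
        return "review scripts; install with --ignore-scripts until cleared"
    return "review non-registry dependencies before install"


if __name__ == "__main__":
    results = audit_package_json(SAMPLE_PACKAGE_JSON)
    for finding in results:
        print(finding)
    print(install_recommendation(results))
```

The check is deliberately narrow: it only reads the top-level manifest, so a hook hidden in a transitive dependency is not seen. For a repository handed to you by an unverified contact, running `npm install --ignore-scripts` and reading the lockfile before a normal install is the practical follow-on to this audit.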

Contact Us: contact@hunterstrategy.net

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.