Identity and Access Management (IAM) Lacking

April 19, 2022

Industry: N/A | Level: Strategic | Source: Palo Alto Unit42

Ensuring proper identity and access management (IAM) configuration is crucial for cloud security. However, analysis from Palo Alto Unit42 found IAM policy controls lacking in many organizations. The primary weaknesses are in credential hygiene: Unit42 found that 44% of organizations allow password reuse and 53% do not enforce complex passwords. In addition, permissions and policies are overly permissive. Cloud service provider (CSP) managed policies are often attached without being tailored by the customer and grant more permissions than the workload needs; on average, CSP-managed policies grant 2.5 times as many permissions as customer-managed policies. Weak credential management and overly permissive policies together give attackers easier access. The top threat groups targeting the cloud are TeamTNT, WatchDog, Kinsing, Rocke, 8220, APT29 and APT41.
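The two weaknesses above (reuse/complexity gaps in the account password policy, and managed policies that grant far more actions than a scoped one) can both be checked offline from the policy documents. The following is an added example, not code from the Unit42 report or from Anvilogic; the password policy and the two permission policies are constructed samples shaped like the AWS IAM API responses (get_account_password_policy, get_policy_version) and are not real AWS managed policies, and the small action catalogue is an assumed slice of the real per-service action lists.

```python
"""Offline checks for the two IAM weaknesses above: a password policy that
permits reuse or weak complexity, and a policy document that grants far
more actions than the workload needs.

All inputs below are constructed samples, not real account data.
"""
import fnmatch
from typing import Dict, List, Set

# Constructed: an account password policy with reuse allowed and weak rules.
WEAK_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    # "PasswordReusePrevention" is absent: previous passwords may be reused.
}


def audit_password_policy(policy: Dict) -> List[str]:
    """Findings for the reuse and complexity gaps the report measures.
    Thresholds follow the CIS AWS Foundations Benchmark (14 chars, 24 remembered)."""
    findings = []
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append("password reuse: PasswordReusePrevention below 24")
    for key in ("RequireSymbols", "RequireNumbers",
                "RequireUppercaseCharacters", "RequireLowercaseCharacters"):
        if not policy.get(key, False):
            findings.append(f"complexity: {key} not enforced")
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("complexity: MinimumPasswordLength below 14")
    return findings


# Constructed: a broad, CSP-managed-style policy and a customer-scoped one.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"}]}

# Constructed slice of the action namespace; a real audit expands wildcards
# against the full per-service action list published by the provider.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:PutBucketPolicy", "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "ec2:RunInstances", "iam:CreateUser", "iam:AttachUserPolicy",
]


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])


def expand_allowed_actions(policy: Dict, catalogue=ACTION_CATALOGUE) -> Set[str]:
    """Expand Allow action patterns (IAM matches them case-insensitively with
    * and ? wildcards) against the catalogue. Deny and NotAction are ignored
    here, so the result is an upper bound, which is what a permissions
    comparison needs."""
    allowed: Set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            allowed.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed


def permission_ratio(broad: Dict, scoped: Dict, catalogue=ACTION_CATALOGUE) -> float:
    """How many times more actions the broad policy grants than the scoped one."""
    return len(expand_allowed_actions(broad, catalogue)) / \
        len(expand_allowed_actions(scoped, catalogue))


def wildcard_findings(policy: Dict) -> List[str]:
    """Flag Allow statements that pair a wildcard action with Resource '*'."""
    out = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any("*" in a for a in actions) and "*" in _as_list(stmt.get("Resource")):
            out.append(f"statement {i}: wildcard action(s) {actions} on all resources")
    return out


if __name__ == "__main__":
    for f in audit_password_policy(WEAK_PASSWORD_POLICY):
        print("password policy:", f)
    print("broad/scoped permission ratio:",
          permission_ratio(BROAD_POLICY, SCOPED_POLICY))
    for f in wildcard_findings(BROAD_POLICY):
        print("broad policy:", f)
```

Against the constructed samples the broad policy expands to 7 of the 10 catalogued actions and the scoped one to 2, a 3.5x gap in the same spirit as the 2.5x figure reported; the password policy produces four findings (reuse, two missing character classes, and length).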

Gamaredon/ACTINIUM & Ukraine

February 08, 2022

In-depth research by Palo Alto Unit42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine.

Agent Tesla & Dridex

February 01, 2022

Industry: N/A | Level: Operational | Source: PaloAlto – Unit42

Research from Palo Alto Unit42 identified a rise in the distribution of Agent Tesla and Dridex malware between July 27th and December 1st, 2021. Although the activity is unlikely to be the work of a single threat actor, the two infection chains follow a similar path. Both are delivered through phishing emails carrying malicious Excel attachments: Dridex is dropped by Excel 4.0 macros, and XLL droppers are used for both Dridex and Agent Tesla. For Agent Tesla, the XLL file either contains a dropper that downloads the Agent Tesla payload or downloads the payload directly from Discord. For Dridex, either the Excel 4.0 macro or the XLL file retrieves the Dridex loader from Discord.

  • Anvilogic Scenarios:
    • Malicious Document Delivering Malware
    • HTA Payload Drop
    • Dridex Behaviors
    • Agent Tesla

WhisperGate

January 25, 2022

Among developing stories on attacks against Ukraine, Palo Alto Unit42 provided insight into a new malware family named WhisperGate, first observed on January 13th, 2022.

Video Player Spreads Skimmers

January 05, 2022

Industry: Real Estate | Level: Strategic | Source: Palo Alto Unit42 & The Record

Research from Palo Alto Unit42 identified over 100 real estate sites compromised to distribute skimmers that collect user information. The affected sites all belonged to one parent company, Sotheby's, whose Brightcove account had been compromised. Every compromised site imported the same malicious video from the cloud video platform, which in effect turned the incident into a supply chain attack. The issue with Sotheby's Brightcove account had been resolved before Unit42 shared its analysis and findings.

TiltedTemple Campaign, APT27

December 01, 2021

Industry: Critical infrastructure | Level: Operational | Sources: Unit42(Latest) & Unit42(Nov2021)

Activity from Threat Group 3390 (APT27) was reported on November 7th, 2021, and Palo Alto Unit42 has since identified four more organizations compromised since September 16th, 2021. The initial intrusions exploited Zoho's ManageEngine ADSelfService Plus via CVE-2021-40539. A shift in tactics was observed between October 25th and November 8th, with the group instead exploiting Zoho's ManageEngine ServiceDesk Plus via CVE-2021-44077. This vulnerability allows unauthenticated remote code execution; no public proof-of-concept code existed at the time of the report, which suggests the threat actor developed its own exploit. As described by Unit42: “The exploit requires a malicious actor to issue two requests to the REST API. The first is to upload an executable specifically named msiexec.exe and the second request launches the msiexec.exe payload. Both of these requests are required for successful exploitation, and both are initiated remotely via the REST API without requiring authentication to the ServiceDesk server.” Based on the combination of these activities, Palo Alto is tracking the campaign as “TiltedTemple.”

  • Anvilogic Scenario: TiltedTemple Campaign
  • Anvilogic Use Case: MSIExec Install MSI File
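The Agent Tesla & Dridex entry (Excel 4.0 macro or XLL dropper, payload fetched from Discord) and the TiltedTemple entry (a payload uploaded under the name msiexec.exe and then launched) both describe behaviour that endpoint telemetry can catch without any campaign-specific indicator. The following is an added example of that detection logic, written for this page and not code from Anvilogic, Unit42 or any of the reports. The events are constructed samples in a Sysmon-like shape (event 1 = process create, 7 = image load, 22 = DNS query); the field names, paths, the list of script hosts, and the hostname are assumptions for illustration, and the msiexec rule relies only on the fact that the genuine Windows Installer binary lives in the Windows system directories.

```python
"""Detection sketch for the delivery chains described in the Agent Tesla /
Dridex and TiltedTemple entries above.

Events are constructed samples in a Sysmon-like shape; field names, paths
and hostnames are assumptions for illustration, not telemetry from the reports.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    event_id: int              # 1 = process create, 7 = image load, 22 = DNS query
    image: str                 # full path of the process
    parent_image: str = ""     # event 1 only
    loaded: str = ""           # event 7: DLL/XLL loaded
    query: str = ""            # event 22: DNS name queried


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script hosts / LOLBins commonly launched by malicious macros (assumed list).
MACRO_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe",
                  "rundll32.exe", "wscript.exe", "cscript.exe"}
# Where the genuine Windows Installer binary lives.
MSIEXEC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    p = path.replace("/", "\\").lower()
    return p[: p.rfind("\\") + 1]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event matching a rule."""
    alerts = []
    for e in events:
        img, parent = _name(e.image), _name(e.parent_image)
        # Maldoc / Excel 4.0 macro: an Office process spawns a script host.
        if e.event_id == 1 and parent in OFFICE_APPS and img in MACRO_CHILDREN:
            alerts.append(("office_spawns_script_host", f"{parent} -> {img}"))
        # XLL dropper: Excel loads an add-in from a user-writable location.
        # Add-ins shipped with Office live under Program Files and are expected.
        if (e.event_id == 7 and img == "excel.exe"
                and e.loaded.lower().endswith(".xll")
                and "\\program files" not in _dir(e.loaded)):
            alerts.append(("excel_loads_user_xll", e.loaded))
        # Payload retrieval: an Office process resolves Discord's CDN.
        if (e.event_id == 22 and img in OFFICE_APPS
                and e.query.lower().endswith("discordapp.com")):
            alerts.append(("office_resolves_discord_cdn", e.query))
        # TiltedTemple: a file named msiexec.exe started from outside the
        # Windows system directories is a masquerade, not the real installer.
        if (e.event_id == 1 and img == "msiexec.exe"
                and not _dir(e.image).startswith(MSIEXEC_DIRS)):
            alerts.append(("msiexec_outside_system_dir", f"{parent} -> {e.image}"))
    return alerts


# Constructed sample telemetry: two benign events followed by four that fire.
SAMPLE_EVENTS = [
    Event(7, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          loaded=r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"),
    Event(1, r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event(7, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          loaded=r"C:\Users\bob\AppData\Local\Temp\invoice_2021.xll"),
    Event(22, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          query="cdn.discordapp.com"),
    Event(1, r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event(1, r"C:\Program Files\ManageEngine\ServiceDesk\bin\msiexec.exe",
          parent_image=r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The first two sample events show the edge cases these rules must tolerate: Excel loading the Analysis ToolPak XLL from Program Files, and the real msiexec.exe started by the Service Control Manager from System32. Neither fires; the remaining four events each match exactly one rule.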