Advisories Archive - Kaseya
https://www.kaseya.com/trust-center/security/
IT & Security Management for IT Professionals
Last updated: Tue, 03 Oct 2023 14:51:21 +0000

Threat Actors Observed Leveraging Microsoft Teams
https://www.kaseya.com/trust-center/security/threat-actors-observed-leveraging-microsoft-teams/
Tue, 03 Oct 2023 14:51:17 +0000

The post Threat Actors Observed Leveraging Microsoft Teams appeared first on Kaseya.

Disclosures from Microsoft’s Threat Intelligence team outline a social engineering tactic that weaponizes Microsoft Teams chats. The identified threat actor, Midnight Blizzard, was observed using a compromised Microsoft 365 tenant to create new domains posing as technical support companies. Using these fake domains, the actor sends Microsoft Teams messages to targeted companies and end users with the goal of harvesting credentials. When successful, the actor logs in with the stolen credentials while instructing the user to approve the resulting multifactor authentication (MFA) prompts.

Associated activities observed with this attack include spear phishing and password spraying/brute-force attempts. Indicators to watch for are new subdomains added to a compromised tenant, Teams message requests that the user must approve, and new devices added to the organization in Microsoft Entra ID. So far, these observed attacks have targeted diplomatic entities.

Recommendations: 

  • User education and awareness about phishing, unsolicited MFA requests and social engineering are pivotal in reducing the likelihood of these types of attacks.
  • Evaluate the implementation of conditional access application control in Microsoft Defender for users connecting from unmanaged devices.
  • Strengthen phishing defenses by deploying email security software alongside antivirus tools, restricting mail relays so that only specific domains and IPs may forward email, and verifying senders through reverse DNS lookup before accepting incoming messages.

This topic was sourced from The Hacker News and Microsoft Security.

-Kaseya Threat Management Team 

WormGPT Chatbot Advertised to Aid Cybercriminals
https://www.kaseya.com/trust-center/security/wormgpt-chatbot-advertised-to-aid-cybercriminals/
Thu, 20 Jul 2023 13:42:16 +0000

The artificial intelligence (AI) trends of 2023 have finally reached the depths of underground forums. On July 14, 2023, a member of Exploit Forum advertised access to a hosted version of WormGPT, an alternative to OpenAI’s ChatGPT and Google’s Bard. WormGPT, initially launched in June 2023, differs from other generative AI chatbots in that it does not limit or censor its output to enforce ethical usage. This lack of restrictions allows malicious users to submit prompts that rapidly generate text and code, which could aid in malware development or phishing attacks. WormGPT version 2 was initially advertised for a subscription of €550 (roughly $618) per year, opening AI-based hacking tools to a broader range of malicious actors.

Tools like WormGPT pose an increased risk to MSPs and SMBs because they reduce or remove errors common in phishing attacks, such as misspelled words and grammar issues. Such language errors, often found in phishing emails written by non-native speakers, are more easily spotted by targeted end users, making them less likely to fall for the attack. AI-based hacking tools also lower the skill or experience an attacker needs, further expanding the pool of potential actors using this technique. It is highly recommended that users engage in phishing-related training and that service providers maintain or implement email verification controls to increase the likelihood of preventing a successful email-based attack.

This topic was sourced from SlashNext, The Hacker News and underground forums.

-Kaseya Threat Management Team

Barracuda Email Security Gateway (ESG) Appliance Zero-Day Vulnerability
https://www.kaseya.com/trust-center/security/barracuda-email-security-gateway-esg-appliance-zero-day-vulnerability/
Fri, 09 Jun 2023 12:08:42 +0000

On June 6, 2023, Barracuda Networks released an updated vulnerability notice instructing affected customers to replace their on-prem Email Security Gateway (ESG) appliances.

Barracuda became aware of suspicious network activity from on-prem Barracuda ESG appliances on May 18, 2023. An investigation supported by cybersecurity firm Mandiant discovered a vulnerability, CVE-2023-2868, in an attachment screening module, which Barracuda remotely patched.

Barracuda has identified affected appliances and released a list of Indicators of Compromise (IOCs). As of June 6, Barracuda’s latest guidance is that any known affected ESG appliance be decommissioned and replaced with a new Barracuda appliance.

This vulnerability is suspected of being exploited as early as October 2022 and has been used to deploy malware containing backdoor capabilities. 

The entire disclosure and most up-to-date information is available here: https://www.barracuda.com/company/legal/esg-vulnerability 

– Kaseya Threat Management Team

Spike in Threat Actors Distributing Malware Using Microsoft OneNote
https://www.kaseya.com/trust-center/security/spike-in-threat-actors-distributing-malware-using-microsoft-onenote/
Fri, 03 Mar 2023 14:00:00 +0000

Since December 2022, multiple security vendors and security researchers observed a spike in malspam campaigns distributing different malware families that abuse Microsoft OneNote to circumvent security controls and infect users. The main initial infection chain relied on unwitting users clicking (T1204.001) on malicious hyperlinks (T1566.002) to download weaponized OneNote files or malicious OneNote file attachments, further prompting users to double-click (T1204.002) on an “Open” or “View” button.

The below represents notable reports from December 2022 to February 2023:

  • In early to mid-February 2023, Cyble researchers reported on several malspam campaigns containing OneNote file attachments (T1566.001) that deliver QakBot (S0650) or BatLoader payloads onto victims’ systems. The QakBot campaigns attempt to lure users into downloading and opening the OneNote attachment, then convince them to double-click to view the file. When the user opens the attachment, it drops an embedded HTML application (.hta) file with hidden JavaScript (T1059.007) and VBScript (T1059.005) functions and executes mshta.exe (T1218.005) to download the QakBot payload from a remote server (T1071.001). In another case, the OneNote attachment dropped and executed an embedded BAT file (T1059), which launched a PowerShell script (T1059.001) to retrieve a malicious DLL containing the QakBot malware from a remote location. Similarly, Cyble observed BatLoader drop and execute an obfuscated batch file, then run PowerShell to retrieve and load malicious payloads such as AsyncRAT, QuasarRAT (S0262), DCRAT, RedLine Stealer and StormKitty Stealer. Separately, multiple security vendors corroborated Cyble’s reporting and highlighted the increased threat to managed service providers (MSPs) from threat actors leveraging Microsoft OneNote file attachments.
  • On January 31, 2023, Sophos researchers observed two concurrent malspam (T1566) campaigns dubbed “QakNote,” a reference to the use of Microsoft OneNote to deliver the QakBot payload. The first campaign attempted to lure victims into clicking on an embedded hyperlink (T1204.001) to download a malicious .one file attachment. The second campaign employed a known tactic called “email thread hijacking,” where the threat actor abuses an existing email thread to send a “reply-to-all” message and convince recipients to download the malicious OneNote file attachment (T1566.001). When unsuspecting Microsoft Windows users open the attachment, it prompts them to click on an “Open” button that contains an embedded HTA file. If clicked on, it retrieves the QakBot payload from a remote server onto the victim’s system and executes it.
  • In December 2022, Proofpoint researchers observed six malspam campaigns using OneNote attachments to distribute AsyncRAT. In January 2023, Proofpoint observed over 50 OneNote-related campaigns distributing seven additional malware families, such as QakBot, AgentTesla (S0331), DoubleBack, NetWire RAT (S0198), RedLine Stealer, QuasarRAT (S0262) and XWorm. Proofpoint noted that the OneNote files contained embedded files and prompted users to click on a button that executes one of several malicious file types, such as executables, shortcut (LNK) files (T1547.009), HTA or Windows script files (WSF).
  • In early December 2022, Trustwave researchers observed a malspam campaign in which threat actors delivered information-stealing malware named FormBook using Microsoft OneNote file attachments. The campaign employed multiple themes, such as shipping notifications, invoices, remittances and mechanical sketches, to lure users into downloading the malicious OneNote attachment. The attachments contained Visual Basic Script (VBS) files hidden behind a “Double Click to View” button. When executed, the infected system retrieved two files from a remote server: a decoy OneNote file and a malicious batch file containing the FormBook malware.

The Kaseya Threat Management team recommends that users exercise caution when receiving emails from unsolicited, untrusted or unexpected senders, regardless of how familiar the sender appears. We remind users to refrain from clicking on embedded hyperlinks or file attachments from unknown senders, to avoid inadvertently infecting their system and network. Lastly, email administrators should consider blocking all .one file extensions, since they are an uncommonly used file attachment and the infection risk remains high.
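As an added example (not from the advisory and not Kaseya tooling), the attachment-policy check below implements the .one block recommended above using only Python's standard library. It runs over a constructed sample message rather than real mail; the extension block list (the .one extension plus the HTA, VBS, BAT, LNK and WSF types the reports describe inside OneNote lures) and the OneNote file signature it keys on are assumptions for this example, and the signature should be verified against Microsoft's [MS-ONE] file format documentation before being relied on.

```python
"""Attachment policy check for the OneNote (.one) block recommended above.

Added example, not Kaseya's tooling. It parses a constructed RFC 822 message
with Python's standard email library and reports attachments whose declared
filename extension is on a block list. A .one attachment is additionally
recognised by its file signature, so renaming it to .pdf does not bypass the rule.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions named in the advisory; the exact set is an assumption for this example.
BLOCKED_EXTENSIONS = {".one", ".hta", ".vbs", ".bat", ".lnk", ".wsf"}

# OneNote section file header: GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} in
# little-endian field order. Assumption: verify against the [MS-ONE] specification.
ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")


def classify_attachment(filename: str, payload: bytes) -> List[str]:
    """Return the reasons an attachment violates the policy (empty list = allowed)."""
    reasons = []
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    # Content check: a OneNote file hiding behind a different extension.
    if payload.startswith(ONE_MAGIC) and ext != ".one":
        reasons.append("OneNote file signature under a different extension")
    return reasons


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse a raw message and return (filename, reasons) for each flagged attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: an invoice-themed lure with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471 - please review"
    msg.set_content("Please double click to view the attached invoice.")
    # 1) A OneNote section file carrying its real extension (constructed header only).
    msg.add_attachment(ONE_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="invoice.one")
    # 2) The same file type renamed to look like a PDF.
    msg.add_attachment(ONE_MAGIC + b"\x00" * 32, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 3) A harmless text attachment that must pass the policy.
    msg.add_attachment("shipping reference 4471\n", filename="reference.txt")
    return bytes(msg)


def run_sample() -> List[Tuple[str, List[str]]]:
    """Scan the constructed message; returns the two OneNote findings."""
    return scan_message(build_sample_message())


if __name__ == "__main__":
    for name, reasons in run_sample():
        print(f"BLOCK {name}: {'; '.join(reasons)}")
```

Run the file directly to see the two flagged attachments. The renamed OneNote file is caught by its signature rather than its extension, which is exactly the case a filename-only mail rule misses; the text attachment passes untouched.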

Further information on the abovementioned reports can be found at CRN, Cyble (three reports), Sophos, BleepingComputer, Proofpoint and Trustwave.

– Kaseya Threat Management Team

Talos Reports on Campaign From Unidentified Threat Actor
https://www.kaseya.com/trust-center/security/talos-reports-on-campaign-from-unidentified-threat-actor/
Tue, 14 Feb 2023 14:00:00 +0000

Cisco Talos reports that a financially motivated but unidentified threat actor has been deploying MortalKombat ransomware or Laplas Clipper malware.

Per the Talos report:

  • MortalKombat is a novel ransomware, first observed by threat researchers in January 2023, with little known about its developers and operating model.
  • Laplas Clipper malware is a relatively new clipboard stealer first observed by threat researchers in November 2022. The stealer belongs to the Clipper malware family, a group of malicious programs that specifically target cryptocurrency users. When a cryptocurrency wallet address is identified in the clipboard, the clipper sends the wallet address back to the clipper bot. In response, the clipper receives an attacker-controlled wallet address similar to the victim’s and overwrites the original cryptocurrency wallet address in the clipboard.
  • Talos observed the actor scanning the internet for victim machines with an exposed Remote Desktop Protocol (RDP) port 3389, using one of their download servers, which runs an RDP crawler and also hosts the MortalKombat ransomware.
  • The initial infection vector is a phishing email in which the attackers impersonate CoinPayments, a legitimate global cryptocurrency payment gateway. Additionally, the emails have a spoofed sender email, “noreply[at]CoinPayments[.]net”, and the email subject “[CoinPayments[.]net] Payment Timed Out.”
  • A malicious ZIP file is attached with a filename resembling a transaction ID mentioned in the email body, enticing the recipient to unzip the malicious attachment and view the contents, which is a malicious BAT loader.
  • When a victim opens the loader script, it downloads another malicious ZIP file from an attacker-controlled hosting server to the victim’s machine, automatically extracts it and executes the payload, which is either the Go variant of Laplas Clipper or MortalKombat ransomware. The loader script runs the dropped payload as a process on the victim’s machine, then deletes the downloaded and dropped malicious files to clean up the infection markers.

Read more here: https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/

-Kaseya Threat Management Team

Cloudflare Mitigates Record DDoS Attack
https://www.kaseya.com/trust-center/security/cloudflare-mitigates-record-ddos-attack/
Mon, 13 Feb 2023 14:00:00 +0000

Cloudflare reported that a record-breaking DDoS attack was recently detected and mitigated.

The authors of the report stated, “The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022. The attacks were HTTP/2-based and targeted websites protected by Cloudflare. They originated from over 30,000 IP addresses.”

MSPs should be aware that the prevalence of Ransom DDoS attacks, which do not require system intrusion, is increasing. Cloudflare noted, “In our latest DDoS threat report, we saw that Ransom DDoS attacks steadily increased throughout the year.”

Read more here: https://blog.cloudflare.com/cloudflare-mitigates-record-breaking-71-million-request-per-second-ddos-attack/

-Kaseya Threat Management Team

QNAP Security Update for CVE-2022-27596
https://www.kaseya.com/trust-center/security/16879/
Wed, 01 Feb 2023 14:00:00 +0000

A critical SQL injection flaw in QNAP appliances (CVE-2022-27596) was disclosed on January 30th. Successful exploitation results in the unauthenticated remote execution of injected malicious code. Although the flaw has not yet been observed being exploited in the wild, MSPs should expect that once an exploit is available it will lead to ransomware attacks; the Deadbolt ransomware group is well known for targeting QNAP NAS devices. Censys, a security company that maps the internet attack surface, estimates that nearly 30,000 internet-facing QNAP appliances remain vulnerable and exposed to future exploitation. MSPs that operate, or assist SMBs in operating, affected QNAP NAS appliances should PATCH NOW.

Read more here: https://arstechnica.com/information-technology/2023/02/thousands-of-qnap-devices-remain-unpatched-against-9-8-severity-vulnerability/

-Kaseya Vulnerability Management Team

FBI Seizes Control of Hive Ransomware Infrastructure
https://www.kaseya.com/trust-center/security/fbi-seizes-control-of-hive-ransomware-infrastructure/
Thu, 26 Jan 2023 14:00:00 +0000

According to the DOJ statement – “Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims. Finally, the department announced today that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive’s ability to attack and extort victims.”

We must wait and see whether the RaaS operators will attempt to restore operations or go underground while they rebuild and rebrand. It is probable that Hive’s affiliates will seek alternative RaaS operations in the short term. It is reasonable to expect that LockBit, BlackBasta, BlackCat/ALPHV and other top-tier RaaS operations will benefit from this action through increased access to capable affiliates and their queue of pending victims.

Read more here: https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant

-Kaseya Threat Management Team

Threat Actors Adopt Sliver C2
https://www.kaseya.com/trust-center/security/threat-actors-adopt-sliver-c2/
Thu, 19 Jan 2023 16:00:00 +0000

Sliver C2 is legitimate software designed for offensive security teams to gain remote control over assets during security testing and assessments. As cyber defenders have improved their detection of Cobalt Strike command-and-control deployments and beacons, threat actors have sought alternatives. Sliver C2 is growing in popularity because it is cross-platform and an open-source alternative to Cobalt Strike and Metasploit. APT29, believed to be associated with the Solar Storm breaches in 2021, along with TA551 and Exotic Lily, has been observed using Sliver C2 for persistence after initial access is gained. We highly recommend that MSPs design detections and monitoring activities to hunt for Sliver C2 implants using the threat hunting guidance in the write-up.

Read more here: https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

-Kaseya Threat Management Team

Forti-OS Security Update for CVE-2022-42475
https://www.kaseya.com/trust-center/security/forti-os-security-update-for-cve-2022-42475/
Thu, 19 Jan 2023 15:00:00 +0000

A critical heap overflow vulnerability in Fortinet FortiOS SSL VPN (CVE-2022-42475) was disclosed in December. Exploitation results in unauthenticated remote code execution via crafted requests. The flaw was observed being exploited against a managed service provider, among other victims. In the cases examined by Mandiant, exploitation led to infection with BOLDMOVE, malware designed specifically for Fortinet firewalls.

CISA warned of active exploitation of the flaw in December 2022 and encouraged application of the security update. Mandiant’s research concluded that exploitation could have been occurring as early as October of 2022. This Fortinet PSIRT is a PATCH NOW situation.

Read more here: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

-Kaseya Vulnerability Management Team
