This is a monthly threat intelligence newsletter with a lean towards phishing and healthcare I put together for the team at my company. Feel free to grab and share with your own internal team.

Threat Intelligence Newsletter: Resurgence of Russia's Fin7 

Overview: The notorious cybercrime group Fin7, previously thought to be dismantled, has re-emerged with increased activity. This resurgence is primarily facilitated by Stark Industries Solutions, a hosting provider linked to Russian cyberattacks. 

Key Developments: 

• Infrastructure: Fin7 now operates over 4,000 hosts, using tactics like typosquatting, booby-trapped ads, and phishing domains. 

• Targets: They mimic brands like American Express, Google, Microsoft 365, and more. 

• Techniques: Using domains that appear benign initially, Fin7 builds credibility before launching phishing attacks. 

Implications: Organizations must heighten vigilance against phishing, regularly update security protocols, and monitor for suspicious domain activities. 

For more details, visit Krebs on Security. 

 

 

New Internet Explorer Zero-Day Spoofing Attack (CVE-2024-38112) 

Overview: Check Point Research (CPR) has identified a new zero-day spoofing vulnerability in Internet Explorer, designated CVE-2024-38112. This vulnerability allows attackers to deceive users by displaying a fake website address in the browser's address bar, facilitating phishing and other malicious activities. 

Key Details: 

• Attack Vector: The attack leverages Internet Explorer's handling of URLs to present a legitimate-looking address while directing users to malicious sites. 

• Impact: Users can be tricked into divulging sensitive information or downloading malicious content, believing they are on a trusted website. 

Recommendations: 

• Mitigation: It is crucial to avoid using Internet Explorer and switch to more secure, up-to-date browsers. 

• Patching: Ensure all systems are updated with the latest security patches and consider deploying additional security measures such as web filtering and threat intelligence services. 

For further information, visit the Check Point Blog. 

 

 

Ransomware Attack Disrupts U.K. Health Service Laboratory 

Overview: A ransomware attack on Synnovis, a laboratory partner for several major London hospitals, has significantly disrupted health services. The Qilin ransomware group, utilizing a Ransomware-as-a-Service model, is behind the attack and also targets U.S. based organizations. After failing to receive a ransom payment, Qilin released over 400GB of private healthcare data online. 

Key Points: 

• Impact: Major disruption to hospital services. 

• Perpetrators: Qilin (also known as Agenda). 

• Initial Access: Through phishing and spear phishing emails. 

Recommendations: 

• Strengthen phishing defenses. 

• Conduct regular security awareness training. 

For more information, visit the KnowBe4 Blog. 

 

 

Microsoft Links Scattered Spider Hackers to Qilin Ransomware Attacks 

Microsoft has identified the Scattered Spider cybercrime group, also known as Octo Tempest, as responsible for recent Qilin ransomware attacks. This financially motivated group has been active since 2022, targeting over 130 high-profile organizations using tactics such as phishing, MFA bombing, and SIM swapping. The Qilin ransomware group, known for targeting VMware ESXi virtual machines, employs double-extortion attacks by threatening to release stolen data. 

Key Takeaways: 

• Increased Sophistication: Scattered Spider's diverse tactics highlight their adaptability. 

• Targeting Critical Infrastructure: Focus on high-profile organizations and virtual environments. 

• Mitigation Strategies: Enhanced security measures such as robust MFA policies and employee training on phishing can help defend against such attacks. 

For more details, read the full article from Bleeping Computer. 

 

Social Media Job Scams: Don't Be the Target! 

Hunting for your dream job online? Unfortunately, social media can be a breeding ground for scammers who target unsuspecting job seekers. But fear not! Here are some key takeaways to help you avoid falling victim to their schemes: 

• Be wary of unsolicited offers, especially those that come through social media. Legitimate recruiters typically only contact you if you've applied for a position or if they have a referral from someone you know. If you receive a message out of the blue about a fantastic opportunity, proceed with caution. 

• Watch out for unprofessional communication. Typos, grammatical errors, and requests for money upfront are all major red flags. Legitimate companies will communicate professionally and will never ask you to pay for a job interview or training. 

• Suspicious of remote jobs with high salaries? You should be! Scammers often lure people in with the promise of a high-paying work-from-home position. If something sounds too good to be true, it probably is. But that doesn't mean there aren't real remote work opportunities out there. Do your research to ensure the company is legitimate before getting your hopes up. 

• Don't be afraid to investigate! Before you apply for any job, take some time to research the company. Look for online reviews, check their website for legitimacy, and see if they have a social media presence with a good following. A little detective work can go a long way in weeding out imposters. 

• Keep your personal information private. This includes your Social Security number, bank account number, and credit card number. Never share this information with someone you don't know and trust, especially through social media or email. 

• Be cautious about clicking on links or attachments. Phishing emails and messages are a common tactic used by scammers. If you receive a message from an unknown sender about a job opportunity, don't click on any links or attachments. Instead, go directly to the company's website to see if the job is listed there. 

By following these tips, you can protect yourself from social media job scams and increase your chances of finding a legitimate and rewarding job opportunity. Remember, if it seems too good to be true, it probably is. So, be cautious, be smart, and happy hunting! For more details check out the KnowBe4 blog. 

 

 

Phishing Alert: Microsoft Top Target, Social Media on the Rise 

According to a recent Check Point Research report, Microsoft was the most imitated brand for phishing attacks in Q2 2024, accounting for over half of all attempts. This highlights the ongoing threat of brand phishing, where cybercriminals impersonate well-known companies to trick users into revealing personal information or clicking on malicious links. 

The report also reveals new entries to the top 10 most impersonated brands, including Adidas, WhatsApp, and Instagram. This trend indicates a shift in cybercriminals' tactics, as they target social media and technology companies that hold valuable user data. 

Top 10 Most Impersonated Brands in Q2 2024 

1. Microsoft (57%) 

2. Apple (10%) 

3. LinkedIn (7%) 

4. Google (6%) 

5. Facebook (1.8%) 

6. Amazon (1.6%) 

7. DHL (0.9%) 

8. Adidas (0.8%) 

9. WhatsApp (0.8%) 

10. Instagram (0.7%) 

 

Check out Check Point’s blog for more details. 

 

 

New Backdoor Used by APT41: MoonWalk 

A recent blog post by Zscaler details a new backdoor tool called MoonWalk المستخدمة من قبل مجموعة APT41 (used by the APT41 group). MoonWalk is a tool used by the APT41 threat group for espionage. The article discusses MoonWalk’s technical aspects, including its use of Google Drive for communication and Windows Fibers for evasion. MoonWalk also uses a modular design, allowing attackers to customize it for different situations. 

Here are some key takeaways from a threat intelligence perspective: 

• New APT41 Backdoor: APT41 is a well-known threat group known for its targeted attacks. The development of MoonWalk shows that the group is constantly evolving its tactics and techniques. 

• Google Drive for Communication: The use of Google Drive for communication is a novel technique that makes it more difficult for defenders to detect malicious activity. 

• Windows Fibers for Evasion: The use of Windows Fibers for evasion helps MoonWalk to avoid detection by security software. 

• Modular Design: The modular design of MoonWalk allows attackers to easily customize it for different targets and campaigns. 

Organizations should be aware of the MoonWalk backdoor and take steps to protect themselves, such as: 

• Implementing advanced endpoint detection and response (EDR) solutions 

• Educating employees about phishing attacks and social engineering techniques 

• Regularly patching systems and applications 

By following these steps, organizations can help to mitigate the risk of being targeted by APT41 and other threat groups. 

You can read more about MoonWalk here. 

 

Phish-Friendly Domain Registry ".top" Put on Notice 

The ".top" domain registry, managed by Jiangsu Bangning Science & Technology Co. Ltd., has been warned by ICANN for its failure to address phishing abuse. Findings revealed that over 4% of new ".top" domains from May 2023 to April 2024 were used for phishing. ICANN's notice demands immediate improvements, or the registry risks losing its license. This highlights the critical need for vigilant monitoring and prompt action against domain abuse to protect users from phishing threats. 

For more information, read the full article on Krebs on Security. 

 

Over 3,000 GitHub Accounts Exploited in Malware Distribution Scheme 

Summary: A new threat, dubbed 'Stargazers Ghost Network,' involves over 3,000 GitHub accounts used to distribute information-stealing malware via fake repositories. Discovered by Check Point Research, this Distribution-as-a-Service (DaaS) leverages GitHub’s reputation to spread infostealers like RedLine and Lumma Stealer. Despite GitHub's efforts, over 200 malicious repositories remain active. 

Key Takeaway: 

• Attack Mechanism: Utilizes compromised WordPress sites and GitHub repositories. 

• Targets: Cryptocurrency, gaming, and social media enthusiasts. 

• Operation: Accounts serve phishing templates, images, and malware, maintaining resilience even after takedowns. 

• Recommendations: Exercise caution with file downloads from GitHub and use VMs or VirusTotal to scan archives. 

For more information, read the full article on BleepingComputer. 

 

 

North Korean Operative Infiltrates KnowBe4 Using Stolen Identity 

Summary: KnowBe4 recently revealed that a North Korean hacker, posing as a U.S. citizen, successfully got hired as an IT worker. Despite multiple rounds of interviews and background checks, the individual was detected attempting to install malware on their new workstation. No sensitive data was accessed due to robust security measures. 

Key Takeaways: 

• Entry: Hacker used a stolen identity to pass interviews and background checks. 

• Detection: Suspicious activity was identified, and the laptop was quarantined swiftly. 

• Impact: No customer data was accessed; the malware was blocked by security tools. 

• Response: KnowBe4 has enhanced its hiring processes to prevent similar incidents. 

Recommendations: Regularly review and update hiring and onboarding procedures to mitigate risks from sophisticated threat actors. 

For more information, read the full article on KnowBe4 Blog. 

 

Exploiting CrowdStrike Outage: Phishing, Fake Scripts, and Social Engineering 

Summary: Following a recent CrowdStrike update that caused widespread blue screen of death (BSOD) errors, cybercriminals are capitalizing on the confusion. Fake PowerShell scripts, phishing domains, and social engineering attacks are proliferating, posing significant risks. 

Key Takeaways: 

• Fake Scripts: Malicious scripts on platforms like GitHub install dangerous software. 

• Phishing: Surge in domains offering fake fixes. 

• Social Engineering: Impersonation of IT personnel and cybersecurity firms to trick users. 

Recommendations: Verify the authenticity of scripts and domains, and educate users on phishing and social engineering tactics. 

For more information, read the full article on ReliaQuest Blog. 

 

Huntress Foils a Medical Software Update Hack 

Huntress recently uncovered a sophisticated phishing campaign targeting medical software updates. Cybercriminals created a fake version of a legitimate medical image viewer, embedding malicious code that established a secret connection back to the attackers. This attack highlights the critical need for vigilance even when dealing with trusted sources. Huntress's Security Operations Center (SOC) detected the anomaly and quickly isolated the threat, preventing potential data breaches. 

Key Takeaways: 

• Verify the authenticity of software updates. 

• Be cautious of unexpected file sizes or unusual behaviors. 

• Regularly update software from official websites. 

For more details, visit Huntress's blog. 

 

TuDoor: Exploiting DNS Logic Vulnerabilities 

A new DNS attack method, named TuDoor, has been identified, highlighting critical vulnerabilities in DNS response pre-processing. Attackers can use malformed DNS response packets to execute cache poisoning, denial-of-service, and resource exhaustion attacks. TuDoor impacts 24 mainstream DNS software and many public DNS services, potentially affecting millions of users. 

Key Takeaways: 

1. Be aware of the TuDoor attack method. 

1. Ensure DNS software is up-to-date with patches. 

1. Monitor for unusual DNS traffic patterns. 

For more details, visit TuDoor's website. 

 

 

Generative AI Tools: New Target for Scammers 

Recent intelligence highlights a surge in cyber threats exploiting interest in generative AI tools, particularly ChatGPT. Scammers are registering suspicious domains containing keywords like "gpt" and "prompt engineering," aiming to deceive users with phishing schemes and malware distribution. This trend coincides with major AI-related announcements, increasing the risk to individuals and organizations exploring these technologies. 

Key Insights: 

• Domain Surveillance: Monitor new domain registrations for AI-related keywords. 

• Phishing Alerts: Educate users on verifying AI tool sources. 

• Evolving Tactics: Stay updated on scam trends exploiting emerging technologies. 

For more details, visit KnowBe4's Blog. 

 

 

OneDrive Pastejacking: A New Phishing Tactic 

A new phishing threat, "pastejacking," targets OneDrive users by exploiting the copy-paste functionality. Attackers inject malicious commands into users' clipboards through seemingly benign text or files. This method can lead to unauthorized data access or malware installation when unsuspecting users paste the copied content. 

Key Insights: 

• Clipboard Exploitation: Phishing schemes use clipboard manipulation to inject harmful code. 

• User Vigilance: Verify clipboard content before pasting from unknown sources. 

• Security Measures: Put controls in place to limit user PowerShell usage and monitor for any abnormal PowerShell activity.  

For more details, visit Trellix's Blog.