Get the TIGR Threat Watch and Bulletin
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.
Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩Surge in Deceptive Bifrost Variants Targeting Linux Systems
A recently identified Linux variant of the Bifrost remote access Trojan (RAT) employs a novel evasion technique through a deceptive domain, download.vmfare[.]com, resembling the legitimate VMware domain. Originating in 2004, Bifrost allows attackers to gather sensitive information and compromise targeted systems. This variant, marked by a notable spike in occurrences, utilizes typosquatting to bypass security measures. Palo Alto Networks detected over 100 instances with Advanced WildFire, prompting concern among security experts. The malware, compiled for x86 and ARM, utilizes stripped binaries and employs RC4 encryption to conceal victim data.
Impact: The increase in deceptive Bifrost variants threatens organizations running Linux systems. Successful infections grant attackers remote access to gather hostnames, IP addresses, and other sensitive data. This can enable further network compromise, data exfiltration, and malware delivery.
Recommendation: Organizations should retrospectively and continuously inspect network traffic for connections to the known malicious Bifrost domains and other indicators published by Palo Alto Networks, as these may indicate an active or previous infection by this variant.
Lazarus Group’s FudModule Rootkit Evolves with Admin-to-Kernel Zero-Day Exploit
Researchers discovered North Korea-linked APT Lazarus deploying an updated version of their FudModule data-only kernel rootkit featuring advanced techniques to disrupt security defenses. After exploiting a new Windows zero-day (CVE-2024-21338), FudModule established kernel-mode code execution to tamper with internals like handle tables and ETW providers. Capabilities aim to disable monitoring, remove malware forensics, suspend protected processes, and persist despite patches. The rootkit exhibits substantial new investment into stealth and resilience focused on obstructing incident responders.
Impact: The extensive kernel access risks irrecoverable sabotage, encryption, or exfiltration following any initial compromise. Undocumented techniques also greatly hinder investigation and recovery efforts needed to ascertain damage and restore affected systems, enabling long-dwelling unauthorized access aligned to Lazarus’ strategic interests.
Recommendation: Organizations should monitor systems for the provided Indicators of Compromise associated with Lazarus. Additionally, consider employing or tuning current technologies to monitor and catch subtle kernel tampering or other process anomalies that could indicate high-impact intrusions.
🚩CISA Issues an Updated Advisory Detailing BlackCat/ALPHV Ransomware Threat
The FBI, CISA, and HHS have issued an updated joint Cybersecurity Advisory warning about the escalating threat posed by the BlackCat/ALPHV ransomware group, with recent attacks focusing on the healthcare sector. Updated indicators of compromise and tactics, techniques, and procedures have been shared to help organizations defend against this sophisticated ransomware variant. BlackCat/ALPHV activities have been notably aggressive since mid-December 2023, with an alarming focus on healthcare entities, possibly in retaliation against previous operational actions taken against them.
Impact: The heightened focus on the healthcare sector by BlackCat/ALPHV ransomware poses a significant risk, threatening sensitive patient data and critical healthcare services. This advisory underscores the ransomware’s sophisticated evasion techniques and its potential to cause substantial operational and financial damage to impacted organizations. As evidenced by the recent Change Healthcare attack, which involves alleged mass data theft and has caused prolonged disruption, the effects of ransomware incidents in the healthcare sector extend far beyond the initial victims.
Recommendation: The advisory offers several best-practice strategies aimed at mitigating the threat of ransomware, which organizations should review and implement. Due to the threat BlackCat/ALPHV poses to the healthcare sector, CISA advises healthcare organizations to consult the Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals (CPG) to aid in implementing protections against the most common threats, tactics, techniques, and procedures used against this sector.
BlackCat/ALPHV Claims Theft of 6TB Data in Change Healthcare Attack
The prolific BlackCat/ALPHV ransomware group has officially claimed responsibility for the cyberattack on Optum subsidiary Change Healthcare causing continued service outages. According to BlackCat, they have exfiltrated 6TB of data encompassing a wide range of sensitive information from thousands of healthcare providers, insurance companies, and pharmacies, including the U.S. military’s Tricare program, Medicare, CVS Caremark, MetLife, Health Net, among others. The stolen data reportedly includes medical records, insurance and dental records, payment and claims information, along with personally identifiable information (PII) of millions, including active U.S. military/navy personnel. Previous alerts warn of focused targeting against healthcare entities by BlackCat affiliates.
Impact: The breach poses a substantial risk to patient privacy and the integrity of healthcare and insurance data, potentially affecting millions of individuals across various sectors. The exposure of such a vast amount of sensitive data could lead to identity theft, financial fraud, and targeted phishing attacks against individuals whose information was compromised. Despite previous attempts to disrupt their operations, the BlackCat/ALPHV ransomware gang continues to be a persistent threat actor, causing massive damages and highlighting the enduring challenge of defending against highly adaptable cyber adversaries.
Recommendation: Organizations, particularly those in healthcare, should continue to stay updated on this incident given its wide-reaching impact. Change Healthcare has experienced persistent outages as a result of this attack; its status updates can be accessed on the Change Healthcare website.
🚩TimbreStealer Campaign Targets Mexican Users with Financial Lures
Cisco Talos has identified a new cyber threat campaign, named “TimbreStealer,” operated by a threat actor distributing an obfuscated information stealer primarily targeting Mexican users. The campaign involves a phishing spam campaign using Mexican tax-related themes, with the unnamed threat actor distributing the malware since at least November 2023. The attackers employ geofencing techniques to specifically target users in Mexico, using the country’s digital tax receipt standard and generic invoice themes as phishing lures. TimbreStealer exhibits a high level of sophistication, utilizing techniques like direct system calls, Heaven’s Gate technique, and custom loaders to ensure persistence within compromised systems.
Impact: The TimbreStealer campaign poses a significant threat to Mexican users, particularly those in the financial sector, given its focus on tax-related themes. The malware’s complexity and the threat actor’s use of advanced techniques indicate a well-resourced and skilled adversary. The potential impact includes unauthorized access to sensitive information, credential theft, and the risk of financial losses for victims.
Recommendation: Organizations are advised to monitor systems for the provided Indicators of Compromise associated with the “TimbreStealer” malware campaign. Furthermore, consider instructing employees in affected regions to exercise caution when handling unsolicited emails, particularly those with tax or financial themes.
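Both the Bifrost and the TimbreStealer items above recommend checking network telemetry against published indicators. The following is an added example, not code from the TIGR team, Palo Alto Networks, or Cisco Talos, that shows one way to do that over DNS query logs: it refangs a vendor-style IOC list (the defanged download.vmfare[.]com domain quoted in the Bifrost write-up plus placeholder entries), matches queried names against it, and additionally flags lookalikes of protected brand domains by edit distance, which is how a typosquatted domain such as the one in the Bifrost variant would surface even before an IOC is published. The log format, the IOC placeholders, the protected-domain list and the naive "last two labels" registrable-domain extraction are all assumptions made for this example.

```python
import re

# Constructed IOC list in the defanged notation vendors commonly publish.
# The first entry is the domain quoted in the Bifrost write-up; the other two
# are placeholders standing in for whatever the vendor feed would supply.
DEFANGED_IOCS = [
    "download.vmfare[.]com",
    "hxxp://ioc-placeholder-1[.]example/payload",  # placeholder, not a real IOC
    "203[.]0[.]113[.]45",                          # placeholder, TEST-NET-3 range
]

# Brand domains whose lookalikes should be flagged even without a published IOC
# (assumed list for this example).
PROTECTED_DOMAINS = ["vmware.com", "microsoft.com"]

# Constructed DNS query log: "<timestamp> <client_ip> query <qname>".
SAMPLE_DNS_LOG = """\
2024-03-04T10:00:01Z 10.0.0.5 query updates.vmware.com
2024-03-04T10:00:02Z 10.0.0.7 query download.vmfare.com
2024-03-04T10:00:03Z 10.0.0.9 query login.micros0ft.com.
2024-03-04T10:00:04Z 10.0.0.5 query example.org
"""


def refang(ioc):
    """Turn defanged notation ('[.]', '(.)', '[dot]', 'hxxp') back into a matchable form."""
    s = ioc.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def extract_host(value):
    """Strip any scheme, port and path so URL-style IOCs reduce to a hostname."""
    s = re.sub(r"^[a-z]+://", "", value)
    return s.split("/")[0].split(":")[0]


def levenshtein(a, b):
    """Classic edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumed simplification: treat the last two labels as the registrable domain.
    A production detector would consult the public suffix list instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(host, protected, max_distance=2):
    """Return the protected brand a hostname imitates, or None.
    Exact matches on the brand's own registrable domain are legitimate, not hits."""
    candidate = registrable(host)
    for brand in protected:
        if candidate == brand:
            return None
        if levenshtein(candidate, brand) <= max_distance:
            return brand
    return None


def parse_dns_line(line):
    """Parse one line of the constructed log format into a dict, or None if malformed."""
    m = re.match(r"^(\S+) (\S+) query (\S+)$", line.strip())
    if not m:
        return None
    # Normalise case and drop the trailing dot a resolver may log for FQDNs.
    return {"ts": m.group(1), "client": m.group(2), "qname": m.group(3).lower().rstrip(".")}


def scan(lines, iocs, protected):
    """Return (client, qname, reason) for every query that matches an IOC host
    or looks like a typosquat of a protected brand."""
    ioc_hosts = {extract_host(refang(i)) for i in iocs}
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        q = rec["qname"]
        if q in ioc_hosts:
            hits.append((rec["client"], q, "ioc-match"))
            continue
        brand = lookalike_of(q, protected)
        if brand:
            hits.append((rec["client"], q, "lookalike:" + brand))
    return hits


if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_DNS_LOG.splitlines(), DEFANGED_IOCS, PROTECTED_DOMAINS):
        print(f"{client} -> {qname}  [{reason}]")
```

The lookalike check is deliberately conservative (edit distance of at most two on the registrable domain) so that ordinary subdomains of the legitimate brand, such as updates.vmware.com in the sample log, are not reported; tune the distance and the protected list to your environment, and treat an IOC match on a historical log as a reason to look for a past infection, not only a current one.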
GlobalBlock Initiative Aims to Prevent Brand-Name Domain Squatting
Registrars now offer GlobalBlock, a solution enabling businesses to block the registration of domains closely resembling their brand names, including those with homoglyphs and variations across 563+ extensions. This initiative, supported by leading entities such as GoDaddy Corporate Domains and MarkMonitor, targets the mitigation of typosquatting and homograph attacks. GlobalBlock aims to fortify trademark protection by allowing brands to proactively reserve domain space that aligns with their trademarks. This service caters not only to registered trademarks but also to geographical indicators and celebrity names. However, the introduction of GlobalBlock also sparks a debate around the implications for free speech and the potential for domain name monopolization. The Electronic Frontier Foundation (EFF) has voiced concerns, suggesting that while the tool enhances brand safety, it may also limit the diversity and availability of domain names, posing challenges to the principles of open and accessible internet.
Impact: GlobalBlock is double-edged. On one side, it significantly enhances a brand’s ability to protect its digital footprint from malicious actors and prevent misuse. On the other, it might restrict legitimate expression and discussion related to brands, as well as the use of common words or phrases in domain names. This initiative could reshape the landscape of domain name registration, prioritizing brand protection over the broader spectrum of online expression and innovation.
Recommendation: Organizations should evaluate the benefits of subscribing to GlobalBlock against the potential implications for free speech and domain availability. It’s crucial to consider whether such a preventive measure aligns with your brand protection strategy and to remain aware of the broader discourse on digital rights and trademark law. Consulting with legal and cybersecurity teams will provide a balanced perspective on adopting such services.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sraio.wpcomstaging.com/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sraio.wpcomstaging.com/blog/category/tigr/feed