Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Open-Source Xeno RAT Poses Increasing Threat

A sophisticated remote access trojan (RAT) called Xeno RAT has been openly published on GitHub, enabling threat actors to access and customize this capable malware easily. Developed from scratch in C# for Windows systems, Xeno RAT boasts features like audio recording, SOCKS5 proxies, hidden virtual networking, and a builder to create variants. The same developer previously released the DiscordRAT malware. Recently, threat actors employed Xeno RAT’s customization to craft a malware downloader relying on shortcuts and the Discord CDN for obfuscation. After escalating privileges, it achieves persistence and phones home to a command server, exhibiting hallmarks of remote access malware. The open availability of Xeno RAT allows this threat to spread rapidly.

Impact: The accessibility of this advanced malware allows threat actors with limited skills or resources to conduct sophisticated cyber attacks and compromise remote systems. Because the builder produces customized variants, detection that relies on a single known sample is easily evaded. Additionally, post-compromise features enable extensive monitoring, control, and data exfiltration.

Recommendation: Organizations should monitor for Indicators of Compromise related to Xeno RAT. Additionally, organizations should encourage reporting of suspicious activities and maintain regular data backups to mitigate the impact of a potential breach.

🚩 PIKABOT Malware Returns with Heavy Obfuscation and Evasion Techniques

The PIKABOT malware loader, used to distribute payloads like Cobalt Strike, has resurfaced after a dormant period in updated campaigns starting February 8th. Elastic identified significant changes in the latest variant, including new unpacking methods and heightened obfuscation after successful delivery using email phishing. The encrypted shellcode exhibits anti-debugging and launches a highly obfuscated next-stage loader for initializing PIKABOT core malware. Technical analysis reveals the obfuscated core continues leveraging RC4 encryption, but also implements new string decryption schemes and anti-analysis tricks. It phones home to command servers and offers post-compromise features like command execution, discovery, and injecting additional payloads. The modular nature and ongoing updates suggest continued PIKABOT development.

Impact: The significant update of PIKABOT with enhanced delivery, stealth, and evasive abilities elevates the risk for organizations facing this malware-based threat. Successful attacks can lead to complete system compromise, data theft, and ransomware deployment.

Recommendation: Organizations should monitor systems for Indicators of Compromise associated with the new PIKABOT variant.

🚩 Phishing Campaigns Compromise ScreenConnect for Healthcare & Cryptocurrency Targets

An ongoing phishing campaign is leveraging fake cryptocurrency and healthcare-themed websites to trick users into installing trojanized versions of ScreenConnect, controlled by threat actors. By exploiting the legitimate ScreenConnect software, attackers gain stealthy remote access to view desktops, transfer files, and deploy additional malware post-compromise. Technical analysis revealed that phishing websites imitate platforms like Rollercoin and CloudMine to deceive victims into downloading executables that install ScreenConnect as a service with hardcoded identifiers. With remote control established, the threat actors can quietly extract sensitive data and deploy ransomware.

Impact: Compromised systems give threat actors extensive remote access to healthcare networks, elevating the risk of follow-on cyber attacks, data theft, and disruption of services critical for patient care. Significant financial losses, reputational damage, and patient safety impacts could result from this campaign.

Recommendation: Organizations should have clear policies prohibiting employees from downloading unauthorized programs or files from untrusted sources such as torrent sites, file-sharing platforms, or suspicious links. Additionally, IT departments in companies should centrally manage and approve software installation through application allow-listing to prevent unauthorized executables. Phishing training is essential for employees to identify signs of phishing attempts.

Ultimate Member WordPress Plugin SQL Injection Vulnerability

A critical SQL Injection vulnerability (CVE-2024-1071) has been identified in the Ultimate Member WordPress plugin versions 2.1.3 to 2.8.2, allowing unauthenticated attackers to execute malicious SQL queries and extract sensitive data. The flaw, discovered by Christiaan Swiers, poses a significant risk to over 200,000 websites utilizing the plugin.

Impact: This vulnerability enables threat actors to inject additional SQL queries via the ‘sorting’ parameter, potentially leading to unauthorized access to user data, including password hashes. While the flaw primarily affects users with the “Enable custom table for usermeta” option enabled, all users are urged to update to version 2.8.3 immediately to mitigate the risk of exploitation.

Recommendation: Immediately update to version 2.8.3 of the Ultimate Member plugin to patch the vulnerability and ensure all WordPress plugins and themes are regularly updated to prevent future security incidents. Organizations should also implement measures to help prevent SQL injection, such as query input validation.

🚩 Change Healthcare Cyberattack Continues to Disrupt Health Care Systems

Change Healthcare, a subsidiary of Optum and UnitedHealth Group, has been experiencing a cyberattack since February 21, 2024, affecting the broader health care system. Despite containment efforts assuring that Optum, UnitedHealthcare, and UnitedHealth Group systems remain unaffected, the American Hospital Association (AHA) in partnership with Health-ISAC has issued advisories urging health care organizations to reassess network connections with these entities based on their own risk evaluations. The guidance aims to help providers balance the restoration of vital connectivity with breach uncertainty. The attack is believed to have exploited vulnerabilities in ConnectWise ScreenConnect, specifically CVE-2024-1708 and CVE-2024-1709. Indicators of compromise have been identified, including involved IP addresses and the unexpected presence of User.xml in the ScreenConnect path. Also, it is important to note that recent advisories have cleared Optum, UnitedHealthcare, and UnitedHealth Group systems of any evidence of compromise. The AHA continues to monitor the situation closely, offering guidance and support to the health care community amid this ongoing cybersecurity threat.

Impact: The reliance of hospitals and care facilities on Change Healthcare for critical data and claims management means this incident poses business disruption, patient safety risks, and care delivery impacts across the entire US health ecosystem.

Recommendation: Organizations, particularly those in health care, should urgently update their ConnectWise ScreenConnect servers to the latest version to mitigate the risk of exploitation. Additionally, it is recommended to monitor for the identified Indicators of Compromise and to disconnect from any Change Healthcare applications still impacted by the cyberattack. This is an ongoing incident, and organizations should continue to monitor for updates. Change Healthcare's status updates can be accessed on its website.

🚩 North Korean State-Sponsored Hackers Target Developers with Malicious npm Packages

North Korean state-sponsored hackers have been discovered targeting developers through the distribution of fake npm packages on the Node.js repository. These malicious packages, execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils, masquerade as legitimate utilities but actually install malicious scripts, including cryptocurrency and credential stealers. The attackers have employed sophisticated techniques to obfuscate the malicious code and conceal it within seemingly innocuous test files. Connections to North Korean actors have emerged, with similarities to previous malware campaigns codenamed Contagious Interview. The attackers have been observed adapting their tactics, including self-hosting the malicious npm dependencies and using social engineering tactics to lure developers.

Impact: This attack threatens developers and any organization that uses open source JavaScript components. The malware could lead to stolen credentials, sensitive data theft, system compromise, and more. If trusted developers are compromised, there is a risk that the software supply chain they contribute to is contaminated as well.

Recommendation: Developers should review the reputation and source of npm packages before installation, especially those with low download counts or suspicious naming conventions.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.


Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sraio.wpcomstaging.com/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.