Weekly Cyber Threat Intelligence Summary

Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers a new malware campaign targeting exposed Docker APIs, a Phishing-as-a-Service platform used against Microsoft 365 accounts, and an analysis of the cyberespionage group UNC3886.

1. Exposed Docker APIs targeted by crypto-mining malware

Full report available for CYMON users here.

Key Takeaways:

  • Researchers have observed a new malware campaign targeting exposed Docker APIs. The campaign aims to deploy cryptominers on infected systems.
  • The attack begins by scanning for an open port 2375, Docker’s default API port. Where one is found, the attacker tests whether the port accepts commands and then attempts privilege escalation.
  • After gaining elevated privileges, the threat actor deploys a shell script named vurl. This script receives additional payloads from an attacker-controlled command and control (C2) server.
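A defender-side check for the exposure described above, added here as an example and not part of the original report: it reads a Docker daemon.json and/or a dockerd command line and flags any TCP API listener that lacks TLS client verification, rating the all-interfaces port 2375 case highest. The sample configurations are constructed, and the fallback to port 2375 when a tcp:// host carries no explicit port follows dockerd's documented default.

```python
import json
import shlex
from dataclasses import dataclass

ALL_INTERFACES = {"", "0.0.0.0", "[::]"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

@dataclass
class Finding:
    listener: str
    severity: str
    reason: str

def hosts_from_cmdline(cmdline: str) -> list[str]:
    """Collect -H / --host values from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts

def audit_docker_api(daemon_json: str, cmdline: str = "") -> list[Finding]:
    """Flag Docker API TCP listeners that lack TLS client verification."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    args = shlex.split(cmdline)
    listeners = list(cfg.get("hosts", [])) + hosts_from_cmdline(cmdline)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in args
    findings = []
    for listener in listeners:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are reachable only from the host
        bind, sep, port = listener[len("tcp://"):].rpartition(":")
        if not sep:  # no explicit port: rpartition left the address in `port`
            bind, port = port, "2375"  # dockerd default for plain tcp://
        if tls_verify:
            findings.append(Finding(listener, "info", "TCP API protected by TLS client certs"))
        elif bind in ALL_INTERFACES:
            findings.append(Finding(listener, "critical", f"unauthenticated API on all interfaces, port {port}"))
        elif bind in LOOPBACK:
            findings.append(Finding(listener, "low", f"unauthenticated API on loopback only, port {port}"))
        else:
            findings.append(Finding(listener, "high", f"unauthenticated API bound to {bind}, port {port}"))
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
```

Run `audit_docker_api` against the host's real daemon.json and the running dockerd command line; any finding above "low" means the API is reachable without client authentication.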

Analyst comment:

  • Monero is a privacy-focused cryptocurrency that cannot be traced using traditional blockchain analysis methods.
  • This makes it a popular choice for threat actors deploying cryptominers, as the funds cannot be traced back to the threat actor, almost guaranteeing financial gain.

2. New Phishing-as-a-Service platform used to target Microsoft 365

Full report available for CYMON users here.

Key Takeaways:

  • Researchers have identified a new Phishing-as-a-Service (PhaaS) platform named ONNX Store. This platform has been used to target financial firms with the aim of accessing employee Microsoft 365 accounts.
  • The phishing service operates through Telegram bots. It targets both Microsoft and Office 365 accounts and features two-factor authentication (2FA) bypass.
  • The attacks begin with a phishing email containing a PDF. These emails impersonate HR departments with lures relating to salary updates.

Analyst comment:

  • Phishing-as-a-Service models allow threat actors to provide other attackers with advanced phishing tools for a price.
  • Telegram is a popular platform to offer these services, as it allows direct communication and can be automated using bots.

3. Analysis of UNC3886

Full report available for CYMON users here.

Key Takeaways:

  • Researchers have analysed UNC3886, believed to be a China-based threat actor focused on cyberespionage. This threat actor has targeted large organisations across multiple campaigns.
  • Researchers discovered the threat group exploiting CVE-2023-20867, an authentication bypass flaw on ESXi hosts, to install backdoors. UNC3886 has also exploited numerous zero-day vulnerabilities, including CVE-2022-41328, CVE-2022-42475, CVE-2022-22948, and CVE-2023-20867.
  • The threat group uses publicly available rootkits, such as REPTILE and MEDUSA. REPTILE, a Linux rootkit, appears to be the malware strain the group deploys most often; the group has modified the rootkit’s command execution and file transfer functionality.

Analyst comment:

  • UNC3886 typically targets firewall and virtualisation software, which generally lacks endpoint detection and response (EDR) coverage.
  • In the past, the threat group has focused its attacks against government, defence, and technology sectors across Asia and the United States.

Discover the strategic and tactical insights, plus expert analyst comments

Stay ahead of cyber threats with our comprehensive threat intelligence reports. Request a demo today to access these invaluable insights and enhance your cybersecurity posture.
