Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition analyses cyberattacks related to a new malware campaign targeting Docker APIs, a Phishing-as-a-Service platform attacking Microsoft 365, and an analysis of the cyberespionage group UNC3886.
1. Exposed Docker APIs targeted by crypto-mining malware
Full report available for CYMON users here.
Key Takeaways:
- Researchers have observed a new malware campaign targeting exposed Docker APIs. The campaign aims to deploy cryptominers on infected systems.
- The attack begins by scanning for hosts with TCP port 2375 open, Docker's default unencrypted remote API port. When one is found, the attacker tests whether the port accepts API commands, then attempts privilege escalation.
- After gaining elevated privileges, the threat actor deploys a shell script named vurl. This script receives additional payloads from an attacker-controlled command and control (C2) server.
Analyst comment:
- Monero is a privacy-focused cryptocurrency whose transactions cannot be traced using traditional blockchain analysis methods.
- This makes it a popular choice for threat actors deploying cryptominers: because the funds cannot be traced back to them, mining is a near-guaranteed source of financial gain.
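The campaign above depends on a Docker daemon that listens on the unencrypted, unauthenticated TCP API. The audit below is an added example, not code from the report or from the Docker project: it checks a daemon.json file or a dockerd command line for tcp:// listeners that lack client-certificate verification (tlsverify), which is the exposure being scanned for. The sample configurations, the severity labels and the file paths are constructed for illustration.

```python
"""Audit Docker daemon settings for an unauthenticated remote API listener.

Added example. The weak and hardened configurations below are constructed;
the daemon.json keys (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) and
the dockerd flags (-H/--host, --tls, --tlsverify) are real Docker options.
"""
import json
import shlex
from urllib.parse import urlsplit

DEFAULT_PLAIN_PORT = 2375  # Docker's default unencrypted remote API port


def _listener_findings(hosts, tls, tlsverify):
    """Return one finding per network-exposed listener that is not protected."""
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local, not reachable from the network
        bind = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        port = parts.port or DEFAULT_PLAIN_PORT
        wildcard = bind in ("0.0.0.0", "::")
        if not tlsverify:
            # Without tlsverify any client that can reach the port can run API
            # commands; "tls" alone only encrypts, it does not authenticate.
            findings.append({
                "host": host,
                "severity": "CRITICAL" if wildcard else "HIGH",  # constructed labels
                "issue": ("remote API encrypted but not authenticated (no tlsverify)"
                          if tls else "plaintext remote API without TLS"),
            })
        elif port == DEFAULT_PLAIN_PORT:
            findings.append({"host": host, "severity": "LOW",
                             "issue": "TLS API served on the plaintext default port 2375"})
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json (path is the usual default)."""
    cfg = json.loads(text)
    return _listener_findings(cfg.get("hosts", []),
                              cfg.get("tls", False),
                              cfg.get("tlsverify", False))


def audit_dockerd_cmdline(cmdline):
    """Audit a dockerd command line, e.g. the ExecStart= line of a systemd unit.

    Only the host and TLS flags are interpreted; other flags are ignored.
    """
    args = shlex.split(cmdline)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tls":
            tls = True
        elif arg == "--tlsverify":
            tls = tlsverify = True  # --tlsverify implies --tls
        i += 1
    return _listener_findings(hosts, tls, tlsverify)


# Constructed sample: the exposure the campaign scans for.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: remote API only over mutually authenticated TLS.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(cfg))
    print("cmdline", audit_dockerd_cmdline("dockerd -H fd:// -H tcp://127.0.0.1:2375"))
```

The audit treats a listener bound to a loopback address as less severe than a wildcard bind, but still flags it: anything on the same host, including a compromised container with host networking, can reach it. Closing the port at the network edge is a separate control and is not checked here.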
2. New Phishing-as-a-Service platform used to target Microsoft 365
Full report available for CYMON users here.
Key Takeaways:
- Researchers have identified a new Phishing-as-a-Service (PhaaS) platform named ONNX Store. This platform has been used to target financial firms with the aim of accessing employee Microsoft 365 accounts.
- The phishing service operates through Telegram bots. It targets both Microsoft and Office 365 accounts and features two-factor authentication (2FA) bypass.
- The attacks begin with a phishing email containing a PDF. These emails impersonate HR departments with lures relating to salary updates.
Analyst comment:
- Phishing-as-a-Service models allow threat actors to provide other attackers with advanced phishing tools for a price.
- Telegram is a popular platform to offer these services, as it allows direct communication and can be automated using bots.
3. Analysis of UNC3886
Full report available for CYMON users here.
Key Takeaways:
- Researchers have analysed UNC3886, believed to be a China-based threat actor focused on cyberespionage. This threat actor has targeted large organisations across multiple campaigns.
- Researchers discovered the threat group exploiting CVE-2023-20867, an authentication bypass flaw affecting ESXi hosts, to install backdoors. UNC3886 has also exploited other zero-day vulnerabilities, including CVE-2022-41328, CVE-2022-42475 and CVE-2022-22948, in addition to CVE-2023-20867.
- The threat group uses publicly available rootkits such as REPTILE and MEDUSA. REPTILE, a Linux rootkit, appears to be the malware strain the group deploys most often; the group has modified the rootkit's command execution and file transfer functionality.
Analyst comment:
- UNC3886 typically targets firewall and virtualisation software, which usually cannot run endpoint detection and response (EDR) solutions.
- In the past, the threat group has focused its attacks against government, defence, and technology sectors across Asia and the United States.