Top security threats for August 2022 revealed in new report

Wed, 14th Sep 2022

FYI, this story is more than a year old

The top security threats for the month of August 2022 have been revealed in a new report from Securonix Threat Labs.

The Monthly Intelligence Insights report provides a summary of industry-leading top threats monitored and analysed by Securonix Threat Labs during August.

During the month, Threat Labs analyzed and monitored multiple major threat categories, including several ransomware operations, malware campaigns, attacks on hospitality and travel firms, persistent phishing and credential theft campaigns leading to intrusions and data theft from Russia and the SEABORGIUM threat actor.

Of note was an attack in the beginning of the month on Cisco by Yanluowang ransomware group, which breached its corporate network in late May. The attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employees account. The vulnerability was identified in the Ring Android app that exposed the data and camera recordings of Ring app users on Android devices.

In August, Securonix Autonomous Threat Sweeper identified 4,783 IOCs, 115 distinct threats, and reported 62 threat detections. The top data sources swept against include endpoint management systems, cloud application security broker, web proxy, and web application firewall.

Yanluowang ransomware group

According to Cisco, on 24 May 2022, the Yanluowang ransomware group breached its corporate network. It was caused by a phishing attack targeting one of their employees Google accounts that contained corporate credentials.

In addition, the hackers were only able to find and steal non-sensitive information from the folder in that employees account. Cisco reported that the threat actor has been removed from the environment and has shown persistence by repeatedly attempting to gain access in the weeks following the attack. However, none of these attempts were successful.

Threat Labs summary:

Threat Labs observed that the threat actor maintained access, minimised forensic artefacts, and increased access to systems after obtaining initial access.

Observations from Threat Labs suggest the attack was carried out by an adversary previously referred to as an initial access broker (IAB) associated with UNC2447, Lapsus$, and Yanluowang ransomware.

Securonix Threat Labs encourages all organisations to leverage our findings to inform the deployment of protective measures against the threat group.

IcedID malware dominant in August

Securonix Threat Labs has continued to monitor top malware activities and observed the IcedID threat that has been circulating lately. This IcedID malware continues to be an active malware in our current threat landscape.

In the month of August, the IcedID threat circulated multiple times with different exploits. IcedID is a service provider that has been tracked as a direction to ransomware, but also has been noted on the dark web service that can be used to load some of the ransomware itself.

Multiple researchers from Walmart Global Tech Blog, Palo Alto Unit 42 Intel, and ISC SANS published their analyses and observations.

Walmart Global tech Blog mentioned PrivateLoader continues to function as an effective loading service, recently leveraging the use of SmokeLoader for their payloads. By collecting some sample domains it indicated that these domains are simply proxies but behind them sits a massive operation performing millions of loads for various customers.

Also, Palo Alto Unit 42 Intel Unit monitored OSINT sources and identified a new infection of IcedID delivering CobaltStrike which was posted on Twitter reporting that the IcedID (Bokbot) infection led to CobaltStrike. An ISC SANS researcher further provided their analysis of IcedID malware using Dark VNC activity and Cobalt Strike. This method was used by threat actor Monster Libra (also known as TA551 or Shathak) who has started distributing a new IcedID infection generated from a password-protected zip archive sent by Monster Libra.

Threat Labs summary:

Threat Labs has continued to monitor the IcedID malware campaign after it began spreading rapidly. It has observed that the campaign IcedID aka BokBot mainly targets businesses and steals payment information; it also acts as a loader and can deliver other viruses or download additional modules.

TA558 targets hospitality and travel firms

Small threat actors, namely the TA558 group, are targeting hospitality, hotel, and travel organisations primarily with Portuguese and Spanish speakers.

The group operates typically in Latin America, but they are also targeting Western Europe and North America. It uses multiple malware in its attacks, including Loda RAT, Vjw0rm, and Revenge RAT, by using phishing campaigns with hotel booking lures.

As a result, the malware was repurposed to steal personal and financial data from hotel customers, including credit card information, perform lateral movement, and deliver additional payloads.

Threat Labs summary:

Securonix Threat Labs has continued to monitor actively running campaigns by Latin America threat actors TA558 as it began spreading rapidly.

Threat Lab has observed that since 2018, this group has employed consistent tactics, techniques, and procedures to attempt to install a variety of malware, including Loda RAT, Vjw0rm, and Revenge RAT.

According to Threat Labs, operational tempo was higher than previously observed for TA558, during 2022.

Threat Lab has observed TA558 adopting new tactics, techniques, and procedures in its campaigns in place of macro-enabled documents.