Google Calendar – the new cybersecurity threat
Adversaries who used to rent or build their own infrastructure for operations now prefer to use legitimate cloud services. Their list now includes Google Calendar.
Hackers are using the cloud calendar to deliver malware, remotely control infected desktops, and steal data.
Mandiant has found increased attention to this attack method on underground forums, indicating continued interest in using Google Calendar for malicious purposes.
Defense methods suggested by Google:
● Utilizing a comprehensive security architecture will mitigate risks even if attackers can bypass some controls, such as with the aforementioned cloud services.
● Utilize intrusion detection system (IDS) and network monitoring tools to detect C2 traffic at the application, network, or even data theft level.
● Segment your network to reduce the likelihood of an adversary gaining access to additional resources in your environment.
● Develop network traffic baselines and monitor connections to cloud services, with which defenders can identify low prevalence and/or anomalous activity.
● Implement robust centralized logging of security events and regularly monitor anomalous behavior of the environment.
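As an added illustration of the baseline-and-monitor advice above (example code, not Google's or Mandiant's), the script below scans constructed proxy log lines for hosts that poll Google Calendar endpoints at machine-like regular intervals, and counts how many hosts request each calendar path so single-host (low prevalence) paths stand out. The log format, hostnames, paths and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log (not from the page): "<epoch> <src> <dst> <path>".
# ws-017 polls the Calendar API every 300 s, the machine-like rhythm to look for.
SAMPLE_LOG = """\
1700000000 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events
1700000300 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events
1700000600 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events
1700000900 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events
1700001200 ws-017 www.googleapis.com /calendar/v3/calendars/primary/events
1700000120 ws-021 calendar.google.com /calendar/u/0/r
1700002500 ws-021 www.googleapis.com /calendar/v3/calendars/primary/events
1700007311 ws-021 calendar.google.com /calendar/u/0/r
1700009000 ws-021 calendar.google.com /calendar/u/0/r/week
"""

CALENDAR_HOSTS = {"calendar.google.com", "www.googleapis.com"}
MIN_REQUESTS = 4   # fewer requests than this cannot establish a rhythm
MAX_JITTER = 0.15  # max coefficient of variation of inter-request gaps

def parse_log(text):
    """Yield (timestamp, src, dst, path) for calendar-related requests only."""
    for line in text.splitlines():
        ts, src, dst, path = line.split()
        if dst in CALENDAR_HOSTS and path.startswith("/calendar"):
            yield int(ts), src, dst, path

def find_beaconing_hosts(text):
    """Return {src: (count, mean_gap)} for hosts polling at near-constant intervals."""
    per_host = defaultdict(list)
    for ts, src, _dst, _path in parse_log(text):
        per_host[src].append(ts)
    flagged = {}
    for src, stamps in per_host.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Low relative spread of the gaps means automated, not human, timing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            flagged[src] = (len(stamps), mean)
    return flagged

def path_prevalence(text):
    """Distinct hosts per calendar path; a path seen from one host is low prevalence."""
    hosts = defaultdict(set)
    for _ts, src, dst, path in parse_log(text):
        hosts[(dst, path)].add(src)
    return {k: len(v) for k, v in hosts.items()}
```

Running `find_beaconing_hosts(SAMPLE_LOG)` flags only ws-017 (5 requests, 300 s apart); ws-021's irregular gaps pass the jitter filter and it is left alone.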
Source
Specific features of attacks on telecommunications providers
CERT-UA reports that during 2023, the Russian hacker group Sandworm* (UAC-0165) conducted a series of attacks against Ukrainian telecommunications companies that resulted in customer service interruptions.
To gain access to their targets' systems, the hackers used open ports, unprotected RDP and SSH interfaces, and compromised VPN accounts that were not protected by multifactor authentication. In some cases, they also exploited known vulnerabilities in target systems.
*Sandworm, active since the early 2000s, is a division of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (known as GRU RF).
We believe the following recommendations from CERT-UA are most essential:
● It is worth reducing the number of information systems and services available online.
● Access to corporate resources, especially VPNs and mail, should include the use of two-factor authentication.
● Remote access, and especially access to the administration interfaces of server and network equipment, must be authorized for specific users from specific IP addresses.
● Running applications, including legitimate utilities (e.g., wscript.exe, cscript.exe, mshta.exe, powershell.exe), should be prohibited for normal users and strictly controlled.
The complete study of attack methods from CERT-UA
Pro-Russian APT group exploits a new vulnerability to bypass Microsoft security feature
In July 2023, UNIT42 analyzed a campaign targeting groups supporting Ukraine's accession to NATO and discovered a new vulnerability used to bypass the Microsoft Mark-of-the-Web (MotW) security feature. The activity was associated with a pro-Russian APT group known as Storm-0978.
To infect their targets with malware, the attackers used a sophisticated and well-developed exploit chain that leveraged a remote code execution (RCE) vulnerability in Microsoft Office, tracked as CVE-2023-36884.
The bait for these attacks was a Microsoft Word document disguised as talking points for attendees of the July 2023 NATO summit to discuss Ukraine's accession to NATO.
This article details the malicious file and provides technical information about the exploit chain of the attack, which has not been publicly discussed so far:
https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
Monthly cyber threat overview from Picus Security
Picus Security conducts research throughout the month using various resources including threat and malware intelligence platforms, blogs, exploit databases, sandboxes, and network data. The Picus team leverages this wealth of information to provide a holistic view of cyber threats, with a focus on analyzing malware campaigns, APT attacks, and new malware samples.
By examining the monthly threat report, you can identify which threat actors or malware could potentially impact your sector, determine if your country is a particular focus, and understand if the spike in threat activity is related to geopolitical events.
https://www.picussecurity.com/resource/blog/october-2023-key-threat-actors-malware-and-exploited-vulnerabilities