Suspected Threat Actors: Group123 (Konni APT37), Potential Correlation to Fancy Bear (APT28)
Researchers have recently disclosed details of a new attack campaign targeting high-value organizations in the Czech Republic, Poland, and other countries. The ongoing campaign, tracked as STIFF#BIZON by researchers, has been linked to the North Korean APT group Konni (aka APT37) based on some of the artifacts and tradecraft. According to researchers, the trivial initial infection starts with phishing emails that entice victims to open a malicious document; the Konni-based malware is delivered inside a compressed file attachment. The archive contains the files “missile.docx” and “_weapons.doc.lnk”, which, when opened, start the infection chain and lead to a modified version of the Konni malware being deployed.
The cyber conflict between Iran and Israel has intensified over the past couple of years. Israel has traditionally stuck to ambiguous responses, which might change now that Iran has also broken its silence and discussed some of the incidents publicly.
Experts suggest the following reasons for the cyber conflict between the two countries going public:
Cyber-actions are becoming less covert
Both nations have been engaged in offensive covert cyber operations, although neither has taken credit publicly. The discovery of the Stuxnet malware was the first public evidence of a cyberweapon being used against Iran. There have been multiple other alleged cyberattacks and incidents between the two countries, which have drawn global attention.
A recent comment about Israel’s strategy toward Iran from Israeli Prime Minister Naftali Bennett landed the long-running conflict in the spotlight.
The reason for going public
Experts argue that giving up the advantages of covertness and choosing to disclose details to the public allows the victim of a cyberattack to respond in a variety of ways, ranging from complete silence to attribution and the assignment of blame. For example, Israel chose to publicize the cyberattack on its “water command and control systems.”
This strategy not only allowed Israel to set the public narrative but also to avoid further humiliation in case Iran or any third party claimed credit for the attack. It also helped Israel minimize the risk of escalation by not directly blaming Iran, even though media reports did so.
Researchers have recently observed several different methods that cybercriminals are using to spread malware through messaging platforms such as Telegram and Discord. Attackers have found ways to use these platforms to host, distribute, or execute various functions that ultimately lead to data being stolen from unsuspecting users. Several info stealers freely available in the wild rely on Discord or Telegram for their functionality.
One such info stealer, known as Blitzed Grabber, leverages Discord’s webhooks feature to store the data exfiltrated by the malware. This malware is capable of pillaging a wide range of information, including autofill data, bookmarks, browser cookies, credentials from virtual private network (VPN) clients, payment card information, cryptocurrency wallets, OS information, passwords, and Windows product keys. Several of these malware families, including Blitzed Grabber, Mercurial Grabber, and 44Caliber, also target credentials for the gaming platforms Minecraft and Roblox.
Another Telegram-focused malware known as X-files – whose functionality is accessible via bot commands inside Telegram – can siphon various user details and direct them to a Telegram channel of the attacker’s choosing.
Researchers observed that attackers are abusing the cloud infrastructure of these apps to facilitate their malware campaigns. Many of these attackers host the malware payload on Discord’s content delivery network (CDN) and appear to face no restrictions when hosting such malicious payloads. Below are the malware families observed by researchers whose payloads were hosted on the Discord CDN:
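The three abuse patterns described above (exfiltration via Discord webhooks, exfiltration via the Telegram bot API, and payloads hosted on the Discord CDN) all leave a recognizable shape in outbound web-proxy logs. The following detection script is an added example written for this digest, not code from the researchers or from any of the named malware families; the log lines are constructed, and the flagged file extensions and the simple "client method url status bytes" log format are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format: "<client> <method> <url> <status> <bytes>").
SAMPLE_LOG = """\
10.0.0.15 POST https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKl 204 18342
10.0.0.15 GET https://cdn.discordapp.com/attachments/111/222/update.exe 200 734208
10.0.0.22 GET https://cdn.discordapp.com/attachments/333/444/holiday.png 200 90211
10.0.0.31 POST https://api.telegram.org/bot123456:ABC-DEF/sendDocument 200 52010
10.0.0.40 GET https://www.example.com/index.html 200 5120
"""

# Public URL shapes of the abused services; the executable-extension list is an assumption.
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[\w-]+")
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[\w-]+/(sendDocument|sendMessage)")
CDN_PAYLOAD_RE = re.compile(r"^/attachments/\d+/\d+/.+\.(exe|dll|scr|bat|ps1|zip)$", re.I)

def classify(method: str, url: str) -> Optional[str]:
    """Return a finding label for one request, or None if it matches no known pattern."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path
    # Info stealers push stolen data to attacker-controlled webhooks with a POST.
    if method == "POST" and host in {"discord.com", "discordapp.com"} and WEBHOOK_RE.match(path):
        return "discord-webhook-exfil"
    # Telegram-controlled stealers upload through the bot API using a bot token in the path.
    if method == "POST" and host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return "telegram-bot-exfil"
    # Second-stage payloads are fetched from attachments hosted on the Discord CDN.
    if method == "GET" and host == "cdn.discordapp.com" and CDN_PAYLOAD_RE.match(path):
        return "discord-cdn-payload"
    return None

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse proxy log lines and return (client, label, url) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed or truncated lines rather than crash on them
        client, method, url = parts[0], parts[1].upper(), parts[2]
        label = classify(method, url)
        if label:
            findings.append((client, label, url))
    return findings

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

A webhook POST from the same client that just pulled an executable from the CDN (10.0.0.15 in the sample) is the combination worth prioritizing, since ordinary Discord users rarely do both.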
SonicWall has recently issued a public security notice about a critical SQL injection vulnerability affecting SonicWall GMS and Analytics On-Prem, and is urging customers to update to the patched versions. Specifically, customers running Analytics 184.108.40.206-2520 or earlier and/or GMS 9.3.1-SP2-Hotfix1 or earlier are advised to apply the patches Analytics 220.127.116.11-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2, respectively. No workarounds are available for either affected product.