Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Gootloader Malware – Active IOCs
July 26, 2023Rewterz Threat Alert – CVE-2023-38606 – Apple macOS, iOS and iPadOS Vulnerability Exploited in the Wild
July 26, 2023
Severity
High
Analysis Summary
Cybersecurity researchers recently made a significant discovery, identifying what appears to be the first open-source software supply chain attacks specifically aimed at the banking sector. The attackers utilized advanced techniques, including focusing on specific components within the web assets of victim banks by attaching malicious functionalities to them. The published report highlighted the nature of these attacks.
The attackers employed deceptive tactics, including creating a fake LinkedIn profile to appear credible and customizing command-and-control (C2) centers for each target. By exploiting legitimate services, they managed to carry out their illicit activities effectively. The malicious npm packages used in these attacks were later reported and taken down, although their names were not disclosed. In the initial attack, the malware author posed as an employee of the target bank and uploaded packages to the npm registry in early April 2023. These packages contained a preinstall script that triggered the infection sequence. To deliver the second-stage payload, the attackers cleverly utilized Azure’s CDN subdomains, incorporating the name of the targeted bank to bypass traditional deny list methods.
The second-stage payload, identified as Havoc, is an open-source command-and-control (C2) framework, which the attackers used to evade detection typically associated with the use of other tools like Cobalt Strike, Sliver, and Brute Ratel.
In another unrelated attack detected in February 2023, targeting a different bank, the adversary uploaded a package to npm designed to blend into the bank’s website and intercept login data covertly. This data was then exfiltrated to an actor-controlled infrastructure.
The importance of supply chain security was highlighted, as once a malicious open-source package enters the software development pipeline, it can lead to an instantaneous breach, rendering subsequent countermeasures ineffective.
“Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user.”, they added
Notably, the Russian-speaking cybercrime group RedCurl was involved in breaching a major Russian bank and an Australian company in November 2022 and May 2023, respectively. They carried out multiple attacks on companies from various countries, stealing corporate secrets and employee information through a sophisticated phishing campaign.
Financial institutions have also faced attacks using a web-inject toolkit called drIBAN, which alters legitimate banking transfers performed by users, diverting money to illegitimate accounts controlled by the attackers.
“This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our Software Development Lifecycle (SDLC) in the first place.”
These incidents emphasize the critical need for enhanced cybersecurity measures, collaboration between developers, researchers, and organizations, and constant vigilance to protect against emerging threats in the ever-evolving cyber landscape.
Impact
- Security Bypass
- Unauthorized Access
- Reputational Damage
Indicators of Compromise
MD5
- 58a4f9eed576b9bc14e1a06afd52f00e
- 031e48ff1c1c14c73e961773ef32823c
- 5a789786e5996cfdceb8866993b02fd2
- 494bd8c8d2fbdbbb53855cc1a533a1ef
- 087cf30324aae7397d95df39895c521a
SHA-256
- 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
- d2ee7c0febc3e35690fa2840eb707e1c9f8a125fe515cc86a43ba485f5e716a7
- f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
- 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
- 79c3d584ab186e29f0e20a67187ba132098d01c501515cfdef4265bbbd8cbcbf
SHA-1
- 921c5c8d5dd416ae69d880b1af9eb52d6c3ab1db
- 7700cf0e7761cbefa40fdfb84dde29bfa4061173
- 626e4db197fb18f8d67ceba5014d28deb54afa75
- 0f6a8dd9c9651ff94f45d916a3a20d210dc3747c
- 5306353bb71410ab2fef5e76805b669e2636040d
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Conduct thorough code reviews and dependency analysis to identify and scrutinize all third-party dependencies, including open-source packages. Regularly update and patch these dependencies to mitigate known vulnerabilities.
- Implement a secure Software Development Lifecycle (SDLC) process that incorporates security checks at each stage of software development. This includes secure coding practices, code reviews, and security testing before deployment.
- Enforce the use of two-factor authentication for all employees, especially those with access to critical systems or repositories. This reduces the risk of unauthorized access even if credentials are compromised.
- Ensure the integrity of the software supply chain by verifying the authenticity of packages and repositories. Use digital signatures or checksums to validate software components during installation