An unforeseeable shift in network structures and attack strategies hit the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals around the globe, we are now dealing with a threat landscape that has become more intense, complex, and saturated than ever before. Given the expanding nature of today's cyber threats, business leaders must continually use up-to-date threat intelligence and invest in the resources needed to protect what is now a larger, more fluid attack surface. The changes across the cyber threat landscape are more dramatic, and the risks greater, because of the recent network changes; this makes accurate and actionable threat intelligence even more crucial. This blog highlights the cyber criminal community's ability to adapt and take advantage of low-hanging fruit to achieve its goals. The pandemic has reinforced what many industry professionals have recognized and championed for some time: effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies. While security should have been a top priority all along, now may be the time to invest in broader, more advanced, and more adaptable cybersecurity solutions, especially as cyber criminals adapt their attack methods to use personal devices as a springboard into enterprise networks. With this in mind, shoring up the security of remote systems and networks should be at the top of the to-do list. Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is a comprehensive, integrated approach to cybersecurity, and a vital component of that is continuous access to up-to-date threat intelligence and cybersecurity training.
Ashco Systems is committed to addressing this need by providing leading-edge insights into the cybersecurity threat landscape through our threat research team, advanced threat detection technologies, and in-depth reporting on advancing threat trends. If you have technical questions or need assistance, contact us at info@ashcosystems.com.

PhpStudy.Web.Server.Remote.Code.Execution – This indicates an attack attempt to exploit a remote code execution vulnerability in PhpStudy. The vulnerability is due to insufficient sanitizing of user-supplied input. A remote attacker may be able to exploit this to execute arbitrary commands within the context of the application via a crafted HTTP request. The affected products are PhpStudy 2016 to 2018.

The EKING Variant of Phobos Ransomware – The Phobos ransomware family is fairly recent, having first been spotted by security researchers in early 2019. Since then it has continued to push out new variants that not only evolve the attack methods but also frequently change the extension name that earlier variants appended to encrypted files. In its short history, its victims have often complained that the Phobos attackers cheated them by not restoring their files. Two weeks ago, a FortiGuard security researcher captured a new threat sample from the wild: a Microsoft Word document with a malicious macro designed to spread the EKING variant of Phobos. A FortiGuard security researcher ran a deep analysis on this sample, and the analysis post shows how this variant infects a victim's system and how it scans and encrypts files using an AES algorithm on the victim's device as well as on shared network folders.
AV Signatures: VBA/Agent.KBU!tr, W32/Phobos.HGAF!tr.ransom

Indicator(s):
667F88E8DCD4A15529ED02BB20DA6AE2E5B195717EB630B20B9732C8573C4E83
6E9C9B72D1BDB993184C7AA05D961E706A57B3BECF151CA4F883A80A07FDD955

Web Filtering

Kraken masks malware activity behind Windows Error Reporting service – Security researchers at Malwarebytes have discovered a new fileless attack technique that leverages the Microsoft Windows Error Reporting (WER) service. The attack starts with a phishing lure packaged in a .ZIP file containing a document titled "Compensation manual.doc." Opening the document triggers a malicious macro; once the victim clicks Enable Content, the macro injects the fileless malware directly into the WER process on the victim's machine. WER is a crash-reporting tool that is triggered when there is a problem with the operating system, a Windows feature, or a program. Most victims will not suspect anything and will assume a normal error occurred, which makes this a good way to hide the malware's activity.

Indicator(s):
yourrighttocompensation[.]com/?rid=UNfxeHM
yourrighttocompensation[.]com/download/?key=15a50bfe99cfe29da475bac45fd16c50c60c85bff6b06e530cc91db5c710ac30&id=0
yourrighttocompensation[.]com/?rid=n6XThxD
yourrighttocompensation[.]com/?rid=AuCllLU
yourrighttocompensation[.]com
asia-kotoba[[.]]net/favicon32[.]ico
asia-kotoba[.]net

Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure DevOps: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for DevOps & Application Services
E-Book: How to Build a Next Generation Security Operations Center
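A defender-side check for the WER abuse described in the Kraken item above, added here as an illustration rather than code from Malwarebytes, FortiGuard or Ashco: it runs over constructed process-creation records (Sysmon Event ID 1 style fields, not real telemetry) and flags Windows Error Reporting processes whose parent is an Office application, which is the parent/child shape a macro-to-WER injection chain leaves behind. The WER process names (WerFault.exe, wermgr.exe) and the Office binary list are assumptions to adjust for your environment.

```python
"""Flag Windows Error Reporting processes started by an Office application.

Constructed example: the records below imitate process-creation telemetry
(Image, ParentImage, CommandLine). Field names and paths in real logs differ.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Office binaries a malicious macro would run under (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# WER components treated as the injection target (assumption based on the
# technique description, which names the WER service, not a specific binary).
WER_IMAGES = {"werfault.exe", "wermgr.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name so path and case differences do not matter."""
    return PureWindowsPath(path).name.lower()


def is_suspicious_wer(ev: ProcEvent) -> bool:
    """True when a WER process has an Office parent.

    A genuine Office crash can produce the same shape, so treat a hit as a
    triage lead: corroborate with the document that was just opened and
    whether macros were enabled, rather than auto-blocking on it.
    """
    return (_basename(ev.image) in WER_IMAGES
            and _basename(ev.parent_image) in OFFICE_PARENTS)


def find_wer_abuse(events):
    return [ev for ev in events if is_suspicious_wer(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the post
    ProcEvent(4120, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\explorer.exe", r'"WINWORD.EXE" "Compensation manual.doc"'),
    ProcEvent(4188, r"C:\Windows\System32\WerFault.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1234"),
    ProcEvent(5010, r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 2210 -s 776"),
]

if __name__ == "__main__":
    for ev in find_wer_abuse(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} image={ev.image} parent={ev.parent_image}")
```

Only the second constructed record (WerFault.exe under WINWORD.EXE) is flagged; the WerFault.exe under svchost.exe is the ordinary service-launched case and passes.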