Security & Resilience Update | 8-31-23

CISA and the FBI have released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. Originally used as a banking trojan to steal banking credentials for account compromise, QakBot has since grown to deploy multiple types of malware, trojans, and highly destructive ransomware variants targeting the U.S. and other global infrastructures, including the election infrastructure subsector and the financial services, emergency services, and commercial facilities sectors.
CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Read more at CISA.
As people become more aware of phishing attacks, threat actors are constantly evolving their social engineering tactics to continue to compromise victims. To help organizations stay ahead of the latest phishing tactics, Cofense has written a report highlighting threat actors’ use of misleading dates in subject lines to influence the emotions of recipients and create a false sense of urgency.
Researchers at Cofense analyzed phishing emails from July 2023 to create the report. According to the researchers, “the subject lines seen were intentionally deceptive, and the dates used in the subjects covered a range from a few days before the email was sent to several days afterwards. Subject lines such as these are specially designed to create a false sense of urgency requiring the victim’s immediate interaction, and not allowing them time to consider how suspicious the email is.” The report first gives the ratio of subjects with dates to those without, then divides the dated emails into late emails (the subject date is before the date the email was accessed), early emails (the subject date is after the date the email was accessed), and on-time emails (the subject date matches the date the email was accessed). The report found that in over two-thirds of the emails with a date in the subject line, the listed date was before the date the email was accessed, which is not surprising since threat actors use a date that has already passed to create a false sense of urgency. Therefore, if the date in a subject line is before the date the email is accessed, the recipient should apply additional scrutiny.
Phishing attacks continue to increase every year, according to recent research reports. In fact, just this month a water utility reported a credential phishing attack to WaterISAC. To defend against this activity, members are encouraged to conduct regular security awareness training and implement technical controls, such as multifactor authentication (MFA). Read more at Cofense.
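The late/early/on-time classification described in the Cofense report can be turned into a simple mail-filter heuristic. The following is an added example written for this update; it is not Cofense's tooling and not code from the report. It assumes US month/day ordering for numeric dates, treats a missing year as the year the message was accessed, and runs over a handful of constructed subject lines (all of these are assumptions made for the example).

```python
import re
from collections import Counter
from datetime import date
from typing import Optional

# Month abbreviations keyed by their first three letters ("sept" -> "sep").
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Two subject-line date shapes: "08/25/2023", "8-28", "09-01-23" (numeric,
# assumed US month/day order) and "Aug 31", "August 22nd, 2023" (named month).
DATE_PATTERNS = [
    (re.compile(r"\b(\d{1,2})[/-](\d{1,2})(?:[/-](\d{2,4}))?\b"), "numeric"),
    (re.compile(r"\b(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?"
                r"\s+(\d{1,2})(?:st|nd|rd|th)?(?:,?\s+(\d{4}))?\b", re.I), "named"),
]


def _resolve_year(raw: Optional[str], accessed: date) -> int:
    """Missing year -> year of access (assumption); two-digit year -> 20xx."""
    if raw is None:
        return accessed.year
    return 2000 + int(raw) if len(raw) == 2 else int(raw)


def extract_subject_date(subject: str, accessed: date) -> Optional[date]:
    """Return the first parseable calendar date in the subject line, or None."""
    for pattern, kind in DATE_PATTERNS:
        for m in pattern.finditer(subject):
            try:
                if kind == "numeric":
                    month, day = int(m.group(1)), int(m.group(2))
                else:
                    month, day = MONTHS[m.group(1)[:3].lower()], int(m.group(2))
                return date(_resolve_year(m.group(3), accessed), month, day)
            except (ValueError, KeyError):
                continue  # e.g. "13/45" is not a real date; keep scanning
    return None


def classify(subject: str, accessed: date) -> str:
    """Cofense's buckets: late / early / on-time, plus no-date for the rest."""
    found = extract_subject_date(subject, accessed)
    if found is None:
        return "no-date"
    if found < accessed:
        return "late"
    if found > accessed:
        return "early"
    return "on-time"


def needs_extra_scrutiny(subject: str, accessed: date) -> bool:
    """The report's rule: a subject date already in the past deserves a second look."""
    return classify(subject, accessed) == "late"


def summarize(emails):
    """Count each bucket and how many subjects carried a date at all."""
    counts = Counter(classify(subject, accessed) for subject, accessed in emails)
    with_date = sum(n for bucket, n in counts.items() if bucket != "no-date")
    return {"total": len(emails), "with_date": with_date, **counts}


# Constructed sample subject lines (not real phishing data), all accessed
# on the same day so the buckets are easy to check by eye.
ACCESSED = date(2023, 8, 28)
SAMPLE_EMAILS = [
    ("Invoice overdue - payment due 08/25/2023", ACCESSED),        # late
    ("Action required: account review on Aug 31", ACCESSED),       # early
    ("Your statement for 8/28 is ready", ACCESSED),                # on-time
    ("Reminder: timesheet submission deadline Friday", ACCESSED),  # no-date
    ("Final notice: password expires 09-01-23", ACCESSED),         # early
    ("URGENT: shipment held since August 22nd", ACCESSED),         # late
]

if __name__ == "__main__":
    for subject, accessed in SAMPLE_EMAILS:
        flag = " <-- extra scrutiny" if needs_extra_scrutiny(subject, accessed) else ""
        print(f"{classify(subject, accessed):8} {subject}{flag}")
    print(summarize(SAMPLE_EMAILS))
```

The regexes are deliberately narrow: a day number must follow a month name, so "August 2023" on its own is not mistaken for a date, and impossible numeric dates are skipped rather than guessed. A gateway rule built on this would use the message's received date as `accessed`; the classification is only a scrutiny signal, not a verdict, since legitimate reminders also reference past dates.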
CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting the Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. Malicious threat actors exploited this vulnerability as a zero-day as early as October 2022 to gain access to ESG appliances.
Members are encouraged to download the newly released IOCs associated with this activity. Read more at CISA.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
CISA Releases Four Industrial Control Systems Advisories
These products are used across multiple sectors. Please check the latest advisories for specific equipment used in your ICS environments and address accordingly.
- ARDEREG Sistemas SCADA
- GE Digital CIMPLICITY
- PTC Kepware KepServerEX
- Digi RealPort Protocol
Alerts, Updates, and Bulletins:
- CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware
- CISA and FBI Publish Joint Advisory on QakBot Infrastructure
- VMware Releases Security Updates for Aria Operations for Networks
- Juniper Networks Releases Security Advisory for Junos OS and Junos OS Evolved
- Mozilla Releases Security Updates for Firefox and Firefox ESR
The following posts are useful for general awareness of current threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
ICS/OT/SCADA Threats and other Critical Infrastructure Resilience
- Defending Against Ransomware in Industrial Control Systems (SANS)
- Montreal electricity organization latest victim in LockBit ransomware spree (The Record)
- AlphV group takes credit for ransomware attack on Georgia county (The Record)
- The OT Supply Chain Threat (Industrial Cyber)
- Interesting and cool: DOE launches cyber contest to benefit rural utilities (Cyber Scoop)
Qakbot Takedown News
- Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI (Troy Hunt)
- Check Point Shares Analysis of Qakbot Malware Group (Check Point)
- The removal of Qakbot from infected computers is just the first step (Help Net Security)
- How the FBI nuked Qakbot malware from infected Windows PCs (Bleeping Computer)
IT Vulnerabilities & Threats
- Cisco VPNs with no MFA enabled hit by ransomware groups (Help Net Security)
- Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence (Security Week)
- Multiple Vulnerabilities in VMware Aria Operations for Networks Could Allow for Remote Code Execution (Center for Internet Security)
- BGP Flaw Can Be Exploited for Prolonged Internet Outages (Security Week)
- How to ensure DNS records don’t become a security hazard (SC Media)
Ransomware Awareness
- 2023 ThreatLabz State of Ransomware (Zscaler)
- Why Criminals Keep Reusing Leaked Ransomware Builders (GovInfoSecurity)
Cyber Resilience & General Awareness
- The 7 Tenets of Threat Intelligence Operations – Tenet #4 – Go Beyond IoCs (Threat Connect)
- Alert fatigue: A 911 cyber call center that never sleeps (Security Intelligence)
- MOVEit Breach Shows Us SQL Injections Are Still Our Achilles' Heel (Dark Reading)
- Delinea Research Reveals a Cyber Insurance Gap (Dark Reading)
- Here's What Your Breach Response Plan Might Be Missing (Dark Reading)
- Might be a good one to share with users: Home Office / Small Business Hurricane Prep (SANS Internet Storm Center)
Technical Posts (for security analysts, sysadmins, and other nerds)
- Qakbot Malware Takedown and Defending Forward (Huntress)
- SapphireStealer: Open-source information stealer enables credential and data theft (Talos)
- The low, low cost of (committing) cybercrime (SANS Internet Storm Center)