{"id":119,"date":"2022-08-12T14:58:18","date_gmt":"2022-08-12T14:58:18","guid":{"rendered":"https:\/\/gcsecurity.us\/?p=119"},"modified":"2023-01-27T19:57:56","modified_gmt":"2023-01-27T19:57:56","slug":"threat-intelligence-bulletin-manjuska-attack-framework-zeppelin-ransomware-and-the-evolving-email-threat-landscape","status":"publish","type":"post","link":"https:\/\/gcsecurity.us\/?p=119","title":{"rendered":"Threat Intelligence Bulletin &#8211; Manjusaka Attack Framework, Zeppelin Ransomware, and the Evolving Email Threat Landscape"},"content":{"rendered":"\n<p>CISA adds path traversal vulnerability in Unix versions of the unRAR utility to Known Exploited Vulnerabilities Catalog<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/thehackernews.com\/2022\/08\/cisa-issues-warning-on-active.html\">https:\/\/thehackernews.com\/2022\/08\/cisa-issues-warning-on-active.html<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Attackers exploiting open redirects to Snapchat and Amex websites as part of phishing campaign<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/cyware.com\/news\/snapchat-and-amex-abused-to-target-microsoft-365-users-05a8c543\">https:\/\/cyware.com\/news\/snapchat-and-amex-abused-to-target-microsoft-365-users-05a8c543<\/a><\/li><li><a href=\"https:\/\/www.inky.com\/en\/blog\/phishers-bounce-lures-off-unprotected-snapchat-amex-sites\">https:\/\/www.inky.com\/en\/blog\/phishers-bounce-lures-off-unprotected-snapchat-amex-sites<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Kimsuky threat actor using SHARPEXT browser extension to steal mail data directly from webmail sessions<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a 
href=\"https:\/\/www.volexity.com\/blog\/2022\/07\/28\/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext\/\">https:\/\/www.volexity.com\/blog\/2022\/07\/28\/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext\/<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Threat actor exploits Atlassian Confluence bug to deploy Ljl backdoor<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/cyware.com\/news\/tac-040-exploits-confluence-bug-to-deploy-new-ljl-backdoor-66149611\">https:\/\/cyware.com\/news\/tac-040-exploits-confluence-bug-to-deploy-new-ljl-backdoor-66149611<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Manjusaka, a new attack framework imitating Cobalt Strike, being used and may become more prevalent<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/blog.talosintelligence.com\/2022\/08\/manjusaka-offensive-framework.html\">https:\/\/blog.talosintelligence.com\/2022\/08\/manjusaka-offensive-framework.html<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Prevalent Trojans from July 29 \u2013 Aug 5 and their associated IOCs<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/blog.talosintelligence.com\/2022\/08\/threat-roundup-0729-0805.html\">https:\/\/blog.talosintelligence.com\/2022\/08\/threat-roundup-0729-0805.html<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>X-FILES infostealer gains new variant, exploiting Follina vulnerability, distributed via phishing<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/x-files-stealer-evolution-analysis-and-comparison-study?&amp;web_view=true\">https:\/\/www.zscaler.com\/blogs\/security-research\/x-files-stealer-evolution-analysis-and-comparison-study?&amp;web_view=true<\/a><\/li><\/ul>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>CPR claims that Emotet botnet most prevalent malware in July 2022, followed by Formbook infostealer and XMRig Monero crypto miner<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/emotet-tops-list-most-widely-used\/\">https:\/\/www.infosecurity-magazine.com\/news\/emotet-tops-list-most-widely-used\/<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Commodity malware top threat Cisco responded to in Q2 2022, Education in top 3 targeted industries<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.tanium.com\/blog\/report-reveals-commodity-malware-surpasses-ransomware\/\">https:\/\/www.tanium.com\/blog\/report-reveals-commodity-malware-surpasses-ransomware\/<\/a><\/li><li><a href=\"https:\/\/blog.talosintelligence.com\/2022\/07\/quarterly-report-incident-response.html\">https:\/\/blog.talosintelligence.com\/2022\/07\/quarterly-report-incident-response.html<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>As threat actors pivot away from macros, Windows Explorer becomes top living-off-the-land binary used to execute malware through Windows LNK files<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.sentinelone.com\/labs\/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts\/\">https:\/\/www.sentinelone.com\/labs\/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts\/<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Trends in email threat landscape include LNK files, HTML smuggling, and shellcode hidden in Office documents<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a 
href=\"https:\/\/www.helpnetsecurity.com\/2022\/08\/11\/email-malware-delivery-techniques\/\">https:\/\/www.helpnetsecurity.com\/2022\/08\/11\/email-malware-delivery-techniques\/<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Cisco releases more details on a breach they suffered from an employee\u2019s compromised Google account and MFA fatigue<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/cisco-confirms-data-breach-hacked-files-leaked\">https:\/\/www.darkreading.com\/attacks-breaches\/cisco-confirms-data-breach-hacked-files-leaked<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Zimbra authentication bypass vulnerability being actively exploited to compromise Zimbra email servers<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/zimbra-auth-bypass-bug-exploited-to-breach-over-1-000-servers\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/zimbra-auth-bypass-bug-exploited-to-breach-over-1-000-servers\/<\/a><\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Zeppelin ransomware advisory and IOCs from CISA<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.ic3.gov\/Media\/News\/2022\/220811.pdf\">https:\/\/www.ic3.gov\/Media\/News\/2022\/220811.pdf<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>CISA adds path traversal vulnerability in Unix versions of the unRAR utility to Known Exploited Vulnerabilities Catalog https:\/\/thehackernews.com\/2022\/08\/cisa-issues-warning-on-active.html Attackers exploiting open redirects to Snapchat and Amex websites as part of phishing campaign https:\/\/cyware.com\/news\/snapchat-and-amex-abused-to-target-microsoft-365-users-05a8c543 https:\/\/www.inky.com\/en\/blog\/phishers-bounce-lures-off-unprotected-snapchat-amex-sites Kimsuky threat actor using 
SHARPEXT browser extension to steal mail data directly from webmail sessions https:\/\/www.volexity.com\/blog\/2022\/07\/28\/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext\/ Threat actor exploits Atlassian Confluence bug to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[15,14],"class_list":["post-119","post","type-post","status-publish","format-standard","hentry","category-news","tag-cybersecurity","tag-news"],"_links":{"self":[{"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=119"}],"version-history":[{"count":1,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions"}],"predecessor-version":[{"id":120,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=\/wp\/v2\/posts\/119\/revisions\/120"}],"wp:attachment":[{"href":"https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gcsecurity.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}