Cybersecurity Newsletter - 10/08/2020
BAHAMUT Group Targeting Governments and Businesses in Middle East and UAE
BlackBerry released new research highlighting the true reach and sophistication of one of the most elusive, patient, and effective publicly known threat actors – BAHAMUT.
The report uncovered malicious applications that are directly attributable to BAHAMUT based on their configuration and unique network service fingerprints. The applications were complete with well-designed websites, privacy policies and written terms of service, which helped them bypass the safeguards put in place by both Google and Apple.
Those investigated by BlackBerry were determined to be intended for targets in the UAE as downloads were region-locked to the Emirates.
Kraken: Fileless APT attack abuses Windows Error Reporting service
On September 17th, Malwarebytes discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.
That reporting service, WerFault.exe, is usually invoked when an error related to the operating system, Windows features, or applications happens. When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack.
While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker’s compensation claim. The threat actors compromised a website to host its payload and then used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques.
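A defender-side check for the technique described above, added here as an example that is not part of the newsletter or of the Malwarebytes research. It runs over constructed, Sysmon-like process-creation events and flags WerFault.exe instances that do not look like genuine crash reports. The two assumptions it rests on (that a legitimate WerFault.exe runs from the System32 or SysWOW64 directory and is launched with the `-u -p <pid> -s <handle>` argument pattern) are mine, not facts stated on the page; parent-process heuristics are deliberately left out because any crashing program can legitimately be the parent of WerFault.exe.

```python
"""Flag WerFault.exe process-creation events that do not look like crash reports.

Added example, not the newsletter's or Malwarebytes' code. Event fields mimic
Sysmon event ID 1 loosely; the sample events below are constructed.
"""
from typing import Dict, List, Tuple

# Assumption: a genuine crash-report instance of WerFault.exe is started from one
# of these directories with "-u -p <pid> -s <handle>" on its command line.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_ARGS = ("-u", "-p")


def werfault_findings(event: Dict[str, object]) -> List[str]:
    """Return finding names for one event; empty when it is not WerFault.exe or looks benign."""
    image = str(event.get("image", "")).lower()
    if not image.endswith("\\werfault.exe"):
        return []
    findings: List[str] = []
    # A copy of the binary outside the Windows system directories is not the real reporter.
    if not image.startswith(EXPECTED_DIRS):
        findings.append("werfault_outside_system_dir")
    # A reporter started without the crash-handoff arguments has nothing to report on,
    # which is what a host process used purely as an injection target looks like.
    args = str(event.get("command_line", "")).lower().split()
    if any(flag not in args for flag in EXPECTED_ARGS):
        findings.append("werfault_without_crash_args")
    return findings


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run the check over a batch of events and return (pid, finding) pairs."""
    return [(int(e["pid"]), f) for e in events for f in werfault_findings(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # genuine crash report launched by a faulting notepad.exe
        "pid": 5100,
        "image": r"C:\Windows\System32\WerFault.exe",
        "command_line": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1084",
        "parent_image": r"C:\Windows\System32\notepad.exe",
    },
    {   # reporter started with no crash arguments by a dropper in a temp directory
        "pid": 6212,
        "image": r"C:\Windows\System32\WerFault.exe",
        "command_line": r"C:\Windows\System32\WerFault.exe",
        "parent_image": r"C:\Users\user\AppData\Local\Temp\update.exe",
    },
    {   # unrelated process, ignored by the check
        "pid": 904,
        "image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "parent_image": r"C:\Windows\System32\services.exe",
    },
    {   # same file name, wrong location
        "pid": 7330,
        "image": r"C:\Users\Public\WerFault.exe",
        "command_line": r"C:\Users\Public\WerFault.exe -u -p 7000 -s 12",
        "parent_image": r"C:\Users\Public\loader.exe",
    },
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Both checks are cheap enough to run over a full day of process-creation telemetry, and either one on its own is a reasonable triage lead; a hit on both at once, as in the last sample event, warrants looking at the parent process immediately.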
Universal Health Services says 250 US facilities were hit by a cyber attack
Universal Health Services (UHS), a health care network with more than 400 facilities in the United States, Puerto Rico and the United Kingdom, suffered an aggressive cyber attack, perhaps the largest in US history, during the early hours of Sunday morning. The attack brought down its digital networks and caused chaos in the hospitals' working routines. The hospital chain has stated that the IT services of its 250 facilities in the US were affected by last weekend's malware attack and that efforts to restore hospital networks are continuing. The network has not commented on reports that it was attacked by ransomware. BleepingComputer spoke to UHS employees who described the attack as having the characteristics of Ryuk, which has been widely linked to Russian cyber criminals and used against large companies.