
Vercara’s Open-Source Intelligence (OSINT) Report – June 14 – June 20, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


NiceRAT malware targets South Korean users via cracked software. 

(TLP: CLEAR) As of June 2024, a new malware campaign dubbed “NiceRAT” has been identified, primarily targeting entities in South Korea. This sophisticated malware has been designed to evade detection and carry out espionage activities. It infiltrates systems by exploiting vulnerabilities in software and employs various techniques to remain undetected, including fileless execution and encryption of its communication channels.

(TLP: CLEAR) Comments: NiceRAT specifically targets South Korean organizations, suggesting a strategic motive, possibly espionage or data theft. Security experts advise heightened vigilance and the implementation of robust cybersecurity measures to mitigate the risk posed by this emerging threat.

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 24 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
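The RFC 9424 guidance above (deploy IoCs at the control point with the widest aperture, such as the enterprise DNS resolver) and the Lists Engine description (block and allow lists of FQDNs, domains, IP addresses and CIDR blocks) both come down to the same matching logic. The following is an added illustration written for this report, not Vercara's or UltraDDR's code; the list contents, query names and addresses are constructed (RFC 5737 documentation ranges), and the allow-before-block precedence is an assumption chosen so an operator can override a bad feed entry.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockLists:
    fqdns: set = field(default_factory=set)       # exact hostnames only
    domains: set = field(default_factory=set)     # the domain and every subdomain beneath it
    networks: list = field(default_factory=list)  # ip_network objects: single IPs or CIDR blocks


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot so 'EXAMPLE.com.' and 'example.com' compare equal."""
    return name.rstrip(".").lower()


def build_lists(fqdns=(), domains=(), networks=()) -> BlockLists:
    """Normalize feed entries once at load time; strict=False accepts host bits in CIDR entries."""
    return BlockLists(
        fqdns={normalize_name(f) for f in fqdns},
        domains={normalize_name(d) for d in domains},
        networks=[ipaddress.ip_network(n, strict=False) for n in networks],
    )


def name_matches(name: str, lists: BlockLists) -> bool:
    """Exact FQDN hit, or any parent domain of the name appears in the domain list."""
    n = normalize_name(name)
    if n in lists.fqdns:
        return True
    labels = n.split(".")
    # Walk up the label chain: a.b.example.com -> b.example.com -> example.com -> com
    return any(".".join(labels[i:]) in lists.domains for i in range(len(labels)))


def ip_matches(ip: str, lists: BlockLists) -> bool:
    """True when the resolved address falls inside any listed IP or CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lists.networks)


def decide(qname: str, answers: list, allow: BlockLists, block: BlockLists) -> str:
    """Return 'ALLOW' or 'BLOCK' for one query together with the addresses it resolved to.

    Assumption for this example: allow-list hits win, so a false positive in a CTI
    feed can be overridden without editing the feed itself.
    """
    if name_matches(qname, allow) or any(ip_matches(a, allow) for a in answers):
        return "ALLOW"
    if name_matches(qname, block) or any(ip_matches(a, block) for a in answers):
        return "BLOCK"
    return "ALLOW"


# Constructed lists and queries for the demonstration (not real indicators).
BLOCK = build_lists(
    fqdns=["malware-c2.example.net"],
    domains=["badcdn.example"],
    networks=["203.0.113.0/24", "198.51.100.7"],
)
ALLOW = build_lists(fqdns=["status.badcdn.example"])

SAMPLE_QUERIES = [
    ("update.badcdn.example.", ["192.0.2.20"]),    # subdomain of a blocked domain
    ("www.example.com", ["192.0.2.10"]),           # nothing listed
    ("MALWARE-C2.example.net", ["192.0.2.44"]),    # exact FQDN hit, case-insensitive
    ("cdn.example.org", ["203.0.113.200"]),        # resolves into a blocked CIDR block
    ("status.badcdn.example", ["198.51.100.9"]),   # allow-list override of the domain block
]


def run_sample() -> dict:
    """Evaluate the constructed queries and return {qname: decision}."""
    return {q: decide(q, a, ALLOW, BLOCK) for q, a in SAMPLE_QUERIES}


if __name__ == "__main__":
    for qname, verdict in run_sample().items():
        print(f"{verdict:5s} {qname}")
```

The walk up the label chain is what makes a domain entry cover every subdomain, while an FQDN entry stays exact; keeping the two lists separate avoids accidentally blocking a whole registrable domain when only one host was reported.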

Source: https://thehackernews.com/2024/06/nicerat-malware-targets-south-korean.html   

Thousands of car dealerships stalled out after software provider cyberattack. 

(TLP: CLEAR) In a recent cybersecurity incident affecting thousands of car dealerships, a software provider experienced disruptions that impacted their services. This incident left dealerships unable to access critical software tools necessary for operations, including inventory management, sales processing, and customer relations management systems. The disruption stemmed from a cyber incident at the software provider, though specific details about the nature of the attack or compromise were not disclosed. 

(TLP: CLEAR) Comments: The aftermath caused significant operational downtime and financial losses for the affected dealerships, highlighting the dependence of automotive businesses on robust and secure software services. Efforts to restore services and mitigate the impact were underway, emphasizing the importance of resilience and contingency planning in the face of cyber threats targeting service providers in various industries. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented, or detected and addressed.  

“An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.  

“The deployed anti-malware solution(s):   

  • Detects all known types of malware.  
  • Removes, blocks, or contains all known types of malware. 

“Any system components that are not at risk for malware are evaluated periodically to include the following:   

  • A documented list of all system components not at risk for malware.  
  • Identification and evaluation of evolving malware threats for those system components.  
  • Confirmation whether such system components continue to not require anti-malware protection. 

“The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”  

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections. 
Source: https://www.darkreading.com/application-security/thousands-of-car-dealerships-stalled-out-after-software-provider-cyber-incident   

Chinese cyber espionage targets telecom operators in Asia since 2021. 

(TLP: CLEAR) In June 2024, a significant cyber espionage campaign targeting global telecommunications providers was uncovered and attributed to Chinese threat actors. The operation, dubbed “Cloudhopper,” aims to infiltrate the networks of telecommunications companies worldwide, enabling extensive surveillance and data exfiltration. The attackers employ sophisticated techniques, including supply chain attacks and exploiting vulnerabilities in network infrastructure and software.

(TLP: CLEAR) Comments: This campaign underscores ongoing efforts by Chinese cyber espionage groups to gather intelligence and potentially gain strategic advantages through unauthorized access to sensitive telecommunications data. Security experts emphasize the critical need for enhanced cybersecurity measures and vigilance within the telecommunications sector to mitigate the risks posed by such targeted operations. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in realtime with previously-observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 
Source: https://thehackernews.com/2024/06/chinese-cyber-espionage-targets-telecom.html   

Beware of malicious search results leading to SolarMarker malware installation. 

(TLP: CLEAR) As of the latest report, a new strain of malware known as “SolarMarker” has been identified, posing a significant threat to cybersecurity. SolarMarker operates as a malicious search engine optimization (SEO) malware that infiltrates systems through deceptive websites hosting fake software downloads and updates. Once installed, it establishes persistence on infected systems, evades detection using anti-analysis techniques, and communicates with its command-and-control servers. 

(TLP: CLEAR) Comments: SolarMarker’s primary goal is to deploy additional payloads, steal sensitive information, and conduct further malicious activities. Security experts highlight the malware’s complex infection chain and recommend robust endpoint protection, regular updates, and user education to mitigate the risk of infection and data compromise. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: “Anti-malware mechanisms and processes are active, maintained, and monitored 

“The anti-malware solution(s) is kept current via automatic updates. 

“The anti-malware solution(s):  
• Performs periodic scans and active or real-time scans.  
OR  
• Performs continuous behavioural analysis of systems or processes. 

“If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.” 

Regular updating of anti-malware definitions and performing periodic scans consumes processing time and disk input/output. As a result, most updates and scans happen overnight, leaving a detection gap of up to several days depending on the type of device. Protective DNS solutions can update their detection rules in real-time and provide support for network-based behavioural analytics.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 
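The two C2 techniques named above, domain generation algorithms and DNS tunneling, leave distinct traces in resolver logs: a DGA-infected host produces bursts of NXDOMAIN answers for long, random-looking names, while tunneling shows up as many unique, long subdomain labels under one registrable domain. The example below is added for this report and is not Vercara's or UltraDDR's detection logic; the log format, thresholds and the two-label approximation of a registrable domain are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample resolver log. Format assumed for this example only:
#   <timestamp> <client_ip> <qtype> <rcode> <qname>
SAMPLE_LOG = """\
2024-06-18T10:00:01Z 10.0.0.5 A NOERROR www.example.com
2024-06-18T10:00:02Z 10.0.0.5 A NOERROR mail.example.com
2024-06-18T10:00:03Z 10.0.0.9 A NXDOMAIN kqzvwxrtyplmqa.net
2024-06-18T10:00:03Z 10.0.0.9 A NXDOMAIN xpwmrqzlvtkbcn.com
2024-06-18T10:00:04Z 10.0.0.9 A NXDOMAIN rtqmzkvlpwxbna.org
2024-06-18T10:00:04Z 10.0.0.9 A NXDOMAIN zmqlvtxrpkwbcy.info
2024-06-18T10:00:06Z 10.0.0.7 TXT NOERROR 4a6f686e20446f65.2b3c4d5e6f708192.t.exfil-test.example
2024-06-18T10:00:06Z 10.0.0.7 TXT NOERROR a3b4c5d6e7f80910.1122334455667788.t.exfil-test.example
2024-06-18T10:00:07Z 10.0.0.7 TXT NOERROR 99aabbccddeeff00.0123456789abcdef.t.exfil-test.example
2024-06-18T10:00:07Z 10.0.0.7 TXT NOERROR fedcba9876543210.0f1e2d3c4b5a6978.t.exfil-test.example
2024-06-18T10:00:08Z 10.0.0.7 TXT NOERROR 1a2b3c4d5e6f7a8b.8b7a6f5e4d3c2b1a.t.exfil-test.example
2024-06-18T10:00:09Z 10.0.0.5 A NOERROR cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registrable_domain) using the last two labels.
    Assumption: a production system would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the assumed five-field log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, rcode, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype, "rcode": rcode, "qname": qname})
    return records


def find_dga_clients(records, nx_min=3, entropy_min=3.0, length_min=10) -> set:
    """Clients with at least nx_min NXDOMAIN answers for long, high-entropy second-level labels."""
    hits = defaultdict(int)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        _, reg = split_name(r["qname"])
        sld = reg.split(".")[0]
        if len(sld) >= length_min and shannon_entropy(sld) >= entropy_min:
            hits[r["client"]] += 1
    return {client for client, n in hits.items() if n >= nx_min}


def find_tunnel_domains(records, unique_min=4, sub_len_min=30) -> set:
    """Registrable domains receiving many unique, long subdomain labels (data carried in the name)."""
    subs = defaultdict(set)
    for r in records:
        sub, reg = split_name(r["qname"])
        subs[reg].add(sub)
    flagged = set()
    for reg, names in subs.items():
        if len(names) >= unique_min:
            avg_len = sum(len(s) for s in names) / len(names)
            if avg_len >= sub_len_min:
                flagged.add(reg)
    return flagged


def analyze(text: str = SAMPLE_LOG) -> dict:
    """Run both heuristics over a log and return the suspects found."""
    records = parse_log(text)
    return {
        "dga_clients": find_dga_clients(records),
        "tunnel_domains": find_tunnel_domains(records),
    }


if __name__ == "__main__":
    print(analyze())
```

Both heuristics are deliberately per-entity (per client for DGA, per registrable domain for tunneling) because that is the grouping a resolver-level control can act on: the first answers "which host should be isolated", the second "which domain should be blocked or rate-limited". Thresholds should be tuned against a baseline of the environment's own traffic, since content-delivery and anti-spam services also legitimately use long generated labels.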
Source: https://cybersecuritynews.com/malicious-search-solarmarker-malware/   

Hackers attacking ERP server to deploy proxy and VPN services. 

(TLP: CLEAR) Hackers targeted enterprise resource planning (ERP) servers to deploy a malicious Virtual Private Network (VPN) configuration. The attack involved unauthorized access to ERP systems, where attackers modified the VPN settings to establish a covert channel for command-and-control communication. This method enabled the hackers to maintain persistent access and conduct further malicious activities undetected. 

(TLP: CLEAR) Comments: Such attacks highlight vulnerabilities in ERP systems and emphasize the importance of securing VPN configurations and monitoring for unauthorized changes. Organizations are advised to implement robust access controls for their application servers, regularly update/patch ERP software, and perform egress monitoring from application servers and server farms to prevent and detect similar intrusions. 

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.

“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. 

“WAFs may come in the form of an appliance, server plugin, or filter and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: To protect the ERP server from compromise, Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.

Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines. It uses defined categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration and malware detonation.
Source: https://cybersecuritynews.com/hackers-attack-erp-server-deploy-vpn/  

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
