Our threat intelligence this week highlighted novel techniques being adopted across the threat landscape to make campaigns more convincing. For example, the Iran-affiliated espionage group TA453 has been observed using several fake personas within a single email conversation with a target to make the correspondence appear more authentic. The technique, dubbed Multi-Persona Impersonation (MPI), was used to impersonate legitimate individuals at Western foreign policy research organisations and deliver malicious documents via OneDrive links.

Meanwhile, cybercriminals have used a Browser-in-the-Browser (BitB) phishing technique to steal credentials for the gaming platform Steam. Whereas a typical phishing site opens in a new tab or window, BitB renders a fake browser pop-up, complete with a spoofed address bar, entirely within the active tab of the phishing page using ordinary HTML, CSS and JavaScript. The pop-up imitates Steam's legitimate login window and tricks users into entering their credentials, which the phishing page then captures. Because the fake window is just page content, it cannot be dragged outside the browser's own viewport and the URL it shows is never the page's real origin; these are the practical tells for a user or a scanner. The technique is likely to be reused against other well-known services, such as Microsoft or Google, to harvest both credentials and Multi-Factor Authentication codes.
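The BitB mechanism described above lends itself to a simple programmatic check. The JavaScript below is an added example written for this digest, not code from the original page or from any of the reports it summarises; the markup samples, the host name evil.example and the function names are constructed for illustration. It reduces a page's markup to the hosts it displays as text, the hosts of the frames it really loads and whether it collects a password, then flags the case where the displayed host is backed by neither, which is the one thing a BitB pop-up cannot fake.

```javascript
// Added example (not code from the original page or from any report it
// summarises): a heuristic that flags Browser-in-the-Browser style fake login
// pop-ups. Assumption: the fake "window" is ordinary page markup, so the URL it
// paints in its pretend address bar is plain text rather than the real origin
// of the document or of any frame that actually holds the login form.

const URL_IN_TEXT = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(?:[/?#][^\s"'<>]*)?/gi;

// Lower-cased hostname of a URL string, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Reduce an HTML fragment to the facts the heuristic needs. Regex-based so it
// runs under Node; in a browser read the same facts from the live DOM
// (textContent, iframe.src, input[type=password]).
function describeMarkup(html, pageOrigin) {
  const noScripts = html.replace(/<script[\s\S]*?<\/script>/gi, '');
  const frameSrcs = [...noScripts.matchAll(/<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi)].map(m => m[1]);
  const hasPasswordField = /<input\b[^>]*\btype=["']?password["']?/i.test(noScripts);
  const visibleText = noScripts.replace(/<[^>]+>/g, ' ');
  const displayedHosts = [...new Set(
    [...visibleText.matchAll(URL_IN_TEXT)].map(m => hostOf(m[0])).filter(Boolean)
  )];
  return {
    pageHost: hostOf(pageOrigin),
    frameHosts: frameSrcs.map(hostOf).filter(Boolean),
    hasPasswordField,
    displayedHosts,
  };
}

// A pop-up is suspicious when the host shown in its visible "address bar" is
// neither the page's real host nor the host of any frame actually loaded, and
// the markup collects credentials (a password field, or a frame that could
// hold one). BitB can draw any URL it likes but cannot change the true origin;
// that mismatch is the invariant this check relies on. Treat a hit as a triage
// signal: a page that merely prints a URL next to an embedded video trips it too.
function classifyPopup(desc) {
  const realHosts = new Set([desc.pageHost, ...desc.frameHosts].filter(Boolean));
  const spoofedHosts = desc.displayedHosts.filter(h => !realHosts.has(h));
  const collectsCredentials = desc.hasPasswordField || desc.frameHosts.length > 0;
  return { suspicious: collectsCredentials && spoofedHosts.length > 0, spoofedHosts, realHosts: [...realHosts] };
}

// Constructed samples (illustrative markup, not captured from a real campaign).
// 1) A BitB pop-up as a phishing page served from https://evil.example might
//    render it: spoofed title bar text, login form inside the page itself.
const BITB_SAMPLE = `
<div class="fake-window">
  <div class="titlebar">&#128274; https://steamcommunity.com/openid/login</div>
  <iframe src="https://evil.example/steam-login-frame.html"></iframe>
  <form action="/collect"><input name="user"><input type="password" name="pass"></form>
</div>`;
// 2) A genuine login page that shows its real host in the text.
const GENUINE_LOGIN_SAMPLE = `
<p>Signing in at https://steamcommunity.com/login</p>
<form action="/login"><input name="user"><input type="password" name="pass"></form>`;
// 3) A help article that prints a URL but collects nothing.
const HELP_ARTICLE_SAMPLE = `<p>Log in at https://steamcommunity.com/login and open your profile.</p>`;

// Run the three samples and return the verdicts keyed by sample.
function demo() {
  return {
    bitb: classifyPopup(describeMarkup(BITB_SAMPLE, 'https://evil.example')),
    genuine: classifyPopup(describeMarkup(GENUINE_LOGIN_SAMPLE, 'https://steamcommunity.com')),
    help: classifyPopup(describeMarkup(HELP_ARTICLE_SAMPLE, 'https://help.steampowered.com')),
  };
}
console.log(JSON.stringify(demo(), null, 2));

// In a browser (e.g. an extension content script) run the same check against
// the live page; guarded so the file also loads under Node.
if (typeof document !== 'undefined') {
  const verdict = classifyPopup(describeMarkup(document.body.innerHTML, location.origin));
  if (verdict.suspicious) {
    console.warn('Possible BitB pop-up: displayed host(s) not backed by a real origin', verdict.spoofedHosts);
  }
}
```

Only the BitB sample is flagged: its title bar names steamcommunity.com while the page and its frame both belong to evil.example. The genuine login shows the host it really runs on, and the help article names a foreign host but collects no credentials. The regex markup reduction is a stand-in for DOM access; a content script would also walk same-origin frames, since real BitB kits usually put the form inside an iframe rather than in the outer page.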

Key Vulnerabilities

  1. CVE-2022-20695
    An authentication bypass vulnerability (CVSS: 10|OVSS: 40) in Cisco Wireless LAN Controller (WLC) Software that is currently being exploited in the wild. An unauthenticated, remote adversary could bypass authentication controls and log in to the device through the management interface as an administrator using crafted credentials. Cisco's advisory states that a device is affected only when the MAC filter RADIUS compatibility mode is set to Other, which is not the default; the current setting is visible in the output of show macfilter summary. Affected devices should be upgraded to a fixed release.
  2. CVE-2022-34721
    A remote code execution vulnerability (CVSS: 9.8|OVSS: 29) in Windows Internet Key Exchange (IKE) Protocol Extensions. An unauthenticated remote adversary could send a specially crafted IP packet to a Windows machine that has IPsec enabled and achieve remote code execution. Microsoft notes that only IKEv1 is affected, but because Windows hosts accept both IKEv1 and IKEv2 packets, every system with IPsec enabled should be patched, and IKE (UDP 500 and 4500) should not be exposed to untrusted networks.
  3. CVE-2022-39824
    A server-side JavaScript injection vulnerability (CVSS: 8.9|OVSS: 24) affecting Appsmith versions through 1.7.14. A remote threat actor could execute arbitrary JavaScript on the server via the currentItem property of the list widget, for example to cause a denial of service or steal information. Users should upgrade to a release later than 1.7.14.

Key Intelligence Reports

  1. Chinese-linked espionage group formerly associated with ShadowPad adopts new toolset against public entities in Asia
    Since early 2021, a group of espionage operators formerly associated with the ShadowPad Remote Access Trojan (RAT) has employed a new toolset in an ongoing intelligence-collection campaign targeting government and state-owned entities across multiple Asian countries. Read full report >>
  2. Iran-affiliated espionage group TA453 deploys Multi-Persona Impersonation phishing campaigns
    Since June 2022, the Iran-affiliated espionage group TA453 (whose activity overlaps with the cluster tracked as Charming Kitten and PHOSPHORUS) has been observed employing a novel targeted social engineering technique tracked as Multi-Persona Impersonation (MPI). Read full report >>
  3. Steam accounts targeted in new Browser-in-the-Browser phishing technique
    Threat actors are targeting user accounts on the popular gaming platform and online store Steam using a new Browser-in-the-Browser (BitB) phishing technique that steals login credentials; access to hijacked accounts, some valued at up to USD 300,000, is then sold on. Read full report >>

If you come across any issues or need assistance, please do not hesitate to reach out to Secrutiny. 

What is OVSS?

The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, each CVE, building on the vulnerability information provided by the CVSS (Common Vulnerability Scoring System) score.
