EclecticIQ
Threat actors leverage Microsoft RDP service and RTF files

EclecticIQ Threat Research Team February 5, 2021

Biweekly Threat Intelligence Update Week 5

Summary of Findings

  • Website offers data allegedly stolen during SolarWinds breach
  • Researchers reveal specifics of FIN7 hacking group's malware
  • RDP exposure leads to Dharma ransomware infections
  • Chinese threat groups target Windows vulnerabilities with RTF documents
  • Lokibot TTP uses blurred images to encourage users to enable macros
  • Threat actors leak stolen COVID-19 vaccine documents following December 2020 breach


“SolarLeaks” website appears to be a scam

A website called SolarLeaks advertised the sale of data allegedly belonging to SolarWinds, FireEye and Microsoft Windows, claimed to have been stolen through the SolarWinds compromise. EclecticIQ analysts cannot verify the authenticity of the data at this time; the listed URLs only show file names that match some of the targeted companies.

The threat actors also claim to be selling the source code of multiple Cisco products. Cisco has stated it has no evidence that proprietary data was stolen in the related attacks.

The domain was registered on 11 January 2021 through Njalla, a registrar that Fancy Bear, a Russian state-sponsored APT group, has used in the past. The NS record suffixes for the domain spell out "YOU CAN GET NO IN FO" - very likely a taunt aimed at security researchers.

Based on preliminary reporting and the circumstances of the alleged release, EclecticIQ analysts are weighing the following hypotheses:

  • The site is a scam by unrelated actors trying to monetize the SolarWinds events.
  • The original Sunburst operators released the data.
  • The data stems from unrelated fourth-party collection and sale.
  • The sale is a false-flag operation intended to mislead attribution by using infrastructure associated with a known APT group.

Morphisec researchers publish details about a malware variant called JSSLoader

FIN7, a financially motivated threat actor, is suspected of using a remote access trojan (RAT) named JSSLoader in several campaigns. JSSLoader provides exfiltration, persistence, auto-update and download of further malware, among other features. Morphisec researchers confirmed that the attack begins with a VBScript delivered by phishing email, which downloads and installs the primary JSSLoader payload.

The RAT is responsible for reflectively loading and executing the Carbanak malware. The researchers noted that JSSLoader connects to a command-and-control server hosted by FranTech Solutions, a provider the FIN7 group has used before.

Unsecured RDP services enable installation of Dharma ransomware

According to Zscaler, threat actors scan for machines exposing the Remote Desktop Protocol (RDP) service. After finding potential victims, the attackers gain initial access by brute-forcing RDP or using stolen RDP credentials, and eventually install Dharma ransomware. Organizations should harden RDP (strong credentials, account lockout, multi-factor authentication where available) and/or front it with a zero trust access architecture, so that remote users can reach these servers without the service being exposed to the entire internet.
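The brute-force stage described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) of the RDP logon type from one source address, followed by a successful logon (Event ID 4624) from the same address. The detection below is an added example written for this page, not code from EclecticIQ or Zscaler; the JSON-lines event shape and the field names (`event_id`, `logon_type`, `src_ip`, `user`) are this example's own assumptions about a SIEM or agent export, and the sample events are constructed.

```python
"""Detect RDP password guessing in exported Windows Security events.

Added example: flags a source IP that produces `threshold` failed logons
(Event ID 4625) of the RDP logon type within `window`, and raises a second
alert if the same IP later obtains a successful logon (Event ID 4624).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry). Field names are assumed for this
# example, not a vendor schema. 0xc000006d/0xc000006a are the NTSTATUS codes
# Windows reports for bad user name or password / wrong password.
SAMPLE_EVENTS = """\
{"time":"2021-01-28T02:00:01Z","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:02Z","event_id":4625,"logon_type":3,"user":"administrator","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:04Z","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:09Z","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:15Z","event_id":4625,"logon_type":10,"user":"backup","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:20Z","event_id":4625,"logon_type":10,"user":"test","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:00:27Z","event_id":4625,"logon_type":10,"user":"backup","src_ip":"203.0.113.7","status":"0xc000006d"}
{"time":"2021-01-28T02:03:30Z","event_id":4624,"logon_type":10,"user":"backup","src_ip":"203.0.113.7"}
{"time":"2021-01-28T01:59:00Z","event_id":4624,"logon_type":10,"user":"svc_monitor","src_ip":"192.0.2.10"}
{"time":"2021-01-28T02:10:00Z","event_id":4625,"logon_type":10,"user":"jdoe","src_ip":"198.51.100.9","status":"0xc000006a"}
{"time":"2021-01-28T02:11:00Z","event_id":4625,"logon_type":10,"user":"jdoe","src_ip":"198.51.100.9","status":"0xc000006a"}
{"time":"2021-01-28T02:11:30Z","event_id":4624,"logon_type":10,"user":"jdoe","src_ip":"198.51.100.9"}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `time`, sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          logon_types=(10,)):
    """Sliding-window count of 4625 failures per source IP.

    Logon type 10 (RemoteInteractive) is what a plain RDP logon produces. When
    Network Level Authentication is enforced, a failed RDP attempt is recorded
    with logon type 3 instead, so pass logon_types=(3, 10) for NLA hosts.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of failures inside the window
    flagged = set()                 # src_ips already alerted on
    alerts = []
    for ev in events:
        if ev.get("logon_type") not in logon_types:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append(ev["time"])
            while ev["time"] - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src_ip": ip,
                    "failures": len(recent),
                    "first": recent[0].strftime(TIME_FMT),
                    "last": ev["time"].strftime(TIME_FMT),
                })
        elif ev["event_id"] == 4624 and ip in flagged:
            # A success after a guessing burst is the initial access the page describes.
            alerts.append({
                "type": "rdp_bruteforce_success",
                "src_ip": ip,
                "user": ev["user"],
                "time": ev["time"].strftime(TIME_FMT),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, 203.0.113.7 trips the threshold at its fifth type-10 failure and is reported again when the `backup` account logs in three minutes later; the two failures from 198.51.100.9 stay below the threshold. The logon-type-3 line only counts when `logon_types=(3, 10)` is passed, which is what an NLA-enforced host needs.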

Chinese threat groups exploit Microsoft Office

Several Chinese threat groups use the Royal Road RTF weaponizer to exploit Microsoft Office Equation Editor vulnerabilities and gain initial access. Organizations whose threat landscape includes Chinese threat groups should inspect RTF files attached to incoming emails and limit exposure by remediating the targeted vulnerabilities.
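Reviewing RTF attachments for Equation Editor objects can be automated: the embedded object sits in a `\objdata` group as hex text, and once decoded it carries the ProgID `Equation.3` and/or the CLSID `{0002CE02-0000-0000-C000-000000000046}` of the EQNEDT32.EXE server, while `\objupdate` forces the object to load as soon as the document is opened. The scanner below is an added example written for this page, not EclecticIQ's or the Royal Road tool's code; the indicator names and the triage thresholds are this example's own, and the sample documents are constructed (the "malicious" one contains only a fake OLE header naming Equation.3, no exploit).

```python
"""Heuristic triage of RTF attachments for embedded Equation Editor objects.

Added example: decodes every \\objdata blob in an RTF file and looks for the
ProgID/CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), plus the \\objupdate
control word that makes Word load the object on open.
"""
import binascii
import re

EQUATION_PROGID = b"Equation.3"
# {0002CE02-0000-0000-C000-000000000046} in the byte order used on disk
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?[0-9]* ?")
NOT_HEX = re.compile(rb"[^0-9A-Fa-f]")


def extract_objdata(rtf):
    """Return the decoded bytes of each {\\*\\objdata ...} group.

    The group body is hex text. Obfuscated samples sprinkle control words,
    whitespace and line breaks into it, so control words are removed and only
    hex digits are kept; scanning stops at the brace closing the group.
    (Escaped braces \\{ \\} inside the body would confuse this simple scanner.)
    """
    blobs = []
    for match in re.finditer(rb"\\objdata", rtf):
        depth, pos = 0, match.end()
        while pos < len(rtf):
            ch = rtf[pos:pos + 1]
            if ch == b"{":
                depth += 1
            elif ch == b"}":
                if depth == 0:
                    break
                depth -= 1
            pos += 1
        body = CONTROL_WORD.sub(b"", rtf[match.end():pos])
        hexdigits = NOT_HEX.sub(b"", body)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        blobs.append(binascii.unhexlify(hexdigits))
    return blobs


def triage_rtf(data):
    """Return a dict of indicators and a verdict for one attachment."""
    head = data.lstrip()
    result = {
        "is_rtf": head.startswith(b"{\\rt"),   # Word only checks for "{\rt", not "{\rtf1"
        "nonstandard_header": False,
        "objdata_count": 0,
        "objupdate": False,
        "equation_progid": False,
        "equation_clsid": False,
        "package_object": False,
        "verdict": "not_rtf",
    }
    if not result["is_rtf"]:
        return result
    result["nonstandard_header"] = not head.startswith(b"{\\rtf1")
    result["objupdate"] = b"\\objupdate" in data
    blobs = extract_objdata(data)
    result["objdata_count"] = len(blobs)
    for blob in blobs:
        result["equation_progid"] |= EQUATION_PROGID in blob
        result["equation_clsid"] |= EQUATION_CLSID in blob
        # An OLE Package object carries an embedded file that is written to disk when activated.
        result["package_object"] |= b"Package" in blob
    if re.search(rb"\\objclass\s*Equation\.3", data):   # server may also be named in clear text
        result["equation_progid"] = True
    suspicious = (result["equation_progid"] or result["equation_clsid"]
                  or (result["objupdate"] and bool(blobs)))
    result["verdict"] = "suspicious" if suspicious else "clean"
    return result


def _constructed_equation_objdata():
    """Constructed OLE1-style header naming Equation.3 plus bytes carrying the CLSID.
    This is test data for the scanner, not a real exploit object."""
    ole1 = (b"\x01\x05\x00\x00"                                   # OLE1 version
            + b"\x02\x00\x00\x00"                                 # format id: embedded object
            + b"\x0b\x00\x00\x00" + EQUATION_PROGID + b"\x00"     # class name, NUL-terminated
            + b"\x00" * 8                                         # empty topic and item names
            + b"\x20\x00\x00\x00" + EQUATION_CLSID + b"\x00" * 16)  # fake native data
    hexdata = binascii.hexlify(ole1)
    # obfuscation seen in the wild: a junk control word and line break inside the hex
    return hexdata[:20] + b"\\par \r\n" + hexdata[20:]


SAMPLE_MALICIOUS = (b"{\\rt\\ansi{\\object\\objemb\\objupdate{\\*\\objdata "
                    + _constructed_equation_objdata() + b"}}}")
SAMPLE_BENIGN = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0\\fs22 Quarterly report attached.\\par}"

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(doc))
```

The checks are deliberately independent of any one exploit: the ProgID, CLSID and `\objupdate` indicators fire on any document that embeds the Equation Editor server, which in an environment where the component has been removed or patched should never be a legitimate attachment. Run it on a mail-gateway quarantine folder and route anything `suspicious` to a sandbox rather than treating the verdict as final.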

Latest Lokibot sample relies on common technique to infect users’ machines

Researchers at Talos have analysed the latest Lokibot sample, which relies on the well-known technique of placing a deliberately blurred image in a document to persuade users to enable macros. They also observed that the malware uses a multi-layered dropper: three stages and three layers of encryption hide the final payload.

The attack begins with a malicious XLS attachment sent by phishing email. Its obfuscated macro downloads a heavily packed second-stage downloader, which carries the triple-encrypted Lokibot payload; that payload is deployed in the third stage after a privilege escalation. Attackers have also been observed combining different techniques to make detection harder.

Pfizer and BioNTech COVID-19 vaccine data released online

The European Medicines Agency (EMA) issued a statement on 9 December 2020 disclosing that it had been the subject of a cyberattack; no details of the incident were given at the time. On 12 January 2021, EMA posted an update revealing that threat actors had unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties, and that some of those documents had been illegally leaked on the internet.

BioNTech, a COVID-19 vaccine developer, revealed that documents relating to the regulatory submission for the Pfizer/BioNTech vaccine candidate BNT162b2 had been stored on an EMA server and were unlawfully accessed as part of the incident. According to the statement, no Pfizer or BioNTech systems were breached.


© 2014 – 2021 EclecticIQ B.V.