Threat actors didn't go on vacation during August, and they kept exploiting vulnerabilities to carry out their operations.
A zero-day vulnerability in Citrix, tracked as CVE-2023-3519, was exploited by a financially motivated actor linked to the FIN8 group. Rapid7 also observed increased threat activity targeting Cisco ASA SSL VPN appliances that lacked MFA, and the Dreambot botnet surfaced again, targeting a RocketMQ vulnerability tracked as CVE-2023-33246. In addition, the notorious Lazarus group exploited a vulnerability in ManageEngine (CVE-2022-47966) to deploy a new RAT dubbed QuiteRAT.

Ransomware gangs continued improving their lucrative business. FortiGuard Labs discovered a new ransomware variant called Trash Panda, and SentinelOne published a new blog post on how the most active ransomware families, such as Akira, Monti Locker, Trigona, and Abyss Locker, have adapted their payloads to target Linux and ESXi servers.

Finally, a new study by Uptycs reveals a rise in the distribution of infostealers over the past year. According to Uptycs, incidents involving infostealers targeting Windows, Linux, and macOS systems more than doubled in Q1 2023 compared to the same period last year.
Tracking, Detection & Hunting Capabilities
The following Adversary Trackers automatically identify and detect malicious infrastructure:
- Sliver
- Predator the Thief
- PowerShell Empire
- NimbleWay
- Amadey Stealer
- Meduza infostealer
- RedLine
- Raccoon
The following USM Anywhere detections were added or improved in August: