Most recent events in the threat landscape - August 2023


Threat actors didn't go on vacation during August, and they kept exploiting vulnerabilities to carry out their operations.

A zero-day vulnerability in Citrix NetScaler ADC and Gateway, tracked as CVE-2023-3519, was exploited by a financially motivated actor linked to the FIN8 group. Rapid7 also observed increased brute-force activity against Cisco ASA SSL VPN appliances that were not protected with MFA, and the DreamBus botnet resurfaced, exploiting a remote code execution vulnerability in Apache RocketMQ tracked as CVE-2023-33246. Meanwhile, the notorious Lazarus group exploited a ManageEngine vulnerability (CVE-2022-47966) to deploy a new remote access trojan dubbed QuiteRAT.

Ransomware gangs continued to refine their lucrative business. FortiGuard Labs discovered a new ransomware variant called Trash Panda, and SentinelOne published a blog on how the most active ransomware families, such as Akira, Monti Locker, Trigona and Abyss Locker, have adapted their payloads to target Linux and ESXi servers.

Finally, a new study by Uptycs reveals a rise in the distribution of infostealers over the past year. According to Uptycs, incidents involving infostealers targeting Windows, Linux and macOS systems more than doubled in Q1 2023 compared to the same period of the previous year.
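The Citrix exploitation above is also what the three "Potential WebShell associated with Citrix Netscaler CVE-2023-3519" network detections listed later in this post cover, under the vpn/theme, uiareas and epa/scripts paths. As an added illustration, and not USM Anywhere's own detection logic, the Python below hunts for the same pattern in web access logs: requests for PHP-style script files under those directories that are not in a baseline of files known to exist on a clean appliance. The URL layout of the directories, the log format, the baseline entry and the sample log lines are all constructed assumptions; a real baseline must come from a known-good NetScaler. Requests are normalised (URL-decoded twice, dot segments collapsed, extension compared case-insensitively) so that encoded or traversal variants of the same path are not missed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Directories the CVE-2023-3519 web shell detections refer to. Their exposure as
# URL paths relative to the web root is an assumption made for this example.
WATCHED_DIRS = ("/vpn/theme/", "/logon/LogonPoint/uiareas/", "/epa/scripts/")

# Script extensions an attacker-dropped web shell would typically use.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar"}

# Assumed baseline of legitimate script files under the watched directories.
# Placeholder only: take the real list from a clean appliance of the same build.
BASELINE = {"/epa/scripts/helper.php"}

# Combined-log-format line: src ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (not captured from a real device).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Aug/2023:09:12:01 +0000] "POST /vpn/theme/prod.php HTTP/1.1" 200 512
203.0.113.7 - - [14/Aug/2023:09:12:05 +0000] "GET /vpn/theme/%2e%2e/theme/prod.php?cmd=id HTTP/1.1" 200 1024
198.51.100.3 - - [14/Aug/2023:09:13:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096
198.51.100.3 - - [14/Aug/2023:09:13:02 +0000] "GET /logon/LogonPoint/uiareas/custom.css HTTP/1.1" 200 2048
203.0.113.7 - - [14/Aug/2023:09:14:00 +0000] "GET /logon/LogonPoint/uiareas/../uiareas/a.PHP HTTP/1.1" 200 300
192.0.2.5 - - [14/Aug/2023:09:15:00 +0000] "GET /epa/scripts/helper.php HTTP/1.1" 200 700
"""


def normalize_path(target):
    """Return the canonical absolute path of a request target.

    Strips the query string, decodes percent-encoding twice (to defeat double
    encoding) and collapses '.' and '..' segments so traversal variants of the
    same file compare equal.
    """
    path = urlsplit(target).path
    path = unquote(unquote(path))
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def is_suspicious(norm_path, baseline=BASELINE):
    """A script file under a watched directory that is not in the baseline."""
    if not any(norm_path.startswith(d) for d in WATCHED_DIRS):
        return False
    if posixpath.splitext(norm_path)[1].lower() not in SCRIPT_EXTENSIONS:
        return False
    return norm_path not in baseline


def hunt_webshell_requests(log_text, baseline=BASELINE):
    """Parse access-log lines and return one hit per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        norm = normalize_path(m["target"])
        if is_suspicious(norm, baseline):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "raw": m["target"],
                "path": norm,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_webshell_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['raw']} -> {hit['path']}")
```

Only the three requests from 203.0.113.7 are flagged: the encoded `%2e%2e` request and the `../uiareas/a.PHP` request both collapse to paths under a watched directory, while the baselined `helper.php`, the stylesheet and `index.html` are ignored. Any hit should be followed by a file-system check of the same directories on the appliance, since a network detection only sees what was requested, not what was written.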

Tracking, Detection & Hunting Capabilities
The following Adversary Trackers were added to automatically identify and detect malicious infrastructure:
  1. Sliver
  2. Predator the Thief
  3. PowerShell Empire
  4. NimbleWay
  5. Amadey Stealer
  6. Meduza infostealer
  7. RedLine
  8. Raccoon
The following USM Anywhere detections were added or improved in August:
  1. Delivery & Attack - Account Manipulation - Duo Two Factor Authentication: User Locked Out
  2. Delivery & Attack - Account Manipulation - RSA Authentication Manager: Password change after login
  3. Delivery & Attack - Brute Force Authentication - Duo Two Factor Authentication: Multiple login failures
  4. Delivery & Attack - Brute Force Authentication - Duo Two Factor Authentication: Password Spraying
  5. Delivery & Attack - Brute Force Authentication - Fortinet Authenticator - Repeated login failure
  6. Delivery & Attack - Brute Force Authentication - Fortinet Authenticator - Successful Authentication After Brute Force
  7. Delivery & Attack - Brute Force Authentication - Sophos XG: Successful authentication after brute force on admin account
  8. Delivery & Attack - C&C Communication - Office Application Using Un-Common Port
  9. Delivery & Attack - Defense Evasion - System Tool - Chromium File Download with Headless Browser
  10. Delivery & Attack - Denial of Service - Resource Exhaustion - FortiAnalyzer - UTM Flood Activity Detected
  11. Delivery & Attack - Malicious Network Activity - Palo Alto - Hacking Tool Detected
  12. Delivery & Attack - Network Attack - McAfee - Outbound Possible Attack to Exploit
  13. Delivery & Attack - Network Attack - McAfee - Possible Attack to Exploit
  14. Delivery & Attack - Phishing - Proofpoint Targeted Attack Protection: A message containing a threat was delivered
  15. Delivery & Attack - Suspicious Security Critical Event - FortiAnalyzer - UTM IPS Event Blocked
  16. Delivery & Attack - Suspicious Security Critical Event - FortiAnalyzer - UTM WebApp Detection
  17. Delivery & Attack - Vulnerability Scanning - SMBGhost scanning activity
  18. Environmental Awareness - Account Manipulation - Salesforce SetupAuditTrail: Delete authentication data multiple users
  19. Environmental Awareness - Account Manipulation - Salesforce SetupAuditTrail: Remove role multiple users
  20. Environmental Awareness - Account Manipulation - Stealth Bits: Password was changed by another user
  21. Environmental Awareness - Anomalous User Behavior - Duo Two Factor Authentication: Impossible travel
  22. Environmental Awareness - Anomalous User Behavior - EC2 user data accessed
  23. Environmental Awareness - Anomalous User Behavior - O365 High Volume of Mail Items Accessed in Short Period of Time
  24. Environmental Awareness - Anomalous User Behavior - Trend Micro Deep Discovery Inspector: User locked out
  25. Environmental Awareness - Anomalous User Behavior - Windows Logon: Successful Authentication After Brute Force For Default Account
  26. Environmental Awareness - Anonymous Channel - Suspicious Internal Traffic With Tor Node
  27. Environmental Awareness - Anonymous Channel - Suspicious Outbound Traffic to Tor Entry Node
  28. Environmental Awareness - Brute Force Authentication - ForeScout NAC: Successful Authentication After Brute Force
  29. Environmental Awareness - Brute Force Authentication - Stealth Bits: Successful Authentication After Brute Force
  30. Environmental Awareness - Collection - Compression followed by encryption
  31. Environmental Awareness - Configuration Modification - Azure AD Add Partner to Cross Tenant Access
  32. Environmental Awareness - Configuration Modification - Azure AD Inbound User Synch Enabled
  33. Environmental Awareness - Credential Access - NLTest Domain Trust Discovery
  34. Environmental Awareness - Credential Misuse - EC2 Instance Connect to multiple instances
  35. Environmental Awareness - Data Exfiltration - ForeScout NAC: Backup File Transfer
  36. Environmental Awareness - Data Exfiltration - Trend Micro Deep Discovery Inspector: Possible Data Exfiltration
  37. Environmental Awareness - Defense Evasion - Cover Tracks - Windows File Cleanup After Installation
  38. Environmental Awareness - Defense Evasion - Masquerading - Trend Micro Deep Discovery Inspector: Suspicious File Rename
  39. Environmental Awareness - Malicious Network Activity - Cisco NGFW - Connection to Malicious Sites Denied
  40. Environmental Awareness - Malicious Network Activity - Cisco NGFW - Connection to Malicious Sites Detected
  41. Environmental Awareness - Phishing - Proofpoint Targeted Attack Protection: Click to threat permitted
  42. Environmental Awareness - Security Critical Event - SentinelOne - Malicious activity detected
  43. Environmental Awareness - Security Critical Infrastructure Update - AWS EC2 new startup data
  44. Environmental Awareness - Security Critical Infrastructure Update - EBS Snapshot shared with another AWS Account
  45. Environmental Awareness - Security Critical Infrastructure Update - ForeScout NAC: User Changed Backup Configuration
  46. Environmental Awareness - Security Critical Infrastructure Update - Salesforce SetupAuditTrail: Whitelist modification
  47. Environmental Awareness - Security Critical Infrastructure Update - Trend Micro Deep Discovery Inspector: Deny List Updated
  48. Environmental Awareness - Security Critical Infrastructure Update - Trend Micro Deep Discovery Inspector: Detection Exceptions Updated
  49. Environmental Awareness - Suspicious Behavior - Suspicious VPN Connectivity to Internal Network
  50. Environmental Awareness - Suspicious Download - Anonymous File Sharing Suspicious URL Multiple Attempts
  51. Environmental Awareness - Suspicious Security Critical Event - RSA Authentication Manager: Security policy modified or deleted
  52. Environmental Awareness - Suspicious Security Critical Event - TippingPoint - High Severity Alert
  53. Exploitation & Installation - Code Execution - Suspicious WebDAV LNK Execution
  54. Exploitation & Installation - Code Execution - Windows Suspicious DLL Launch Detected
  55. Exploitation & Installation - Exploit - Known Vulnerability - Cisco AMP - Exploit Prevention
  56. Exploitation & Installation - Exploit - Known Vulnerability - Trend Micro Deep Discovery Inspector: High risk exploitable file
  57. Exploitation & Installation - Lateral Movement - Windows Xp_Cmdshell Has Been Enabled Followed By Recon Command 
  58. Exploitation & Installation - Malicious Network Activity - Trend Micro Deep Discovery Inspector: Exploit Detected
  59. Exploitation & Installation - Malware Infection - Trend Micro Deep Discovery Inspector: Suspicious File Detected
  60. Reconnaissance & Probing - Account Discovery - Reconnaissance activity with Net command
  61. Reconnaissance & Probing - Account Discovery - Stealth Bits: Account Discovery
  62. Reconnaissance & Probing - Brute Force Authentication - Duo Two Factor Authentication: Successful Login After Brute Force
  63. Reconnaissance & Probing - Brute Force Authentication - Sophos XG: Repeated login failure on admin account
  64. Reconnaissance & Probing - Brute Force Authentication - Stealth Bits: Multiple Invalid MFA codes
  65. Reconnaissance & Probing - Brute Force Authentication - Stealth Bits: Password spraying
  66. Reconnaissance & Probing - Brute Force Authentication - Stealth Bits: Repeated Login Failure
  67. Reconnaissance & Probing - Brute Force Authentication - Trend Micro Deep Discovery Inspector: Multiple Login Failures
  68. Reconnaissance & Probing - Malicious Network Activity - Fortinet FortiWeb - Known Attacks
  69. Reconnaissance & Probing - Malicious Network Activity - Fortinet FortiWeb - SQL/XSS Syntax Based Detection
  70. Reconnaissance & Probing - Malicious Network Activity - Fortinet FortiWeb - Unauthorized GEO IP
  71. Reconnaissance & Probing - Malicious Network Activity - Sophos UTM - Port Scanning Detected
  72. Reconnaissance & Probing - Suspicious Behavior - DLL Executed Spawning Suspicious Command
  73. Reconnaissance & Probing - Suspicious Behavior - WMIC Retrieving Security Configuration
  74. System Compromise - Credential Access - User credentials read with procdump.exe
  75. System Compromise - Defense Evasion - Disabling Security Tools - Suspicious Regsvr32 Execution
  76. System Compromise - Exploit - Known Vulnerability - Potential Webshell Detected - CVE-2023-3519
  77. System Compromise - Hacking Tool - SentinelOne - Hacktool detected
  78. System Compromise - Known Malicious Infrastructure - Trend Micro Deep Discovery Inspector: Malicious Certificate
  79. System Compromise - Malware Infection - Cobalt Strike Service Install
  80. System Compromise - Malware Infection - Linux Clam AV - Virus Detected
  81. System Compromise - Malware Infection - MDATP PUA detected
  82. System Compromise - Malware Infection - McAfee - Network Malware Detected
  83. System Compromise - Malware Infection - SentinelOne - Infostealer detected
  84. System Compromise - Malware Infection - SentinelOne - Lateral Movement Detected
  85. System Compromise - Malware Infection - SentinelOne - Malware detected
  86. System Compromise - Malware Infection - SentinelOne - Multiple threats detected in a single asset
  87. System Compromise - Malware Infection - SentinelOne - PUA detected
  88. System Compromise - Malware Infection - SentinelOne - Rootkit Detected
  89. System Compromise - Malware Infection - SentinelOne - Threat detected in multiple assets
  90. System Compromise - Malware Infection - SentinelOne - threat detected
  91. System Compromise - Malware Infection - Trend Micro Deep Discovery Inspector: Possible Webshell Detected
  92. System Compromise - Malware Infection - Trend Micro Deep Discovery Inspector: Potential Threat Detected
  93. System Compromise - Malware Infection - Trend Micro Deep Discovery Inspector: Suspicious file in SMB network share
  94. System Compromise - Ransomware Infection - SentinelOne - Ransomware detected
The team completed the following network detections:
  1. Potential WebShell associated with Citrix Netscaler CVE-2023-3519 vpn/theme
  2. Potential WebShell associated with Citrix Netscaler CVE-2023-3519 uiareas
  3. Potential WebShell associated with Citrix Netscaler CVE-2023-3519 epa/scripts
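Several of the rules above share one correlation pattern: "Successful Authentication After Brute Force" (Fortinet Authenticator, Sophos XG, ForeScout NAC, Stealth Bits, Windows Logon, Duo) and "Password Spraying" (Duo, Stealth Bits). The Python below is an added illustration of that logic, not USM Anywhere's rule implementation: it runs a sliding window over constructed sample authentication events and raises an alert when an account succeeds after a burst of failures, or when one source fails against many distinct accounts. The event format, the thresholds (five failures, ten-minute window) and the sample users and addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real device), one event per
# line: <ISO-8601 timestamp> <username> <source IP> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2023-08-14T09:00:01Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:04Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:07Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:10Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:13Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:16Z alice 203.0.113.7 FAILURE
2023-08-14T09:00:19Z alice 203.0.113.7 SUCCESS
2023-08-14T09:05:00Z bob 192.0.2.20 FAILURE
2023-08-14T09:05:30Z bob 192.0.2.20 FAILURE
2023-08-14T09:06:00Z bob 192.0.2.20 SUCCESS
2023-08-14T10:00:00Z bob 198.51.100.9 FAILURE
2023-08-14T10:00:02Z carol 198.51.100.9 FAILURE
2023-08-14T10:00:04Z dave 198.51.100.9 FAILURE
2023-08-14T10:00:06Z erin 198.51.100.9 FAILURE
2023-08-14T10:00:08Z frank 198.51.100.9 FAILURE
2023-08-14T10:00:10Z grace 198.51.100.9 FAILURE
"""


def parse_events(text):
    """Parse the sample format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "ok": outcome == "SUCCESS",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _expire(window_deque, now, window):
    """Drop entries older than the sliding window (entries are (ts, value))."""
    while window_deque and now - window_deque[0][0] > window:
        window_deque.popleft()


def detect_success_after_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when an account logs in after >= threshold failures in the window."""
    recent_failures = defaultdict(deque)  # user -> deque of (ts, src)
    alerts = []
    for e in events:
        q = recent_failures[e["user"]]
        _expire(q, e["ts"], window)
        if e["ok"]:
            if len(q) >= threshold:
                alerts.append({
                    "rule": "Successful Authentication After Brute Force",
                    "user": e["user"],
                    "src": e["src"],
                    "ts": e["ts"],
                    "failures": len(q),
                    "failure_sources": sorted({s for _, s in q}),
                })
            q.clear()  # a success ends the failure streak either way
        else:
            q.append((e["ts"], e["src"]))
    return alerts


def detect_password_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """Alert once per source that fails against >= min_users distinct accounts."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures
    alerted = set()
    alerts = []
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        _expire(q, e["ts"], window)
        q.append((e["ts"], e["user"]))
        users = {u for _, u in q}
        if len(users) >= min_users and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "rule": "Password Spraying",
                "src": e["src"],
                "ts": e["ts"],
                "users": sorted(users),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_success_after_bruteforce(evs) + detect_password_spraying(evs):
        print(alert)
```

On the sample data only alice's login (six failures, then success) and the single source that tried six different accounts produce alerts; bob's two mistyped passwords before a success stay below the threshold. The two detectors key differently on purpose: brute force is tracked per target account regardless of source, while spraying is tracked per source regardless of account, so a spray that only touches each user once never trips the first rule but does trip the second.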
The following pulses have been created by the team in OTX providing coverage for the latest threats and campaigns:
  1. From small LNK to large malicious BAT file with zero VT score
  2. Report: Ransomware Command-and-Control Providers Unmasked
  3. SapphireStealer: Open-source information stealer enables credential and data theft
  4. BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
  5. Analysis of Andariel’s New Attack Activities
  6. Hackers Launch Brute-Force Attack Cisco ASA SSL VPNs
  7. MMRat Carries Out Bank Fraud Via Fake App Stores
  8. An Ongoing Open Source Attack Reveals Roots Dating Back To 2021
  9. Earth Estries Targets Government, Tech for Cyberespionage
  10. Shining some light on the DarkGate loader
  11. Threat Actor Interplay | Good Day’s Victim Portals and Their Ties to Cloak
  12. Kinsing Malware Exploits Novel Openfire Vulnerability
  13. Peeling Back the Layers of RemcosRat Malware
  14. DreamBus Botnet Exploiting execution Flaw in RocketMQ servers
  15. MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file
  16. UAC-0173: judicial authorities and notaries "under the gun"
  17. Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
  18. FIN8-LINKED ACTOR TARGETS CITRIX NETSCALER SYSTEMS
  19. Adversary On The Defense: ANTIBOT.PW
  20. HTML Smuggling Leads to Domain Wide Ransomware
  21. Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware
  22. Ransomware Roundup – Trash Panda and A New Minor Variant of NoCry
  23. Agniane Stealer
  24. Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat
  25. Flax Typhoon using legitimate software to quietly access Taiwanese organizations
  26. Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study
  27. Telekopye: Hunting Mammoths using Telegram bot
  28. Why LaZagne Makes D-Bus API Vigilance Crucial
  29. Lazarus Group's infrastructure reuse leads to discovery of new malware
  30. What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
  31. Fake Roblox packages target npm with Luna Grabber information-stealing malware
  32. From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families
  33. Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
  34. Scarabs colon-izing vulnerable servers
  35. XLoader's Latest Trick | New macOS Variant Disguised as Signed OfficeNote App
  36. Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America
  37. WHIRLPOOL Backdoor | CISA
  38. Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams
  39. Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile
  40. DotRunpeX - demystifying new virtualized .NET injector used in the wild
  41. DLL Hijacking in the Asian Gambling Sector
  42. Old exploit kits still kicking around in 2023
  43. ProxyNation: The dark nexus between proxy apps and malware
  44. Raccoon Stealer Announce Return After Hiatus
  45. JanelaRAT
  46. German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs
  47. Attackers Distribute Malware via Freeze.rs And SYK Crypter
  48. Monti Ransomware Unleashes a New Encryptor for Linux
  49. Xurum: New Magento Campaign Discovered
  50. When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
  51. Focus on DroxiDat/SystemBC
  52. Gootloader: Why your Legal Document Search May End in Misery
  53. LOLKEK Unmasked | An In-Depth Analysis of New Samples and Evolving Tactics
  54. MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors
  55. Rhysida ransomware
  56. Reptile Malware Targeting Linux Systems
  57. VMConnect: Malicious PyPI packages imitate popular open source modules
  58. New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware
  59. Latest Batloader Campaigns Use Pyarmor Pro for Evasion
  60. North Korea Compromises Sanctioned Russian Missile Engineering Company
  61. New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3
  62. Honeypot Recon: New Variant of SkidMap Targeting Redis
  63. Threat Actors Exploiting Ivanti EPMM Vulnerabilities
  64. NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts
