Most recent events in the threat landscape - June 2023

Over the past month, threat actors have continued to exploit vulnerabilities in their operations. The Cl0p ransomware group actively exploited the latest MOVEit vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) to install a web shell for initial access. Espionage threat actors have also taken advantage of recent vulnerabilities: UNC4841 exploited a Barracuda zero-day (CVE-2023-2868), and UNC3886 exploited a previously unknown VMware ESXi vulnerability (CVE-2023-20867). In addition, Microsoft has uncovered a stealthy campaign focused on post-compromise credential access and network system discovery targeting critical infrastructure organizations in the United States. The attack has been attributed to Volt Typhoon.

Tracking, Detection & Hunting Capabilities 

The team created the following Adversary Trackers to automatically identify and detect malicious infrastructure:  
  1. Vidar Stealer    
  2. Redline Stealer   
  3. Raccoon Stealer
  4. Armitage  
  5. Covenant  
  6. Mythic C2  
  7. Nimplant C2  
  8. Havoc C2   
The following USM Anywhere detections were added or improved in June:  
  1. Brute Force Authentication - Security Critical Event - Palo Alto XDR - Brute Force Activity 
  2. Delivery & Attack - Anomalous User Behavior - SSM used to access instance metadata 
  3. Delivery & Attack - Anomalous User Behavior - Salesforce suspicious filetype downloaded 
  4. Delivery & Attack - C&C Communication - Malware Beaconing to C&C using IRC 
  5. Delivery & Attack - Code Execution - PowerShell Registry command 
  6. Delivery & Attack - Credential Access - Identity theft using Pass-the-Hash attack 
  7. Delivery & Attack - Credential Access - Identity theft using Pass-the-Ticket attack
     Delivery & Attack - Credential Access - Windows Pass The Hash
  8. Delivery & Attack - Exploit - Known Vulnerability - MOVEit Transfer Vulnerability CVE-2023-34362 Exploitation Detected 
  9. Delivery & Attack - Exploit - Known Vulnerability - Metasploit Bluekeep - Network and host indicators (CVE-2019-0708) 
  10. Delivery & Attack - Exploit - Known Vulnerability - Metasploit Bluekeep exploit detected (CVE-2019-0708) 
  11. Delivery & Attack - Hacking Tool - PowerShell Empire command 
  12. Delivery & Attack - Lateral Movement - Kerberos Golden Ticket activity 
  13. Delivery & Attack - Lateral Movement - Suspicious WMIC Activity 
  14. Delivery & Attack - Lateral Movement - WinRM attempts to multiple hosts 
  15. Delivery & Attack - Malicious Network Activity - Sonic Wall VPN SSL: Network Denial of Service Attack 
  16. Delivery & Attack - Malware Infection - Phishing 
  17. Delivery & Attack - Phishing - O365 Audit - Phishing blocked or detected Alert 
  18. Delivery & Attack - Phishing - Phishing detected by Checkpoint Zero Phishing 
  19. Delivery & Attack - Phishing - Phishing detected by Office ATP 
  20. Delivery & Attack - Privilege Escalation - Possible authentication bypass detected 
  21. Delivery & Attack - Security Critical Event - Palo Alto XDR - Vulnerability Detection 
  22. Delivery & Attack - Security Critical Infrastructure Update - AWS Config configuration added 
  23. Delivery & Attack - Security Critical Infrastructure Update - AWS Config configuration removed 
  24. Delivery & Attack - Security Critical Infrastructure Update - SSM used to disable Windows Defender 
  25. Delivery & Attack - Suspicious Behavior - Multiple Suspicious PowerShell Patterns  
  26. Delivery & Attack - Suspicious Security Critical Event - Sticky keys attack 
  27. Delivery & Attack - Webshell - China Chopper 
  28. Environmental Awareness - Anomalous User Behavior - Bash History Deleted 
  29. Environmental Awareness - Anomalous User Behavior - CheckPoint SmartConsole: Administrator user locked out 
  30. Environmental Awareness - Anomalous User Behavior - Default or Suspicious Workstation Successfully Logged On 
  31. Environmental Awareness - Anomalous User Behavior - EC2 user data accessed 
  32. Environmental Awareness - Anomalous User Behavior - G Suite: Permissive File Sharing 
  33. Environmental Awareness - Anomalous User Behavior - New SSH key added to instance metadata 
  34. Environmental Awareness - Anomalous User Behavior - UEBA - High score anomalous login 
  35. Environmental Awareness - Anomalous User Behavior - UEBA - Windows anomalous login followed by password change 
  36. Environmental Awareness - Anonymous Channel - HTTPS Proxy 
  37. Environmental Awareness - Anonymous Channel - I2P 
  38. Environmental Awareness - Anonymous Channel - Process communicating through the TOR network 
  39. Environmental Awareness - Anonymous Channel - TOR SSL 
  40. Environmental Awareness - Anonymous Channel - Tor 
  41. Environmental Awareness - Anonymous Channel - Tor Onion Proxy 
  42. Environmental Awareness - Anonymous Channel - tor2www Proxy 
  43. Environmental Awareness - Brute Force Authentication - Cisco ISE: Successful Authentication After Brute Force 
  44. Environmental Awareness - C&C Communication - Windows Proxy Established 
  45. Environmental Awareness - Cisco Configuration Change - Cisco ASA - Log Removal 
  46. Environmental Awareness - Code Execution - Postgres Process Spawning Powershell or Commandline Process 
  47. Environmental Awareness - Code Execution - PowerShell diagnostics module execution 
  48. Environmental Awareness - Code Execution - PowerShell executed an interactive shell 
  49. Environmental Awareness - Code Execution - Process Spawning Fodhelper 
  50. Environmental Awareness - Code Execution - Shellcode execution via InstallUtil.exe 
  51. Environmental Awareness - Code Execution - Suspicious PowerShell Arguments 
  52. Environmental Awareness - Collection - Archive Created In Suspicious Filepath 
  53. Environmental Awareness - Configuration Change - Auditing Log Disabled 
  54. Environmental Awareness - Configuration Change - IIS disable HTTP logging 
  55. Environmental Awareness - Configuration Change - SafeBoot registry key deleted 
  56. Environmental Awareness - Configuration Change - Teamviewer Connection Logging Disabled 
  57. Environmental Awareness - Configuration Modification - Admin Audit Log Configuration Disabled 
  58. Environmental Awareness - Credential Abuse - Kerberos Logon To Multiple Accounts 
  59. Environmental Awareness - Credential Abuse - OpenVPN Server: Login attempts from different countries in a short time 
  60. Environmental Awareness - Credential Abuse - OpenVPN Server: Login from different countries in a short time 
  61. Environmental Awareness - Credential Access - Crowdstrike: Credential Theft 
  62. Environmental Awareness - Credential Access - LSASS Protected Mode Disabled 
  63. Environmental Awareness - DLL Injection - AppInit DLL Persistence 
  64. Environmental Awareness - DLL Injection - Possible Windows DNS Server DLL Injection 
  65. Environmental Awareness - DLL Injection - ShimCache Persistence 
  66. Environmental Awareness - Data Exfiltration - Compression followed by exfiltration in a short period of time 
  67. Environmental Awareness - Data Exfiltration - Potential data exfiltration 
  68. Environmental Awareness - Data Exfiltration - PowerShell compression followed by exfiltration 
  69. Environmental Awareness - Defense Evasion - Cover Tracks - Bash History Deleted 
  70. Environmental Awareness - Defense Evasion - Cover Tracks - CloudTrail Delete Log Stream 
  71. Environmental Awareness - Defense Evasion - Cover Tracks - Disabling of security services detected 
  72. Environmental Awareness - Defense Evasion - Cover Tracks - Epic EHR - Log Disabled 
  73. Environmental Awareness - Defense Evasion - Cover Tracks - Multiple log files deleted in a short period of time 
  74. Environmental Awareness - Defense Evasion - Cover Tracks - S3 Bucket Server Access Logging Disabled 
  75. Environmental Awareness - Defense Evasion - Disabling Security Tools - Antivirus Service Terminated 
  76. Environmental Awareness - Defense Evasion - Disabling Security Tools - AppArmor Disabled 
  77. Environmental Awareness - Defense Evasion - Disabling Security Tools - Attempt to stop or delete Windows Defender service 
  78. Environmental Awareness - Defense Evasion - Disabling Security Tools - Attempt was Made to Unregister a Security Event Source 
  79. Environmental Awareness - Defense Evasion - Disabling Security Tools - Box Security Policy Deleted
  80. Environmental Awareness - Defense Evasion - Disabling Security Tools - Disabling Sysmon Driver
  81. Environmental Awareness - Defense Evasion - Disabling Security Tools - ETW providers recording loaded .NET assemblies disabled 
  82. Environmental Awareness - Defense Evasion - Disabling Security Tools - Event Log Disabled 
  83. Environmental Awareness - Defense Evasion - Disabling Security Tools - Firewall Blocking Microsoft Defender ATP Connections 
  84. Environmental Awareness - Defense Evasion - Disabling Security Tools - G Suite: User Erased Alerts 
  85. Environmental Awareness - Defense Evasion - Disabling Security Tools - GuardDuty disabled Management events 
  86. Environmental Awareness - Defense Evasion - Disabling Security Tools - GuardDuty was disabled 
  87. Environmental Awareness - Defense Evasion - Disabling Security Tools - Network Firewall Logging Disabled 
  88. Environmental Awareness - Defense Evasion - Disabling Security Tools - No Rule Groups associated to the Firewall Policy 
  89. Environmental Awareness - Defense Evasion - Disabling Security Tools - Nxlog Service Disabled 
  90. Environmental Awareness - Defense Evasion - Disabling Security Tools - OSX Gatekeeper bypass 
  91. Environmental Awareness - Defense Evasion - Disabling Security Tools - PowerShell added a Defender exclusion 
  92. Environmental Awareness - Defense Evasion - Disabling Security Tools - Powershell Downgrade 
  93. Environmental Awareness - Defense Evasion - Disabling Security Tools - SELinux Disabled 
  94. Environmental Awareness - Defense Evasion - Disabling Security Tools - System settings restored 
  95. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender - Disabled Exploit Guard Network Protection 
  96. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Definitions Removed 
  97. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Disabled 
  98. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Disabled via Group Policy Object 
  99. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Discarded Signatures 
  100. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Defender Exclusion Added 
  101. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Firewall Disabled 
  102. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows Firewall Driver was Stopped  
  103. Environmental Awareness - Defense Evasion - Disabling Security Tools - Windows IOfficeAntivirus Disabled 
  104. Environmental Awareness - Defense Evasion - File Deletion - Backup Catalog Deletion 
  105. Environmental Awareness - Defense Evasion - Masquerading - Persistence via CLSID 
  106. Environmental Awareness - Defense Evasion - Masquerading - Process Execution Using pcwutl.dll 
  107. Environmental Awareness - Defense Evasion - System Tool - Network Activity From mshta 
  108. Environmental Awareness - Defense Evasion - System Tool - Suspicious CMSTP Activity 
  109. Environmental Awareness - Execution Blocked - Powershell Certificate Export - Error 
  110. Environmental Awareness - Execution Blocked - Powershell Execution Restricted - Error 
  111. Environmental Awareness - Execution Blocked - Suspicious Powershell Service Creation 
  112. Environmental Awareness - Hacking Tool - Sliver Service Usage 
  113. Environmental Awareness - Hacking Tool - Windows CSExec Tool Usage 
  114. Environmental Awareness - Hacking Tool - Windows PAExec Tool Usage 
  115. Environmental Awareness - Hacking Tool - Windows PSExec Service Usage 
  116. Environmental Awareness - Hacking Tool - Windows RemCom Tool Usage 
  117. Environmental Awareness - Lateral Movement - WinRS Remote Command Execution 
  118. Environmental Awareness - Lateral Movement - Windows RDP Tunneling 
  119. Environmental Awareness - Malicious Website - Host attempting to access a website with a malicious embedded link 
  120. Environmental Awareness - Network Access Control Modification - Deleted ACL 
  121. Environmental Awareness - Network Access Control Modification - Deleted WAF Rule 
  122. Environmental Awareness - Network Anomaly - Trend Micro Deep Security - Web reputation blocked 
  123. Environmental Awareness - New User Creation - AWS IAM S3Browser Login Profile Creation  
  124. Environmental Awareness - New User Creation - AWS IAM S3Browser User or AccessKey Creation 
  125. Environmental Awareness - Phishing - Malware detected by Office ATP 
  126. Environmental Awareness - Phishing - O365 Audit - Phishing most targeted users 
  127. Environmental Awareness - Privilege Escalation - Container bound to sensitive host directory 
  128. Environmental Awareness - Privilege Escalation - New High Privileged Role Detected 
  129. Environmental Awareness - Privilege Escalation - Permissive File Sharing 
  130. Environmental Awareness - Privilege Escalation - User Privilege Escalation 
  131. Environmental Awareness - Publicly Accessible Resource - Cloud Run service made public 
  132. Environmental Awareness - Publicly Accessible Resource - Exposed GCE Bucket or file   
  133. Environmental Awareness - Publicly Accessible Resource - Git directory exposed in bucket 
  134. Environmental Awareness - Security Critical Event - Windows Scheduled Job Created 
  135. Environmental Awareness - Security Critical Event - Windows Security Event Log Full 
  136. Environmental Awareness - Security Critical Infrastructure Update - AWS EC2 new startup data 
  137. Environmental Awareness - Security Critical Infrastructure Update - AWS privileged role attached to instance profile 
  138. Environmental Awareness - Security Critical Infrastructure Update - CloudTrail Logging Disabled 
  139. Environmental Awareness - Security Critical Infrastructure Update - CloudTrail Trail Deleted 
  140. Environmental Awareness - Security Critical Infrastructure Update - Disabled GKE Node Pool AutoUpgrade 
  141. Environmental Awareness - Security Critical Infrastructure Update - Elasticsearch domain made public 
  142. Environmental Awareness - Security Critical Infrastructure Update - Enable GKE Legacy Metadata API 
  143. Environmental Awareness - Security Critical Infrastructure Update - Flow Logs Deleted 
  144. Environmental Awareness - Security Critical Infrastructure Update - GCP Audit Log Disabled 
  145. Environmental Awareness - Security Critical Infrastructure Update - GCP Audit Logging Disabled 
  146. Environmental Awareness - Security Critical Infrastructure Update - GCP VPC Logging Disabled 
  147. Environmental Awareness - Security Critical Infrastructure Update - GCP user exempted from logging 
  148. Environmental Awareness - Security Critical Infrastructure Update - Network policy disabled 
  149. Environmental Awareness - Security Policy Violation - AWS IAM S3Browser Templated S3 Bucket Policy Creation 
  150. Environmental Awareness - Sensitive Data Disclosure - New Pod using a sensitive volume 
  151. Environmental Awareness - Suspicious Behavior - EC2 instance querying a domain that resolves to the EC2 metadata IP 
  152. Environmental Awareness - Suspicious Behavior - Large shared memory space with accessible permissions 
  153. Environmental Awareness - Suspicious Behavior - Multiple files overwritten by cipher tool 
  154. Environmental Awareness - Suspicious Behavior - PowerShell reverse shell one-liner 
  155. Environmental Awareness - Suspicious Behavior - Process Listening for Raw Sockets 
  156. Environmental Awareness - Suspicious Behavior - S3 server access logging disabled for an S3 bucket 
  157. Environmental Awareness - Suspicious Behavior - Suspicious usage of osascript 
  158. Environmental Awareness - Suspicious Behavior - Tor Networking Activity in AWS Instance  
  159. Environmental Awareness - Suspicious Behavior - Windows RDP hijacking without prompt 
  160. Environmental Awareness - Suspicious Security Critical Event - AWS metadata internal IP in the URL 
  161. Environmental Awareness - Suspicious Security Critical Event - Security Incident Detected 
  162. Environmental Awareness - System Error - Windows Defender Scan or Protection Failed 
  163. Environmental Awareness - System Error - Windows Firewall Driver Failed to Start 
  164. Environmental Awareness - System Error - Windows Firewall Service Failed to Start 
  165. Environmental Awareness - System Persistence - Suspicious Crontab job with URL 
  166. Environmental Awareness - System Persistence - Windows Autorun Registry Entry Added via reg.exe 
  167. Environmental Awareness - User Permission Modification - Excessive AWS Elasticsearch permissions applied 
  168. Environmental Awareness - User Permission Modification - Excessive AWS Key policies attached to master key (CMK) 
  169. Environmental Awareness - User Permission Modification - Excessive AWS Log Deny policies 
  170. Environmental Awareness - User Permission Modification - G Suite: Domain-wide Delegation Enabled 
  171. Environmental Awareness - Weak Configuration - Privileged Account Exposure - Writable Docker Filesystem Mapped to Host Root 
  172. Exploitation & Installation - Code Execution - MDATP PsExec or WMI process execution blocked 
  173. Exploitation & Installation - Code Execution - Successful exploit used to access AWS metadata endpoint   
  174. Exploitation & Installation - Credential Access - MDATP Suspicious NTDS activity detected 
  175. Exploitation & Installation - Defense Evasion - Disabling Security Tools - Encryption downgrade activity 
  176. Exploitation & Installation - Defense Evasion - Masquerading - Rundll32 call from the Public folder  
  177. Exploitation & Installation - Defense Evasion - System Tool - Module hijacking discovered 
  178. Exploitation & Installation - Exploit - Known Vulnerability - Palo Alto XDR - High Severity IOC Detected 
  179. Exploitation & Installation - Exploit - Known Vulnerability - Palo Alto XDR - Low Severity IOC Detected 
  180. Exploitation & Installation - Malware Infection - Palo Alto XDR - Malware or Exploit Prevented 
  181. Reconnaissance & Probing - Account Discovery - Reconnaissance activity with Net command 
  182. Reconnaissance & Probing - Brute Force Authentication - Cisco ISE: Brute Force Machine Account 
  183. Reconnaissance & Probing - Brute Force Authentication - Failed SSH Brute Force Attack Detected 
  184. Reconnaissance & Probing - Brute Force Authentication - Open VPN Server: Password Spraying 
  185. Reconnaissance & Probing - Brute Force Authentication - SSH brute force attack 
  186. Reconnaissance & Probing - Brute Force Authentication - Sonic Wall VPN SSL: User Enumeration 
  187. Reconnaissance & Probing - Brute Force Authentication - Windows Kerberos: Successful Account Enumeration After Brute Force 
  188. Reconnaissance & Probing - Information Gathering - Windows Discovery Command Ran with Output Directed to TMP Directory 
  189. Reconnaissance & Probing - Suspicious Behavior - AWS activity with Tor exit node 
  190. Reconnaissance & Probing - Suspicious Security Critical Event - CheckPoint: High Severity Threat Detected by SmartDefense from an External IP Address 
  191. System Compromise - C&C Communication - Domain Generation Algorithm 
  192. System Compromise - C&C Communication - Malware Beaconing to C&C 
  193. System Compromise - C&C Communication - Malware User-Agent 
  194. System Compromise - Code Execution - PowerShell memory injection 
  195. System Compromise - Code Execution - Powershell Process Created by Chrome 
  196. System Compromise - Code Execution - Powershell Process Created by Firefox 
  197. System Compromise - Code Execution - Powershell Process Created by Internet Explorer  
  198. System Compromise - Code Execution - Powershell Process Created by Office Excel 
  199. System Compromise - Code Execution - Powershell Process Created by Office PowerPoint 
  200. System Compromise - Code Execution - Powershell Process Created by Office Word 
  201. System Compromise - Code Execution - Powershell Process Created by Outlook 
  202. System Compromise - Code Execution - Powershell Process Created by Suspicious Chain of Executables 
  203. System Compromise - Code Execution - Suspicious Javascript execution by mshta.exe 
  204. System Compromise - Code Execution - Suspicious Process Created by mshta.exe 
  205. System Compromise - Code Execution - Suspicious file downloaded and executed with Powershell 
  206. System Compromise - Code Execution - Windows Process In Suspicious Path 
  207. System Compromise - Covert Channel - HTTP Traffic - DNS Port 
  208. System Compromise - Covert Channel - HTTP Traffic - NTP Port  
  209. System Compromise - Covert Channel - OpenSSL Tunnel  
  210. System Compromise - Credential Abuse - Thycotic Secret Server: Adversary In The Middle - MFA Reset with Login  
  211. System Compromise - Credential Access - Crowdstrike: Credential Dump Tool  
  212. System Compromise - Credential Access - Crowdstrike: NTDS or SAM Copied
  213. System Compromise - Credential Access - MDATP Credential Access alert detected  
  214. System Compromise - Credential Access - Retrieve Ntds.dit file from Shadow Copy  
  215. System Compromise - Credential Access - User credentials read with procdump.exe
  216. System Compromise - DLL Injection - DHCP Server Callout DLL Injection
  217. System Compromise - DLL Injection - DNS Plugin DLL Persistence  
  218. System Compromise - DLL Injection - Persistence Using RunOnceEx
  219. System Compromise - Defense Evasion - Disabling Security Tools - Amsi DLL Load By Uncommon Process  
  220. System Compromise - Defense Evasion - Disabling Security Tools - AppLocker Bypass  
  221. System Compromise - Defense Evasion - Disabling Security Tools - Mass Process Killing  
  222. System Compromise - Defense Evasion - Disabling Security Tools - Taskkill killing Antivirus process  
  223. System Compromise - Defense Evasion - Disabling Security Tools - Windows AMSI Bypass  
  224. System Compromise - Defense Evasion - File Deletion - Backup files deleted recursively  
  225. System Compromise - Defense Evasion - File Deletion - Suspicious activity with shadow copies  
  226. System Compromise - Defense Evasion - File Deletion - Windows Shadow Copies Deletion  
  227. System Compromise - Defense Evasion - File Deletion - Windows Shadow Copies resize multiple drives  
  228. System Compromise - Defense Evasion - Obfuscated Command - Suspicious Powershell Encoded Command Executed  
  229. System Compromise - Hacking Tool - CobaltStrike Powershell Detection  
  230. System Compromise - Hacking Tool - Common Powershell Attack Frameworks  
  231. System Compromise - Hacking Tool - F-Secure C3 tool usage  
  232. System Compromise - Hacking Tool - PoshC2  
  233. System Compromise - Hacking Tool - SharPyShell App Detected by IIS Windows Process Activation Service  
  234. System Compromise - Hacking Tool - WMImplant  
  235. System Compromise - Malicious Network Activity - Palo Alto XDR - Suspicious DNS Query  
  236. System Compromise - Malicious Website - Sophos host attempting many connections to new registered website  
  237. System Compromise - Malware Infection - Backdoor  
  238. System Compromise - Malware Infection - Detection for web-shells  
  239. System Compromise - Malware Infection - Eset: PUA detected  
  240. System Compromise - Malware Infection - Fortinet - Possible malware file in spam mail  
  241. System Compromise - Malware Infection - Hosts entry with security vendor name  
  242. System Compromise - Malware Infection - MDATP malware detected  
  243. System Compromise - Malware Infection - Macro Malware  
  244. System Compromise - Malware Infection - McAfee - Infected boot record found  
  245. System Compromise - Malware Infection - Possible malware file in spam mail  
  246. System Compromise - Malware Infection - Quant Loader Windows Firewall Exception  
  247. System Compromise - Malware Infection - RAT using COM Object Hijacking  
  248. System Compromise - Malware Infection - Remote Access Trojan  
  249. System Compromise - Malware Infection - Spyware  
  250. System Compromise - Malware Infection - Trend Micro - Suspicious URL  
  251. System Compromise - Malware Infection - Trend Micro - Suspicious URL in mail detected  
  252. System Compromise - Malware Infection - Webshell  
  253. System Compromise - Malware Infection - Webshell detected by Antivirus  
  254. System Compromise - Malware Infection - Webshell detected by McAfee  
  255. System Compromise - Privilege Escalation - RDP Session Hijack with tscon.exe  
  256. System Compromise - Privilege Escalation - Windows UAC Bypass  
  257. System Compromise - Privilege Escalation - Windows UAC bypass - UACME tool 
  258. System Compromise - Ransomware Infection - Disabling Task Manager and Antispyware in a short period of time  
  259. System Compromise - Ransomware Infection - Potential Lockbit 3.0 Detected  
  260. System Compromise - Ransomware Infection - Snake ransomware disabling network connectivity  
  261. System Compromise - Security Critical Event - Sticky Keys Backdoor  
  262. System Compromise - System Persistence - Detected persistence technique used by malware  
  263. System Compromise - System Persistence - OSX LaunchAgent with .onion domain  
  264. System Compromise - System Persistence - OSX LaunchAgent with downloader executable  
  265. System Compromise - System Persistence - OSX LaunchAgent with hidden executable  
  266. System Compromise - System Persistence - PendingGPOs Persistence  
  267. System Compromise - System Persistence - Persistence via Display Switch  
  268. System Compromise - System Persistence - Persistence via On-Screen Keyboard  
  269. System Compromise - System Persistence - Persistence via Sticky Keys  
  270. System Compromise - System Persistence - Persistence via Utilman  
  271. System Compromise - System Persistence - Suspicious Crontab job with DevTcp  
  272. System Compromise - System Persistence - Windows Autorun Registry with obfuscated JavaScript  
  273. System Compromise - System Persistence - Windows Autorun Registry with obfuscated PowerShell  
  274. System Compromise - Trojan - Eset: Trojan Detected

The team completed the following network detections:
  1. Human2 Backdoor Inbound Request
  2. SEASPY Magic TCP SYN Inbound M1
  3. SEASPY Magic TCP SYN Inbound M2
  4. SEASPY Magic TCP SYN Inbound M3
  5. SEASPY Magic TCP SYN Inbound M4
The following pulses have been created in OTX providing coverage for the latest threats and campaigns:  
  1. New Horabot campaign targets the Americas
  2. A Truly Graceful Wipe Out  
  3. CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief  
  4. Critical Vulnerability in Progress MOVEit Transfer: Technical Analysis and Recommendations  
  5. Qakbot (Qbot) activity, obama271 distribution tag  
  6. Emerging Threat! Exposing JOKERSPY  
  7. Cadet Blizzard emerges as a novel and distinct Russian threat actor
  8. Why Malware Crypting Services Deserve More Scrutiny  
  9. Analysis: Aurora Stealer
  10. Threat Group Assessment: Muddled Libra  
  11. Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox)  
  12. Kimsuky Distributing CHM Malware Under Various Subjects  
  13. RedEyes Group Wiretapping Individuals (APT37)  
  14. Hackers Use Weaponized PDF Files to Attack Organizations  
  15. Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389  
  16. Terminator EDR Killer (Spyboy) | Detecting and Preventing a Windows BYOVD Attack  
  17. Analyzing a YouTube Sponsorship Phishing Mail and Malware Targeting Content Creators
  18. Dissecting TriangleDB, a Triangulation spyware implant  
  19. Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries  
  20. ASEC Weekly Phishing Email Threat Trends (June 4th 2023 – June 10th, 2023)  
  21. RecordBreaker Infostealer Disguised as a .NET Installer  
  22. DoNot APT Elevates its Tactics by Deploying Malicious Android Apps on Google Play Store  
  23. Tsunami DDoS Malware Distributed to Linux SSH Servers  
  24. OnlyDcRatFans: Malware Distributed Using Explicit Lures of OnlyFans Pages and Other Adult Content  
  25. Uncovering a New Activity Group Targeting Governments in the Middle East and Africa  
  26. Shampoo: A New ChromeLoader Campaign  
  27. ChamelGang and ChamelDoH: A DNS-over-HTTPS implant  
  28. Formbook from Possible ModiLoader (DBatLoader)  
  29. Xneelo Users Targeted in a Multi-stage Phishing Attack
  30. Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution  
  31. Mystic Stealer – Evolving “stealth” Malware  
  32. Tracking Diicot: an emerging Romanian threat actor  
  33. Mystic Stealer  
  34. New Malware Campaign Targets LetsVPN Users  
  35. Fake security researchers push malware files on GitHub  
  36. Warning: Malware Disguised as a Security Update Installer Being Distributed  
  37. Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine  
  38. CVE-2017-9248 Exploitation in U.S. Government IIS Server  
  39. Android Malware Impersonates ChatGPT-Themed Applications  
  40. Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China  
  41. Pirated Windows builds with crypto stealer that penetrates EFI partition  
  42. Brand Impersonation Campaign Targeting Big Brands  
  43. The Phantom Menace: Brute Ratel remains rare and targeted  
  44. Analysis of new active malware: MediaArena - PUA  
  45. Zero Day Vulnerability in Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)  
  46. Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency  
  47. Core Werewolf against the defense industry and critical infrastructure  
  48. RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine  
  49. Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa  
  50. Analysis of the RecordBreaker secret-stealing Trojan spread through video sites  
  51. DynamicRAT — A full-fledged Java Rat  
  52. Asylum Ambuscade: crimeware or cyberespionage?  
  53. #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability  
  54. MOVEit Transfer Exploited to Drop File-Stealing SQL Shell
  55. ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)  
  56. CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief  
  57. Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence  
  58. Operation Triangulation: iOS devices targeted with previously unknown malware  
  59. Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)  
  60. Recent Satacom campaign delivers cryptocurrency-stealing addon  
  61. Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes) - ASEC BLOG  
  62. Terminator antivirus killer is a vulnerable Windows driver in disguise
  63. Investigating BlackSuit Ransomware’s Similarities to Royal 
  64. SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations  
