Most recent events in the threat landscape - September 2023

Let's review some of the most recent events in the threat landscape. 

Over the last month, threat actors kept up their operations. The ransomware groups Cuba and Snatch have been attacking critical infrastructure in the United States. In addition, the ALPHV/BlackCat group compromised the computer systems of the Caesars and MGM casinos, generating significant media coverage and public interest. We also saw DarkLoader, a recently surfaced malware, growing more and more popular. A new RaaS affiliate, ShadowSyndicate, has also been uncovered; this group likely deployed over seven different ransomware families in attacks over the past year.

Tracking, Detection & Hunting Capabilities 
The team created or improved the following Adversary Trackers to automatically identify and detect malicious infrastructure: 
  1. Cobalt Strike 
  2. RisePro InfoStealer 
  3. Predator 
  4. AdLoad 
  5. Meduza InfoStealer 
  6. Raccoon 
  7. RedLine 
  8. Danabot  
The following USM Anywhere detections were added or improved in September: 
  1. Delivery & Attack - Brute Force Authentication - Azure AD: Successful Authentication After Brute Force 
  2. Delivery & Attack - Brute Force Authentication - SentinelOne Activity Log - Successful Authentication After Brute Force 
  3. Delivery & Attack - Denial of Service - Resource Exhaustion - McAfee - DoS Activity Detected 
  4. Delivery & Attack - Network Attack - Possible Replay Attack 
  5. Delivery & Attack - Privilege Escalation - Access Governance Alert 
  6. Delivery & Attack - Vulnerable Software Exploitation - Exploit 
  7. Environmental Awareness - Account Manipulation - Linux - Multiple users failed to be added on host 
  8. Environmental Awareness - Account Manipulation - Linux - New user added to admin group  
  9. Environmental Awareness - Account Manipulation - Linux - User successfully added to host after repeated failed attempts 
  10. Environmental Awareness - Account Manipulation - ManageEngine Password Manager Pro: Temporary Account Creation 
  11. Environmental Awareness - Account Manipulation - Security-Enabled Global Group was Created 
  12. Environmental Awareness - Account Manipulation - Security-Enabled Local Group was Created 
  13. Environmental Awareness - Account Manipulation - Security-Enabled Universal Group was Created 
  14. Environmental Awareness - Account Manipulation - User Account password set to never expire 
  15. Environmental Awareness - Anomalous User Activity - Linux - Repeated user add failure 
  16. Environmental Awareness - Anomalous User Behavior - Failed Logon to Nonexistent Account 
  17. Environmental Awareness - Anomalous User Behavior - Multiple Windows Account Lockouts 
  18. Environmental Awareness - Anomalous User Behavior - Network Interface Entered Promiscuous Mode 
  19. Environmental Awareness - Anomalous User Behavior - Permissive File Sharing 
  20. Environmental Awareness - Anomalous User Behavior - UEBA - High score anomalous login 
  21. Environmental Awareness - Anomalous User Behavior - UEBA - Suspicious O365 Login Anomaly 
  22. Environmental Awareness - Anomalous User Behavior - Windows Account Lockout 
  23. Environmental Awareness - Anonymous Channel - Suspicious Outbound Traffic to Tor Entry Node 
  24. Environmental Awareness - Brute Force Authentication - ForeScout NAC: Multiple Login Failures 
  25. Environmental Awareness - Credential Abuse - SentinelOne Activity Log - Impossible travel 
  26. Environmental Awareness - Credential Access - Windows SQL: Brute Force Followed by Successful Member Add 
  27. Environmental Awareness - Credential Access - Windows SQL: SQL Account Unlocked 
  28. Environmental Awareness - Defense Evasion - Cover Tracks - Windows Event Log Cleared 
  29. Environmental Awareness - Defense Evasion - Cover Tracks - Windows Scheduled Task Hidden 
  30. Environmental Awareness - Defense Evasion - Disabling Security Tools - SentinelOne Activity Log - Suspicious path exclusion 
  31. Environmental Awareness - Defense Evasion - Masquerading - Windows renamed binary 
  32. Environmental Awareness - Malicious Network Activity - ForeScout NAC: Malicious Host Policy Match 
  33. Environmental Awareness - Persistence - Default Role Granted to a User 
  34. Environmental Awareness - Persistence - Grant All Permissions Public Users 
  35. Environmental Awareness - Security Critical Event - ManageEngine Password Manager Pro: User granted full access to a resource 
  36. Environmental Awareness - Security Critical Event - SentinelOne - Malicious activity detected 
  37. Environmental Awareness - Security Critical Event - SentinelOne - Suspicious activity detected 
  38. Environmental Awareness - Security Critical Event - SentinelOne Activity Log - Multiple agent uninstall 
  39. Environmental Awareness - Security Critical Event - SentinelOne Activity Log - Unquarantined file in suspicious path 
  40. Environmental Awareness - Security Critical Event - SentinelOne Activity Log - User added to Admin role 
  41. Environmental Awareness - Security Critical Event - User Added to Enterprise Admins Group 
  42. Environmental Awareness - Security Critical Event - User Removed from Enterprise Admins Group 
  43. Environmental Awareness - Security Policy Violation - SentinelOne Activity Log - MFA Disabled 
  44. Environmental Awareness - Suspicious Download - Anonymous File Sharing Suspicious URL 
  45. Environmental Awareness - Suspicious Download - Anonymous File Sharing Suspicious URL Multiple Attempts 
  46. Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - High Severity Alert 
  47. Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - Low Severity Alert 
  48. Environmental Awareness - Suspicious Security Critical Event - Critical Level Event 
  49. Environmental Awareness - Suspicious Security Critical Event - Fortinet - Dropped Internal IPS Events 
  50. Environmental Awareness - Suspicious Security Critical Event - TippingPoint - Low Severity Alert 
  51. Environmental Awareness - Suspicious Security Critical Event - TippingPoint - Medium Severity Alert 
  52. Environmental Awareness - System Error - FortiAnalyzer - Critical System Event 
  53. Environmental Awareness - System Shutdown/Reboot - Windows SQL: SQL Server was Shutdown/Rebooted 
  54. Exploitation & Installation - Code Execution - File Download Using COPY Statement 
  55. Exploitation & Installation - Defense Evasion - Masquerading - Potential COM Object Hijacking 
  56. Exploitation & Installation - Exploit - Known Vulnerability - N-Able Take Control Agent Privilege Escalation 
  57. Exploitation & Installation - Malicious Network Activity - Palo Alto - PsExec Traffic 
  58. Exploitation & Installation - Network Attack - Cisco Meraki - Multiple Internal Network IDS Alerts 
  59. Reconnaissance & Probing - Anomalous User Behavior - Duo Admin Account Lockout 
  60. Reconnaissance & Probing - Brute Force Authentication - Canary - Repeated Login Attempts 
  61. Reconnaissance & Probing - Brute Force Authentication - ManageEngine Password Manager Pro: Successful Authentication After Brute Force 
  62. Reconnaissance & Probing - Brute Force Authentication - SentinelOne Activity Log - Repeated login failure 
  63. Reconnaissance & Probing - Brute Force Authentication - Windows SQL: Successful Authentication After Brute Force 
  64. Reconnaissance & Probing - Credential Access - Windows SQL: SQL Injection Attempt 
  65. System Compromise - Code Execution - Nullsoft Scriptable Installer Script (NSIS) execution file created 
  66. System Compromise - Defense Evasion - Cover Tracks - User Account Hidden Via Registry Modification 
  67. System Compromise - Exploit - Known Vulnerability - Juniper Unauthenticated RCE Detected - CVE-2023-36845 
  68. System Compromise - Exploit - Known Vulnerability - SentinelOne - Exploit detected 
  69. System Compromise - Hacking Tool - MDATP Post-Exploitation Tool Detected 
  70. System Compromise - Hacking Tool - SentinelOne - Hacktool detected 
  71. System Compromise - Malware Infection - Hacking Tool detected by Antivirus 
  72. System Compromise - Malware Infection - MDATP malware detected 
  73. System Compromise - Malware Infection - Palo Alto - Compromised Host 
  74. System Compromise - Malware Infection - SentinelOne - Infostealer detected 
  75. System Compromise - Malware Infection - SentinelOne - Lateral Movement Detected 
  76. System Compromise - Malware Infection - SentinelOne - Malware detected 
  77. System Compromise - Malware Infection - SentinelOne - Multiple threats detected in a single asset 
  78. System Compromise - Malware Infection - SentinelOne - PUA detected 
  79. System Compromise - Malware Infection - SentinelOne - Rootkit Detected 
  80. System Compromise - Malware Infection - SentinelOne - Threat detected in multiple assets 
  81. System Compromise - Malware Infection - SentinelOne - threat detected 
  82. System Compromise - Malware Infection - Windows Defender Malware Detected 
  83. System Compromise - Network Attack - Windows Domain Controller - Kerberoasting 
  84. System Compromise - Ransomware Infection - SentinelOne - Ransomware detected 
  85. System Compromise - Remote Services - FortiAnalyzer - UTM Suspicious Remote Connection 
  86. System Compromise - Suspicious Behavior - MDATP Low Severity Detection 
The following pulses have been created by the team in OTX providing coverage for the latest threats and campaigns: 
  1. Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations 
  2. Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA 
  3. From ScreenConnect to Hive Ransomware in 61 hours 
  4. Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia 
  5. VMConnect supply chain attack continues, evidence points to North Korea 
  6. Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers 
  7. A Deep Dive into Brute Ratel C4 payloads 
  8. Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company 
  9. Malicious ad served inside Bing's AI chatbot 
  10. A cryptor, a stealer and a banking trojan 
  11. Surprise: When Dependabot Contributes Malicious Code 
  12. Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org 
  13. Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests 
  14. Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies 
  15. Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack 
  16. Dusting for fingerprints: ShadowSyndicate, a new RaaS player? 
  17. ZenRAT: Malware Brings More Chaos Than Calm 
  18. Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities 
  19. New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads 
  20. Examining the Activities of the Turla APT Group 
  21. RedLine Stealer: A new variant surfaces, Deploying using Batch Script 
  22. A multi-ransomware cybercriminal group 
  23. GOLD MELODY: Profile of an Initial Access Broker 
  24. Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted 
  25. PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions 
  26. Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda 
  27. Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government 
  28. Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components 
  29. The Curious Case of “Monti” Ransomware: A Real-World Doppelganger 
  30. OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes 
  31. Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit 
  32. #StopRansomware: Snatch Ransomware 
  33. npm packages caught exfiltrating Kubernetes config, SSH keys 
  34. Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic 
  35. Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape 
  36. Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos 
  37. XWorm: Technical Analysis of a New Malware Version 
  38. Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT 
  39. New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants 
  40. CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones 
  41. Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement 
  42. New MidgeDropper Variant 
  43. A peek into APT36’s updated arsenal 
  44. Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms 
  45. New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials 
  46. Threat Group Assessment: Muddled Libra 
  47. Threat Group Assessment: Turla (aka Pensive Ursa) 
  48. RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware 
  49. PSA: Ongoing Webex malvertising campaign drops BatLoader 
  50. Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets | Microsoft Security Blog 
  51. Email campaigns leverage updated DBatLoader to deliver RATs, stealers 
  52. Downloader Disguised With Contents on Violation of Intellectual Property Rights 
  53. OriginBotnet Spreads via Malicious Word Document 
  54. 3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack 
  55. Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor 
  56. Attacker combines phone, email lures into believable, complex attack chain 
  57. Redfly: Espionage Actors Continue to Target Critical Infrastructure 
  58. Free Download Manager backdoored, a possible supply chain attack on Linux machines 
  59. macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks 
  60. Analysis of Cuba ransomware gang activity and tooling 
  61. “MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts 
  62. HijackLoader 
  63. The Case of LummaC2 v4.0 
  64. BlueShell malware used in APT attacks targeting Korea and Thailand 
  65. Steal-It Campaign 
  66. DarkGate Loader Malware Delivered via Microsoft Teams 
  67. MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors 
  68. Spyware Telegram mod distributed via Google Play 
  69. Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 
  70. Cybercriminals target graphic designers with GPU miners 
  71. How an APT technique turns to be a public Red Team Project 
  72. Mac users targeted in new malvertising campaign delivering Atomic Stealer 
  73. Active North Korean campaign targeting security researchers 
  74. I know what you mined last summer: summarizing Summer '23 cryptomining activity 
  75. "Smishing Triad" Targeted USPS And US Citizens For Data Theft 
  76. Exposing RocketMQ CVE-2023-33246 Payloads 
  77. New Agent Tesla Variant Being Spread by Crafted Excel Document 
  78. New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services 
  79. Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers 
  80. RedLine Stealer: Answers to Unit Wireshark Quiz 
  81. Infamous Chisel Malware Analysis Report 

Best regards,
The Alien Labs team