Most recent events in the threat landscape - September 2023
Let's review some of the most recent events in the threat landscape.
Over the last month, threat actors continued their operations. The ransomware groups Cuba and Snatch have been attacking critical infrastructure in the United States. In addition, the ALPHV/BlackCat group compromised the computer systems of the Caesars and MGM casinos, generating significant media coverage and public interest. We also saw DarkLoader, a recently surfaced malware, growing steadily in popularity. A new RaaS affiliate, ShadowSyndicate, has also been uncovered; this group likely deployed over seven different ransomware families in attacks over the past year.
Tracking, Detection & Hunting Capabilities
The team created or improved the following Adversary Trackers to automatically identify and detect malicious infrastructure:
- Cobalt Strike
- RisePro InfoStealer
- Predator
- AdLoad
- Meduza InfoStealer
- Raccoon
- RedLine
- Danabot
The following USM Anywhere detections were added or improved in September:
- Delivery & Attack - Brute Force Authentication - Azure AD: Successful Authentication After Brute Force
- Delivery & Attack - Brute Force Authentication - SentinelOne Activity Log - Successful Authentication After Brute Force
- Delivery & Attack - Denial of Service - Resource Exhaustion - McAfee - DoS Activity Detected
- Delivery & Attack - Network Attack - Possible Replay Attack
- Delivery & Attack - Privilege Escalation - Access Governance Alert
- Delivery & Attack - Vulnerable Software Exploitation - Exploit
- Environmental Awareness - Account Manipulation - Linux - Multiple users failed to be added on host
- Environmental Awareness - Account Manipulation - Linux - New user added to admin group
- Environmental Awareness - Account Manipulation - Linux - User successfully added to host after repeated failed attempts
- Environmental Awareness - Account Manipulation - ManageEngine Password Manager Pro: Temporary Account Creation
- Environmental Awareness - Account Manipulation - Security-Enabled Global Group was Created
- Environmental Awareness - Account Manipulation - Security-Enabled Local Group was Created
- Environmental Awareness - Account Manipulation - Security-Enabled Universal Group was Created
- Environmental Awareness - Account Manipulation - User Account password set to never expire
- Environmental Awareness - Anomalous User Activity - Linux - Repeated user add failure
- Environmental Awareness - Anomalous User Behavior - Failed Logon to Nonexistent Account
- Environmental Awareness - Anomalous User Behavior - Multiple Windows Account Lockouts
- Environmental Awareness - Anomalous User Behavior - Network Interface Entered Promiscuous Mode
- Environmental Awareness - Anomalous User Behavior - Permissive File Sharing
- Environmental Awareness - Anomalous User Behavior - UEBA - High score anomalous login
- Environmental Awareness - Anomalous User Behavior - UEBA - Suspicious O365 Login Anomaly
- Environmental Awareness - Anomalous User Behavior - Windows Account Lockout
- Environmental Awareness - Anonymous Channel - Suspicious Outbound Traffic to Tor Entry Node
- Environmental Awareness - Brute Force Authentication - ForeScout NAC: Multiple Login Failures
- Environmental Awareness - Credential Abuse - SentinelOne Activity Log - Impossible travel
- Environmental Awareness - Credential Access - Windows SQL: Brute Force Followed by Successful Member Add
- Environmental Awareness - Credential Access - Windows SQL: SQL Account Unlocked
- Environmental Awareness - Defense Evasion - Cover Tracks - Windows Event Log Cleared
- Environmental Awareness - Defense Evasion - Cover Tracks - Windows Scheduled Task Hidden
- Environmental Awareness - Defense Evasion - Disabling Security Tools - SentinelOne Activity Log - Suspicious path exclusion
- Environmental Awareness - Defense Evasion - Masquerading - Windows renamed binary
- Environmental Awareness - Malicious Network Activity - ForeScout NAC: Malicious Host Policy Match
- Environmental Awareness - Persistence - Default Role Granted to a User
- Environmental Awareness - Persistence - Grant All Permissions Public Users
- Environmental Awareness - Security Critical Event - ManageEngine Password Manager Pro: User granted full access to a resource
- Environmental Awareness - Security Critical Event - SentinelOne - Malicious activity detected
- Environmental Awareness - Security Critical Event - SentinelOne - Suspicious activity detected
- Environmental Awareness - Security Critical Event - SentinelOne Activity Log - Multiple agent uninstall
- Environmental Awareness - Security Critical Event - SentinelOne Activity Log - Unquarantined file in suspicious path
- Environmental Awareness - Security Critical Event - SentinelOne Activity Log - User added to Admin role
- Environmental Awareness - Security Critical Event - User Added to Enterprise Admins Group
- Environmental Awareness - Security Critical Event - User Removed from Enterprise Admins Group
- Environmental Awareness - Security Policy Violation - SentinelOne Activity Log - MFA Disabled
- Environmental Awareness - Suspicious Download - Anonymous File Sharing Suspicious URL
- Environmental Awareness - Suspicious Download - Anonymous File Sharing Suspicious URL Multiple Attempts
- Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - High Severity Alert
- Environmental Awareness - Suspicious Security Critical Event - Azure Security Center - Low Severity Alert
- Environmental Awareness - Suspicious Security Critical Event - Critical Level Event
- Environmental Awareness - Suspicious Security Critical Event - Fortinet - Dropped Internal IPS Events
- Environmental Awareness - Suspicious Security Critical Event - TippingPoint - Low Severity Alert
- Environmental Awareness - Suspicious Security Critical Event - TippingPoint - Medium Severity Alert
- Environmental Awareness - System Error - FortiAnalyzer - Critical System Event
- Environmental Awareness - System Shutdown/Reboot - Windows SQL: SQL Server was Shutdown/Rebooted
- Exploitation & Installation - Code Execution - File Download Using COPY Statement
- Exploitation & Installation - Defense Evasion - Masquerading - Potential COM Object Hijacking
- Exploitation & Installation - Exploit - Known Vulnerability - N-Able Take Control Agent Privilege Escalation
- Exploitation & Installation - Malicious Network Activity - Palo Alto - PsExec Traffic
- Exploitation & Installation - Network Attack - Cisco Meraki - Multiple Internal Network IDS Alerts
- Reconnaissance & Probing - Anomalous User Behavior - Duo Admin Account Lockout
- Reconnaissance & Probing - Brute Force Authentication - Canary - Repeated Login Attempts
- Reconnaissance & Probing - Brute Force Authentication - ManageEngine Password Manager Pro: Successful Authentication After Brute Force
- Reconnaissance & Probing - Brute Force Authentication - SentinelOne Activity Log - Repeated login failure
- Reconnaissance & Probing - Brute Force Authentication - Windows SQL: Successful Authentication After Brute Force
- Reconnaissance & Probing - Credential Access - Windows SQL: SQL Injection Attempt
- System Compromise - Code Execution - Nullsoft Scriptable Installer Script (NSIS) execution file created
- System Compromise - Defense Evasion - Cover Tracks - User Account Hidden Via Registry Modification
- System Compromise - Exploit - Known Vulnerability - Juniper Unauthenticated RCE Detected - CVE-2023-36845
- System Compromise - Exploit - Known Vulnerability - SentinelOne - Exploit detected
- System Compromise - Hacking Tool - MDATP Post-Exploitation Tool Detected
- System Compromise - Hacking Tool - SentinelOne - Hacktool detected
- System Compromise - Malware Infection - Hacking Tool detected by Antivirus
- System Compromise - Malware Infection - MDATP malware detected
- System Compromise - Malware Infection - Palo Alto - Compromised Host
- System Compromise - Malware Infection - SentinelOne - Infostealer detected
- System Compromise - Malware Infection - SentinelOne - Lateral Movement Detected
- System Compromise - Malware Infection - SentinelOne - Malware detected
- System Compromise - Malware Infection - SentinelOne - Multiple threats detected in a single asset
- System Compromise - Malware Infection - SentinelOne - PUA detected
- System Compromise - Malware Infection - SentinelOne - Rootkit Detected
- System Compromise - Malware Infection - SentinelOne - Threat detected in multiple assets
- System Compromise - Malware Infection - SentinelOne - threat detected
- System Compromise - Malware Infection - Windows Defender Malware Detected
- System Compromise - Network Attack - Windows Domain Controller - Kerberoasting
- System Compromise - Ransomware Infection - SentinelOne - Ransomware detected
- System Compromise - Remote Services - FortiAnalyzer - UTM Suspicious Remote Connection
- System Compromise - Suspicious Behavior - MDATP Low Severity Detection
The team created the following pulses in OTX, providing coverage for the latest threats and campaigns:
- Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
- Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA
- From ScreenConnect to Hive Ransomware in 61 hours
- Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia
- VMConnect supply chain attack continues, evidence points to North Korea
- Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
- A Deep Dive into Brute Ratel C4 payloads
- Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
- Malicious ad served inside Bing's AI chatbot
- A cryptor, a stealer and a banking trojan
- Surprise: When Dependabot Contributes Malicious Code
- Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org
- Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests
- Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies
- Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack
- Dusting for fingerprints: ShadowSyndicate, a new RaaS player?
- ZenRAT: Malware Brings More Chaos Than Calm
- Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities
- New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads
- Examining the Activities of the Turla APT Group
- RedLine Stealer : A new variant surfaces, Deploying using Batch Script
- A multi-ransomware cybercriminal group
- GOLD MELODY: Profile of an Initial Access Broker
- Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted
- PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions
- Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
- Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
- Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components
- The Curious Case of “Monti” Ransomware: A Real-World Doppelganger
- OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
- Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit
- #StopRansomware: Snatch Ransomware
- npm packages caught exfiltrating Kubernetes config, SSH keys
- Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic
- Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
- Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos
- XWorm: Technical Analysis of a New Malware Version
- Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
- New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
- CapraTube | Transparent Tribe’s CapraRAT Mimics YouTube to Hijack Android Phones
- Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
- New MidgeDropper Variant
- A peek into APT36’s updated arsenal
- Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms
- New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials
- Threat Group Assessment: Muddled Libra
- Threat Group Assessment: Turla (aka Pensive Ursa)
- RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware
- PSA: Ongoing Webex malvertising campaign drops BatLoader
- Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets | Microsoft Security Blog
- Email campaigns leverage updated DBatLoader to deliver RATs, stealers
- Downloader Disguised With Contents on Violation of Intellectual Property Rights
- OriginBotnet Spreads via Malicious Word Document
- 3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack
- Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
- Attacker combines phone, email lures into believable, complex attack chain
- Redfly: Espionage Actors Continue to Target Critical Infrastructure
- Free Download Manager backdoored, a possible supply chain attack on Linux machines
- macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks
- Analysis of Cuba ransomware gang activity and tooling
- “MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts
- HijackLoader
- The Case of LummaC2 v4.0
- BlueShell malware used in APT attacks targeting Korea and Thailand
- Steal-It Campaign
- DarkGate Loader Malware Delivered via Microsoft Teams
- MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors
- Spyware Telegram mod distributed via Google Play
- Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
- Cybercriminals target graphic designers with GPU miners
- How an APT technique turns to be a public Red Team Project
- Mac users targeted in new malvertising campaign delivering Atomic Stealer
- Active North Korean campaign targeting security researchers
- I know what you mined last summer: summarizing Summer '23 cryptomining activity
- "Smishing Triad" Targeted USPS And US Citizens For Data Theft
- Exposing RocketMQ CVE-2023-33246 Payloads
- New Agent Tesla Variant Being Spread by Crafted Excel Document
- New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services
- Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers
- RedLine Stealer: Answers to Unit Wireshark Quiz
- Infamous Chisel Malware Analysis Report
Best regards,
The Alien Labs team