How LLMs could help defenders write better and faster detection

Most users will associate large language models (LLMs) like ChatGPT with answering basic questions or helping to write basics lines of text.  

But could these tools actually help defenders in the cybersecurity industry write more effective detection content?  

Several security researchers from across Cisco recently looked into how LLMs, which have surged in popularity over the past year, could assist them in the detection research process. 

Part of their jobs is to try and perform test behavior that will trigger existing detection rules to check their effectiveness and try to emulate the behavior of a typical adversary — all in the name of updating that detection content to catch the latest tactics, techniques and procedures (TTPs). 

LLMs may be able to assist in this complex, time-consuming tax, as Darin Smith, Yuvi Meiyappan, Moazzam Khan and Ray McCormick write in this paper, which you can download below. 

Khan, a security researcher for Cisco, will be presenting the findings of this paper at the upcoming BSides Portland conference. 

Cisco Talos Blog – ​Read More

HeptaX: Unauthorized RDP Connections for Cyberespionage Operations

Key takeaways


Cyble Research and Intelligence Labs (CRIL) came across an ongoing cyberattack campaign originating from malicious LNK files.

The sophisticated multi-stage attack chain relies heavily on PowerShell and BAT scripts to streamline the download and execution of additional payloads, demonstrating the Threat Actor’s (TA) preference for script-based methods to evade detection by traditional security solutions.

The attack involves the creation of an administrative account on the victim’s system and altering Remote Desktop settings to lower authentication requirements, simplifying unauthorized RDP access for the attacker.

The campaign deploys an additional well-known password recovery tool, ChromePass, which collects saved passwords from Chromium-based browsers, increasing the risk of broader account compromises.

Based on its TTPs, we have not been able to attribute this campaign, so for tracking purposes, we are naming it “HeptaX”.

Overview

CRIL has come across a multi-stage cyberattack campaign that begins with a ZIP file containing a malicious shortcut file (.lnk). While the source of this ZIP file remains unknown, it is suspected to be disseminated through phishing emails. Based on the LNK file name, it is suspected that this campaign targets the healthcare industry.

Upon execution, the LNK file triggers a PowerShell command that downloads and executes a series of additional payloads, including PowerShell scripts and BAT files, from a remote server. These scripts work in tandem to create a new user account on the compromised system with administrative privileges and modify Terminal Services (RDP) settings, lowering authentication requirements. This setup enables the TAs to easily establish remote desktop access (RDP) to the victim’s system, facilitating further malicious activities such as data exfiltration, the installation of additional malware, or even system monitoring.

Furthermore, CRIL identified the presence of an unwanted application called “ChromePass” within the threat actors’ network infrastructure. This hacking tool is designed to steal saved passwords from Chromium-based browsers, adding another layer of risk for victims by exposing their credentials. The image below illustrates the infection chain.

Based on the information obtained through pivoting, this group has been operational since 2023 and has executed a range of attacks across different sectors, as reflected in the names of the lure files. While the overall attack flow has remained consistent, it is surprising that they are still active using the same techniques. Several researchers have previously identified this campaign [1],[2],[3],[4],[5], with the majority of findings shared by the Malware Hunter Team.

Campaign analysis

Over the past 12 months, this unidentified group has consistently reemerged with various lure themes while maintaining unchanged attack patterns. Tracked as HeptaX,’ the campaign relies heavily on PowerShell and Batch scripts to gain control over compromised systems. By pivoting the IP address, we uncovered several additional artifacts associated with the same TAs used across different campaigns.

One of the notable files from this campaign is:


202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf.lnk

In addition, older campaigns attributed to this threat group over the past year include malicious files with names such as:


SOW_for_Nevrlate.pdf

WebContentWriting_Handout.pdf

Blockchain_Trading_Website_Manager.docx

Project Description – PoC smart assistant Vhyro Project from jvope signature.pdf

Resume – professional sax, keys and guitar player with over 40 years experience working with own bands, accompanied world stars.pdf

dropshipping Elien project prposal-soft online service ventilization from xihu.pdf.lnk

The diversity in file names and themes suggests that this group tailors its campaigns to appeal to a variety of victims, indicating a broad targeting strategy across multiple industries.

Technical Analysis

 Upon execution, the LNK file runs a PowerShell command that downloads and executes subsequent payloads from a remote server. The image below shows a partially de-obfuscated PowerShell command.

First stage – bb.ps1

As an initial step, the downloaded PowerShell script constructs a base URL to which it sends information and from which it downloads other stage payloads. The PowerShell script contains multiple functions, the first of which retrieves a unique identifier (UID) for the compromised system. This UID is obtained either from a specific registry path (HKEY_LOCAL_MACHINESOFTWAREWireless) or from a log file (id.log) in the “C:UsersPublicDocuments” directory. If neither exists, a new GUID is generated and saved to a newly created id.log file.

Next, the PowerShell script creates a shortcut file in the Windows Startup folder for persistence. The contents of the newly generated LNK file match those of the original malicious LNK file. The image below shows the function responsible for creating the new LNK file in the startup folder.

Then, the PowerShell script constructs a URL by appending the previously generated UID to the remote server, forming the request hxxp://157.173.104.153/up/get-command.php?uid=<UID>, and uses WebClient to send a request to fetch commands from the server. Upon receiving a successful response, it checks whether the response contains the string “autoreconnect”. If this string is present, the Powershell script runs the code in the current session using `iex`; otherwise, it executes the code as a background task in a separate PowerShell process.

Afterward, the PowerShell script downloads a password-protected lure document from the above-mentioned remote server, saves it in the system’s temporary directory “C:Users<Username>AppDataLocalTemp”, and then launches the document. The image below displays the function code and the open directory containing the lure PDF.

Finally, the PowerShell script retrieves two registry values related to User Account Control (UAC):


HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemConsentPromptBehaviorAdmin, which controls the consent prompt behavior for administrators.

HKLM:SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemEnableLUA, which indicates whether UAC is enabled.

If either of these values is 0, suggesting that UAC is either disabled or configured to a less secure setting, the script proceeds to download and execute another PowerShell script (b.ps1) from the remote server.

Second Stage – b.ps1

The newly downloaded second-stage PowerShell script includes several functions, some mirroring those from the first stage. The primary function of this script is focused on evaluating the system’s User Account Control (UAC) settings, utilizing the same registry checks employed earlier to determine whether UAC is enabled and if the consent prompt for administrators remains active.

If UAC is disabled or the consent prompt behavior is configured to a less secure state, the function sends a message to the remote server indicating that UAC is off by default: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC off in default!”).

If both settings are enabled, the function enters a loop, repeatedly attempting to disable UAC by setting the “ConsentPromptBehaviorAdmin” value to 0. Once successful, it sends a message to the remote server stating that UAC has been forcefully disabled: (“hxxp://157.173.104[.]153/up/index.php?uid=$uid&msg=UAC force disabled!”). The below image shows the function code responsible for sending a POST request to the remote server, transmitting information about the victim’s User Account Control (UAC) status.

After a brief 300-millisecond sleep, the PowerShell script calls the schReg() function, which downloads three batch files from the remote server into the system’s temporary directory ($env:TEMP). The files are named “k1.bat,” “scheduler-once.bat,” and “k2.bat.” After downloading, the script runs the “scheduler-once.bat” file using the “Start-Process” cmdlet with elevated privileges. The image below shows the code responsible for downloading and executing the batch files.

Third Stage – scheduler-once.bat

The executed batch file copies “k1.bat” and “k2.bat” from the %temp% directory to “C:WindowsSystem32”, renaming them to “sysmon.bat” and “sysmon2.bat”. It then deletes the original “k1.bat” and “k2.bat” files from the temp location. Next, the batch file checks for and removes any scheduled tasks named:


Intel(R) Ethernet Connection 1219-LM

Intel(R) Ethernet2 Connection 1219-LM

Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection 1219-LM” to run “sysmon2.bat”. Finally, the script “scheduler-once.bat” deletes itself to cover its traces from the system. The image below displays the contents of the batch file “scheduler-once.bat”.

Fourth Stage – sysmon2.bat

Once the scheduled task is triggered to execute the “sysmon2.bat” file, it first checks for and removes any existing scheduled tasks named:


Intel(R) Ethernet Connection 1219-LM2

Intel(R) Ethernet2 Connection 1219-LM2

Afterward, it creates a new scheduled task called “Intel(R) Ethernet2 Connection1219-LM2” to run the “sysmon.bat” file located in the “C:WindowsSystem32” folder. Notably, the previous third-stage batch file performs similar checks, but the task names differ slightly. The image below shows the content of the “sysmon2.bat” file.

Fifth Stage – Sysmon.bat

The sysmon.bat script executes a series of actions:


Creates a new user account named “_BootUEFI_”.

Sets the password for this newly added account to “123456!!!” and activates it.

Adds the “_BootUEFI_” account to the Administrators group, granting it administrative privileges.

Adds the “_BootUEFI_” account to the Remote Desktop Users group, allowing it to utilize Remote Desktop.

Removes the “_BootUEFI_” account from the Users group, ensuring it retains only administrative and remote desktop privileges.

Additionally, the batch file makes several registry modifications to enable Remote Desktop and lower its security features. This includes hiding the “_BootUEFI_” user from the login screen and adjusting Terminal Services (Remote Desktop) settings to facilitate easier remote connections without stringent authentication requirements.

The batch file runs a PowerShell command that circumvents execution policy restrictions and adds the System32 directory, which contains the three malicious batch files, to the Windows Defender exclusion list.

Finally, it initiates a background PowerShell process that downloads and executes another PowerShell script from the remote server (hxxp://157.173.104[.]153/up/a.ps1).

Sixth Stage – a.ps1

The newly downloaded PowerShell script “a.ps1” functions similar to the first stage script (bb.ps1). It constructs a URL by appending the previously generated UID to the remote server address, forming a request to “hxxp://157.173.104.153/up/get-command.php?uid=<UID>”.

The script then utilizes a WebClient to send a request and retrieve commands from the server. Upon receiving a response, it checks for the presence of the string “autoreconnect id.” If this string is found, the PowerShell script executes the code in the current session using iex; otherwise, it runs the code as a background task in a separate PowerShell process. Notably, in both stages, we did not receive any specific commands such as “autoreconnect” or “autoreconnect id”. The main difference in this sixth-stage script is that it looks for the string “autoreconnect id” instead of just “autoreconnect”. The below image shows the code for reconnecting to the server.

Seventh Stage – Server response PowerShell Script

Upon establishing a connection with the server, a new PowerShell script is executed. This script contains several functions aimed at system reconnaissance, data exfiltration, and interaction with the remote server.

The script collects detailed system information, including:


Computer name and username.

Retrieves recent files from the directory: C:Users<user profile>AppDataRoamingMicrosoftWindowsRecent.

Acquires network configuration details using “ipconfig /all”.

List of users on the machine (net user).

Obtains current logged-in user details.

Identifies local user groups associated with the current user.

Retrieves excluded directories in Windows Defender.

Lists installed antivirus products.

Captures running processes using “tasklist”.

Gathers overall system information using “systeminfo”.

All this data is saved in a log file located at “C:WindowsTempOneDriveLogOneDrive.log”.

The script then reads the contents of the log file, converts the data into a byte array, and encodes it in Base64 format. This encoded data, along with the unique user ID (uid), is appended to the base URL” hxxp://157.173.104[.]153/up/index.php” and sent via a POST request. After successfully transmitting the data, the log file and its directory are deleted to eliminate any traces of the data collection.

Taking Remote desktop

With all the collected information, User Account Control (UAC) disabled, and a new user account named “BootUEFI” created with administrative privileges, along with lowered authentication requirements for Terminal Services, the TAs can easily gain access to the compromised remote desktop. This access enables them to perform various actions on the victim’s machine, such as:


Installing additional malware

Exfiltrating sensitive data

Monitoring user activity

Modifying system settings

Utilizing the machine for malicious activities

Additionally, we observed an unwanted application—a hacking tool named ChromePass—associated with the same network infrastructure at “hxxp://157.173.104[.]153/up/Tool/ChromePass.exe” This tool is designed to steal saved passwords from Chromium-based browsers.

Conclusion

Over the past year, this group has executed multiple attacks utilizing various lures and targeting different victims, all while remaining largely unnoticed. Their reliance on basic scripts has enabled TAs to gain remote access to compromised systems seamlessly, allowing for extensive exploitation without triggering alarms.

Additionally, the deployment of the ChromePass tool further underscores the group’s intent to harvest sensitive information, such as saved passwords from Chromium-based browsers, thereby posing a significant threat to the security of individuals and organizations alike. This combination of tactics highlights the need for enhanced detection and prevention measures to combat these stealthy cyber threats effectively.

Recommendations


The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.

Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.

Consider disabling the execution of shortcut files (.lnk) from email attachments or implementing policies that require explicit user consent before executing such files.

Consider disabling or limiting the execution of scripting languages, such as PowerShell and cmd.exe, on user workstations and servers if they are not essential for legitimate purposes.

Implement policies that prevent the unauthorized creation of privileged accounts.

Regularly track changes to User Account Control (UAC)- related registry keys, such as “EnableLUA” and “ConsentPromptBehaviorAdmin.” Monitoring these keys helps identify potential attempts to bypass UAC, enhancing system protection against unauthorized changes.

Strengthen the security of Remote Desktop Protocol (RDP) by enforcing strong authentication mechanisms, such as multi-factor authentication (MFA), and by using network-level authentication (NLA). Limiting RDP access to trusted IP addresses and utilizing VPNs can also help mitigate risks.

Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic
Technique
Procedure

Initial Access (TA0001)
Phishing (T1566)
The LNK file may be delivered through phishing or spam emails

Execution (TA0002)
User Execution:  Malicious Link (T1204.001)    Command and Scripting Interpreter: PowerShell (T1059.001)
  Execution begins when a user executes the LNK file     The LNK file executes PowerShell commands

Defense Evasion (TA0005) 
Obfuscated Files or  
Information (T1027)   
Scripts include packed or encrypted data.

Persistence (TA0003)
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Adds LNK file in the startup folder

Privilege  
Escalation 
(TA0004) 
Abuse Elevation Control  Mechanism (T1548)    Account Manipulation (T1098)
Bypass User Account Control      Manipulate accounts to maintain and/or elevate access to victim systems.

Discovery (TA0007)
System Information Discovery (T1082)
Script gathers system information.

Credential Access (TA0006)
Credentials from Password Stores: Credentials from Web Browsers (T1555.003
Retrieves credentials from web browsers 

C&C 
(TA0011) 
Ingress Tool Transfer 
(T1105
Downloads files from webservers via  
HTTP 

C&C 
(TA0011) 
Application Layer Protocol 
(T1071
Malware exe communicate to C&C server. 

Indicators Of Compromise

Indicators
Indicator Type
Description

6605178dbc4d84e789e435915e86a01c5735f34b7d18d626b2d8810456c4bc72
SHA256
Zip File

18e75bababa1176ca1b25f727c0362e4bb31ffc19c17e2cabb6519e6ef9d2fe5 5ff89db10969cba73d1f539b12dad42c60314e580ce43d7b57b46a1f915a6a2b
SHA256
Malicious LNK file

1d82927ab19db7e9f418fe6b83cf61187d19830b9a7f58072eedfd9bdf628dab
SHA256
bb.ps1

a8d577bf773f753dfb6b95a3ef307f8b4d9ae17bf86b95dcbb6b2fb638a629b9
SHA256
b.ps1

999f521ac605427945035a6d0cd0a0847f4a79413a4a7b738309795fd21d3432
SHA256
K1.bat

4b127e7b83148bfbe56bd83e4b95b2a4fdb69e1c9fa4e0c021a3bfb7b02d8a16
SHA256
GooglePass

hxxp://157.173.104[.]153/up/index.php hxxp://157[.]173.104.153/up/b.ps1 hxxp://157.173.104[.]153/up/bb.ps1 hxxp://157.173.104[.]153/up/scheduler-oncex
hxxp://157.173.104[.]153/up/trigger
hxxp://157.173.104[.]153/up/Tool/ChromePass.exe
hxxp://157.173.104[.]153/up/get-command.php
hxxp://157.173.104[.]153/up/bait/202409_Resident_Care_Quality_Improvement_Strategies_for_Nursing_Homes_Enhancing_Patient_Satisfaction_and_Health_Outcomes.pdf
URL
Remote server

References

The post HeptaX: Unauthorized RDP Connections for Cyberespionage Operations appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Unveils Four Groundbreaking Capabilities for Enhanced Threat Intelligence

With rapid digital advancement, organizations face unprecedented challenges in safeguarding their assets and reputation. Recognizing this need, Cyble Inc. has launched four revolutionary capabilities tailored specifically for Cybersecurity for Executives. These innovations significantly advance Executive Protection and digital risk management, ensuring executives are equipped to navigate the complexities of modern threats. From safeguarding executive travels to countering deepfake threats and providing real-time Azure Security Monitoring, these capabilities highlight Cyble’s unwavering commitment to comprehensive security. Here’s a closer look at each innovation and the unique benefits they bring to today’s threat landscape. 

Physical Threat Intelligence for Executive Travel: Ensuring Safety Wherever You Are 

For executives and teams on the move, the need for Executive Threat Intelligence is critical. Real-world risks can emerge unexpectedly, making real-time awareness essential for informed decision-making. Cyble’s Physical Threat Intelligence leverages hyper-local data to monitor potential threats worldwide—from bustling cities like Manila to Milan, and from Bangalore to San Francisco. This capability allows executives to proactively address risks, enabling them to travel confidently and securely.  

At a time where Physical Threat Intelligence for Executive Travel is paramount, Cyble’s approach emphasizes not just reaction but prevention. By providing contextualized threat assessments tailored to specific locations, executives can prepare for various scenarios, ensuring both safety and business continuity. Executives can also be monitored during their travel to different locations across the world and will be updated on any news surrounding the place of travel that may have effect them. This capability is a game changer for organizations committed to protecting their leaders and maintaining operational integrity. 

Deepfake Detection and Automated Takedown: Protecting Integrity and Reputation 

The rise of deepfake technology poses critical risks, including potential CEO fraud and misinformation. Cyble’s new Deepfake Takedown Solution, a feature within its Executive Monitoring service, empowers organizations to quickly detect and remove deepfakes, from manipulated videos to impersonation attempts, ensuring real-time protection of executive identities. 

Designed to act as a strong deterrent against fraudulent activity and misinformation, this solution reinforces the security of high-profile individuals and protects organizational integrity. Cyble’s commitment to proactive measures in combating deepfake threats helps organizations maintain stakeholder trust, mitigating the risks associated with AI-generated content misuse. 

Cyble Threat Lens: A New Era in Sandboxing and Threat Intelligence Updates 

With cyber threats growing in sophistication, organizations must adopt advanced technologies to stay ahead. Cyble’s Threat Lens represents a significant leap forward in malware analysis, enhancing Threat Intelligence Updates with state-of-the-art sandboxing capabilities. This tool enables organizations to perform in-depth analyses of suspicious files, applications, and network activities. 

Designed to support Enhanced Cybersecurity for Executives, Threat Lens accelerates threat detection and reduces response times significantly. By providing organizations with actionable insights, it equips decision-makers with the information necessary to effectively mitigate risks. In a landscape where timely response is critical, Cyble’s Threat Lens serves as a crucial resource for protecting sensitive information and assets. 

Microsoft Azure Exposure Monitor: Real-Time Threat Monitoring for Azure Accounts 

As organizations increasingly adopt cloud infrastructure, the necessity for Real-Time Azure Monitoring becomes critical for identifying potential vulnerabilities. Cyble’s Microsoft Azure Exposure Monitor is a robust tool that tracks exposed Azure assets, including containers and blobs, providing organizations with essential real-time insights. 

With over 28,760 Azure accounts and nearly 4.75 billion Azure blobs analyzed, this tool not only highlights at-risk areas but also empowers organizations to secure critical assets proactively. The capability for Real-Time Threat Monitoring for Azure Accounts ensures that businesses can detect and respond to unauthorized access and data leaks effectively. Coupled with Azure Exposure Protection, Cyble’s solution offers unparalleled transparency in Azure Security Monitoring, helping organizations to maintain compliance and safeguard their digital environments. 

The New Four Horsemen from Cyble 

Cyble’s four groundbreaking capabilities—Physical Threat Intelligence for Executive Travel, Deepfake Detection and Automated Takedown, Cyble Threat Lens, and Microsoft Azure Exposure Monitor—are poised to redefine Enhanced Cybersecurity for Executives. By embracing cutting-edge technologies and a proactive approach to Executive Threat Intelligence, Cyble addresses the security challenges of today head-on. Continuous advancements in Deepfake Prevention and Security, along with comprehensive Azure Exposure Protection, solidify Cyble’s role as a leader in Executive Protection and digital risk management. 

As the cyber threat landscape continues to evolve, organizations must equip themselves with the tools and intelligence necessary to navigate this complex environment. With Cyble’s innovative capabilities, executives can focus on driving their organizations forward, knowing that their security is in capable hands. 

The post Cyble Unveils Four Groundbreaking Capabilities for Enhanced Threat Intelligence appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Warns of Critical Vulnerabilities: CVE-2024-20481 and CVE-2024-37383 Require Immediate Attention

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent advisories regarding two vulnerabilities that pose substantial risks to organizations: CVE-2024-20481, a denial-of-service (DoS) vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and CVE-2024-37383, a cross-site scripting (XSS) vulnerability in RoundCube Webmail. Both vulnerabilities highlight the necessity for immediate action to safeguard against potential exploitation.

The relevant CVE IDs for these vulnerabilities are CVE-2024-37383 and CVE-2024-20481. The first vulnerability, CVE-2024-37383, affects Roundcube Webmail versions prior to 1.5.7 and 1.6.x before 1.6.7, while CVE-2024-20481 impacts Cisco products running a vulnerable release of Cisco ASA or FTD Software with the RAVPN service enabled. 

Even though patches are available for both vulnerabilities, with public exploits noted for CVE-2024-37383. Links to the respective patches for Roundcube Webmail and Cisco ASA or FTD Software are provided for reference.

New Vulnerability details: CVE-2024-37383 and CVE-2024-20481

CVE-2024-20481 retains a critical denial-of-service vulnerability found in Cisco ASA and FTD devices. The flaw allows an unauthenticated attacker to exploit the affected systems through a crafted HTTP request, which can lead to a system crash and a complete service outage.

This vulnerability has been assigned a CVSSv3.1 score of 9.8, categorizing it as critical. The implications of a successful exploit are severe, as it can have wide-ranging consequences, such as disrupting operations and compromising the availability of critical network security devices. Cisco ASA and FTD devices are essential for maintaining secure network infrastructures, making this vulnerability particularly concerning for organizations that rely on these systems for their security posture.

The second vulnerability that was highlighted by CISA is CVE-2024-37383, which is a cross-site scripting (XSS) vulnerability found in RoundCube Webmail. This vulnerability allows attackers and APT groups to inject malicious scripts into web pages viewed by users, potentially leading to data theft, session hijacking, or other malicious activities.

CVE-2024-37383 has been rated with a CVSSv3.1 score of 6.5, indicating a medium severity level. However, the potential consequences of a successful XSS attack can be significant, especially in webmail applications where users may unwittingly expose sensitive information.

Recommendations and Mitigation Strategies

To address the risks posed by CVE-2024-37383 and CVE-2024-20481, organizations are advised to take the following actions:


Organizations should promptly apply updates and patches released for RoundCube to close this vulnerability and prevent potential exploitation.

Implementing strict input validation and sanitization practices can help mitigate the risks associated with XSS vulnerabilities. This involves ensuring that all user input is properly escaped and validated before being rendered on a web page(s).

Educating users about the risks of clicking on suspicious links or opening unexpected emails can reduce the likelihood of falling victim to XSS attacks.

Deploying WAFs can provide an additional layer of security by filtering and monitoring HTTP traffic to and from web applications, blocking malicious requests before they reach the application.

Organizations should apply the latest Cisco patches as soon as possible. This is essential to protect against potential exploitation of the vulnerability.

Implementing better monitoring and logging practices can help detect unusual activities that may indicate an attempted exploitation of the vulnerability.

Proper segmentation of networks can minimize the risk of a successful attack impacting the entire network infrastructure.

Firewalls and access controls should be employed to protect critical assets.

Conclusion

CISA’s advisories regarding CVE-2024-20481 and CVE-2024-37383 highlight the critical nature of addressing cybersecurity vulnerabilities. Organizations that utilize Cisco ASA and FTD devices or RoundCube Webmail must take immediate action to mitigate the risks associated with these vulnerabilities.

Patches must be applied on time to maintain the integrity and availability of online systems. Organizations must prioritize these actions to protect their networks and sensitive information from potential exploitation.

The post CISA Warns of Critical Vulnerabilities: CVE-2024-20481 and CVE-2024-37383 Require Immediate Attention appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Sensors Detect New Attacks on CMS; IoT Exploits Continue

Overview

Cyble’s weekly sensor intelligence report detailed dozens of active attack campaigns against known vulnerabilities.

New to the list are attacks on a vulnerability in the SPIP open-source content management (CMS) and publishing system, while previously reported campaigns targeting vulnerabilities in PHP, Linux systems, Java and Python frameworks, and more have continued unabated.

Older vulnerabilities in IoT devices and embedded systems continue to be exploited at alarming rates. New to the report this week are exploits of vulnerabilities that may still be present in some Siemens products and network devices. As these vulnerabilities likely exist within some critical infrastructure environments, organizations with internet-facing IoT devices and embedded systems are advised to check for risk exposure and apply necessary mitigations.

Here are some of the details of the Oct. 16-22 sensor intelligence report sent to Cyble clients.

SPIP CMS Attacks Detected By Cyble

SPIP before versions 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue reported last month as CVE-2024-8517. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

As the vulnerability was found as part of a hacking challenge, multiple published PoCs (Proofs of Concept) have increased the odds that older versions of SPIP will be exploited. SPIP admins are advised to update as soon as possible.

IoT Device and Embedded Systems Attacks Persist

IoT device attacks detailed in last week’s report declined significantly, as Cyble honeypot sensors detected 31,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66. Last week, Cyble sensors had detected more than 411,000 attacks on the vulnerability attempting to gain administrator privileges.

CVE-2020-11899 is also part of the “Ripple20” series of Treck TCP/IP vulnerabilities that can lead to data theft, changes in device behavior or function, network intrusion, device takeover, and other malicious activities. Cyble sensors have detected nearly 1 million exploit attempts since August on CVE-2020-11899 and two other “Ripple20” vulnerabilities (CVE-2020-11900 and CVE-2020-11910), so owners of vulnerable internet-facing devices should assume compromise.

Also of concern for critical infrastructure are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263.

Cyble sensors typically detect 3,000 to 4,000 attacks a week on these vulnerabilities, and as they can be present in a number of older Siemens SIPROTEC 5, RUGGEDCOM Win, Power Meters and other devices, as well as a number of network devices from major IT companies, any exposure to these vulnerabilities should be considered critical.

Linux, Java, and Other Attacks Persist

Several other recent exploits observed by Cyble remain active:

Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active, and CoinMiner, Mirai, and IRCBot attacks remain active threats against Linux systems.

Previously reported vulnerabilities in PHP (CVE-2024-4577), GeoServer (CVE-2024-36401), and AVTECH IP cameras (CVE-2024-7029) also remain under active attack by threat actors.

The Spring Java framework (CVE-2024-38816) remains a target of threat actors (TAs), and ValvePress WordPress plugins also continue to be targeted.

The Aiohttp client/server framework for asyncio and Python also continues to be exploited.

Phishing Scams Detected by Cyble

Cyble detected thousands of phishing scams this week, including 306 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in six prominent cam campaigns.

E-mail Subject 
Scammers Email ID 
Scam Type 
Description 

Did you authorize anyone to claim your funds.    
Mr.Jecob.Philip@mail.com 
Claim Scam 
Fake refund against claims 

BMW INTERNATIONAL LOTTERY DEPARTMENT                                                          
ronnie_harrison@aliyun.com 
Lottery/Prize Scam 
Fake prize winnings to extort money or information 

My Donation 
test@cinematajrobi.ir 
Donation Scam 
Scammers posing as a Doner to donate money 

COOPERATION!! 
mrabdulm48@gmail.com 
Investment Scam 
Unrealistic investment offers to steal funds or data 

Re: Consignment Box 
info@hashtagamin.net 
Shipping Scam 
Unclaimed shipment trick to demand fees or details 

UN Compensation Fund 
info@usa.com 
Government Organization Scam 
Fake government compensation to collect financial details 

Brute-Force Attacks

Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, here are the top 5 attacker countries and ports targeted:


Attacks originating from the United States targeting ports were aimed at ports 5900 (43%), 3389 (35%), 22 (15%), 23 (4%) and 80 (3%).

Attacks originating from Russia targeting ports attempted to exploit ports 5900 (75%), 1433 (11%), 445 (8%), 1080 (3%) and 3306 (3%).

The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.

Security Analysts are advised to add security system blocks for the attacked ports (such as 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:


Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).

Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.

Constantly check for Attackers’ ASNs and IPs.

Block Brute Force attack IPs and the targeted ports listed.

Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.

For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple systems highlighted, companies need to remain vigilant and responsive. The large number of brute-force attacks and phishing campaigns demonstrates the vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect New Attacks on CMS; IoT Exploits Continue appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Flags Critical Vulnerability (CVE-2024-47575) in Fortinet’s FortiManager 

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its known Exploited Vulnerabilities (KEV) catalog, indicating a pressing need for organizations to address the associated risks. 

The critical vulnerability identified as CVE-2024-47575 has been assigned a CVSS score of 9.8. This vulnerability affects various versions of FortiManager, including FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12, as well as multiple iterations of FortiManager Cloud.  

The vulnerability stems from a missing authentication issue within the critical functions of the FortiManager fgfmd daemon, allowing remote, unauthenticated attackers to execute arbitrary commands or code via specially crafted requests. This flaw poses a significant risk to organizations that rely on this technology. 

Recovery Methods 

Organizations impacted by CVE-2024-47575 are encouraged to undertake specific recovery actions to address the vulnerability effectively. One recommended recovery method is database rebuilding or resynchronization, which helps ensure that the FortiManager configuration remains uncompromised. This can involve installing a fresh FortiManager virtual machine (VM) or reinitializing a hardware model and re-adding devices. Additionally, restoring a backup taken before any indicators of compromise (IoC) detection is advised. 

An alternative recovery action is the Quick Recovery Option, which allows for swift recovery without extensive database changes. However, this method requires manual verification of the current configuration. In this case, organizations should install a new FortiManager VM or reinitialize a hardware model and restore components from a compromised FortiManager. They can also restore from a backup taken from the compromised system. 

To further mitigate the risks associated with this vulnerability, organizations should consider upgrading to fixed versions of FortiManager or implementing certain workarounds. For FortiManager versions 7.0.12 and above, 7.2.5 and above, and 7.4.3 and above (excluding 7.6.0), it is recommended to enable a configuration that denies unknown devices from registering.  

This setting is important as it may prevent FortiGates with serial numbers not listed on the device roster from successfully registering. Additionally, for FortiManager versions 7.2.0 and above, organizations should implement local-in policies to whitelist FortiGate IP addresses that are permitted to connect.  

This involves configuring policies to accept connections on port 541 for the specified source addresses. Finally, organizations should ensure that custom certificates are implemented for versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, thereby guaranteeing that only authorized certificates are utilized within their systems. 

Recommendations and Mitigations 

To effectively combat vulnerabilities like CVE-2024-47575, organizations should: 


Regularly update systems with patches from official vendors and prioritize critical updates. 

Establish an effective patch management strategy to ensure timely application of updates. 

Use network segmentation to protect critical assets and limit exposure to threats. 

Create and maintain a comprehensive incident response plan to address security incidents effectively. 

Utilize monitoring solutions to detect and analyze suspicious activities within the network. 

Conclusion 

The inclusion of vulnerabilities in CISA’s KEV catalog signals that threat actors are actively exploiting these flaws in real-world scenarios. This development highlights the urgency for organizations to respond promptly to mitigate risks associated with CVE-2024-47575 and similar vulnerabilities. Failure to address these vulnerabilities can lead to severe consequences, including data breaches and system compromises. 

The post CISA Flags Critical Vulnerability (CVE-2024-47575) in Fortinet’s FortiManager  appeared first on Cyble.

Blog – Cyble – ​Read More

Weekly Industrial Control System (ICS) Vulnerability Intelligence Report: New Flaws Affecting Siemens, Schneider Electric, and More 

Overview 

Cyble Research & Intelligence Labs (CRIL) has shared new details about weekly industrial control systems (ICS) vulnerabilities. These vulnerabilities were issued by the Cybersecurity and Infrastructure Security Agency (CISA) from October 15 to October 21, 2024. The report outlines critical security concerns affecting various vendors and highlights the urgency for organizations to address these vulnerabilities promptly.  

During the reporting period, CISA released seven security advisories targeting ICS, which collectively identified 13 distinct vulnerabilities across several companies, including Siemens, Schneider Electric, Elvaco, Mitsubishi Electric, HMS Networks, Kieback&Peter, and LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME. Notably, Elvaco disclosed four vulnerabilities, while Kieback&Peter reported three.  

Among the highlighted vulnerabilities, particular attention is drawn to those affecting the Elvaco CMe3100 and Kieback&Peter DDC4000 Series. The Elvaco CMe3100 is a compact and intelligent communication gateway designed to remotely read energy meters. Cyble’s ODIN scanner has identified 1,186 instances of the CMe3100 exposed to the internet, with a large concentration of these devices in Sweden.  

The Kieback&Peter DDC4000 Series comprises digital controllers utilized primarily in building automation systems for HVAC (heating, ventilation, and air conditioning) management. The scanner detected eight instances of these controllers that require urgent attention. 

Vulnerability Overview 

The vulnerabilities reported by Cyble Research & Intelligence Labs (CRIL) provide critical insights for organizations aiming to prioritize their patching efforts.   

CVE-2024-3506: Among the key vulnerabilities identified, CVE-2024-3506 affects Siemens’ Siveillance Video Camera, with all versions prior to V13.2 vulnerable to a medium-severity classic buffer overflow, impacting physical access control systems and CCTV.   

CVE-2023-8531: Schneider Electric’s Data Center Expert, specifically versions 8.1.1.3 and prior, is susceptible to CVE-2023-8531, which involves high-severity improper verification of cryptographic signatures, affecting control systems such as DCS, SCADA, and BMS.  

CVE-2024-49396 and CVE-2024-49398: Elvaco’s CMe3100, version 1.12.1, is highlighted with multiple vulnerabilities, including CVE-2024-49396 for insufficiently protected credentials and CVE-2024-49398 for an unrestricted upload of files with dangerous types; both vulnerabilities are classified as high and critical respectively, posing risks to gateway and remote access systems.   

CVE-2024-41717: Kieback&Peter’s DDC4002 and related versions are affected by CVE-2024-41717, which presents a critical path traversal vulnerability impacting field controllers and IoT devices.   

CISA’s recent advisories reveal a predominance of such high-severity vulnerabilities within the ICS sector, highlighting the need for organizations to remain vigilant and implement effective mitigation strategies in response to these emerging threats. 

Recommendations for Mitigation 

Cyble emphasizes several key recommendations to enhance organizational cybersecurity: 


Organizations should closely track security advisories and alerts issued by vendors and relevant authorities to stay informed about potential vulnerabilities. 


Implement a risk-based vulnerability management strategy to minimize the likelihood of exploitation, while adopting a Zero-Trust security framework. 


Threat intelligence analysts should play a crucial role in the patch management process by continuously monitoring critical vulnerabilities identified in the CISA’s Known Exploited Vulnerabilities (KEV) catalog. 


Develop better patch management strategy that encompasses inventory management, assessment, testing, deployment, and verification of patches. Automation of these processes can enhance efficiency and consistency. 


Effective network segmentation is essential to limit attackers’ ability to move laterally within critical environments. 


Regular audits, vulnerability assessments, and penetration testing exercises are critical for identifying and addressing security gaps. 


Establishing ongoing monitoring and logging capabilities allows for early detection of network anomalies and potential threats. 


Leveraging Software Bill of Materials (SBOM) can improve visibility into the components and libraries in use, along with their associated vulnerabilities. 

Conclusion 

The ISC vulnerability report highlights the pressing need for organizations to address the high-severity vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency.  

With significant risks affecting major vendors like Siemens and Schneider Electric, it is crucial for businesses to adopt proactive measures, including patch management strategies and effective network segmentation.  

By staying vigilant and responsive to these vulnerabilities, organizations can better protect their critical infrastructure and enhance their overall cybersecurity posture. 

The post Weekly Industrial Control System (ICS) Vulnerability Intelligence Report: New Flaws Affecting Siemens, Schneider Electric, and More  appeared first on Cyble.

Blog – Cyble – ​Read More

Security and privacy settings in adidas Running | Kaspersky official blog

As we’ve discussed before, one does not simply install a fitness tracking app and start using it straight away without first configuring the privacy settings both on the phone and in the app itself. With default settings, these apps often share full details of your workouts with the entire internet, including your precise location. And criminals and fraudsters can use this data for their nefarious purposes.

If you care even in the slightest about your privacy, check out our previously published guides for general smartphone settings and other popular fitness apps: Strava, Nike Run Club, and MapMyRun. Today’s post is for all fans of the famous three stripes: we’ll be setting up privacy in the adidas Running app (available for Android and iOS).

Formerly known as Runtastic, this fitness app now belongs to Europe’s largest sportswear manufacturer and is simply called adidas Running. While adidas Running doesn’t offer as granular privacy controls as, say, Strava, it’s still crucial to make sure everything is configured correctly.

To access the privacy settings in adidas Running, tap Profile in the bottom right corner, then the cog icon in the top right, then select Privacy.

Where to find the privacy settings in adidas Running (Runtastic): Profile → Settings → Privacy

The first thing you’ll want to check is the Maps section (who can see your maps) — make sure it’s set to either Followers or, even better, Only me.

Next, do the same for Activity (who can see your activity) — again, select either Followers or Only me. The remaining settings are slightly less critical, but it’s still a good idea to ensure they’re also set to at least Followers or, ideally, Only me.

Recommended privacy settings in adidas Running (Runtastic)

I also recommend toggling off the switches at the bottom of the page next to Follower suggestions and Join running leaderboard. The app won’t be bothering you as much.

Finally, consider disabling excessive notifications from adidas Running. Go back to Settings, select Notifications, and go through the (rather extensive) list of options.

If you decide to stop using adidas Running altogether, remember to delete your profile data. To do this, go to SettingsAccount, tap the big red Delete account button, and follow the prompts.

If you use other fitness apps to track your workouts, you can set their privacy settings using our guides:

Strava
Nike Run Club
MapMyRun
(ASICS Runkeeper – still to come)

You can also learn how to configure privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and shield you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog to stay ahead of scammers with more guides and helpful articles.

Kaspersky official blog – ​Read More

Notifications in Threat Intelligence Lookup 

We are thrilled to announce a significant enhancement to Threat Intelligence Lookup — Notifications. The new functionality allows users to subscribe to real-time notifications for new results related to their specified queries.

Tracking emerging and evolving cyber threats has never been easier.

What Are Lookup Notifications? 

Lookup Notifications enable users to receive timely updates on relevant Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs) that matter to their organizations. 

Use TI notifications to stay updated on your query results

Previously, users needed to perform regular searches to receive new results, risking the chance of missing important updates.

Collect threat intel on the latest malware and phishing campaigns with TI Lookup 



Get 20 free requests


With Lookup Notifications, users can now subscribe to specific queries. When new results appear, a notification will be displayed in the dashboard — new results will be highlighted in green, making it easy to identify fresh information at a glance. 

New results for the queries are highlighted in green

If the number of new results exceeds 1,000, the subscription will pause, alerting you to review the accumulated results before proceeding. This ensures that you stay informed without being overwhelmed by excessive data. 

Key Benefits of Lookup Notifications 

Real-Time Updates 

Regularly receive fresh threat data of your interest. The service monitors results and stores updates automatically, ensuring you never miss critical information. 

Global Insights 

Quickly track changes in IOCs, IOAs, and IOBs extracted from public samples analyzed in ANY.RUN’s Interactive Sandbox by over 500,000 security professionals. Our data is sourced from a diverse community, ranging from freelancers to large corporations, providing comprehensive coverage of potential threats. 

Enhanced Monitoring 

Monitor the frequency of IOCs, IOAs, and IOBs that are of interest to you. If you identify something suspicious in your SIEM, you can verify it against TI Lookup’s database. 

Proactive Defense 

Strengthen your organization’s security by enhancing your detection rules, enriching your data with relevant indicators, and staying informed about changing threats. This proactive approach enables better threat management and response strategies. 

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup



How to Use Lookup Notifications 

Lookup Notifications are available for all paid users. Subscribing to notifications is straightforward: you can easily add or remove specific queries from your notifications by clicking the bell to the right of the search box. 

Save the query by pressing the bell button

You can also unsubscribe from the query, pin, delete or mark it as viewed by clicking three dots near subscription in your TI dashboard. 

Press the three dots, and you will see all available options for the query

Each update subscription uses only a single request from your total quota. All additional updates collected under this subscription do not consume extra search requests, allowing for efficient use of your resources. 

Wrapping Up 

With the introduction of Lookup Notifications, ANY.RUN‘s TI Lookup becomes a powerful tool not just for operational investigations but also for strategic planning. By enabling real-time alerts and streamlined monitoring, we are committed to helping your organization strengthen resilience against evolving risks.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance 

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need

Request free trial → 

The post Notifications in Threat Intelligence Lookup  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Talos IR trends Q3 2024: Identity-based operations loom large

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users’ identities.  

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account–making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network. 

Threats against identity 

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts.  

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user’s credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations. 

Ransomware 

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit. 

A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. 

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

Looking forward: While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor. 

Targeting 

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January – March), where the education and manufacturing companies were the most targeted. 

Initial access 

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a slight increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access. 

Looking forward: Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices. 

Security weaknesses 

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs. 

Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions. 

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking “uncategorized” websites in Cisco Umbrella’s “Web Content Categories” will help proactively mitigate suspicious or malicious activity. 

Top-observed MITRE ATT&CK techniques 

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK appendix include:  

In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials. Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy. In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely. 

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Cisco Talos Blog – ​Read More