Fortinet also provided an extensive analysis of the Rhysida Ransomware Group. The Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). The group has listed around 50 victims so far in 2023. In a 17-page report, Fortinet described Rhysida's TTPs, threat hunting queries, IOC and MITRE ATT&CK mapping. Link:https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware
Denmark's CERT (SektorCERT) reported that 22 companies that operate parts of Danish energy infrastructure were compromised in a May 2023 coordinated attack, linked to SANDWORM actors. Sandworm is a state-sponsored APT publicly attributed by the U.S. government to the Russian General Staff Main Intelligence Directorate's (GRU's) Main Centre for Special Technologies (GTsST). The attackers leveraged a Zyxel vulnerability, CVE-2023-28771 (9.8 critical), to gain control of the firewall. SektorCERT's incident response report includes a detailed analysis and timeline of the attack, recommendations and IOC. Link:https://media.licdn.com/dms/document/media/D4D1FAQG-Qsry8BH9dg/feedshare-document-pdf-analyzed/0/1699785104486?e=1700697600&v=beta&t=icNMQ-rDYgeSojoaax-1KpC7YrCF7MVtkrDClSFiKIY
@avoidthehack@AAKL Yep, I tooted about it yesterday morning while the news was fresh. There's a Microsoft Threat Intelligence tweet. The official SysAid security advisory describes post-compromise activity and includes PowerShell commands and Indicators of Compromise. The Huntress article contains technical analysis and additional IOC.
CISA and federal agencies are aware of the exploited Zero-Day, and are likely to add at least 2-3 to the Known Exploited Vulnerabilities Catalog soon.
Kaspersky reports on Ducktail, an infostealer that has been active since the second half of 2021 and targets Facebook business account credentials. Most victims were from India. They describe the infection chain and the method used to bypass two-factor authentication (2FA). MITRE ATT&CK TTPs and IOC listed. Link:https://securelist.com/ducktail-fashion-week/111017/
SecurityWeek: The Atlassian Confluence improper authorization vulnerability CVE-2023-22518 (9.1 critical severity, disclosed 31 October 2023 by Atlassian, significant data loss) is reported under active exploitation. CVE-2023-22518 has a now-public Proof of Concept, as well as technical details (released by ProjectDiscovery). See GreyNoise observations of CVE-2023-22518 exploitation. Link:https://www.securityweek.com/exploitation-of-critical-confluence-vulnerability-begins/
Rapid7 is observing exploitation of Atlassian Confluence in multiple customer environments, with some of the exploits targeting CVE-2023-22518 and even CVE-2023-22515, potentially leading to ransomware deployment. Edit: Post-exploitation behavior and IOC included.
Uptycs: The GhostSec hacktivist group offers Ransomware-as-a-Service (RaaS) framework GhostLocker (advertised through Telegram). GhostSec is currently focusing its attacks on Israel, which Uptycs says is a departure from their past activities and stated agenda. IOC provided. Link:https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec
CISA added CVE-2023-46604 (CVSS: 10.0 critical severity, disclosed 26 October 2023 by Apache) to the Known Exploited Vulnerabilities (KEV) Catalog. This is after the Netherlands NCSC and Rapid7 reported exploitation in the wild yesterday 01 November 2023. Rapid7 attributed the exploitation to 'HelloKitty' (hellokittycat?) ransomware actors. Link:https://www.cisa.gov/news-events/alerts/2023/11/02/cisa-adds-one-known-exploited-vulnerability-catalog
Unit 42 reported on the Kazuar .NET backdoor used by Turla (attributed to Russia's Federal Security Service (FSB)) as a second stage payload. Unit 42 provides a technical analysis of Kazuar, including metadata, configuration, infrastructure and C2 communication. Also noteworthy are its anti-analysis features, system profiling capabilities, and specific targeting of cloud apps. IOC provided. Link:https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/
Unit 42 discovered a threat actor’s operation that scanned for exposed AWS identity and access management (IAM) credentials within public GitHub repositories. They found that the threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository. The operation has been in action since at least 2020. IOC provided. Link:https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
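Given the five-minute window Unit 42 describes, the practical defense is to catch the key before the push lands, not after. Below is an added example (my own, not Unit 42's tooling and not from the linked report) of a pre-commit/CI style scanner: it flags AWS access key IDs by their AKIA/ASIA prefix format and flags 40-character secret keys only when an AWS-ish keyword appears on the same line, to keep false positives down. The sample input is constructed; the key values in it are the placeholder credentials AWS publishes in its own documentation, so nothing real is embedded.

```python
"""Scan text for AWS IAM credentials before it reaches a public repository.

Added example, not Unit 42's code. Assumptions: access key IDs follow the
documented AKIA/ASIA + 16-character format, and a secret key is only worth
reporting when an AWS-related keyword sits on the same line.
"""
import re
import sys
from typing import Dict, List

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 chars,
# with lookarounds so we don't match inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A bare 40-char base64-ish string matches far too much (hashes, tokens),
# so require an AWS-style keyword within 20 chars before it on the line.
SECRET_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|aws_?secret|secret_?key)[^\n]{0,20}?"
    r"['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep only a 4-char prefix so the finding itself does not leak the key."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, path: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key",
                             "value": redact(m.group(2))})
    return findings


def has_leaks(text: str, path: str = "<stdin>") -> bool:
    """Hook-friendly boolean: True means block the commit/push."""
    return bool(scan_text(text, path))


# Constructed sample: an ~/.aws/credentials-style file plus a shell export.
# The key values are AWS's published documentation placeholders, not live keys.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# mentions the ASIA prefix but is not a key: ASIA123
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""


if __name__ == "__main__":
    # Usage: python scan.py < file   (or wire it as a pre-commit hook)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    results = scan_text(data, "credentials")
    for r in results:
        print(f"{r['path']}:{r['line']}: {r['kind']} {r['value']}")
    sys.exit(1 if results else 0)
```

Run against the constructed sample, it reports the access key ID on line 2 and the secret key on lines 3 and 5, and exits non-zero so a hook would refuse the commit. The keyword guard on the secret pattern is the deliberate trade-off: it will miss a secret pasted with no label, but it avoids flagging every 40-character hash in a repo.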
Zscaler provides a threat actor profile on AvosLocker Ransomware-as-a-Service (RaaS) group (IOC included):
AvosLocker was a Ransomware-as-a-Service double extortion group.
No new activity has been observed since May 2023. AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid.
AvosLocker heavily targeted the education sector – accounting for 25% of their attacks.
Zscaler revisits the Mystic Stealer. Mystic Stealer is an information stealer and downloader that was first advertised in April 2023, which targets nearly 40 web browsers and more than 70 browser extensions. Mystic Stealer has been regularly updated with improvements to its code obfuscation, configuration, and methods of communication. Its C2 communications have been updated from a custom encrypted binary protocol to HTTP. Mystic Stealer has been used by numerous threat groups that leverage it to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner. Check out the IOC and Appendix. Link:https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
@regines_radsalon And what about '72 in Munich, when Israeli athletes were murdered by Palestinian terrorists in Munich? I think #IOC and #DOSB don't mean anything anymore, except wanting our money. 😡
Cyble: new Enchant Android malware steals sensitive information from cryptocurrency wallet apps, particularly focused on Chinese users. The malware is distributed through adult websites. With the information stolen (wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys) the threat actors gain unauthorized access to victims’ wallets and can carry out fraudulent transactions. IOC and details locked behind an email subscriber-wall. Link:https://cyble.com/blog/new-enchant-android-malware-targeting-chinese-cryptocurrency-users/
A number of Russian judo athletes with military ties are seeking to compete at the European #Judo Championships in France next month as “neutral” athletes, despite International Olympic Committee (#IOC) guidance that active military members should not participate in international sports events.
Trellix: Threat actors, including APTs, are abusing the Discord application for payload delivery, information stealing and data exfiltration. Trellix identified several malware families leveraging Discord's capabilities to conduct their operations, uncovering when they started abusing them. IOC provided. Link:https://www.trellix.com/en-us/about/newsroom/stories/research/discord-i-want-to-play-a-game.html
Unit 42 reported on a new campaign from the XorDDoS Trojan. While the attacking domains remain unchanged, the attackers have migrated their offensive infrastructure to hosts running on legitimate public hosting services. Unit 42 provides an analysis of XorDDoS Trojan's attacking behaviors, the botnet's network infrastructure, and advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. Link:https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/
Cluster25: with low-medium confidence, attributes CVE-2023-38831 exploitation to Russian state-sponsored APT28 (Fancy Bear), as part of a phishing campaign designed to harvest credentials from compromised systems. CVE-2023-38831 is a 7.8 high severity vulnerability in WinRAR that was exploited as a Zero-Day by cybercriminals, and disclosed by Group-IB on 23 August 2023. Link:https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack
CISA, FBI, and MS-ISAC Release Joint Advisory on Atlassian Confluence Vulnerability CVE-2023-22515: Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Includes IOC. Link:https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a