simontsui, to random

Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):

  • Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
  • Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
  • Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.

🔗 https://blog.checkpoint.com/security/maldocs-in-word-and-excel-a-persistent-cybersecurity-challenge/

#maldoc #cyberthreatintelligence #CVE #malware #APT #cybercrime #cyberespionage

simontsui, to random

Recorded Future has an 18-page report on ransomware exploitation of vulnerabilities for the past six years (2017). Here are the key findings:

  • Ransomware groups alone in exploiting three or more vulnerabilities exhibit a clear targeting focus, which defenders can use to prioritize security measures. For example, CL0P has uniquely and infamously focused on file transfer software from Accellion, SolarWinds, and MOVEit. Other ransomware groups with high levels of unique exploitation exhibit similar patterns.
  • All of the vulnerabilities ransomware groups have targeted most widely are in software frequently used by major enterprises and can be easily exploited via penetration testing modules or single lines of curl code. These vulnerabilities are ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), ZeroLogon (CVE-2020-1472), Log4Shell (CVE-2021-44228), CVE-2021-34527, and CVE-2019-19781.
  • Vulnerabilities requiring unique or custom vectors to exploit (for example, malicious files using particular forms of compression) are more likely to be exploited by only one or two groups.
  • Ransomware operators and affiliates are highly unlikely to discuss specific vulnerabilities, but the cybercriminal ecosystem that supports them has discussed publicly known vulnerabilities and products as targets of interest for exploitation.

🔗 https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023

#recordedfuture #ransomware #cybercrime #threatintel #cyberthreatintelligence #vulnerabilities

simontsui, to Futurology

Censys assesses that Russian company Raccoon Security is a brand of NTC Vulkan, an IT company contracted by Russian intelligence to create offensive cyber tools. NTC Vulkan documents were leaked, and they detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team, according to Mandiant. Censys assesses with high confidence that the NTC Vulkan hosts, certificates, and domains identified in this report belong to the same NTC Vulkan, and that Raccoon Security and its related domains, hosts, and certificates belong to the Moscow-based cybersecurity development brand of the same name.
Links: https://censys.com/discovery-of-ntc-vulkan-infrastructure/ and see semi-related Mandiant article.

#NTCVulkan #RaccoonSecurity #leak #intelligence #cyberthreatintelligence #cyberespionage #threatintel #Russia #UkraineRussiaWar #Sandworm

simontsui, to China

Recorded Future: Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. Their cyber operations focus on targets that align with China's military, political, economic, and domestic security priorities. No IOCs.
Link: https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power

simontsui, to Russia

Unit 42 reported on the Kazuar .NET backdoor used by Turla (attributed to Russia's Federal Security Service (FSB)) as a second stage payload. Unit 42 provides a technical analysis of Kazuar, including metadata, configuration, infrastructure and C2 communication. Also noteworthy are its anti-analysis features, system profiling capabilities, and specific targeting of cloud apps. IOC provided.
Link: https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/

simontsui, to random

Microsoft provides a threat actor profile on the financially motivated threat actor Octo Tempest (aka 0ktapus, Scattered Spider, and UNC3944). They perform data theft, extortion, and ransomware. TTPs enumerated but no IOC provided.
Link: https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/

#OctoTempest #0ktapus #ScatteredSpider #UNC3944 #cyberthreatintelligence #cybercrime

simontsui, to cisco

Cisco Zero-Day Threat Actor Update:

Fox-IT observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding. "This explains the much discussed plummet of identified compromised systems in recent days. Using a different fingerprinting method, Fox-IT identifies 37890 Cisco devices that remain compromised."
Link: https://www.linkedin.com/posts/fox-it_2_important-we-have-observed-that-the-implant-activity-7122238350849150976-Qy1-/

simontsui, to apple

Kaspersky elaborates on Operation Triangulation, in which domestic subscribers, diplomatic missions, and embassies were targeted with Apple iOS zero-days (Russia’s FSB accused the USA of Operation Triangulation). The threat actors introduced two validators in the infection chain in order to ensure that the exploits and the implant do not get delivered to security researchers. Additionally, microphone recording could be tuned in such a way that it stopped when the screen was being used. They used private undocumented APIs in the course of the attack, indicating a great understanding of iOS internals. They additionally implemented in some modules support for iOS versions prior to 8.0, suggesting access for years.
Link: https://securelist.com/triangulation-validators-modules/110847/

axi0kers0s, to random

I am working on my dissertation project and decided to create a Debian-based system called Koios for CTI and above all OSINT.

Despite the ambitious mission, I am asking the intel community a big question ... What tools would you like to see? Bear in mind that at least three tools must be mine ...

I have some ideas, but I am looking for some inputs.

simontsui, to Discord

Trellix: Threat actors, including APTs, are abusing the Discord application for payload delivery, information stealing and data exfiltration. Trellix identified several malware families leveraging Discord's capabilities to conduct their operations, uncovering when they started abusing them. IOC provided.
Link: https://www.trellix.com/en-us/about/newsroom/stories/research/discord-i-want-to-play-a-game.html

simontsui, to random

Unit 42 reported on a new campaign from the XorDDoS Trojan. While the attacking domains remain unchanged, the attackers have migrated their offensive infrastructure to hosts running on legitimate public hosting services. Unit 42 provides an analysis of XorDDoS Trojan's attacking behaviors, the botnet's network infrastructure, and advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses.
Link: https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/

simontsui, to random

Cluster25: with low-medium confidence, CVE-2023-38831 exploitation is attributed to Russian state-sponsored APT28 (Fancy Bear) as part of a phishing campaign designed to harvest credentials from compromised systems. CVE-2023-38831 is a 7.8 high-severity vulnerability in WinRAR that was exploited as a zero-day by cybercriminals, and disclosed by Group-IB on 23 August 2023.
Link: https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

simontsui, to random

CISA, FBI, and MS-ISAC Release Joint Advisory on Atlassian Confluence Vulnerability CVE-2023-22515: Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Includes IOC.
Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a

simontsui, to linux

Kaspersky reports that Free Download Manager was backdoored, targeting Linux users. IOCs provided.
Link: https://securelist.com/backdoored-free-download-manager-linux-malware/110465/

percepticon, to random

WTF is Cyber Threat Intelligence? Is it just marketing, or is there more to it? I talk about this in the new podcast episode with the fabulous colleagues, the Armchair Investigators #CyberThreatIntelligence #ThreatIntelligence #ThreatIntel https://percepticon.de/landing-page-2/