Picus Labs Threat Newsletter - August

Welcome to Picus Labs Monthly newsletter, your trusted destination for a comprehensive blend of the most recent threat intelligence, cutting-edge security research, and thorough analysis, all in one convenient location.

Cybersecurity Trends

Are you a security professional using Splunk?

Our comprehensive whitepaper, "Optimizing Threat Detection in Splunk: Strategies to Improve Performance and Effectiveness," equips you with practical strategies to maximize your Splunk deployment.

You will also gain actionable insights on overcoming common challenges security professionals often face when implementing and managing detection rules within Splunk, including:

  • Effective log management and optimization for reliable data flow
  • Addressing alert fatigue and managing false positives
  • Strategies to optimize performance while dealing with resource-intensive rules
  • Navigating the evolving threat landscape with threat intelligence

More Info: GET YOUR WHITEPAPER

Cybersecurity 101

At Picus Security, we're excited to launch our "Cybersecurity 101" blog series. In these posts, we'll demystify commonly used but often misunderstood cybersecurity terminology, including but not limited to the MITRE ATT&CK Framework, Cyber Threat Intelligence (CTI), Attack Surface Management, and more.

Our aim is to provide comprehensive insights to simplify cybersecurity, empowering newcomers to hit the ground running in this ever-evolving field.

This month, we delve into the world of APTs in our blog post, "What Is Advanced Persistent Threat (APT)?".

These sophisticated adversaries, often state-sponsored, may not always exhibit technical superiority, but their power lies in their stealthy, persistent presence within target systems or networks. We'll delve into notorious examples such as APT28 (Fancy Bear) and APT38 (Lazarus) with real-life cases. Our discussion will extend to the role of state-sponsored APTs, illuminating their diverse objectives, which range from cyber espionage and financial gain to hacktivism and destruction.

Click here to learn how the Picus Threat Library provides ready-to-run attack templates to simulate the attack campaigns of Advanced Persistent Threat (APT) groups!

Resources

While macOS is widely regarded for its user-friendly nature, it's important to acknowledge that no operating system is immune to security threats. From malware and phishing attacks to data breaches and unauthorized access, macOS users must be vigilant and proactive in safeguarding their systems and personal information.

Check out this blog to take a closer look at the world of macOS security and the layers of protection offered by Apple.

Threats in Focus

On July 28th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a security alert on a critical remote command injection vulnerability found in Barracuda Email Security Gateway (ESG). CVE-2023-2868 is a zero-day vulnerability with a CVSS score of 9.8 (Critical) and has been exploited by the Chinese cyber threat group UNC4841 since October 2022.

Click here to see how the Barracuda CVE-2023-2868 exploit works and the malware used by UNC4841!

On June 20th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory on an actively exploited critical vulnerability discovered in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway products. The advisory covered three vulnerabilities: CVE-2023-3466 (a reflected XSS vulnerability), CVE-2023-3467 (allowing privilege escalation to the root administrator level), and the most severe, CVE-2023-3519 (CVSS 9.8), an unauthenticated remote code execution (RCE) vulnerability affecting millions of users across the globe. This vulnerability has been leveraged by many threat actors to implant web shells on vulnerable systems.

Click here to see the detailed tactics, techniques, and procedures (TTPs) used by adversaries to exploit the latest Citrix vulnerabilities!

Threat actors keep a watchful eye on the cyber threat landscape, always seeking to exploit vulnerabilities for their own gain. Microsoft recently flagged a sophisticated phishing campaign carried out by a threat actor known as Storm-0978. This meticulously crafted attack, specifically devised to target defense and government organizations in Europe and North America, leverages a potent remote code execution vulnerability, CVE-2023-36884, to breach defenses. The vulnerability was exploited via Word documents baited with topics related to the Ukrainian World Congress, before its disclosure to Microsoft.

Check out our blog to see the recommendations to prevent exploitation attacks for Microsoft's recent vulnerability, CVE-2023-36884!

On July 11, 2023, Microsoft Threat Intelligence detected the activities of Storm-0558, a China-based threat actor that targeted the email systems of around 25 organizations. Operating apart from other Chinese groups, they focused on US, European, and Taiwan-related interests across multiple sectors. Using an acquired encryption key for OpenID v2.0 tokens, Storm-0558 was able to forge access tokens and impersonate users to gain unauthorized access to Azure Active Directory applications. This sophisticated attack, exploiting a security issue in the token verification process of Microsoft's OpenID implementation, underscores the group's high technical skill and deep understanding of complex authentication protocols. Since detection in May 2023, Microsoft has mitigated the threat and strengthened the affected systems.

On July 28, 2023, CISA published malware analysis reports concerning the exploitation of a vulnerability in the Barracuda Email Security Gateway. The reports detail two backdoors planted by threat actors: SEASPY and SUBMARINE. The SUBMARINE backdoor exemplifies a sophisticated type of cyber-espionage attack that relies on the inherent capabilities of the Linux system, reflecting the attacker's deep understanding of the system's architecture. The operation abuses Linux shared object preloading, analogous to DLL side-loading in Windows, which alters the library loading sequence so that malicious libraries are loaded before legitimate ones, making detection more difficult. The attack primarily manipulates the Batched Simple Mail Transfer Protocol (BSMTP) daemon, a component of the Linux system's email infrastructure, disguising the malicious activity as normal system behavior.
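Because shared object preloading works through only two well-known inputs to the dynamic loader, it is also straightforward to hunt for. The following Python script is an added example for defenders (not code from the Picus or CISA reports): it parses /etc/ld.so.preload and the LD_PRELOAD variable from process environments and flags any library not on a hypothetical allowlist; the sample inputs are constructed.

```python
"""Hunt for Linux shared object preloading (the persistence mechanism used by SUBMARINE).

The dynamic loader pulls libraries in ahead of the legitimate ones from two places:
  * /etc/ld.so.preload   system-wide, whitespace- or colon-separated paths, '#' comments
  * LD_PRELOAD           per-process environment variable
Both are legitimate but rare on servers, so unknown entries deserve a closer look.
"""
import os
from typing import Dict, List

# Hypothetical allowlist; a real deployment fills this from its own baseline.
ALLOWED_PRELOADS = {"/usr/lib/libjemalloc.so.2"}

# Constructed sample inputs: one allowed and one unknown library in ld.so.preload,
# plus a daemon (pid 4242) whose environment carries LD_PRELOAD.
SAMPLE_PRELOAD = "/usr/lib/libjemalloc.so.2\n# added by ops\n/tmp/libunknown.so\n"
SAMPLE_ENVIRONS = {4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libunknown.so\0"}

def parse_ld_so_preload(text: str) -> List[str]:
    """Return library paths listed in ld.so.preload, skipping blanks and '#' comments."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        entries.extend(line.replace(":", " ").split())
    return entries

def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def suspicious_preloads(preload_text: str, environs: Dict[int, bytes]) -> List[str]:
    """Return one finding per preloaded library that is not on the allowlist."""
    findings = [f"/etc/ld.so.preload: {lib}" for lib in parse_ld_so_preload(preload_text)
                if lib not in ALLOWED_PRELOADS]
    for pid, blob in environs.items():
        for lib in parse_environ(blob).get("LD_PRELOAD", "").replace(":", " ").split():
            if lib not in ALLOWED_PRELOADS:
                findings.append(f"pid {pid} LD_PRELOAD: {lib}")
    return findings

def scan_live_host() -> List[str]:
    """Collect the real inputs from this host (needs read access to /proc/*/environ)."""
    text = open("/etc/ld.so.preload").read() if os.path.exists("/etc/ld.so.preload") else ""
    environs: Dict[int, bytes] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[int(pid)] = fh.read()
        except OSError:
            continue  # process exited or belongs to another user
    return suspicious_preloads(text, environs)

if __name__ == "__main__":
    for finding in suspicious_preloads(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

Run it as root with `scan_live_host()` to check a real system; a hit is not proof of compromise, but every flagged path should be accounted for by a known package or baseline.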

Notorious Threats of the Month

Threat Group

In July 2023, the Cl0p Ransomware Gang, known as TA505, was exceptionally active, targeting a range of sectors with a significant uptick in cyberattacks. The group exploited the SQL injection vulnerability CVE-2023-34362 in MOVEit Transfer software, leading to the installation of a web shell named LEMURLOOT. This allowed the group to steal data and persist within the compromised system, marking their transition from encryption-based attacks to a focus on data exfiltration. Notably, the group's malware toolkit includes FlawedAmmyy/FlawedGrace RAT, SDBot RAT, Truebot, Cobalt Strike, DEWMODE, and LEMURLOOT, demonstrating their ability to operate as a Ransomware as a Service (RaaS), an initial access broker, and a large botnet operator.

Malware

In July 2023, cyber threat groups TA544 and TA551 launched high-profile attack campaigns targeting Italian organizations, deploying the advanced WikiLoader malware. This multifaceted malware manipulates compromised hosts to retrieve obfuscated shellcodes via PHP, presenting a challenging front for security measures with its advanced evasion capabilities. Intricate obfuscation techniques including busy loops, string encoding, and indirect syscalls help maintain its stealth, making detection difficult. Notably, the malware introduced a new stealth tactic of employing the MQTT protocol to fetch the notorious Ursnif banking Trojan as the second-stage payload, thereby bypassing the need for direct communication with compromised hosts. WikiLoader further complicated its operation by writing the shellcode stages byte-by-byte through the NtWriteVirtualMemory API instead of performing a single pass. This subtle mechanism allowed the Ursnif Trojan to be stealthily injected and executed, potentially compromising sensitive data.

For more information, visit our Threat Library on the Picus Platform.

Simulate cyberattacks with the Picus Platform to test your defenses against the latest threats within minutes.