Trellix Advanced Research Center: Digest #2
The Bug Report – August 2023 Edition
Welcome back to The Bug Report, the hotter-than-hell Texas edition! For those still unfamiliar with our monthly escapades, every month our trusty Advanced Research Center vulnerability research team filters through a month’s worth of bugs to ensure you are aware of the most critical. This month, we do so in 105°F (~41°C) heat to ensure we actually do put our sweat and tears into it. So, sit back, grab an ice-cold drink, and enjoy.
Qakbot, also known as QBot, QuakBot and Pinkslipbot, is a long-lived and sophisticated malware family that has been active since 2007. It has infected more than 700,000 victim computers, served as a loader for ransomware deployments, and caused financial losses worldwide. On August 29, a globally coordinated operation named 'Duck Hunt', led by the Justice Department and the FBI, dismantled Qakbot's infrastructure. You can find more information on the takedown at the following link – Story Link
This research covers a marked rise, observed by Trellix Advanced Research Center since April 2023, in QBot campaigns that use JavaScript (.js) files as the initial infection vector.
At the beginning of 2023, top researchers from industry-leading companies established the Supply Chain Attack Research (SCAR) group. To stay one step ahead of this constant race against malicious actors, the group agreed there was a need to foster collaboration among experts, define efficient standards, develop tools to benefit the global community, and promote joint research and information sharing.
Karine Ben-Simhon, VP of Customer Advocacy at Trellix Advanced Research Center is one of the founders of the SCAR forum. While working at Citi’s Cyber Security Innovation Lab, she launched the SCAR forum with a strong emphasis on its cross-industry nature.
The 2023 Gartner Market Guide for XDR is a valuable resource for security leaders looking to learn more about XDR or find a vendor for their organization. From operationalizing threat intelligence to greater detection efficacy and enhanced response coordination, our XDR platform solves all 4 use cases outlined in the guide. See for yourself.
Emotet first appeared in 2014 and remains a dangerous and resilient malware family despite the law enforcement takedown led by Europol in early 2021. Since that takedown Emotet has repeatedly returned, and this year it is back with its epoch 4 and epoch 5 botnets, which deliver it through macros in Microsoft Word documents and embedded scripts in Microsoft OneNote notebooks, respectively.
Since their return last year, Trellix has continued to monitor Emotet to identify new infection vectors and changes in their activities and methodology. In this blog, we will highlight its Global Prevalence, Infection Vectors, new TTPs and discuss detection opportunities to help keep organizations safe from this malware. We will also cover how Trellix Products offer protection against these TTPs.
In a ransomware world where traditional security software and classic endpoint protection are no longer enough, we want to help businesses and organizations understand how ransomware attacks are executed, and how they can be identified and prevented. The best way to detect and block a ransomware attack is to understand the attacker's behavior and have security controls in place that set the organization up for success. In this blog we have distilled the most common ransomware TTPs and LOLBin (living-off-the-land binary) usage we have come across in the last year. Essentially, we are lifting the veil on how ransomware criminals try to reach their goal, giving organizations a clearer picture of these attacks and ways to spot and stop them before it is too late.
Addressing this growing threat requires a multi-layered, defense-in-depth approach that combines threat intelligence, email protection, MFA, EDR and XDR to stay one step ahead of the ever-evolving ransomware landscape.
On July 11, 2023, Microsoft released patches fixing multiple actively exploited RCE vulnerabilities and disclosed a phishing campaign by the threat actor tracked as Storm-0978, which targeted entities in Europe and North America. The campaign used a zero-day vulnerability tracked as CVE-2023-36884, a remote code execution vulnerability reached through Windows Search (*.search-ms) files and exploited via crafted Office Open XML (OOXML) documents carrying geopolitical lures related to the Ukrainian World Congress (UWC). Microsoft initially published only a workaround to mitigate this vulnerability; on August 8, 2023, it released the Microsoft Office Defense in Depth update, which breaks the exploitation chain that led to RCE through Windows Search files.
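Both the Emotet and Storm-0978 items above come down to a malicious Office document, so a first triage step is to look inside the OOXML package itself. The following is an added example, not Trellix code and not the detection logic of either campaign: it opens a .docx as the zip it is, flags a VBA project (the Word macro vector), and reports relationship targets or raw part content that use the search-ms: scheme named above. The file: scheme, the sample documents, the part names and the search-ms URI in them are all constructed for the example; Office exception rules (external hyperlinks are routine, for instance) are the analyst's call.

```python
"""Triage scanner for Office Open XML (OOXML) packages (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# search-ms: is the scheme from the CVE-2023-36884 chain; file: is an added assumption.
RISKY_SCHEMES = ("search-ms:", "file:")
# Lookbehind keeps "profile:" from matching "file:".
RISKY_URI = re.compile(rb"(?<![a-z-])(search-ms|file):", re.IGNORECASE)


def _relationships(xml_bytes):
    """Yield (target, is_external) for every Relationship in a .rels part."""
    root = ET.fromstring(xml_bytes)
    for rel in root.iter(RELS_NS + "Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        yield target, external


def scan_ooxml(data):
    """Return triage findings for one OOXML document supplied as bytes."""
    findings = {"macros": False, "external_targets": [],
                "risky_targets": [], "raw_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):   # VBA project present = macros
                findings["macros"] = True
            parsed = False
            if lower.endswith(".rels"):
                try:
                    for target, external in _relationships(content):
                        if external:
                            findings["external_targets"].append(target)
                        if target.lower().startswith(RISKY_SCHEMES):
                            findings["risky_targets"].append(target)
                    parsed = True
                except ET.ParseError:
                    pass
            if not parsed:
                # Fallback for non-XML parts (embedded RTF/HTML/OLE blobs) where a
                # URI never appears as a Relationship element.
                for m in RISKY_URI.finditer(content):
                    findings["raw_hits"].append((name, m.group(1).decode().lower()))
    # External hyperlinks are routine; the scheme and the macro project decide the verdict.
    findings["suspicious"] = bool(findings["macros"] or findings["risky_targets"]
                                  or findings["raw_hits"])
    return findings


def build_sample(parts):
    """Construct a minimal OOXML zip from {part_name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def rels_part(*relationships):
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + "".join(relationships) + "</Relationships>").encode()


# Constructed sample parts; real documents carry many more.
BASE_PARTS = {
    "[Content_Types].xml": b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "word/document.xml": b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
    "word/styles.xml": b"<w:styles/>",
}
STYLES_REL = '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
HYPERLINK_REL = '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
SAMPLE_URI = "search-ms:query=example&crumb=location:%5C%5Cexample.invalid%5Cshare"  # constructed
OLE_REL = ('<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
           'Target="%s" TargetMode="External"/>' % SAMPLE_URI.replace("&", "&amp;"))

BENIGN = build_sample({**BASE_PARTS, "word/_rels/document.xml.rels": rels_part(STYLES_REL, HYPERLINK_REL)})
MACRO = build_sample({**BASE_PARTS, "word/_rels/document.xml.rels": rels_part(STYLES_REL),
                      "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 placeholder"})
EXTERNAL = build_sample({**BASE_PARTS, "word/_rels/document.xml.rels": rels_part(STYLES_REL, OLE_REL)})
EMBEDDED = build_sample({**BASE_PARTS, "word/_rels/document.xml.rels": rels_part(STYLES_REL),
                         "word/embeddings/chunk.bin": b"{\\rtf1 file://example.invalid/share/payload }"})

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("macro", MACRO), ("search-ms", EXTERNAL), ("embedded", EMBEDDED)]:
        print(label, scan_ooxml(doc))
```

The structural pass over the .rels parts is what catches the search-ms target reliably, because the URI is stored as an attribute and survives whatever encoding the surrounding XML uses; the raw byte fallback exists only for parts that are not XML at all, which is where an embedded RTF or HTML chunk would carry the same URI.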
Education is imperative to reduce detection and response time for ransomware attacks. Join our upcoming webinar series to gain insights from experts on how Trellix XDR can assist. Select the security concerns most pressing to your organization and register now.
Thank you for sharing these insightful findings, Trellix! We're curious - how does Trellix prioritize which cybersecurity threats to delve into in your Advanced Research Center, considering the vast and ever-evolving landscape of digital threats?
Detection & Response Leader | Building Innovative Security Products & Programs | SecOps | Threat Hunting | EDR | XDR
1 year ago: Great content this month! Thank you to all the amazing ARC Researchers for sharing your work with the community!