Weekly Threat Briefing: February 5 - 9, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Volt Typhoon Remained Undetected for Years in US Infrastructure

On February 7th, CISA, the NSA, and the FBI, along with Five Eyes intelligence partners, published a joint advisory on state-sponsored actors from the People’s Republic of China (PRC), specifically the Volt Typhoon APT group. According to the report, Volt Typhoon is actively compromising U.S. critical infrastructure sectors with the intent of pre-positioning for potential disruptive or destructive cyberattacks during crises or conflicts.

The group has been observed using a variety of tools and techniques to target organizations in the US as well as in other countries. They are specifically targeting government organizations, communications, energy, transportation, and water/wastewater facilities.

Volt Typhoon is a highly sophisticated threat actor group with a variety of tools and techniques that can be applied during attacks. As such, it is critical that organizations follow a defense-in-depth approach that includes network, endpoint, and log monitoring to identify malicious activity.

Organizations across impacted regions and industries are strongly encouraged to proactively review and apply the recommendations included in CISA’s joint advisory.

Learn more in the full threat advisory here.


AnyDesk Breach

On February 2nd, AnyDesk, the remote desktop application vendor, confirmed it was impacted by a cyberattack on its production systems. The breach was discovered during a security audit carried out after unusual activity was identified.

Updated versions of AnyDesk signed with a new certificate will be made available shortly. AnyDesk is asking users to update to the latest versions once they are published. Details on specific versions can be found in AnyDesk’s Incident FAQ.

The breach of AnyDesk's production servers highlights the value of a defense-in-depth strategy and the importance of Endpoint Detection and Response (EDR) tools, which are a cornerstone of a multi-layered defense.

Unlike traditional antivirus solutions that rely on known signatures to identify threats, EDR systems monitor and evaluate behaviors and anomalies in real time. This capability is crucial for detecting sophisticated cyberattacks, including zero-day exploits, Advanced Persistent Threats (APTs), and software signed with compromised code-signing certificates, which may not match any known signature but exhibit irregular patterns indicative of malicious activity.

Learn more in the full threat advisory here.


Microsoft Report on Iranian APT Activity

On February 6th, Microsoft released a report detailing the latest Iranian cyber activity in the region. Iran’s cyber-enabled operations targeting Israel have followed a three-stage approach:

  • Phase 1 – Reactive and Misleading: Threat actors leveraged pre-existing access to perform cyberattacks and re-used old leaked data to claim new attacks.
  • Phase 2 – All Hands on Deck: Iran increased the number of threat actor groups targeting Israel and shifted to performing destructive attacks. Additionally, Iranian threat actor groups began to increasingly share information and tradecraft amongst themselves.
  • Phase 3 – Expanded Geographic Scope: Attacks became more targeted and shifted to include other regions such as Albania, Bahrain, and the USA. The attacks also increasingly included hacktivist-style language, with specific reference to Israel.

US-Iranian tensions are currently high, due to an attack on US troops in Jordan by the Iranian-backed Iraqi military group Kataib Hezbollah and a US missile strike which resulted in the death of a Kataib Hezbollah leader. Due to the escalating tensions between the US and Iran, it is probable that Iranian APT groups will shift to increasingly target both government and private organizations in the US.

Iran's cyber operations against Israel and its allies showcase a sophisticated understanding of cyber warfare's strategic potential. The use of influence operations, rapid adoption of new exploits, and targeted attacks on critical infrastructure demonstrate Iran's commitment to advancing its cyber capabilities.

Learn more in the full threat advisory here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
