Securonix Threat Labs Monthly Intelligence Insights – February 2024


Authors: Dheeraj Kumar, and Ella Dragun

The Monthly Intelligence Insights provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in February. The report additionally provides a synopsis of the threats; indicators of compromise (IoCs); tactics, techniques, and procedures (TTPs); and related tags. Each threat has a comprehensive summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and related search queries used via Autonomous Threat Sweeper to detect the below-mentioned threats, refer to our Threat Labs home page.

Last month Securonix Autonomous Threat Sweeper identified and analyzed 5,817 TTPs and IoCs, 166 emerging threats, investigated 75 potential threats, and elevated 20 threat incidents. The top data sources swept against include Cloud Application Audit, Cloud Content Management, Cloud Antivirus/Malware/EDR, Data Loss Prevention, and Email/Email Security.

Cyber-espionage campaign (Originally published in February 2024)

Both the National Intelligence Service (NIS) of South Korea and Germany's Federal Office for the Protection of the Constitution (BfV) have issued a joint advisory about an ongoing cyber-espionage campaign, attributed to the North Korean government, that targets the global defense sector. The attacks aim to steal information on cutting-edge military technology and so help North Korea modernize its conventional weapons and develop new military capabilities.

The DPRK's cyber espionage has targeted highly advanced defense technologies at organizations around the globe, with a focus on obtaining military technologies. The joint Cybersecurity Advisory (CSA) details the DPRK's tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs). The BfV and NIS attribute these incidents to Lazarus and a second North Korean cyber threat group. Lazarus is known for spear phishing attacks against diplomatic and security experts and has expanded its attacks into the defense and financial sectors; it is a sophisticated actor that has drawn worldwide attention for its involvement in numerous cyber-attacks.

Threat Labs summary

Securonix Threat Labs recommends caution regarding these attacks and deploying protective measures against the increased threat from this campaign.

  • Limit access only to necessary systems when receiving remote maintenance and repair services, and authenticate before user permissions and privileges are granted.
  • Store and maintain audit logs including system access records and monitor them regularly to detect anomalous access.
  • Adopt a proper patch management system (PMS) procedure that verifies user authentication, and add an adequate verification and confirmation step at the final stage of distribution, since that stage is an attractive target for supply chain attacks.
  • Always deploy TLS on websites so that critical data, including account information, is not exposed even if the traffic is intercepted by a cyber actor.
  • If employees use a VPN to work from home, require multi-factor authentication in addition to the user ID and password, for example a one-time password (OTP), so that a leaked password alone does not grant access to critical information.
  • Please refer to the section “Mitigations” in the first BfV-NIS Joint CSA published in March 2023 for details about spear phishing prevention guidelines.
  • 23 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

Tags: Attack Type: Cyber-espionage campaign | Threat group: Lazarus and a second North Korean cyber threat group

Recent activities of LockBit (Originally published in February 2024)

After the February 19th disruption by law enforcement, the LockBit ransomware group is back at it, using upgraded encryptors and ransom letters that point to new servers.

On February 19, the NCA, FBI, and Europol carried out a coordinated disruption of the LockBit ransomware operation, known as "Operation Cronos."

Law enforcement confiscated infrastructure, obtained decryptors, and—in a humiliating turn of events for LockBit—turned the ransomware gang’s data leak website into a police press portal as part of this investigation.

Soon after, LockBit claimed that law enforcement had compromised their servers using a PHP bug, and they posted a lengthy note to the FBI saying that they had set up a new data leak website.

Instead of rebranding, though, they said they would be back with improved security and updated infrastructure to keep law enforcement from accessing decryptors and conducting operation-wide attacks.

LockBit appears to have resumed attacks as of February 27. New encryptors and infrastructure for data leaks and negotiation sites have been set up.

Zscaler found that the group added Tor URLs for its new infrastructure to the ransom notes dropped by its encryptor; researchers subsequently found encryptor samples uploaded to VirusTotal that contain the latest ransom notes.

Palo Alto Networks likewise reports that LockBit has resumed operations after the February 2024 disruption. Like other researchers, they found potential imposters posing as LockBit 4.0 on VirusTotal, and Palo Alto Networks identified five SHA256 hashes as indicators of compromise for this campaign.

Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy defensive measures against the LockBit group. 

  • Researchers also verified that the operation's negotiation servers are online again, but they are only accepting victims of new attacks.
  • Approximately 180 affiliates were working with the ransomware operation to carry out attacks at the time LockBit was taken down.
  • According to LockBit, it is actively recruiting experienced pentesters, which suggests that the volume of attacks is likely to grow.
  • It remains to be seen whether this is a scheme for LockBit to gradually disappear and rebrand, as Conti did. For the time being it is safer to assume that LockBit is still a threat.
  • 7 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

Tags: Threat group: LockBit | Activity: new data leak and negotiation sites set up after Operation Cronos | Attack Type: ransomware, with potential imposters posing as LockBit 4.0

New SUBTLE-PAWS PowerShell backdoor (Originally published in February 2024)

A new SUBTLE-PAWS PowerShell-based backdoor is being used in an intriguing campaign that targets Ukraine. The campaign uses obfuscated techniques to avoid detection and uses infected USB sticks to propagate.

The ongoing campaign, which Securonix Threat Research identified as possibly related to Shuckworm and tracks as STEADY#URSA, targets Ukrainian military personnel. The malicious payload is delivered in compressed files, probably via phishing emails.

Given that the attack includes multiple TTPs that are only utilized by the group and have been mentioned in previous campaigns against the Ukrainian military, it is most likely connected to Shuckworm.

PowerShell accounted for most of the code the malware executed over the whole attack chain. The infection process is straightforward: the victim executes a malicious shortcut (.lnk) file, which loads and runs a new PowerShell backdoor payload located in another file from the same download. Securonix is tracking this unique PowerShell backdoor as SUBTLE-PAWS.

Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures against increased threats from these malicious campaigns.

  • Exercise additional caution when downloading file attachments from emails or dubious websites, especially from an unknown source. To avoid unauthorized code execution, understand how shortcut (.lnk) files behave and how to recognize them.
  • Watch common malware staging locations, especially script activity in user-writable directories such as %APPDATA%.
  • Deploy additional process-level logging, such as Sysmon and PowerShell logging, to broaden detection coverage.
  • 57 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

TTPs related to the SUBTLE-PAWS PowerShell backdoor include but are not limited to the following:

Monitor for potentially malicious use of PowerShell on a system by looking for patterns in PowerShell command execution that are commonly associated with malicious scripts or activity, including:

  • Use of gc or Get-Content
  • Use of the pipeline (|)
  • Use of Out-String
  • Execution of nested PowerShell commands
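The following is an added example, not Securonix code, showing how the four patterns above can be scored together over process-creation telemetry so that a single common pattern (one pipeline) does not alert on its own. The three events are constructed in Sysmon Event ID 1 terms, not real STEADY#URSA telemetry; the weights, the alert threshold, and the rule names are assumptions to be tuned against your own baseline.

```python
"""Score PowerShell process-creation events for the SUBTLE-PAWS patterns listed
above: gc/Get-Content, the pipeline, Out-String and nested PowerShell.

Added example, not Securonix code. The events below are constructed, not
STEADY#URSA telemetry; the weights and the alert threshold are assumptions
chosen so that a single common pattern (one pipeline) does not alert by itself.
"""
import ntpath
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# (rule name, regex over the command line, weight). gc, cat and type are
# built-in aliases of Get-Content, so they are matched as well.
COMMAND_LINE_RULES = [
    ("get-content", re.compile(r"(?<![\w-])(?:gc|cat|type|get-content)\b", re.I), 2),
    ("pipeline", re.compile(r"\|"), 1),
    ("out-string", re.compile(r"\bout-string\b", re.I), 2),
]
NESTED_WEIGHT = 3
ALERT_THRESHOLD = 5  # assumption: tune against your own baseline

PS_TOKEN_RX = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def is_nested_powershell(event):
    """True when PowerShell launches PowerShell, either as a child process or
    by naming the interpreter again inside its own command line."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent in POWERSHELL_IMAGES and image in POWERSHELL_IMAGES:
        return True
    return len(PS_TOKEN_RX.findall(event["command_line"])) >= 2


def score_event(event):
    """Return (score, [rule names that fired]) for one process-creation event."""
    fired = []
    score = 0
    for name, rx, weight in COMMAND_LINE_RULES:
        if rx.search(event["command_line"]):
            fired.append(name)
            score += weight
    if is_nested_powershell(event):
        fired.append("nested-powershell")
        score += NESTED_WEIGHT
    return score, fired


def hunt(events, threshold=ALERT_THRESHOLD):
    """Return the events whose score meets the threshold, with score and rules."""
    hits = []
    for ev in events:
        score, fired = score_event(ev)
        if score >= threshold:
            hits.append({"id": ev["id"], "score": score, "rules": fired})
    return hits


# Constructed sample events in Sysmon Event ID 1 terms (not real telemetry).
EVENTS = [
    {  # admin listing processes: one pipeline, nothing else
        "id": 1,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -Command "Get-Process | Sort-Object CPU"',
    },
    {  # loader pattern: read a staged file, flatten it, feed it to a second PowerShell
        "id": 2,
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'powershell.exe -w hidden -c "(gc $env:APPDATA\update\readme.dat | Out-String) | powershell -"',
    },
    {  # log review: Get-Content plus a pipeline, but nothing nested
        "id": 3,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'powershell.exe -c "Get-Content C:\logs\app.log | Select-String ERROR"',
    },
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Only event 2 crosses the threshold: it hits all four patterns at once, whereas the two benign admin commands each use Get-Content or a pipeline in isolation, which is exactly the false-positive caveat in the note at the end of this report.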

Tags: Malware: SUBTLE-PAWS PowerShell backdoor | Campaign: STEADY#URSA (possibly Shuckworm) | Target: Ukrainian military personnel | Attack Type: malicious shortcut (.lnk) file that loads and runs the PowerShell backdoor payload from another file in the same download

State-sponsored cyber actors (Originally published in February 2024)

CISA, the NSA, and the FBI released a joint Cybersecurity Advisory on People's Republic of China (PRC) state-sponsored cyber actors who are pre-positioning themselves on IT networks to enable disruptive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The advisory is based on observations from the U.S. authoring agencies' incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus), a stealthy China-based cyber espionage group believed to be active since June 2021. The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in the communications, energy, transportation systems, and water and wastewater systems sectors, in the continental and non-continental United States and its territories, including Guam.

Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures for increased threats from these malicious campaigns.

  • The authoring agencies urge critical infrastructure organizations to apply the mitigations in the advisory and to hunt for similar malicious activity using its guidance, together with the prioritized detection and hardening best practices in the joint guide Identifying and Mitigating Living Off the Land Techniques.
  • These mitigations are intended primarily for IT and OT administrators in critical infrastructure organizations. Applying them, whether proactively or in response to an incident, helps disrupt Volt Typhoon's access and reduces the threat to critical infrastructure entities.
  • Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs.
  • 15 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

Tags: Threat group: Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) | Targets: compromised IT environments of multiple critical infrastructure organizations, primarily in the communications, energy, transportation systems, and water and wastewater systems sectors, in the continental and non-continental United States and its territories, including Guam

Intrusions on MSSQL servers (Originally published in February 2024)

MSSQL database servers exposed to the Internet with default configurations have been targeted and abused since the 2003 SQL Slammer worm, and even before. More recently, Securonix Threat Research reported Turkish threat actors (the RE#TURGENCE campaign) using exposed MSSQL servers as the entry point for spreading ransomware across victim networks.

Huntress SOC analysts reported an incident that deviated significantly from typical MSSQL server compromises: the attacker used the MSSQL native bulk copy program (bcp) to extract a file from a database table, as shown by the following command line:

cmd /c bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\public\music\" -T -f "C:\users\public\music\FODsOZKgAU.txt"

During the incident multiple files were extracted from the database: a copy of the AnyDesk RMM tool, two scripts (.ps1 and .bat) that create user accounts, and another batch file (.bat) that launches AnyDesk and a tunneler. However, no attempt to run any of these files was visible in the EDR telemetry, and no side effects of their execution, such as the creation of the user account, were found in the Windows Event Logs, which makes this activity hard to detect. Moreover, every script ended with a line that deletes the script file itself, yet every script file was still present on the endpoint's file system during the investigation, consistent with the scripts never having run.

Threat Labs summary

Securonix Threat Labs recommends leveraging our findings to deploy protective measures against increased threats from these malicious campaigns.

  • Do not expose important servers to the public internet. In the RE#TURGENCE campaign the attackers brute-forced their way directly into the MSSQL server from outside the network. Place access to such resources behind a VPN or other significantly more secure infrastructure.
  • Restrict the use of the xp_cmdshell extended stored procedure on MSSQL database servers. Had it been disabled, the attackers could not have run operating system commands from the database.
  • Enable process-level logging on endpoints and servers, such as Sysmon and PowerShell logging, to obtain the telemetry needed to detect and hunt for RMM and RAT-like software.
  • Monitor for the addition of new local users on endpoints, particularly on critical servers.
  • 13 IoCs are available on our Threat Labs home page repository and have been swept against Autonomous Threat Sweeper customers.

TTPs related to this campaign include but are not limited to the following:

Monitor for potential signs of malicious activity on Microsoft SQL Server (MSSQL) systems, specifically patterns that may indicate unauthorized access or misuse:

  • Use of or changes to xp_cmdshell
  • Unusual child processes of sqlservr.exe
  • Use of the bcp command
  • Command execution patterns such as cmd /c bcp
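The following is an added example, not Securonix or Huntress code, that applies the four hunting patterns above to sample telemetry: process-creation events are checked for children of sqlservr.exe and for cmd /c bcp ... queryout, the bcp command line is parsed to recover the query, output path and format file, and T-SQL statements (as a SQL Server Audit would record them) are checked for xp_cmdshell use or reconfiguration. The process events and SQL statements are constructed; only the bcp command line is the one quoted in the write-up. The sqlservr.exe child allowlist and the rule names are assumptions.

```python
"""Hunt for the MSSQL abuse patterns listed above (xp_cmdshell use or changes,
unusual children of sqlservr.exe, bcp queryout, cmd /c bcp) over sample
telemetry.

Added example, not Securonix or Huntress code. The process events and SQL
statements below are constructed; only the bcp command line is the one quoted
in the write-up. The sqlservr.exe child allowlist and the rule names are
assumptions.
"""
import ntpath
import re

# Assumption: on a healthy server sqlservr.exe spawns (almost) nothing.
SQLSERVR_CHILD_ALLOWLIST = {"conhost.exe"}

BCP_RX = re.compile(
    r'\bbcp\s+"(?P<query>[^"]+)"\s+queryout\s+"(?P<out>[^"]*)"(?P<opts>.*)', re.I)
CMD_C_BCP_RX = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+bcp\b", re.I)
XP_CMDSHELL_CONFIG_RX = re.compile(
    r"sp_configure\s+'?xp_cmdshell'?\s*,\s*(?P<value>[01])", re.I)
XP_CMDSHELL_USE_RX = re.compile(r"\bxp_cmdshell\b", re.I)


def parse_bcp(command_line):
    """Pull the query, output path, format file and auth mode out of a
    'bcp ... queryout ...' command line; None if it is not one."""
    m = BCP_RX.search(command_line)
    if not m:
        return None
    opts = m.group("opts")
    fmt = re.search(r'-f\s+"([^"]+)"', opts)
    return {
        "query": m.group("query").strip(),
        "out": m.group("out"),
        "format_file": fmt.group(1) if fmt else None,
        # -T = trusted connection: runs as the SQL Server service account's Windows identity
        "trusted_connection": re.search(r"(?:^|\s)-T(?:\s|$)", opts) is not None,
    }


def check_process(event):
    """Process-creation event -> names of the rules that fired."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"]
    fired = []
    if parent == "sqlservr.exe" and image not in SQLSERVR_CHILD_ALLOWLIST:
        fired.append("unusual_child_of_sqlservr")
    if CMD_C_BCP_RX.search(cmd):
        fired.append("cmd_c_bcp")
    if parse_bcp(cmd) is not None:
        fired.append("bcp_queryout")
    return fired


def check_sql(statement):
    """T-SQL statement (e.g. from SQL Server Audit) -> rule names that fired."""
    m = XP_CMDSHELL_CONFIG_RX.search(statement)
    if m:
        return ["xp_cmdshell_enabled" if m.group("value") == "1" else "xp_cmdshell_disabled"]
    if XP_CMDSHELL_USE_RX.search(statement):
        return ["xp_cmdshell_use"]
    return []


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

PROCESS_EVENTS = [  # constructed sample events
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c dir"},
    {"id": 2, "parent_image": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\public\music\" -T -f "C:\users\public\music\FODsOZKgAU.txt"'},
    {"id": 3, "parent_image": SQLSERVR, "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami"},
]

SQL_STATEMENTS = [  # constructed sample statements
    "SELECT name FROM sys.databases",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "EXEC master..xp_cmdshell 'whoami'",
]


def hunt():
    """Return {'proc:<id>' or 'sql:<index>': fired rules} for everything that fired."""
    findings = {}
    for ev in PROCESS_EVENTS:
        fired = check_process(ev)
        if fired:
            findings[f"proc:{ev['id']}"] = fired
    for i, stmt in enumerate(SQL_STATEMENTS):
        fired = check_sql(stmt)
        if fired:
            findings[f"sql:{i}"] = fired
    return findings


if __name__ == "__main__":
    for key, fired in hunt().items():
        print(key, fired)
    print(parse_bcp(PROCESS_EVENTS[1]["command_line"]))
```

The parsed bcp command is worth keeping in the alert: the output path tells the responder where to look for dropped files even when, as in the Huntress case, nothing in the EDR telemetry shows them being executed, and -T shows the export ran under the SQL Server service account rather than a SQL login.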

Tags: Campaign: RE#TURGENCE (Turkish threat actors) and a separate MSSQL intrusion reported by Huntress | Target: Internet-exposed MSSQL servers | Attack Type: brute force of exposed MSSQL servers, command execution via xp_cmdshell, use of the bulk copy (bcp) command for file extraction, and deployment of scripts for unauthorized account creation and remote access tool installation

For a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors. 

We would like to hear from you. Please reach out to us at [email protected]

Note: These TTPs are prone to false positives and noise when used in isolation and should ideally be combined with the other indicators mentioned.

Contributors: Sina Chehreghani, Dhanaraj K R