Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2023-09-05
Hackers_Exploiting_MinIO_Storage_System
LOW

Intel Source:
Security Joes
Intel Name:
Hackers_Exploiting_MinIO_Storage_System
Date of Scan:
2023-09-05
Impact:
LOW
Summary:
Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.


Source:
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services

2023-09-05
Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
LOW

Intel Name:
Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
Date of Scan:
2023-09-05
Impact:
LOW
Summary:
Researchers from CERT-UA have observed a deliberate cyber attack against a crucial Ukrainian energy infrastructure site. An email message with a phony sender address and a link to an archive, like “photo.zip,” is being distributed to carry out the malicious scheme.


Source:
https://cert.gov.ua/article/5702579

2023-09-04
Okta_Warns_of_Social_Engineering_Attacks
LOW

Intel Source:
Okta
Intel Name:
Okta_Warns_of_Social_Engineering_Attacks
Date of Scan:
2023-09-04
Impact:
LOW
Summary:
Recent weeks have seen an increase in social engineering attacks against IT service desk staff, according to several U.S.-based Okta customers. The caller’s tactic was to persuade the service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.


Source:
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

2023-09-04
Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
LOW

Intel Source:
ASEC
Intel Name:
Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
Date of Scan:
2023-09-04
Impact:
LOW
Summary:
A phishing campaign that spreads via spam emails and runs a PE file (EXE) without writing the file to the user’s disk has been uncovered by ASEC researchers. The malicious attachment, an .hta file, ultimately executes the malware strains AgentTesla, Remcos, and LimeRAT.


Source:
https://asec.ahnlab.com/en/56512/

2023-09-04
ZeroDay_Vulnerabilities_Detected_on_WinRAR
MEDIUM

Intel Source:
Seqrite
Intel Name:
ZeroDay_Vulnerabilities_Detected_on_WinRAR
Date of Scan:
2023-09-04
Impact:
MEDIUM
Summary:
In the widely used WinRAR software, the zero-day vulnerabilities CVE-2023-38831 and CVE-2023-40477 have been discovered. The possibility of remote code execution presented by these vulnerabilities raises serious security concerns. With half a billion users globally, WinRAR is a popular compression tool that is essential to numerous digital processes.


Source:
https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/

2023-09-04
FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
MEDIUM

Intel Source:
Securonix Threat Labs
Intel Name:
FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
Date of Scan:
2023-09-04
Impact:
MEDIUM
Summary:
Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.


Source:
https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/

2023-09-02
A_new_campaign_of_novel_RAT
LOW

Intel Source:
Interlab
Intel Name:
A_new_campaign_of_novel_RAT
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
On 8/28/2023, Interlab received a sample that had been sent to a journalist, with highly targeted content luring the recipient to open the document. After analysis, Interlab discovered that, following the initial compromise, an AutoIT script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, named “SuperBear” due to naming conventions in the code.


Source:
https://interlab.or.kr/archives/19416

2023-09-02
Analyses_on_new_open_source_infostealer
LOW

Intel Source:
Talos
Intel Name:
Analyses_on_new_open_source_infostealer
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
In this week’s edition of the Threat Source newsletter, Talos reports seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SapphireStealer”, which was analyzed by Talos researchers and shared in their blog.


Source:
https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/

2023-09-02
New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
LOW

Intel Source:
Rapid7
Intel Name:
New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
Recently, Rapid7 discovered a fake browser update campaign tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader is used to execute infostealers, including StealC and Lumma, on compromised systems.


Source:
https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

2023-09-01
An_Open_Source_Info_Stealer_Named_SapphireStealer
LOW

Intel Source:
Talos
Intel Name:
An_Open_Source_Info_Stealer_Named_SapphireStealer
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it’s been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.


Source:
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/


Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Labs Monthly Intelligence Insights – July 2023
  • Blog
    Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
  • Blog
    Securonix Threat Labs Security Advisory: Detecting Microsoft Office Zero-day HTML Vulnerability (CVE-2023-36884) “RomCom”/Storm-0978 Exploitation With Security Analytics

Threat Labs Archives

  • Threat Research