
Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source:
- Security Joes
- Intel Name:
- Hackers_Exploiting_MinIO_Storage_System
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Securonix Threat Labs research shows infected Microsoft SQL Server (MSSQL) databases being used to deliver Cobalt Strike and ransomware payloads. After gaining initial access through the MSSQL server, the attackers use it as a beachhead to deploy a variety of payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant named FreeWorld.
—
- Intel Source:
- CERT-UA
- Intel Name:
- Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
- Date of Scan:
- 2023-09-05
- Impact:
- LOW
- Summary:
- Researchers from CERT-UA have observed a targeted cyber attack against a critical Ukrainian energy infrastructure facility. The attack is delivered by an email with a spoofed sender address that links to an archive such as "photo.zip".
—
- Intel Source:
- Okta
- Intel Name:
- Okta_Warns_of_Social_Engineering_Attacks
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- Okta reports that several U.S.-based customers have seen a consistent pattern of social engineering attacks against IT service desk staff in recent weeks. The callers' goal was to persuade service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users, after which the attacker enrolls their own factor and takes over the account.
Source:
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
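The pattern above (a help-desk identity resetting every MFA factor of a privileged account) is something the System Log records, so it can be hunted retroactively. The script below is an added example, not code from this page or from Okta. It runs detection logic over constructed Okta System Log events using the documented field layout (eventType, actor.alternateId, target[].alternateId, client.ipAddress, outcome.result); the event type names watched, the privileged-user list and the burst threshold are assumptions you would adapt to your tenant.

```python
"""Flag help-desk MFA resets against privileged Okta users (added example).

Assumptions: the event types in MFA_RESET_EVENTS and the identities in
PRIVILEGED_USERS; both must be confirmed against your own tenant.
"""
import json
from collections import defaultdict

# Assumed watch list: accounts whose MFA reset always deserves review.
PRIVILEGED_USERS = {"superadmin@example.com", "orgadmin@example.com"}
# Assumed event types; verify the exact names in your System Log before use.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
BURST_THRESHOLD = 2  # distinct privileged users reset by one actor before alerting

# Constructed sample log (not real data), one JSON event per line.
SAMPLE_LOG = """
{"eventType": "user.mfa.factor.reset_all", "published": "2023-08-31T14:02:11Z", "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "target": [{"type": "User", "alternateId": "analyst@example.com"}], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.factor.reset_all", "published": "2023-08-31T14:05:40Z", "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "target": [{"type": "User", "alternateId": "superadmin@example.com"}], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.session.start", "published": "2023-08-31T14:06:02Z", "actor": {"type": "User", "alternateId": "superadmin@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "target": [], "outcome": {"result": "SUCCESS"}}
{"eventType": "user.mfa.factor.deactivate", "published": "2023-08-31T14:09:15Z", "actor": {"type": "User", "alternateId": "helpdesk@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "target": [{"type": "User", "alternateId": "orgadmin@example.com"}, {"type": "UserFactor", "alternateId": "okta_verify"}], "outcome": {"result": "SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_mfa_resets(events):
    """Return successful MFA reset/deactivate events aimed at a privileged user."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in MFA_RESET_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        for tgt in ev.get("target", []):
            # The user being reset is a target of type User; factor targets are skipped.
            if tgt.get("type") == "User" and tgt.get("alternateId") in PRIVILEGED_USERS:
                hits.append({
                    "when": ev.get("published"),
                    "actor": ev.get("actor", {}).get("alternateId"),
                    "source_ip": ev.get("client", {}).get("ipAddress"),
                    "target": tgt["alternateId"],
                    "event": ev["eventType"],
                })
    return hits


def burst_actors(hits, threshold=BURST_THRESHOLD):
    """Actors who reset MFA for at least `threshold` distinct privileged users."""
    per_actor = defaultdict(set)
    for h in hits:
        per_actor[h["actor"]].add(h["target"])
    return sorted(a for a, targets in per_actor.items() if len(targets) >= threshold)


if __name__ == "__main__":
    found = privileged_mfa_resets(parse_events(SAMPLE_LOG))
    for h in found:
        print(f"{h['when']} {h['actor']} ({h['source_ip']}) {h['event']} -> {h['target']}")
    print("burst actors:", burst_actors(found))
```

The first match alone is worth a ticket; the burst check catches the case Okta describes, where one caller works through several privileged accounts in a short window. Pairing each hit with the target's next session start from a new IP is the natural follow-up query.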
—
- Intel Source:
- ASEC
- Intel Name:
- Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
- Date of Scan:
- 2023-09-04
- Impact:
- LOW
- Summary:
- ASEC researchers have uncovered a phishing campaign, spread via spam email, that executes a PE file (EXE) without ever writing it to the user's disk. The attached .hta file is the first stage; it ultimately loads the AgentTesla, Remcos, and LimeRAT malware strains in memory.
—
- Intel Source:
- Seqrite
- Intel Name:
- ZeroDay_Vulnerabilities_Detected_on_WinRAR
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Two vulnerabilities in the widely used WinRAR archiver, CVE-2023-38831 and CVE-2023-40477, have been disclosed; the first was exploited in the wild as a zero-day. Both can lead to remote code execution when a victim opens a crafted archive, which is a serious concern for a tool with roughly half a billion users that is embedded in many everyday workflows. Both are fixed in WinRAR 6.23, so the practical check is to confirm no older version remains installed.
Source:
https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/
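Patch status is the first check; the second is a retroactive hunt through archives already in mail stores or file shares. The script below is an added example, not code from this page, from Seqrite or from WinRAR's vendor. It looks for the CVE-2023-38831 trigger layout as described in public research (which this page does not detail): a decoy file whose name ends in a space, beside a directory of exactly the same name that holds a script, so that opening the decoy from WinRAR runs the script instead. The layout, the script extension list and the two sample archives are assumptions and constructed test data; the check handles ZIP containers only (a RAR container would need a RAR parser), and CVE-2023-40477, a separate memory-safety bug, is not detectable by inspecting names.

```python
"""Hunt ZIP archives for the CVE-2023-38831 trigger layout (added example).

Assumed layout, from public research rather than from this page:

    invoice.pdf                    <- decoy, note the trailing space
    invoice.pdf /invoice.pdf .cmd  <- script executed when the decoy is opened
"""
import io
import zipfile

# Assumed list of extensions worth flagging inside the same-named directory.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")


def find_trigger_pairs(names):
    """Return (decoy, script) pairs found in a list of archive entry names."""
    files = set()
    dirs = set()
    for name in names:
        if name.endswith("/"):
            dirs.add(name[:-1])
            continue
        files.add(name)
        # Directories implied by file paths: many archivers omit explicit entries.
        parts = name.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))

    pairs = []
    for decoy in sorted(files):
        # The decoy must end in a space and have a directory of the identical name.
        if not decoy.endswith(" ") or decoy not in dirs:
            continue
        prefix = decoy + "/"
        for entry in sorted(files):
            if entry.startswith(prefix) and entry.lower().endswith(SCRIPT_EXTS):
                pairs.append((decoy, entry))
    return pairs


def scan_zip_bytes(data):
    """Scan an in-memory ZIP; reading names never extracts or runs anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_trigger_pairs(zf.namelist())


def build_zip(entries):
    """Constructed sample builder: entries maps archive path -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples; the payloads are placeholders, not real malware.
SUSPICIOUS = build_zip({
    "invoice.pdf ": b"%PDF-1.4 decoy",
    "invoice.pdf /invoice.pdf .cmd": b"@echo off\r\nrem placeholder\r\n",
})
BENIGN = build_zip({
    "invoice.pdf": b"%PDF-1.4 real document",
    "notes/readme.txt": b"nothing to see",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_zip_bytes(blob))
```

Because the check only reads the central directory, it is safe to run over untrusted archives at scale; anything it flags still needs a look at the script body before calling it a confirmed sample.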
—
- Intel Source:
- Securonix Threat Labs
- Intel Name:
- FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
- Date of Scan:
- 2023-09-04
- Impact:
- MEDIUM
- Summary:
- Securonix Threat Labs research shows infected Microsoft SQL Server (MSSQL) databases being used to deliver Cobalt Strike and ransomware payloads. After gaining initial access through the MSSQL server, the attackers use it as a beachhead to deploy a variety of payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant named FreeWorld.
—
- Intel Source:
- Interlab
- Intel Name:
- A_new_campaign_of_novel_RAT
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- On 2023-08-28, Interlab obtained a sample that had been sent to a journalist, with highly targeted content luring the recipient to open the document. Analysis showed that after initial compromise an AutoIT script performed process injection using a process hollowing technique. The injected process contained a novel RAT, named "SuperBear" after naming conventions found in its code.
—
- Intel Source:
- Talos
- Intel Name:
- Analyses_on_new_open_source_infostealer
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- This week's edition of the Threat Source newsletter notes that Talos is seeing more attackers take advantage of tools uploaded to public malware repositories, such as the infostealer "SapphireStealer", which Talos researchers analyzed and described in their blog.
Source:
https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/
—
- Intel Source:
- Rapid7
- Intel Name:
- New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
- Date of Scan:
- 2023-09-02
- Impact:
- LOW
- Summary:
- Rapid7 recently observed a fake browser update campaign tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader (IDAT Loader) is used to execute infostealers, including StealC and Lumma, on compromised systems.
—
- Intel Source:
- Talos
- Intel Name:
- An_Open_Source_Info_Stealer_Named_SapphireStealer
- Date of Scan:
- 2023-09-01
- Impact:
- LOW
- Summary:
- In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it’s been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.
Source:
https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
- Securonix Threat Labs Security Advisory: Detecting Microsoft Office Zero-day HTML Vulnerability (CVE-2023-36884) "RomCom"/Storm-0978 Exploitation With Security Analytics