Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source:
- ASEC
- Intel Name:
- Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
- Date of Scan:
- 2024-04-22
- Impact:
- MEDIUM
- Summary:
- AhnLab’s Security Intelligence Center (ASEC) has identified a significant rise in phishing attempts mimicking Korean portal websites, logistics brands, and webmail login pages. These attacks utilize sophisticated tactics, such as replicating the appearance of legitimate websites and leveraging NoCodeForm for credential exfiltration.
—
- Intel Source:
- ISC.SANS
- Intel Name:
- A_Malicious_PDF_File_Using_to_Deliver_Malware
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- Researchers at SANS have noted that billions of PDF files are shared on a regular basis, and that many individuals take these files for trust because they believe they are “read-only” and contain just “a bunch of data”. Previously, PDF viewers were vulnerable to nasty vulnerabilities in poorly crafted PDF files. Particularly the Acrobat or FoxIt readers, they were all impacted at least once. Additionally, a PDF file can be rather “dynamic” by containing embedded JavaScript scripts, auto-open actions that cause scripts (like PowerShell on Windows) to run, or any other kind of embedded data.
Source:
https://isc.sans.edu/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/
—
- Intel Source:
- Microsoft
- Intel Name:
- Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- Microsoft Defender recently identified a significant attack targeting Kubernetes workloads leveraging critical vulnerabilities in OpenMetadata for cryptomining. Exploiting flaws disclosed on March 15, 2024, attackers gained access to Kubernetes clusters, executed reconnaissance commands, and deployed cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later, provides guidance for vulnerability checks, and highlights the role of Defender for Cloud in detecting and mitigating such threats, underlining the importance of proactive security measures in containerized environments.
—
- Intel Source:
- Securelist
- Intel Name:
- The_APT_group_ToddyCat_compromise_infrustructure
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- This month, Securelist researchers ran an investigation on how attackers got constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they used for it. ToddyCat is a threat actors group that in general targets governmental organizations located in the Asia-Pacific region. The group’s main goal is to steal sensitive information from hosts.
Source:
https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/
—
- Intel Source:
- CERT-UA
- Intel Name:
- Sandworm_Groups_Cyber_Scheme
- Date of Scan:
- 2024-04-22
- Impact:
- LOW
- Summary:
- Researchers at CERT-UA found that the Sandworm group had a plan to mess with almost 20 important places in March 2024. They wanted to mess up the computer systems that control energy, water, and heat in different parts of Ukraine. CERT-UA also found out that three supply chains were messed with, either because of weak software or because employees from the supplier could get into the systems.
—
- Intel Source:
- Ars Technica
- Intel Name:
- Phishing_campaign_attacks_LastPass_users
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- The article discusses a recent phishing attack that targeted users of the password manager LastPass. The attack utilized a sophisticated phishing-as-a-service kit called CryptoChameleon, which provided all the necessary resources to deceive even knowledgeable individuals into revealing their master passwords. The attackers used a combination of email, SMS, and voice calls to trick victims into giving up their login credentials. LastPass was just one of the many sensitive services targeted by CryptoChameleon, and the attack was able to bypass multi-factor authentication. The section also mentions previous attacks on LastPass and offers tips for preventing these types of scams from being successful.
—
- Intel Source:
- SOC Radar
- Intel Name:
- Security_Risks_in_OpenMetadata
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- Researchers from Microsoft have discovered the critical vulnerabilities within the OpenMetadata platform, an open-source system designed to manage metadata across various data sources. These vulnerabilities affect versions of OpenMetadata earlier than 1.3.1, potentially allowing attackers to bypass authentication and execute Remote Code Execution (RCE).
Source:
https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/
—
- Intel Source:
- Avast
- Intel Name:
- Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- Avast’s investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, employing fileless malware and multi-layered loaders, showcases advanced evasion techniques and intricate C&C communication. The involvement of the Kaolin RAT highlights the group’s commitment to control and data extraction.
—
- Intel Source:
- picussecurity
- Intel Name:
- Threat_Landscape_Update_Exploits_and_Breaches
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- The Red Report 2024 by Picus Security include critical vulnerabilities exploited by threat actors, such as PAN-OS command injection and PuTTY SSH client vulnerability, alongside targeted attacks by groups like IntelBroker and Sandworm
—
- Intel Source:
- Stairwell
- Intel Name:
- The_CVE_2024_31497_PuTTY_vulnerability
- Date of Scan:
- 2024-04-19
- Impact:
- LOW
- Summary:
- In the Stairwell blog, the analysts discuss the details of a vulnerability, CVE-2024-31497, found in the PuTTY SSH libraries by researchers at Ruhr University Bochum. It allows attackers to access private keys used in key-based authentication. The blog provides a list of potentially vulnerable software, known vulnerable hashes, and a YARA rule for detection, and mentions the importance of quickly addressing supply chain vulnerabilities. The background of the vulnerability is explained, along with a list of potentially vulnerable software not mentioned in the NIST advisory.
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
-
Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack ChainsLearn More
-
Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy MalwareLearn More
-
Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell BackdoorLearn More