Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source:
- PaloAlto
- Intel Name:
- Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
- Date of Scan:
- 2024-03-27
- Impact:
- MEDIUM
- Summary:
- Researchers from Unit 42 have discovered two Chinese advanced persistent threat (APT) groups conducting cyberespionage against members of, and organizations connected to, the Association of Southeast Asian Nations (ASEAN). The first group, Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore with two malware packages. The second Chinese APT group infiltrated an ASEAN-affiliated entity; in recent months it has attacked a number of government institutions in Southeast Asia, including those in Singapore, Laos, and Cambodia.
Source:
https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/
—
- Intel Source:
- SonicWall
- Intel Name:
- Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at SonicWall have discovered a new version of WhiteSnake Stealer that steals sensitive, private information from infected systems. The string decryption routine has been removed in this updated version, which also makes the code easier to analyze.
—
- Intel Source:
- Oligo Security
- Intel Name:
- Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Oligo have recently uncovered an ongoing campaign of attacks against a flaw in the popular open-source AI framework Ray. There is no patch for the vulnerability, which exposes thousands of businesses and servers running AI infrastructure to attack. The flaw lets attackers commandeer the organizations' computing power and expose confidential information. It has been actively exploited for the past seven months, impacting a variety of industries including biopharma, education, and cryptocurrency.
Source:
https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
—
- Intel Source:
- Lumen
- Intel Name:
- The_Shadowy_Side_Of_TheMoon_Malware
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Lumen have discovered a multi-year campaign targeting Internet of Things (IoT) devices and routers that are nearing end of life (EoL). The campaign is linked to an upgraded version of the malware known as "TheMoon." Active since 2014, TheMoon has been operating quietly in the background and amassed almost 40,000 bots across 88 countries in January and February of 2024. As the researchers observed, most of these bots serve as the backbone of Faceless, a well-known proxy service marketed to cybercriminals.
—
- Intel Source:
- Rewterz
- Intel Name:
- FormBook_Malware
- Date of Scan:
- 2024-03-27
- Impact:
- MEDIUM
- Summary:
- FormBook, an information stealer (infostealer) discovered in 2016, has capabilities such as logging keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and evades detection through techniques like code obfuscation and encryption. FormBook's flexibility allows customization for specific targets, and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments such as PDFs and Office documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook's successor, XLoader, is currently active.
Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98
—
- Intel Source:
- Morphisec
- Intel Name:
- Increase_in_activity_linked_to_Mispadu_banking_trojan
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Morphisec Labs identified a significant increase in activity linked to Mispadu, a banking trojan first flagged in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.
Source:
https://blog.morphisec.com/mispadu-infiltration-beyond-latam
—
- Intel Source:
- SOC Radar
- Intel Name:
- A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- CHAVECLOAK is a banking trojan that has become a serious threat to the Brazilian financial system. This sophisticated malware is designed to bypass security measures and steal confidential financial data from unsuspecting users.
Source:
https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/
—
- Intel Source:
- Cybereason
- Intel Name:
- The_Effects_of_the_Anydesk_Breach
- Date of Scan:
- 2024-03-27
- Impact:
- LOW
- Summary:
- Researchers at Cybereason have examined cases of AnyDesk code signing certificates being misused. On February 2, 2024, AnyDesk, a prominent global supplier of Remote Monitoring and Management (RMM) software, publicly announced that it had discovered a compromise of its production systems. In response, the company initiated an incident response process and, as part of its remediation, revoked all security-related certificates and issued fresh ones.
Source:
https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath
—
- Intel Source:
- Trustwave
- Intel Name:
- The_rise_of_Agent_Tesla
- Date of Scan:
- 2024-03-26
- Impact:
- MEDIUM
- Summary:
- SpiderLabs discovered a phishing email on March 8, 2024, carrying a Windows executable disguised as a fraudulent bank payment. Opening the attachment initiated an infection chain culminating in the deployment of Agent Tesla. The Trustwave blog shares a deep analysis of a newly identified loader, detailing the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
—
- Intel Source:
- CERT-AGID
- Intel Name:
- Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
- Date of Scan:
- 2024-03-26
- Impact:
- LOW
- Summary:
- Researchers from CERT-AGID have discovered a phishing page targeting users of the Revenue Agency's Siatel v2.0 – PuntoFisico portal. It has been live online since the early afternoon of March 21, 2024. Once victims have been tricked into entering their password and tax code as access credentials, the attackers ask them to upload or fill in a photo of the Security Matrix associated with those credentials. Access to Punto Fisico, Report Register, and Punto Fisico User Management all depend on the latter.
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
- Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
- Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN