In this weekly Threat Intelligence Brief we look back at the week's top stories and security-related callouts to provide relevant, actionable insights for information security practitioners.
We draw on threat intelligence gained through our position as a security provider, as well as industry sources, in developing this brief.
In this edition:
Ransomware attacks enabled by Iran-based groups on US Orgs
Peach Sandstorm deploys new custom Tickler malware
Suspected Espionage Campaign Delivers “Voldemort”
CISA and Partners Release Advisory on RansomHub
3 Recent CISA KEV additions
A joint Cybersecurity Advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) provides in-depth details on the TTPs (tactics, techniques, and procedures) used by a group of Iran-based threat actors. The group targeted US organizations in an effort "to obtain and develop network access" and then collaborated with ransomware affiliates to deploy ransomware across multiple sectors, including education, finance, healthcare, defense and local government.
A detailed list of the group's TTPs is available in the advisory. It notes the use of Shodan[.]io for reconnaissance and the exploitation of public-facing network devices for initial access, including Citrix NetScaler, F5 BIG-IP, Pulse Secure/Ivanti VPNs, Palo Alto PAN-OS firewalls and Check Point Security Gateways.
The report provides guidance in its "Mitigations" section to help identify and defend against this activity.
Source: CISA
Microsoft threat intelligence researchers identified Peach Sandstorm, which operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), deploying a new multi-stage backdoor known as "Tickler".
Targeted industries include communications, oil and gas, federal and state government, education and defense. Notable use of AnyDesk remote-access software in post-compromise activity was observed. The linked article lists IoCs, which are included in Microsoft Sentinel detections if you have the Threat Intelligence solution deployed.
Source: Microsoft
Proofpoint security researchers have discovered a new campaign in which threat actors pose as government tax authorities with the ultimate goal of delivering "Voldemort" malware.
The malware uses Google Sheets for command and control (C2) and abuses the Windows Saved Search file format, along with a host of other well-known techniques, to achieve its goal. For a technical deep dive, see the linked article.
Source: Proofpoint
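Two of the stories above (Tickler's use of AnyDesk after compromise, and Voldemort's abuse of the Saved Search file format) come down to process-creation telemetry a SOC can alert on. The block below is an added example written for this brief, not code from Microsoft, Proofpoint or the advisories: a minimal rule runner over constructed Sysmon-style process events. The search-ms heuristic (a `crumb=location:` that points at a UNC path or URL rather than local disk) and the AnyDesk host allowlist are assumptions for illustration, not details taken from the linked reports.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon Event ID 1 (process creation); only the fields the rules need are kept.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Benign: Explorer opening a saved search scoped to a local folder
        "host": "WS-101", "user": "alice", "image": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\explorer.exe" search-ms:query=report&crumb=location:C:\Users\alice\Documents',
    },
    {   # Suspicious: search-ms URI whose location crumb points at a remote (WebDAV) share
        "host": "WS-102", "user": "bob", "image": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\explorer.exe" "search-ms:query=invoice&crumb=location:\\203.0.113.7@SSL\DavWWWRoot\share&displayname=Invoice"',
    },
    {   # Expected: AnyDesk on a help-desk host, installed under Program Files
        "host": "HELPDESK-01", "user": "svc_support", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
    },
    {   # Suspicious: AnyDesk run from a user-writable path on a host not approved for it
        "host": "WS-103", "user": "carol", "image": r"C:\Users\carol\AppData\Local\Temp\AnyDesk.exe",
        "cmdline": r'"C:\Users\carol\AppData\Local\Temp\AnyDesk.exe" --install "C:\Users\carol\AppData\Roaming\AnyDesk" --silent',
    },
]

# Hosts where interactive AnyDesk use is expected (assumed allowlist; adjust per environment).
ANYDESK_APPROVED_HOSTS = {"HELPDESK-01"}

# A search-ms URI whose 'crumb=location:' is a UNC path (\\host\...) or a URL, meaning
# Explorer will fetch the "search results" from a remote host instead of local disk.
SEARCH_MS_REMOTE = re.compile(
    r"search-ms:[^\s'\"]*crumb=location:(\\\\|//|https?://)", re.IGNORECASE)


def check_search_ms(ev: Dict[str, str]) -> Optional[str]:
    """Flag saved-search URIs that pull their scope from a remote location."""
    if SEARCH_MS_REMOTE.search(ev["cmdline"]):
        return "search-ms URI with remote location crumb (possible saved-search abuse)"
    return None


def check_anydesk(ev: Dict[str, str]) -> Optional[str]:
    """Flag AnyDesk executions outside the approved hosts or outside Program Files."""
    image = ev["image"].lower()
    if not image.endswith("\\anydesk.exe"):
        return None
    reasons = []
    if ev["host"] not in ANYDESK_APPROVED_HOSTS:
        reasons.append("host not approved for AnyDesk")
    if not image.startswith("c:\\program files"):
        reasons.append("binary outside Program Files")
    return "; ".join(reasons) if reasons else None


RULES: List[Callable[[Dict[str, str]], Optional[str]]] = [check_search_ms, check_anydesk]


def run_rules(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": rule.__name__, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['reason']}")
```

Run against the constructed events it raises two alerts (WS-102 for the remote search-ms scope, WS-103 for AnyDesk from a Temp directory) and stays quiet on the benign local search and the help-desk host. The same two conditions translate directly into a Sentinel KQL or Sigma rule over your process-creation source.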
CISA and a number of other federal agencies issued a joint advisory on RansomHub. These advisories examine recent and historical ransomware TTPs to help organizations protect themselves.
According to CISA, "RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV)".
The top three recommendations CISA gives in the advisory to mitigate ransomware threats are:
Source: CISA
CISA added three CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:
Using CISA's KEV catalog as part of a risk-based approach is a great way to prioritize vulnerability remediation in your organization. CISA's linked guidance explains how to put the KEV catalog to use.
Source: Known Exploited Vulnerabilities Catalog | CISA
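To make the "risk-based" point concrete, here is an added example (written for this brief, not CISA's own tooling) of putting the KEV catalog to work: it loads a feed in the shape CISA publishes, lists entries added since a given date, and reorders scanner findings so that catalog entries with known ransomware use and the nearest remediation due dates come first. The feed excerpt, CVE IDs and scan findings are constructed placeholders; only the JSON field names match the real feed.

```python
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the published feed; the CVE IDs and entries are placeholders.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.09.01",
  "dateReleased": "2024-09-01T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Example VPN Gateway",
     "vulnerabilityName": "Example VPN Gateway Authentication Bypass",
     "dateAdded": "2024-08-26", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2024-09-16", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Example Web Server",
     "vulnerabilityName": "Example Web Server Remote Code Execution",
     "dateAdded": "2024-07-30", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2024-08-20", "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}"""

# Constructed vulnerability-scanner export: one finding per (host, CVE).
SAMPLE_FINDINGS = [
    {"host": "vpn-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01",  "cve": "CVE-0000-0003", "cvss": 9.1},   # high CVSS but not in KEV
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 7.2},   # lower CVSS, KEV + ransomware
    {"host": "app-02", "cve": "CVE-0000-0001", "cvss": 9.8},
]


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID."""
    catalog = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def recent_additions(kev: Dict[str, dict], since: date) -> List[str]:
    """CVE IDs added to the catalog on or after `since` (e.g. this week's additions)."""
    return sorted(cve for cve, e in kev.items() if date.fromisoformat(e["dateAdded"]) >= since)


def prioritize(findings: List[dict], kev: Dict[str, dict], today: date) -> List[dict]:
    """Rank findings: KEV entries with known ransomware use first (tier 0), other KEV
    entries by remediation due date (tier 1), then everything else by CVSS (tier 2)."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        item = dict(f, in_kev=entry is not None, due_date=None, days_to_due=None, ransomware=None)
        if entry is None:
            item["tier"] = 2
        else:
            due = date.fromisoformat(entry["dueDate"])
            item["due_date"] = entry["dueDate"]
            item["days_to_due"] = (due - today).days      # negative means overdue
            item["ransomware"] = entry["knownRansomwareCampaignUse"]
            item["tier"] = 0 if item["ransomware"] == "Known" else 1
        ranked.append(item)
    # Findings outside KEV have no due date; sort them behind every KEV finding.
    ranked.sort(key=lambda i: (i["tier"], i["days_to_due"] if i["in_kev"] else 10**6, -i["cvss"]))
    return ranked


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print("Added since 2024-08-26:", recent_additions(kev, date(2024, 8, 26)))
    for item in prioritize(SAMPLE_FINDINGS, kev, date(2024, 9, 3)):
        flag = "OVERDUE" if item["in_kev"] and item["days_to_due"] < 0 else ""
        print(item["tier"], item["host"], item["cve"], item["due_date"], flag)
```

Note how the ordering differs from a pure CVSS sort: the 7.2 finding on web-01 lands at the top because it is in the catalog with known ransomware use and its due date has passed, while the 9.1 finding on db-01 drops to the bottom because nothing confirms it is being exploited. Swap the embedded JSON for a download of the live feed and the scanner export for your own data to use this as-is.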