Threat Intel Brief for January 20 - January 26, 2025

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Sophos MDR tracks two ransomware campaigns
FleshStealer infostealer malware
Pair of SOCKS Lead to LockBit Ransomware
CISA KEV updates

Sophos MDR tracks two ransomware campaigns

Sophos X-Ops’ Managed Detection and Response (MDR) is actively responding to two separate threat actor groups exploiting Microsoft Office 365 to infiltrate organizations, likely for data theft and ransomware deployment. Investigations into these incidents began in November and December 2024, with Sophos tracking the threats as STAC5143 and STAC5777. Both groups operated their own Microsoft Office 365 service tenants to conduct attacks. They also leveraged a default Microsoft Teams setting that allows external users to initiate chats or meetings with internal users.

Both threat actors are relying on several common tactics in the initial stages of the attacks, including email bombing, Microsoft Teams messages/calls (often pretending to be from internal IT support) and using Microsoft's own remote control tools (Quick Assist or Teams screen sharing). It's important to be wary of unexpected Teams communications coming from an external tenant and to inform your users of this threat.
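
A defender's check for the Teams external-access setting described above, added here as an example that is not from the Sophos report or this brief. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; 'partner.example' is a placeholder domain.

```powershell
# Added example (not from Sophos or this brief): audit the Microsoft Teams
# external-access (federation) settings that let an outside tenant start
# chats or calls with your users. Requires the MicrosoftTeams module and a
# Teams administrator account.
Connect-MicrosoftTeams

$fed = Get-CsTenantFederationConfiguration

# Report the settings that matter for this attack pattern.
[PSCustomObject]@{
    AllowFederatedUsers       = $fed.AllowFederatedUsers        # any other M365 tenant
    AllowedDomains            = $fed.AllowedDomains             # AllowAllKnownDomains = open
    BlockedDomains            = ($fed.BlockedDomains | ForEach-Object Domain) -join ','
    AllowTeamsConsumer        = $fed.AllowTeamsConsumer         # personal Teams accounts
    AllowTeamsConsumerInbound = $fed.AllowTeamsConsumerInbound  # consumers may start chats
} | Format-List

# Flag the permissive default: federation on, with every known domain allowed.
$openToAnyTenant = $fed.AllowFederatedUsers -and
    ($fed.AllowedDomains.GetType().Name -like '*AllowAllKnownDomains*')
if ($openToAnyTenant) {
    Write-Warning 'Any external tenant can initiate Teams chats and calls with your users.'
}

# Optional hardening, to be reviewed with collaboration owners before applying:
# restrict federation to an explicit partner allow list ('partner.example' is a
# placeholder) and stop personal Teams accounts from starting chats.
# Set-CsTenantFederationConfiguration -AllowedDomainsAsAList @('partner.example')
# Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false
```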

Source: Sophos

FleshStealer infostealer malware

According to a report from Flashpoint, FleshStealer, first observed in September 2024, is a C#-based credential stealer managed through a web-based panel. It uses encryption to evade detection and can terminate itself if debugging is detected. The malware is particularly effective at identifying virtual machine (VM) environments and will not execute on them. This tactic helps it avoid forensic analysis, demonstrating an awareness of security research techniques.

Flashpoint's VP of Intelligence stated, "Infostealers have emerged as one of the most persistent and widespread threats in the cybercrime ecosystem." A great way to help defend against the risks posed by infostealers is to deploy endpoint protection, such as Microsoft Defender for Endpoint, and to monitor for leaked credentials on the dark web.

Source: Flashpoint

Pair of SOCKS Lead to LockBit Ransomware

A recent intrusion detailed by The DFIR Report has highlighted the deployment of several proxy tools to establish C2 on a domain controller. The initial malicious executable delivered to the victim was disguised as the Windows Media Configuration Utility (setup_wm.exe). Once the executable was run, it dropped the proxy tools SystemBC and GhostSOCKs. This graphic provided by The DFIR Report depicts the initial infection chain:

[Figure: initial infection chain (Initial Access), from The DFIR Report]

Once C2 was achieved, the threat actor was able to successfully exfiltrate data within the first 24 hours following initial access. It wasn't until day 11 that the final step of deploying ransomware was carried out. Monitoring network traffic to detect large-scale exfiltration events and C2 connections would have helped to identify and stop this attack in its tracks.

Source: The DFIR Report

CISA KEV updates

CISA has added 2 new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:

[Screenshot: this week's KEV catalog additions]


Don't know where to begin with vulnerability management?

Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides CISA's guidance on how to implement the KEV catalog.

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact