In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Russian Military Cyber Actors Target US and Global Critical Infrastructure
Tool Profile: AzureHound
Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant
Fog Ransomware Now Targeting the Financial Sector
CISA KEV updates
This joint advisory, issued on September 5, 2024, details specific actions taken by Russian state-sponsored cyber actors in operations conducted against global targets. Highlighted in the report are the tactics, techniques, and procedures (TTPs) associated with Unit 29155, a cyber unit of the Russian military intelligence service (GRU).
Initial reconnaissance relies on publicly available tools to scan and probe public-facing resources for exploitable vulnerabilities. Of particular note is the observed exploitation of older CVEs in Dahua Security devices, Atlassian Confluence Server and Data Center, and Sophos Firewall to gain initial access; patches for these have long been available, so the practical risk is unpatched, Internet-exposed instances.
The report includes a comprehensive mitigations section as well as a host of additional indicators of compromise (IoCs).
Source: CISA
AzureHound is a command-line tool from the BloodHoundAD project, designed to collect data from Microsoft Entra ID (formerly Azure AD) and other Azure resources for BloodHound's attack path analysis. Together, AzureHound and BloodHound provide a comprehensive view of potential attack paths across Azure and Active Directory environments, showing security teams which identities, roles and permissions an attacker could chain together.
Threat actors such as Peach Sandstorm and Midnight Blizzard have used AzureHound for discovery and enumeration. An alert involving its use indicates that an attacker likely already holds valid credentials in the tenant, so it warrants immediate investigation of the principal that ran it and tighter access controls.
Source: Microsoft Threat Intelligence (Defender/XDR) / BloodHoundAD
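Detection logic for the enumeration pattern above, as an added example that is not part of the brief or of the BloodHoundAD project: it flags any principal that reads many distinct directory collections from Microsoft Graph within a short window, and treats an AzureHound-style User-Agent only as corroboration, since an operator can change it. The input records and their field names are constructed (loosely modelled on Graph activity log rows), and the default User-Agent string is an assumption.

```python
"""Flag BloodHound-style directory enumeration in Microsoft Graph request logs.

Added example, not from the brief or from BloodHoundAD. Records are
constructed to resemble Graph activity log rows (RequestUri, UserAgent,
TimeGenerated, plus an 'Actor' column standing in for UserId or
ServicePrincipalId); adapt the field names to your own log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directory collections that a tenant-wide collector walks. One principal
# touching most of these within a few minutes is the signal, whatever the tool.
ENUM_COLLECTIONS = {
    "users", "groups", "servicePrincipals", "applications", "devices",
    "organization", "directoryRoles",
    "roleManagement/directory/roleAssignments",
    "roleManagement/directory/roleDefinitions",
}
_GRAPH_RE = re.compile(r"^https://graph\.microsoft\.com/(?:v1\.0|beta)/([A-Za-z0-9/._@-]+)")

# Assumption: AzureHound sends an "azurehound/<version>" User-Agent by default.
# Corroboration only; it is trivially changed by the operator.
SUSPECT_USER_AGENTS = ("azurehound",)


def collection_of(request_uri):
    """Return the directory collection a Graph URI reads, or None if untracked."""
    m = _GRAPH_RE.match(request_uri)
    if not m:
        return None
    path = m.group(1)
    for coll in sorted(ENUM_COLLECTIONS, key=len, reverse=True):
        if path == coll or path.startswith(coll + "/"):
            return coll
    return None


def detect_enumeration(records, window=timedelta(minutes=10), min_collections=5):
    """One finding per actor that read at least min_collections distinct
    directory collections inside any span of length `window`."""
    by_actor = defaultdict(list)
    for rec in records:
        coll = collection_of(rec["RequestUri"])
        if coll is None:
            continue
        by_actor[rec["Actor"]].append(
            (datetime.fromisoformat(rec["TimeGenerated"]), coll, rec.get("UserAgent", "")))

    findings = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            distinct = {coll for _, coll, _ in span}
            if len(distinct) >= min_collections:
                findings.append({
                    "actor": actor,
                    "window_start": start.isoformat(),
                    "collections": sorted(distinct),
                    "suspect_user_agent": any(
                        s in ua.lower() for _, _, ua in span for s in SUSPECT_USER_AGENTS),
                })
                break  # one finding per actor is enough to open a case
    return findings


# Constructed sample: a service account walking the directory in three minutes
# with the collector's assumed default User-Agent, beside an ordinary user.
def _rec(ts, actor, ua, uri):
    return {"TimeGenerated": ts, "Actor": actor, "UserAgent": ua,
            "RequestUri": "https://graph.microsoft.com/v1.0/" + uri}

SVC, HOUND = "svc-backup@contoso.example", "azurehound/v2.1.0"
SAMPLE_RECORDS = [
    _rec("2024-09-06T14:00:05", SVC, HOUND, "organization"),
    _rec("2024-09-06T14:00:09", SVC, HOUND, "users?$top=999"),
    _rec("2024-09-06T14:00:31", SVC, HOUND, "groups?$top=999"),
    _rec("2024-09-06T14:01:02", SVC, HOUND, "servicePrincipals?$top=999"),
    _rec("2024-09-06T14:01:40", SVC, HOUND, "applications?$top=999"),
    _rec("2024-09-06T14:02:15", SVC, HOUND, "devices?$top=999"),
    _rec("2024-09-06T14:02:58", SVC, HOUND, "roleManagement/directory/roleAssignments"),
    _rec("2024-09-06T14:01:10", "alice@contoso.example", "Teams/1.6", "me/calendar/events"),
    _rec("2024-09-06T14:20:10", "alice@contoso.example", "Teams/1.6", "users/bob@contoso.example"),
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_RECORDS):
        print(finding)
```

The volume rule is the one to tune: legitimate directory-sync and backup identities also read several collections, so baseline those principals explicitly rather than raising the threshold for everyone.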
The Unit 42 Managed Threat Hunting team identified a variant of WikiLoader (also known as WailingCrab) being distributed through SEO poisoning and a spoofed GlobalProtect VPN installer. Unit 42 describes WikiLoader as a "multistage malware loader that adversaries developed with consideration toward evasion". SEO poisoning is not a new technique: attackers manipulate search engine rankings so that malicious sites appear prominently in results for a legitimate product. These sites mimic the vendor's site and serve malware to users who believe they are downloading the genuine software.
Source: [Unit42](https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/)
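A hunting query for the spoofed-installer pattern, added here as an example and not taken from the Unit 42 report: it scans proxy log lines for installer downloads from domains that contain or closely resemble a vendor brand but are not on an allowlist, and notes when the download followed a search-engine referral, which is the SEO-poisoning tell. The log format, the allowlist and the brand tokens are assumptions for a GlobalProtect deployment; the sample log lines are constructed.

```python
"""Hunt proxy logs for installer downloads from domains that imitate a vendor.

Added example, not from the brief or from Unit 42. The log is a constructed
CSV (time,user,url,referer). The allowlist and brand tokens are assumptions
for a GlobalProtect deployment: extend them with your own portal hostname and
any vendor CDN hosts you actually use.
"""
import csv
import io
import re
from urllib.parse import urlsplit

BRAND_TOKENS = ("globalprotect", "paloaltonetworks")
LEGIT_DOMAINS = {"paloaltonetworks.com"}          # assumption: extend per deployment
INSTALLER_RE = re.compile(r"\.(exe|msi|msix|zip|pkg|dmg)$", re.IGNORECASE)
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")


def levenshtein(a, b):
    """Edit distance; inputs are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Naive for multi-label public suffixes such
    as .co.uk; use a public-suffix library in production."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_score(host):
    """1.0 if a brand token appears inside the second-level label, otherwise the
    similarity (1 - distance/length) of that label to the closest brand token."""
    sld = registrable(host).split(".")[0]
    best = 0.0
    for tok in BRAND_TOKENS:
        if tok in sld:
            return 1.0
        best = max(best, 1 - levenshtein(sld, tok) / max(len(sld), len(tok)))
    return best


def hunt(log_text, min_score=0.8):
    """Return suspicious installer downloads: not from an allowlisted domain,
    from a host that looks like the brand, with a search-referral flag."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parts = urlsplit(row["url"])
        host = parts.hostname or ""
        if registrable(host) in LEGIT_DOMAINS or not INSTALLER_RE.search(parts.path):
            continue
        score = lookalike_score(host)
        if score < min_score:
            continue
        ref_host = urlsplit(row.get("referer") or "").hostname or ""
        hits.append({
            "user": row["user"], "host": host, "url": row["url"],
            "score": round(score, 3),
            # landing on a fake download page straight from a search engine
            "from_search": any("." + s in "." + ref_host for s in SEARCH_ENGINES),
        })
    return hits


# Constructed sample log. .test is a reserved TLD, so these hosts are fictional.
SAMPLE_LOG = """time,user,url,referer
2024-09-03T09:12:44,jdoe,https://www.google.com/search?q=globalprotect+download,
2024-09-03T09:13:02,jdoe,https://globalprotect-vpn.test/download/GlobalProtect64.msi,https://www.google.com/
2024-09-03T10:41:19,amiller,https://downloads.paloaltonetworks.com/gp/GlobalProtect64.msi,
2024-09-03T11:02:51,rlee,https://paloaltonetwork.test/files/GlobalProtect.exe,https://www.bing.com/search?q=gp
2024-09-03T11:30:00,rlee,https://sharepoint.test/sites/it/Tools.zip,
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The one-character typosquat (paloaltonetwork.test) is caught by the edit-distance branch, the keyword-stuffed host by the substring branch; the legitimate vendor CDN and the unrelated SharePoint download are left alone.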
A threat bulletin issued by Adlumin Cybersecurity highlights some of the tactics used by the Fog ransomware group. The bulletin describes an attack launched by the group in early August 2024 that began with compromised VPN credentials and then pivoted to cripple the victim's network security controls. While the attack was ultimately unsuccessful, one of the key takeaways is that the group has expanded operations to the financial sector. According to Adlumin, "Fog is a variant of the STOP/DJVU ransomware family, first observed in 2021".
A detailed list of IoCs is included in the bulletin. The top three recommendations listed for protecting against Fog ransomware are to use MFA, to update and patch VPN software on a regular cadence, and to monitor VPN access.
Source: Adlumin
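The "monitor VPN access" recommendation turned into concrete rules, as an added example rather than anything from the Adlumin bulletin: it alerts on successes without MFA, logins from a geography the user has no history with, a success immediately after a burst of failures, and overlapping sessions from different source addresses (the shape a stolen credential takes while the real user is also connected). The syslog-like lines come from a hypothetical concentrator, the geo field is assumed to be added by IP enrichment upstream, and the per-user baseline is constructed.

```python
"""VPN access monitoring rules for the credential-abuse pattern described above.

Added example, not from the brief or from Adlumin. Log lines are a constructed
syslog-like format from a hypothetical concentrator; 'geo' is assumed to be
filled in by IP-geolocation enrichment, and BASELINE stands in for a table
normally built from 30+ days of each user's successful logins.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) mfa=(?P<mfa>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Yield one dict per well-formed line, with 'ts' as a datetime."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def evaluate(lines, baseline, fail_window=timedelta(minutes=10), fail_threshold=5,
             concurrent_window=timedelta(minutes=30)):
    """Return alerts as (user, rule, detail) tuples, in log order."""
    alerts = []
    recent_fail = defaultdict(deque)   # user -> timestamps of recent failures
    recent_ok = defaultdict(list)      # user -> (ts, src) of recent successes
    for e in sorted(parse(lines), key=lambda ev: ev["ts"]):
        user, ts = e["user"], e["ts"]
        if e["result"] != "success":
            recent_fail[user].append(ts)
            continue

        # spray/stuffing: a success right after a burst of failures
        fails = recent_fail[user]
        while fails and ts - fails[0] > fail_window:
            fails.popleft()
        if len(fails) >= fail_threshold:
            alerts.append((user, "success_after_failures", f"{len(fails)} failures before success"))
        fails.clear()

        if e["mfa"] != "yes":
            alerts.append((user, "no_mfa", f"src={e['src']}"))

        if e["geo"] not in baseline.get(user, set()):
            alerts.append((user, "new_geo", f"geo={e['geo']} src={e['src']}"))

        # a second success from a different address while the first is still fresh
        for prev_ts, prev_src in recent_ok[user]:
            if prev_src != e["src"] and ts - prev_ts <= concurrent_window:
                alerts.append((user, "concurrent_distinct_sources", f"{prev_src} then {e['src']}"))
                break
        recent_ok[user].append((ts, e["src"]))
    return alerts


# Constructed sample: five failures then a success from an unfamiliar country
# without MFA, followed by the real user connecting from home; TEST-NET addresses.
SAMPLE_LOG = """\
2024-08-03T02:10:01 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=failure
2024-08-03T02:10:09 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=failure
2024-08-03T02:10:17 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=failure
2024-08-03T02:10:26 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=failure
2024-08-03T02:10:34 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=failure
2024-08-03T02:10:41 vpn01 user=jsmith src=203.0.113.45 geo=RO mfa=no result=success
2024-08-03T02:25:12 vpn01 user=jsmith src=198.51.100.7 geo=US mfa=yes result=success
2024-08-03T08:02:55 vpn01 user=amiller src=192.0.2.20 geo=US mfa=yes result=success
"""
BASELINE = {"jsmith": {"US"}, "amiller": {"US"}}

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG.splitlines(), BASELINE):
        print(alert)
```

Each rule on its own produces noise (travelling users, forgotten passwords); the value is in the combination, so route a user that trips two or more rules in the same hour to the top of the queue and treat no_mfa on any success as a configuration finding to fix rather than an alert to triage.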
CISA added three CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week:
CVE-2024-7262 - CVSS 9.3 - Kingsoft WPS Office Path Traversal Vulnerability
CVE-2021-20123 and CVE-2021-20124 - CVSS 7.5 - DrayTek VigorConnect Path Traversal Vulnerabilities
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based filter is a great way to prioritize vulnerability remediation in your organization: every entry is confirmed to have been exploited in the wild and carries a remediation due date (binding for US federal agencies under BOD 22-01, and a useful benchmark for everyone else). CISA publishes guidance on how to incorporate the KEV catalog into a vulnerability management program.
Source: Known Exploited Vulnerabilities Catalog | CISA
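A small prioritizer built on the KEV feed, added here as an example and not CISA's own tooling: it joins an asset/CVE inventory against the catalog, sorts by remediation due date with ransomware-linked entries first on ties, and keeps non-KEV items in a separate bucket for ordinary patch cycles. The catalog excerpt embedded below is constructed in the shape of the real JSON feed with placeholder dates, and the inventory is constructed; `fetch_kev()` pulls the live feed from CISA's published URL when network access is available.

```python
"""Prioritize a CVE inventory against the CISA KEV catalog.

Added example, not from the brief or from CISA. SAMPLE_KEV is a constructed
excerpt in the same shape as the real feed (dates are placeholders, not
CISA's actual entries); fetch_kev() retrieves the live catalog.
"""
import json
import urllib.request
from datetime import date, datetime

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_KEV = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-7262", "vendorProject": "Kingsoft", "product": "WPS Office",
         "vulnerabilityName": "Kingsoft WPS Office Path Traversal Vulnerability",
         "dateAdded": "2024-09-03", "dueDate": "2024-09-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-20123", "vendorProject": "DrayTek", "product": "VigorConnect",
         "vulnerabilityName": "DrayTek VigorConnect Path Traversal Vulnerability",
         "dateAdded": "2024-09-04", "dueDate": "2024-09-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-20124", "vendorProject": "DrayTek", "product": "VigorConnect",
         "vulnerabilityName": "DrayTek VigorConnect Path Traversal Vulnerability",
         "dateAdded": "2024-09-04", "dueDate": "2024-09-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}


def fetch_kev(url=KEV_URL):
    """Download the live catalog (same structure as SAMPLE_KEV)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def index_kev(feed):
    """cveID -> catalog entry."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(inventory, kev_index, today):
    """inventory: iterable of (asset, cve). Returns (kev_hits, other): kev_hits
    sorted so overdue and soonest-due items come first, ransomware-linked
    entries winning ties; other holds CVEs not in the catalog."""
    hits, other = [], []
    for asset, cve in inventory:
        entry = kev_index.get(cve)
        if entry is None:
            other.append((asset, cve))
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        hits.append({
            "asset": asset,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,     # negative means overdue
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    hits.sort(key=lambda h: (h["days_left"], h["ransomware"] != "Known"))
    return hits, other


# Constructed inventory; CVE-2024-0000 is a placeholder ID that is not in KEV.
SAMPLE_INVENTORY = [
    ("vigorconnect-01", "CVE-2021-20124"),
    ("laptop-fin-12", "CVE-2024-7262"),
    ("laptop-fin-12", "CVE-2024-0000"),
    ("vigorconnect-01", "CVE-2021-20123"),
]
SAMPLE_TODAY = date(2024, 9, 6)

if __name__ == "__main__":
    kev_hits, rest = prioritize(SAMPLE_INVENTORY, index_kev(SAMPLE_KEV), SAMPLE_TODAY)
    for h in kev_hits:
        print(f'{h["days_left"]:>4}d  {h["cve"]:<15} {h["asset"]:<16} {h["product"]}')
    print("not in KEV:", rest)
```

Swap `SAMPLE_KEV` for `fetch_kev()` and the inventory for an export from your scanner, and the first lines of output are the tickets to open today.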