Threat Intel Brief for September 23 - September 29, 2024
In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Storm-0501 Hybrid Ransomware attacks from on-prem to cloud
Sparkling Pisces’s expanded toolkit
Intelligence Insights from Red Canary
CISA KEV updates
Storm-0501: Hybrid Ransomware attacks from on-prem to cloud
Microsoft has observed a threat actor known as Storm-0501 (formerly Sabbath) exploiting weak credentials and targeting known remote code execution vulnerabilities to compromise on-premises infrastructure, then pivoting to cloud environments. The group has been observed targeting multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Microsoft's report includes an attack chain diagram for Storm-0501 (not reproduced here).
Recommendations from Microsoft for countering this threat actor include applying the principle of least privilege, auditing privileged account behavior, and deploying conditional access policies. For a deeper dive on TTPs and a full list of mitigation and detection strategies, please visit the linked article.
Source: Microsoft
Sparkling Pisces’s expanded toolkit
Researchers from Unit 42 recently documented two previously undocumented malware samples, dubbed KLogEXE and FPSpy. These samples were in use by the Sparkling Pisces threat group, which is known to operate out of North Korea. Sparkling Pisces has been dubbed "the king of spear phishing" due to the volume and effectiveness of its phishing campaigns.
KLogEXE collects data such as running applications, keyboard input, and mouse clicks, and exfiltrates it via HTTP. FPSpy is a DLL-based malware with capabilities beyond keylogging, including downloading and executing additional modules, executing arbitrary commands, and enumerating drives and files.
Source: Unit42
Intelligence Insights from Red Canary
Red Canary's threat intelligence team released its monthly insights report, highlighting ChromeLoader as the top malware threat and SocGholish in the number 2 spot. ChromeLoader works by modifying a victim's browser and rerouting traffic. SocGholish is a downloader that tricks users into running malicious code under the guise of fake browser updates.
The report also highlights activity related to the abuse of VPNs for initial access and lateral movement within organizations. The activity is similar to the observed behavior of Storm-0844, which is known to deploy Akira and now FOG ransomware. Both ransomware strains consistently target VPN software, especially Cisco ASA, for initial access. Red Canary's recommendations for responding to active VPN abuse include disabling layer 2 (East-West) visibility for VPN clients and deploying EDR to all systems.
Source: Red Canary
CISA KEV updates
CISA has added 1 CVE to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-7593 - Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability - CVSS 9.8
- Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
- While Ivanti notes that no known exploitation has been observed for CVE-2024-7593, their advisory makes special note of publicly available exploit code.
Don't know where to begin with vulnerability management?
Using CISA's KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the CISA KEV.
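As an added example of the KEV-based prioritization described above (not code from Coretek or CISA), the script below indexes a KEV-shaped catalog and ranks an asset inventory's open CVEs so that KEV entries come first, with known-ransomware and past-due items at the top and CVSS used only as a tie-breaker. The catalog is a constructed sample that mirrors the field names of CISA's published KEV JSON feed; the inventory, the placeholder CVE ids, and all dates are assumptions made for illustration (only CVE-2024-7593 itself comes from the brief).

```python
"""Rank an asset inventory's open CVEs against a CISA KEV-style catalog.

Added example, not from the brief or from CISA. KEV_SAMPLE is a constructed
document using the field names of CISA's KEV JSON feed; its dates, the
"CVE-0000-000x" ids and the inventory are placeholders, not real data.
"""
import json
from datetime import date

# Constructed catalog in the shape of the KEV feed. dateAdded/dueDate values and
# the ransomware flag are placeholders, not CISA's actual values.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-7593", "vendorProject": "Ivanti",
         "product": "Virtual Traffic Manager",
         "vulnerabilityName": "Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability",
         "dateAdded": "2024-09-24", "dueDate": "2024-10-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "vulnerabilityName": "placeholder entry",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed inventory: open CVE per asset with the scanner's CVSS score.
INVENTORY = [
    {"asset": "vtm-edge-01", "cve": "CVE-2024-7593", "cvss": 9.8},
    {"asset": "vpn-gw-02",   "cve": "CVE-0000-0001", "cvss": 7.2},  # placeholder id
    {"asset": "app-03",      "cve": "CVE-0000-0002", "cvss": 9.9},  # placeholder, not in KEV
    {"asset": "app-03",      "cve": "CVE-0000-0003", "cvss": 5.1},  # placeholder, not in KEV
]


def load_kev(catalog_json: str) -> dict:
    """Index a KEV-shaped JSON document by CVE id."""
    catalog = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(inventory: list, kev: dict, as_of: str) -> list:
    """Return inventory rows annotated with KEV data, most urgent first.

    as_of is an ISO date (YYYY-MM-DD) used to decide whether a KEV
    remediation due date has already passed.
    """
    today = date.fromisoformat(as_of)
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "asset": item["asset"],
            "cve": item["cve"],
            "cvss": item["cvss"],
            "in_kev": entry is not None,
            "ransomware": entry is not None
                          and entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue": due is not None and due < today,
            "due_date": due.isoformat() if due is not None else None,
        })
    # Sort: KEV before non-KEV, ransomware-linked first, overdue first,
    # earliest due date next, and CVSS (descending) only as the tie-breaker.
    rows.sort(key=lambda r: (
        not r["in_kev"],
        not r["ransomware"],
        not r["overdue"],
        r["due_date"] or "9999-12-31",
        -r["cvss"],
    ))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_SAMPLE), "2024-09-30"):
        flags = ",".join(k for k in ("in_kev", "ransomware", "overdue") if row[k]) or "-"
        print(f'{row["asset"]:12} {row["cve"]:15} cvss={row["cvss"]:<4} due={row["due_date"]} {flags}')
```

Note that the highest-CVSS finding (9.9, not in KEV) lands third: the point of the KEV approach is that confirmed exploitation in the wild outranks a severity score alone. In production, replace KEV_SAMPLE with the downloaded feed and the inventory with your scanner's export.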
Source: Known Exploited Vulnerabilities Catalog | CISA
Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact