Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

TLP WHITE Threat Intelligence Report – March 4, 2024


This report was created jointly by Scot Terban and the ICEBREAKER INTEL ANALYST, which was created and trained by Scot Terban.

CAVEAT: Please take these reports and use them as a source to create your own CTI reporting, in your own format and in your own manner of briefing your executives. The report below is the more technical report; pull from it and collect its links, etc., to send tactical information to your consumers.

In the case of the executive report, do the same: pull from it what you will. These are complex issues, and all orgs have varying levels of threats and problems. This is not a tailored solution but a generalist TLP WHITE report set of what is being seen online today.

Executive Summary

This report provides a comprehensive overview of the current cybersecurity threat landscape, highlighting significant attacks, breaches, vulnerabilities, and emerging threats observed up to March 4, 2024. It synthesizes data from multiple sources to offer insights into the tactics, techniques, and procedures (TTPs) used by threat actors and recommends actionable steps for organizations to mitigate these risks.

Key Findings

The recent surge in data breaches and cyber attacks has had a significant impact across various sectors, with a noticeable increase in incidents within the financial sector and notable attacks on major entities. Here’s a summary of the key findings from recent reports:

  • The MOVEit data breach has emerged as a significant incident, affecting a wide range of organizations including high-profile names like Sony Interactive Entertainment, BBC, British Airways, and the US Department of Energy. This breach underscores the cascading effects of vulnerabilities in widely used software, leading to extensive data privacy concerns across numerous governments and industries.
    • The Ontario Birth Registry experienced a breach through the MOVEit vulnerability, impacting 3.4 million individuals. This incident highlights the vulnerability of healthcare data and the far-reaching consequences of such breaches.
  • Other notable breaches in 2024 include Topgolf Callaway and Freecycle, affecting millions of users. These incidents involved a variety of personal information, from healthcare data to user IDs and email addresses, underscoring the diverse nature of cyber threats and the importance of robust cybersecurity measures.
  • A ransomware attack on a U.S. healthcare payment processor has been described as the most serious of its kind, indicating the growing severity of ransomware attacks and their impact on critical infrastructure and services.
  • The financial sector saw a 35% increase in ransomware attacks, highlighting the escalating threat to this industry. This trend emphasizes the need for enhanced security protocols and vigilance against ransomware campaigns.
  • Learning from past incidents, such as the Guardian Attack, the Toronto SickKids ransomware incident, and the Royal Mail ransomware attack, can provide valuable insights into the evolving tactics of cybercriminals and the importance of preparedness and resilience in cybersecurity strategies.

Vulnerabilities and Patches Report – March 4, 2024

This report aggregates and analyzes critical vulnerabilities and patches announced up to March 4, 2024, with a focus on the government and education sectors. The vulnerabilities are ordered from high to low based on their Common Vulnerability Scoring System (CVSS) scores.

High Severity Vulnerabilities

Microsoft Exchange Server and Outlook Vulnerabilities:

  • CVE-2024-21410 (CVSS: 9.8) – An elevation of privilege vulnerability in Microsoft Exchange Server that could allow an attacker to authenticate as the targeted user.
  • CVE-2024-21413 (CVSS: 9.8) – A remote code execution vulnerability in Microsoft Outlook.

Oracle Retail Applications Vulnerabilities:

  • CVE-2022-42920 (CVSS: 9.8) – A vulnerability in Oracle Retail Advanced Inventory Planning that could allow high confidentiality, integrity, and availability impacts.

Moby BuildKit and OCI runc Vulnerabilities:

  • CVE-2024-23651 (CVSS: 8.7) – A race condition in Moby BuildKit that could grant access to files from the host system within the build container.
  • CVE-2024-21626 (CVSS: 8.6) – A file descriptor leak in runc that could facilitate a container escape.

Microsoft Dynamics Business Central/NAV Vulnerability:

  • CVE-2024-21380 (CVSS: 8.0) – An information disclosure vulnerability.

Medium to Low Severity Vulnerabilities

Google Chrome Vulnerabilities:

  • Various use-after-free vulnerabilities in Chrome’s WebAudio and WebGPU components; Google did not publish CVSS scores for them but rated them high severity. These issues could potentially lead to arbitrary code execution, data corruption, or denial of service.

SAP Vulnerabilities:

  • SAP addressed multiple vulnerabilities, including a code injection bug and a denial-of-service issue, along with vulnerabilities in Edge Integration Cell and Business Technology Platform (BTP) Security Services Integration Libraries.

Oracle MySQL Server Vulnerabilities:

  • Several vulnerabilities in MySQL Server’s Optimizer affecting versions 8.0.35 and prior and 8.2.0 and prior, with varying CVSS scores, some indicating potentially high impact.

Threat Intelligence

The evolving cyber threat landscape of 2024, as detailed by leading cybersecurity firms like CrowdStrike, Microsoft, Mandiant, and NCC Group, underscores a pivotal shift towards more sophisticated and covert cyber operations. The emergence of 34 new adversaries, alongside a notable 75% increase in cloud intrusions as reported by CrowdStrike, highlights the expanding battleground of cyber warfare, particularly within cloud environments. Microsoft’s principled approach towards managing AI-related cybersecurity risks reflects an industry-wide acknowledgment of the growing threat posed by AI-powered attacks, including those orchestrated by nation-state actors and cybercriminal syndicates. Mandiant’s emphasis on continuous vigilance and NCC Group’s identification of January 2024 as an exceptionally active period for ransomware attacks further illustrate the dynamic nature of cyber threats. Together, these reports reveal a cyber realm increasingly dominated by stealthy, identity-based attacks and the exploitation of digital supply chains, compelling organizations to adapt rapidly to this changing environment with enhanced detection, response capabilities, and a collaborative approach to cybersecurity.

Malware Trends and Types

The landscape of top malware campaigns in 2024 reveals an alarming trend of sophistication and diversification in cyber threats, targeting both individual users and organizations. Here’s a summary based on the latest findings:

In 2023, loaders, stealers, and RATs (Remote Access Trojans) were identified as the dominant malware types, and they are forecast to remain prevalent in 2024. Loaders, which download and install further malicious payloads, together with stealers and RATs, which enable remote access to and control over infected devices, are particularly noted for their increasing sophistication and their adaptability in evading detection mechanisms.

Notable Malware Threats: Ransomware

The landscape of Ransomware as a Service (RaaS) groups in early 2024 continues to be dominated by several key players, despite law enforcement efforts to disrupt their activities. The most active groups, based on leak site data and law enforcement actions, are as follows:

LockBit: Continues to be the most prolific RaaS group, representing a significant portion of ransomware activities. LockBit’s operations have been notable for their widespread impact across various sectors, leveraging multiple ransomware variants to infect both Linux and Windows operating systems. The group’s adaptability and the availability of tools like “StealBit” have facilitated its affiliates’ ransomware operations, making LockBit a preferred choice for many threat actors.

ALPHV (BlackCat): Despite facing significant setbacks from law enforcement actions, including an FBI operation that disrupted its operations, ALPHV has been fighting back against these disruptions. However, the group’s future remains uncertain as it struggles to maintain its reputation among criminal affiliates. There’s speculation that ALPHV could potentially shut down and rebrand under a new identity.

Clop: Known for utilizing zero-day exploits of critical vulnerabilities, Clop’s activities have highlighted the disparities between reported impacts on its leak site and the real-world implications of its attacks. Clop has heavily focused on North American targets, with significant attention also on Europe and the Asia-Pacific region.

The disruption efforts by the U.S. and U.K. against the LockBit group have been a notable development, marking a significant blow against one of the world’s most prolific ransomware gangs. These actions have included the unsealing of indictments against key LockBit operators, the disruption of U.S.-based servers used by LockBit members, and the provision of decryption keys to unlock victim data. This collaborative international effort underscores the commitment of law enforcement agencies to combat cybercrime and protect against ransomware threats.

For businesses and organizations, the prevailing ransomware threat landscape underscores the importance of implementing robust cybersecurity measures. This includes enabling multifactor authentication, maintaining regular backups, keeping systems up to date, verifying emails to prevent phishing attacks, and following established security frameworks such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST). These strategies can help mitigate the risk of ransomware attacks and reduce their potential impact on operations.

In conclusion, while the threat from ransomware groups remains significant, ongoing law enforcement actions and adherence to cybersecurity best practices offer a path forward in combating these cyber threats. Organizations must remain vigilant and proactive in their security measures to navigate the evolving ransomware landscape.

Malvertising Campaigns

The NodeStealer malware campaign has been highlighted as a new threat, exploiting Facebook ads to distribute malware. This campaign underscores the increasing use of social media networks by cybercriminals to launch sophisticated malvertising attacks, targeting a vast user base and compromising their privacy and security.

Exploited Vulnerabilities

Recent reports have also shed light on exploited vulnerabilities, including those in Cisco products (CVE-2024-20253) and VMware’s vCenter systems (CVE-2023-34048), exploited by espionage groups. Citrix NetScaler appliances were found vulnerable to two zero-day vulnerabilities (CVE-2023-6548 and CVE-2023-6549), stressing the need for immediate application of patches to mitigate risks.

Emerging Malware Statistics

Emerging malware statistics reveal that Domain Generation Algorithms (DGAs) continue to hamper malware mitigation efforts, with over 40 malware families employing DGAs to generate numerous domain names, complicating the shutdown of botnets. Additionally, the frequency and impact of malware, including ransomware and IoT malware, have been noted to increase, with new malware variants detected daily, emphasizing the continuous evolution of cyber threats.
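The DGA problem described above is usually first visible to defenders in DNS logs: infected hosts resolve a burst of algorithmically generated names, most of which do not exist. The following is an added detection example, not code from the report or from any named vendor, that scores the registrable label of each queried name with simple lexical heuristics (Shannon entropy, vowel and digit ratios, longest consonant run, length) and flags names that trip two or more checks. The log lines, the score thresholds, and the use of the second-to-last label as the registrable part (instead of a Public Suffix List lookup) are all assumptions made for the example.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample DNS query log lines (timestamp, client IP, queried name).
# These are illustrative values, not data from the report.
SAMPLE_DNS_LOG = """\
2024-03-04T10:01:02Z 10.0.0.12 www.example.com
2024-03-04T10:01:03Z 10.0.0.12 mail.google.com
2024-03-04T10:01:05Z 10.0.0.31 xkq7v2m9zlt4b.net
2024-03-04T10:01:05Z 10.0.0.31 pzr8ttwnqvc6yd.com
2024-03-04T10:01:06Z 10.0.0.31 fjwqxzvbkmplr.info
2024-03-04T10:01:09Z 10.0.0.44 cdn.cloudflare.com
"""


def registrable_label(qname: str) -> str:
    """Return the label directly left of the TLD. This is a simplification
    (assumption): production code should consult the Public Suffix List so
    that names such as example.co.uk are handled correctly."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of letters that are not a, e, i, o or u."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    return max((len(r) for r in runs), default=0)


def dga_score(label: str) -> int:
    """Count how many lexical heuristics the label trips (0 to 5).
    Thresholds are assumptions chosen for this example."""
    n = len(label)
    if n == 0:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    checks = [
        shannon_entropy(label) >= 3.5,
        vowel_ratio < 0.25,
        digit_ratio > 0.15,
        longest_consonant_run(label) >= 5,
        n >= 12,
    ]
    return sum(checks)


def flag_dga_queries(log_text: str, threshold: int = 2):
    """Return (client, qname, score) for every query whose registrable label
    scores at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged


if __name__ == "__main__":
    for client, qname, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname} (DGA score {score})")
```

Run against the constructed log, the three random-looking names queried by 10.0.0.31 are flagged and the legitimate names are not. In practice the per-name score is only the first signal; correlating it with NXDOMAIN response rates and query volume per client over a short window is what separates a DGA-infected host from an unusual but benign CDN hostname, and an allowlist of known-good domains keeps the false-positive rate manageable.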

These insights highlight the dynamic and evolving nature of cyber threats in 2024, underscoring the critical need for robust cybersecurity measures, including regular software updates, enhanced security protocols, and increased awareness of emerging threats.

The landscape of phishing campaigns in 2024 demonstrates a sophisticated evolution in tactics that exploit human vulnerabilities across a broad spectrum of digital interactions. Spear phishing, despite constituting only a small fraction of email-based attacks, is responsible for a majority of breaches, underscoring its effectiveness in targeting specific individuals within organizations. This method, along with whaling attacks that deceive high-ranking officials, has seen significant growth, particularly with the shift to remote work environments.

The threat landscape has been further complicated by the integration of advanced technologies such as generative AI, which has been employed to create more convincing disinformation and phishing attempts. Election security, for instance, faces challenges from phishing and disinformation, with officials expressing concerns over their preparedness to tackle these sophisticated threats.

In a detailed examination of phishing attack statistics, notable incidents like the Russia/Ukraine digital confrontations, the Lapsus$ extortion spree, and the Conti group’s attack on Costa Rica highlight the global and impactful nature of phishing campaigns. These incidents not only demonstrate the broad targets, from governments to corporations, but also the substantial financial and operational damages inflicted.

Phishing emails have been increasingly weaponized with malicious attachments, including executables and script files, posing significant risks to individuals and organizations alike. Brand impersonation remains a prevalent tactic, with companies such as Yahoo and DHL being among the most mimicked in phishing attempts, exploiting their familiarity and trust with users.

Looking ahead, phishing campaigns are expected to leverage IoT vulnerabilities, utilize social media platforms as phishing grounds, and employ sophisticated ransomware attacks. The emergence of deepfake technology in phishing scams and the targeting of small businesses due to their limited cybersecurity resources mark a notable shift towards more personalized and technologically advanced phishing methods.

These trends and incidents highlight the critical need for heightened awareness, robust cybersecurity measures, and ongoing education to mitigate the risks posed by evolving phishing campaigns.

Recommendations

  • Strengthen Cloud Security: Organizations should enhance their cloud security posture by implementing robust access controls, encryption, and monitoring to detect and prevent unauthorized access.
  • Ransomware Mitigation: Develop comprehensive backup and recovery plans, and conduct regular ransomware simulation exercises to ensure preparedness.
  • Phishing Awareness Training: Regularly train employees to recognize and respond to phishing attempts and other social engineering tactics.
  • Patch Management: Maintain an effective patch management program to ensure timely application of security patches and reduce the attack surface.
  • Threat Intelligence Integration: Leverage threat intelligence feeds and services to stay informed about emerging threats and TTPs used by adversaries.
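The Patch Management recommendation above is easier to act on when the CVE list earlier in this report is turned into a ranked work queue. The following is an added example, not code from the report, that takes the CVE identifiers, products and CVSS scores as the report lists them, marks the four CVEs named in the Exploited Vulnerabilities section as exploited in the wild, and orders them so that exploited issues come first regardless of score, then higher CVSS, then wider exposure. The exposed_assets counts are constructed placeholders standing in for an asset inventory, and the severity bands follow the CVSS v3.x qualitative rating scale; the report itself gives no scores for the exploited CVEs, so they are carried as unscored.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: Optional[float]   # None where the report gives no score
    exploited: bool         # reported as exploited in the wild
    exposed_assets: int     # constructed inventory count (assumption)


# CVE ids, products and CVSS scores as listed in the report; the
# exposed_assets values are constructed placeholders, not real inventory.
REPORTED: List[Vuln] = [
    Vuln("CVE-2024-21410", "Microsoft Exchange Server", 9.8, False, 3),
    Vuln("CVE-2024-21413", "Microsoft Outlook", 9.8, False, 400),
    Vuln("CVE-2022-42920", "Oracle Retail Advanced Inventory Planning", 9.8, False, 0),
    Vuln("CVE-2024-23651", "Moby BuildKit", 8.7, False, 12),
    Vuln("CVE-2024-21626", "runc", 8.6, False, 40),
    Vuln("CVE-2024-21380", "Microsoft Dynamics Business Central/NAV", 8.0, False, 1),
    Vuln("CVE-2024-20253", "Cisco products", None, True, 2),
    Vuln("CVE-2023-34048", "VMware vCenter", None, True, 1),
    Vuln("CVE-2023-6548", "Citrix NetScaler", None, True, 0),
    Vuln("CVE-2023-6549", "Citrix NetScaler", None, True, 0),
]


def severity_band(cvss: Optional[float]) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    if cvss is None:
        return "Unscored"
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def priority_key(v: Vuln):
    """Sort key: exploited-in-the-wild first, then higher CVSS, then more
    exposed assets. Unscored entries sort as 0.0 within their group."""
    score = v.cvss if v.cvss is not None else 0.0
    return (not v.exploited, -score, -v.exposed_assets)


def prioritize(vulns: List[Vuln], in_inventory_only: bool = False) -> List[Vuln]:
    """Return the patch work queue in priority order; optionally drop CVEs
    for products that do not appear in the (constructed) inventory."""
    pool = [v for v in vulns if v.exposed_assets > 0] if in_inventory_only else list(vulns)
    return sorted(pool, key=priority_key)


if __name__ == "__main__":
    for v in prioritize(REPORTED, in_inventory_only=True):
        flag = "EXPLOITED" if v.exploited else ""
        print(f"{v.cve:16} {severity_band(v.cvss):9} assets={v.exposed_assets:<4} {v.product} {flag}")
```

Two choices in the key are deliberate: an unscored CVE that is being exploited still outranks a 9.8 that is not, because exploitation evidence is a stronger urgency signal than a base score, and the exposure count breaks ties so that the Outlook issue (on hundreds of constructed endpoints) is worked before the Exchange issue on a few servers. Filtering to in-inventory products keeps the queue honest; the two NetScaler zero-days drop out only because the placeholder inventory has no NetScaler appliances.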

EXECUTIVE REPORT DOWNLOAD:

Written by Krypt3ia

2024/03/04 at 15:27
