
August Cyber Threat Download™

Pondurance
August 18, 2025

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Threat trends

Malicious threat actors are continuing to use proven tactics to exploit their victims. Our team noted that the following attack methods are still a primary concern:


  • Ransomware. These attacks top the list of security threats, especially with the risk of attack from threat actor groups like Scattered Spider. Currently, the strongest indicator of a ransomware attack is the launch of applications such as AnyDesk.exe, B2.exe, or Acronis.exe in rapid succession or within a short time frame. Pondurance has alerting in place for these tactics, techniques, and procedures, and the team suggests blocking Pastebin and other nonbusiness file-sharing sites for added protection. 

  • Business email compromise (BEC). These threats have a high success rate because of user error: users mistakenly open malicious emails or attachments or click links that lead them to credential-harvesting sites and adversary-in-the-middle attacks. Many successful attacks result in Office 365 mailbox access, where the threat actors create mailbox rules to hide their activity. To combat BEC attacks, the team recommends ongoing user awareness training for all employees.
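The ransomware indicator above (several remote-access or backup tools launched on one host within a short time frame) can be checked directly against process-creation telemetry. The following is an added example, not Pondurance's alerting logic; the event records are constructed in the shape of Windows 4688 / Sysmon ID 1 events, and the 10-minute window is an assumed value for "short time frame".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tools the post names as ransomware precursors when launched together.
WATCHLIST = {"anydesk.exe", "b2.exe", "acronis.exe"}
WINDOW = timedelta(minutes=10)   # assumed "short time frame"; tune as needed

# Constructed process-creation records (host, timestamp, image path),
# modelled on Windows 4688 / Sysmon ID 1 events. Not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "2025-08-12T09:00:05", r"C:\Windows\System32\svchost.exe"),
    ("WS01", "2025-08-12T09:02:11", r"C:\Users\j\Downloads\AnyDesk.exe"),
    ("WS01", "2025-08-12T09:03:40", r"C:\Users\j\Downloads\B2.exe"),
    ("WS01", "2025-08-12T09:04:02", r"C:\Temp\Acronis.exe"),
    ("WS02", "2025-08-12T10:15:00", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    ("WS02", "2025-08-12T13:30:00", r"C:\Temp\Acronis.exe"),
]

def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_tool_bursts(events, window=WINDOW, min_distinct=2):
    """Flag hosts on which at least `min_distinct` different watch-listed
    tools start within `window` of each other.
    Returns {host: sorted list of tool names seen in the burst}."""
    recent = defaultdict(deque)   # host -> deque of (time, tool) in window
    hits = {}
    for host, ts, image in sorted(events, key=lambda e: e[1]):
        tool = image_name(image)
        if tool not in WATCHLIST:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append((t, tool))
        while q and t - q[0][0] > window:      # drop launches outside window
            q.popleft()
        distinct = sorted({name for _, name in q})
        if len(distinct) >= min_distinct:
            hits[host] = distinct
    return hits

if __name__ == "__main__":
    for host, tools in find_tool_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tools)} launched within {WINDOW}")
```

WS02 launches the same tools hours apart and is not flagged; WS01 launches all three within two minutes and is.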


Tabletop exercises, formal and informal, are also recommended to keep organizations safe from cyber threats. Tabletops are simulations of real-world cyber incidents that allow participants to discuss what their roles, actions, and decisions should be during a cybersecurity threat. These exercises test an organization’s incident response plan to identify any gaps in the response processes or overall security plan. A formal tabletop exercise typically walks an organization through an established incident to learn from what happened during the event. 


An informal tabletop exercise is a casual, role-playing approach and is often a more creative way to walk through incident response scenarios and discuss how different teams or departments would respond to particular hypotheticals. Informal tabletops can include any groups in an organization, and even third parties, and can be used for team-building and training purposes at meetings or conferences. The Pondurance team encourages organizations to “gamify” an informal tabletop exercise to add fun and creativity to the experience. For example, participants can roll dice as in a Dungeons and Dragons game or use playing cards as in the incident response game Backdoors & Breaches. 


SharePoint vulnerabilities

Exploitation of on-premises Microsoft SharePoint Server began on July 8 with two initial SharePoint vulnerabilities. The first is an authentication bypass vulnerability that allows an unauthorized threat actor to perform spoofing over a network. It is triggered when the threat actor sends a crafted HTTP POST request to /_layouts/15/ToolPane.aspx with a spoofed Referer header pointing to _layouts/SignOut.aspx. The second is a remote code execution vulnerability that allows an authorized threat actor to execute code over a network. The second vulnerability is chained with the first to achieve remote code execution through a single HTTP POST request. The initial vulnerabilities received patches. Later, two additional vulnerabilities surfaced that were bypasses of the first two patches. 


The vulnerabilities affected Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server 2016. Microsoft released security updates for the bypass vulnerabilities. 


The team has seen some instances of the SharePoint vulnerabilities but, so far, not much evidence of lateral movement or privilege escalation. To investigate, the team suggests that organizations running SharePoint servers search their Internet Information Services (IIS) logs for a large number of HTTP POST requests, as that may indicate exploitation. Also, payloads deployed through this exploit often harvest the server's machine keys, and once the threat actors have the machine keys, they no longer need the vulnerability to bypass authentication. Instead, they can authenticate normally and continue to run code on that specific server. 
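The IIS log review the team suggests can be scripted: flag POSTs to ToolPane.aspx whose Referer names SignOut.aspx (the request shape described above) and count POST bursts per client address. This is an added example, not Pondurance's or Microsoft's tooling; the W3C log excerpt is constructed, and it assumes the optional cs(Referer) field is enabled in the site's IIS logging configuration.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (not real data). The field list is taken
# from the #Fields header, so other column layouts work unchanged.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 03:14:07 GET /_layouts/15/start.aspx - 10.0.0.8 - 200
2025-07-19 03:14:09 POST /_layouts/15/ToolPane.aspx - 203.0.113.5 /_layouts/SignOut.aspx 200
2025-07-19 03:14:10 POST /_layouts/15/ToolPane.aspx - 203.0.113.5 /_layouts/SignOut.aspx 200
2025-07-19 03:14:11 POST /_layouts/15/ToolPane.aspx - 203.0.113.5 /_layouts/SignOut.aspx 500
2025-07-19 03:20:00 POST /_layouts/15/ToolPane.aspx - 10.0.0.8 /_layouts/15/start.aspx 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "signout.aspx"

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_toolpane_abuse(text, burst_threshold=3):
    """Return (suspicious_entries, bursts).

    suspicious_entries: POSTs to ToolPane.aspx whose Referer names SignOut.aspx.
    bursts: {client IP: count} for IPs sending >= burst_threshold POSTs to ToolPane.
    A 500 status is kept: a failed attempt is still worth a look.
    """
    suspicious, posts = [], Counter()
    for e in parse_w3c(text):
        if e.get("cs-method") != "POST" or e.get("cs-uri-stem", "").lower() != TOOLPANE:
            continue
        posts[e["c-ip"]] += 1
        if SIGNOUT in e.get("cs(Referer)", "").lower():
            suspicious.append(e)
    bursts = {ip: n for ip, n in posts.items() if n >= burst_threshold}
    return suspicious, bursts

if __name__ == "__main__":
    hits, bursts = find_toolpane_abuse(SAMPLE_IIS_LOG)
    for e in hits:
        print("suspicious:", e["date"], e["time"], e["c-ip"], e["sc-status"])
    print("POST bursts to ToolPane.aspx:", bursts)
```

The burst threshold is an assumed starting point; legitimate editors also POST to ToolPane.aspx, so tune it against a baseline from the same server before alerting on it.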


If the investigation points to an exploit, remediation is important. The team suggests conducting a forensic review of the system to determine if any hands-on-keyboard activity or lateral movement has occurred. If the machine keys were leaked, they must be rotated. As a precaution, the team suggests rotating the machine keys even without evidence of an exploit — and, of course, patching is important. 


The team expects that these attacks will likely evolve over time as more threat actors access the proof-of-concept code for the vulnerability. In particular, the team expects to see remote access tools, such as backdoors and Cobalt Strike, deployed to the system.


Notable vulnerabilities

Approximately 4,300 vulnerabilities were disclosed in June, and seven of those were actively exploited. Three proof-of-concept exploits were released, for Qualcomm, Windows, and Naver/Billboard.js. 


As a monthly trend, the team saw high-profile vulnerabilities that were quickly exploited, especially following the release of a proof-of-concept code. Also on trend, many threat actors now maintain a library of exploits for older vulnerabilities that they use once they gain access to a cyber environment.


During Microsoft Patch Tuesday in June, 66 reported vulnerabilities were addressed. Of those 66, nine were critical vulnerabilities, one was a zero-day vulnerability, and multiple patches were released for the affected products. The zero day is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV). The team also provided details about an iOS zero-click campaign and a router path traversal vulnerability.


iOS zero-click campaign. This attack successfully targeted two European journalists by deploying Paragon Solutions’ Graphite spyware on their iOS devices. Threat actors exploited a flaw in how iOS handled iCloud links delivered through iMessage, which were processed without any user interaction. From there, they established a connection to their command-and-control server. A patch was released in iOS 18.3.1.


Router path traversal vulnerability. This exploit impacts all firmware versions of the D-Link DIR-859 Wi-Fi routers. The attack sends a malicious POST request for an XML file in which the ../ sequence is not stripped from the requested path, which lets the attacker dump session IDs, credentials, and configuration data from the device's PHP files. A proof-of-concept exploit was released, but patches will not be released for this vulnerability because the devices are end of life. The team recommends that organizations using D-Link DIR-859 routers purchase new routers.


During Microsoft Patch Tuesday in July, 137 reported vulnerabilities were addressed — twice the number reported in June. Of those 137, 14 were critical vulnerabilities, and all but one of those critical vulnerabilities were remote code execution flaws. One of the 137 vulnerabilities was a zero-day exploit. The zero day is an information disclosure vulnerability that affects the Microsoft SQL Server, but there is no known exploitation of the vulnerability in the wild. 


Telemetry

Last month, the team discussed telemetry — how data from multiple sources is collected and analyzed to understand what is happening within an environment — and compared three host-logging tools: group policy object (GPO), endpoint detection and response (EDR), and Sysmon. This month, the team followed up the discussion by answering a few important telemetry questions. 


When a user increases the GPO audit levels or enables Sysmon, does it take up more disk space? Mostly no. Windows, including PowerShell, has a default maximum of 20 megabytes (MB) for most event logs, and Sysmon defaults to 64MB. When a log is full, it overwrites itself, pushing the oldest records out as the newest records are written. 


Will this increase the LogScale storage amounts and push a client over the limit? The amount of logs and data will increase. If the limits are exceeded, Pondurance will work with the client to tune as much as possible. The limits are not rigid, and the client will not get cut off from service because the service will scale with the data being sent.


If data does increase, how is the tuning handled? Pondurance does most of the tuning, including event enablement, and we can review sources that can help the client cull or filter data or can suggest how to dial back to get to a desired level. Sidecar configurations can be used to remove log sources or event codes. Log forwarders can also be used to filter, but Sidecar is preferred. Both ways are effective for removing the extra data.


How do Pondurance’s rules compare to Sysmon’s rules? When compared to the Sigma HQ rules, Pondurance’s alert rules have similar percentages to the Sysmon rules. In all three sets of rules, more than 1,000 rules are written for process creation. Sysmon event ID 1 and Windows event ID 4688 (both process creation) are the most crucial event IDs to log, especially if an organization is not using a top-tier EDR solution. 


The team reminded organizations that Windows 10 support, including security updates, will expire on Oct. 14, 2025. There are ways to extend Windows 10 support. However, the team recommends that any organization still using Windows 10 should upgrade to Windows 11.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our security operations center, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.
