December Cyber Threat Download™
Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media.
Data exfiltration in the cloud
Not all tools used by threat actors are malware. Rclone, a command line program with no graphical user interface, is a free and open-source tool for file transfer and syncing. It is attractive to threat actors because it is a legitimate tool that endpoint detection and response solutions do not always flag. The digital forensics and incident response team recently worked an unusual case that exposed how a threat actor accessed a client's entire Google Drive environment and transferred the data using Rclone.
In the case, the Qilin ransomware group leveraged a single shared account that many employees at the organization used to access Google Drive from a single system. When the Qilin group accessed that system, a live Google Drive session was in progress in the browser. The group stole the session token from that browser and reconfigured Rclone to sync all the data from the organization's Google Drive to the group's own infrastructure.
The team recommends that organizations take action to prevent exploitation of data in the cloud. The most critical action is to apply the principle of least privilege: give employees access only to the accounts and data necessary to perform their jobs. Organizations can also configure Google Drive, as well as Azure, Amazon Web Services, and other platforms, to limit which users and applications can access the data. In addition, they should limit session durations and secure specific access keys.
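The following is an added detection example for the Rclone exfiltration pattern described above; it is not Pondurance's detection content or Rclone's code. It scores endpoint process-creation events for Rclone transfer syntax (a transfer verb plus a `remote:path` destination) so that a copy of the binary renamed to evade name matching is still caught. The event format and field names are assumed, and every event is constructed for illustration.

```python
"""Detection logic for Rclone-driven cloud exfiltration.

Added example, not Pondurance's detection content. The process-event format
(pid, image, command_line, parent_image) is an assumed, simplified endpoint
telemetry record, and every event below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Rclone sub-commands that move data between a local path and a remote.
RCLONE_TRANSFER_VERBS = {"sync", "copy", "move", "copyto", "moveto"}

# Rclone addresses a configured backend as "<remote>:<path>". Requiring at
# least two characters before the colon keeps a Windows drive letter ("C:\")
# from matching, and the negative lookahead excludes URLs ("https://").
REMOTE_ARG_RE = re.compile(r"^[A-Za-z][\w-]+:(?!//)")


@dataclass
class ProcessEvent:
    pid: int
    image: str           # full path of the executable
    command_line: str
    parent_image: str


def split_command_line(cmd: str) -> list:
    """Tokenise a Windows-style command line, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def assess(event: ProcessEvent) -> tuple:
    """Return (should_alert, reasons) for one process-creation event."""
    args = split_command_line(event.command_line)[1:]
    name = image_name(event.image)
    reasons = []

    named_rclone = name in ("rclone", "rclone.exe")
    verb = next((a for a in args if a.lower() in RCLONE_TRANSFER_VERBS), None)
    remotes = [a for a in args if REMOTE_ARG_RE.match(a)]
    custom_config = any(a.lower().startswith("--config") for a in args)

    if named_rclone:
        reasons.append(f"binary name {name}")
    if verb:
        reasons.append(f"rclone transfer verb {verb}")
    if remotes:
        reasons.append(f"remote destination {remotes[0]}")
    if custom_config:
        reasons.append("--config supplied (attacker-provided remote definitions)")
    if verb and remotes and not named_rclone:
        reasons.append("rclone syntax under another binary name (possible renamed copy)")

    # Alert on the tool name plus a transfer verb, or on transfer syntax with a
    # remote target even when the binary was renamed to evade name matching.
    should_alert = bool(verb and (named_rclone or remotes))
    return should_alert, reasons


def analyze(events) -> list:
    """Return one alert record per event that trips the Rclone logic."""
    alerts = []
    for ev in events:
        hit, reasons = assess(ev)
        if hit:
            alerts.append({"pid": ev.pid, "image": ev.image, "reasons": reasons})
    return alerts


# Constructed events: one benign git pull, one plain rclone sync of a Google
# Drive folder to a remote, one renamed copy with its own config file, one
# unrelated PowerShell command, and one harmless "rclone version" call.
SAMPLE_EVENTS = [
    ProcessEvent(3000, r"C:\Program Files\Git\bin\git.exe",
                 r'"C:\Program Files\Git\bin\git.exe" pull origin main',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4102, r"C:\Tools\rclone.exe",
                 r'"C:\Tools\rclone.exe" sync "C:\Users\svc\Google Drive" gdrive:all-docs --transfers 16',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4188, r"C:\Windows\Temp\svchost.exe",
                 r"svchost.exe copy C:\Finance gdrive:archive --config C:\Windows\Temp\r.conf",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(4210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "Get-Process | Out-File C:\Temp\p.txt"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4300, r"C:\Tools\rclone.exe", "rclone.exe version",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], "->", "; ".join(alert["reasons"]))
```

Pairing this process-level rule with the controls in the paragraph above (least privilege on the shared account, short session lifetimes) matters because the case turned on a stolen browser session token rather than on malware: the process signal is the last chance to catch the transfer once the token is gone.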
Notable vulnerabilities
More than 4,300 vulnerabilities were newly disclosed in October, similar to the number the team saw in September, and 32 of those disclosed vulnerabilities were actively exploited, double the number reported in September. Microsoft accounted for eight of the 32 vulnerabilities; however, a wide range of products and operating systems were affected, including Broadcom, Adobe, Motex, Oracle E-Business Suite (EBS), Dassault Systemes, and Apple. As many as 21 proof-of-concept exploits were published on the internet, making that information available for threat actors to use.
The team discussed the Oracle EBS attack in detail. The CL0P ransomware group, known for exploiting zero-day vulnerabilities, stealing data, and attempting to extort ransoms from its victims, exploited this SyncServlet vulnerability. The attack begins with a POST request that creates a malicious template in the XDO_TEMPLATES_B database table and stores an Extensible Stylesheet Language file payload in the LOB_CODE/XDO_LOBS directory. The payload is then decoded into Java classes, giving the threat actor unauthenticated remote code execution. Two Java payloads, Goldvein and SageGift, run in memory, followed by execution of additional Java class files. After the attack, an extortion email is sent to executives from compromised third-party email accounts. The attack potentially exposes as many as 1,400 Oracle EBS instances across industries in the United States, Europe, and Asia.
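As an added example for defenders reviewing an EBS front end (not the newsletter's, Oracle's, or CL0P's code), the script below triages web-server logs for the first step the paragraph describes, a POST to SyncServlet, and counts those requests per source address. It assumes the front-end web server writes common log format and that the servlet sits under a path containing "SyncServlet"; the page does not give the real application root, so `/EBS_ROOT_PLACEHOLDER/` stands in for it, and all log lines are constructed.

```python
"""Web-log triage for the Oracle EBS SyncServlet abuse described above.

Added example, not the newsletter's or Oracle's code. It assumes the EBS
front-end web server writes common log format and that the servlet is
reachable at a path containing "SyncServlet"; the exact URI is not given on
the page, so /EBS_ROOT_PLACEHOLDER/ stands in for the real application root.
All log lines are constructed for illustration.
"""
import re
from collections import Counter
from typing import Optional

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed log lines: two POSTs to SyncServlet from one external address,
# ordinary login traffic, a rejected GET to the servlet, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:03:14:07 +0000] "POST /EBS_ROOT_PLACEHOLDER/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2025:03:14:09 +0000] "POST /EBS_ROOT_PLACEHOLDER/SyncServlet HTTP/1.1" 200 498
198.51.100.23 - - [10/Oct/2025:08:02:41 +0000] "GET /EBS_ROOT_PLACEHOLDER/Home HTTP/1.1" 200 4120
198.51.100.23 - - [10/Oct/2025:08:03:02 +0000] "POST /EBS_ROOT_PLACEHOLDER/Home HTTP/1.1" 302 0
10.20.30.40 - - [10/Oct/2025:08:10:15 +0000] "GET /EBS_ROOT_PLACEHOLDER/SyncServlet HTTP/1.1" 405 0
this line is not in common log format
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec: dict) -> bool:
    # The chain on the page starts with a POST to SyncServlet. GETs to the same
    # path are left for a lower-severity rule so they do not drown the signal.
    return rec["method"] == "POST" and "SyncServlet" in rec["path"]


def triage(log_text: str) -> dict:
    """Return POST-to-SyncServlet counts per source IP plus a parse-failure count."""
    by_source = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # surfaced so a format change cannot silently blind the rule
            continue
        if is_suspicious(rec):
            by_source[rec["ip"]] += 1
    return {"by_source": dict(by_source), "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, count in result["by_source"].items():
        print(f"{ip}: {count} POST request(s) to SyncServlet")
    print(f"{result['unparsed']} line(s) could not be parsed")
```

A hit from this rule is a starting point, not a verdict: the paragraph above names the persistence artifacts that confirm it, namely unexpected rows in XDO_TEMPLATES_B and files under LOB_CODE/XDO_LOBS created around the same timestamps, and those should be pulled from database and file-system audit trails alongside the web log.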
During Microsoft Patch Tuesday in October, a record-high 172 reported vulnerabilities were addressed. Of those 172, eight were critical vulnerabilities, and three were zero-day exploits. Multiple patches were released for the affected products.
In November, 63 reported vulnerabilities were addressed during Microsoft Patch Tuesday, a significant decrease from October. Of those 63, five were critical vulnerabilities, and one was a zero-day exploit. The zero day was a privilege elevation vulnerability in the Windows Kernel. Microsoft released patches for the zero day and the critical vulnerabilities, which affected Windows Graphics Component, Nuance PowerScribe, Microsoft Office, DirectX Graphics Kernel, and Visual Studio.
As a final reminder, the team noted that Microsoft no longer supports Windows 10. Microsoft does offer extended security updates for critical vulnerabilities that are discovered, but clients must enroll in the extended security updates program to receive those critical patches.
SOC trends
The security operations center (SOC) team is always looking for new trends in threat activity so it can respond to changes and keep clients safe. Currently, the SOC team is seeing an uptick in the following activity:
Use of Direct Send. Threat actors have ramped up their use of Microsoft 365's Direct Send as a vector for delivering spoofed messages to victims. To execute this attack, they need only the domain name, a valid recipient, and the smart host or email server. From there, without logging in or holding any user credentials, the threat actors can send a Direct Send email that appears to come from an internal address. Indicators of this abuse include users apparently sending emails to themselves, command line tools or PowerShell appearing as user agents, suspicious attachments or file names, and QR codes in email bodies. To protect against Direct Send abuse, organizations can configure their Microsoft 365 tenant to reject Direct Send via PowerShell, if appropriate. Organizations should also offer phishing training so employees know to look for suspect, unfamiliar, or unexpected emails and attachments.
Holiday-focused phishing emails. At year-end, the team commonly sees attacks themed around end-of-year activities such as holiday events, annual budgets, and audits. The team is also seeing the creation of malicious inbox rules, which appear in over 90% of successful business email compromise attacks, so employees need to be on the lookout for these attacks. New employees are more likely to fall victim to these scams.
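The following is an added triage example for the Direct Send indicators listed above (self-addressed mail, scripting or command-line user agents, suspicious attachment names, QR-code lures); it is not Pondurance's or Microsoft's code. The record fields are an assumed simplification of message-trace data, the QR check is a text heuristic because a real check would need an image decoder, and every record is constructed. It requires two indicators before alerting, since a lone self-addressed reminder is everyday behaviour.

```python
"""Triage of message-trace records for Direct Send abuse indicators.

Added example, not Pondurance's or Microsoft's code. The record fields are an
assumed simplification of message-trace data, the QR check is a text heuristic
(an image-based check would need a QR decoder), and all records are constructed.
"""
import re
from dataclasses import dataclass, field

# Command-line and scripting clients that rarely send legitimate user mail.
SCRIPTED_UA_RE = re.compile(r"powershell|winrm|curl|wget|python-requests", re.I)
# Double extensions (invoice.pdf.htm) or HTML/script/disk-image attachments.
# Heuristic: a versioned name such as report.v2.docx will also match.
SUSPICIOUS_ATTACHMENT_RE = re.compile(
    r"(\.\w{2,4}\.\w{2,4}$)|\.(html?|iso|img|lnk|vbs|js|scr)$", re.I
)
QR_LURE_RE = re.compile(r"\bqr\b", re.I)


@dataclass
class MessageRecord:
    message_id: str
    sender: str
    recipient: str
    user_agent: str
    body: str
    attachments: list = field(default_factory=list)
    inline_images: int = 0


def score(rec: MessageRecord) -> tuple:
    """Return (indicator_count, reasons) for one message record."""
    reasons = []
    if rec.sender.lower() == rec.recipient.lower():
        reasons.append("sender and recipient are the same mailbox")
    if SCRIPTED_UA_RE.search(rec.user_agent):
        reasons.append(f"scripting/command-line user agent: {rec.user_agent}")
    bad = [a for a in rec.attachments if SUSPICIOUS_ATTACHMENT_RE.search(a)]
    if bad:
        reasons.append(f"suspicious attachment name: {bad[0]}")
    if rec.inline_images and QR_LURE_RE.search(rec.body):
        reasons.append("inline image with QR-code call to action")
    return len(reasons), reasons


def triage(records, threshold: int = 2) -> list:
    """Return records whose indicator count reaches the threshold."""
    hits = []
    for rec in records:
        n, reasons = score(rec)
        if n >= threshold:
            hits.append({"message_id": rec.message_id, "score": n, "reasons": reasons})
    return hits


# Constructed records: normal internal mail, a Direct Send style lure that
# trips every indicator, a harmless self-addressed reminder, and a bare
# scripted test message.
SAMPLE_RECORDS = [
    MessageRecord("m1", "alice@example.test", "bob@example.test",
                  "Microsoft Outlook 16.0", "Q4 budget attached for review.",
                  ["Q4_budget.xlsx"]),
    MessageRecord("m2", "alice@example.test", "alice@example.test",
                  "PowerShell/7.4", "New voicemail. Scan the QR code to listen.",
                  ["Voicemail_2025.pdf.htm"], inline_images=1),
    MessageRecord("m3", "bob@example.test", "bob@example.test",
                  "Microsoft Outlook 16.0", "Reminder: book the audit room."),
    MessageRecord("m4", "carol@example.test", "dave@example.test",
                  "curl/8.4.0", "test"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["message_id"], hit["score"], "; ".join(hit["reasons"]))
```

The threshold is deliberately a parameter: a tenant that has already rejected Direct Send can run it at 1 to surface leftovers, while a tenant that still needs Direct Send for printers and scanners keeps it at 2 and tunes the user-agent list to its own devices.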
The team also discussed preventative controls, tuning, and feedback loops with clients, and showed figures for alerts worked, threat tickets raised, and the percentage escalated over the past few months. As clients provide tuning feedback, the number of alerts worked falls while the number of threat tickets raised stays fairly consistent, so the percentage escalated rises. For example, in July there were 15,371 alerts worked and 1,066 threat tickets raised, a percent escalated of 6.93%. Every month since, the percentage escalated has increased. In late November, there were 9,400 alerts worked and 1,165 threat tickets raised, a percent escalated of 12.39%. The higher percentage means the team is spending its time more efficiently and creating more worthwhile escalations for clients.
LogScale
CrowdStrike LogScale is a centralized log management and observability platform that collects, stores, and analyzes log and event data. LogScale offers case-sensitive, index-free searching of log data, high data compression, and parallel scanning with MapReduce. The team uses this fast, efficient tool for SIEM, compliance, and incident response, and clients can take advantage of LogScale, too. The team recommends that all clients use the built-in tutorial to learn how to use LogScale. The tutorial explains what clients need to know to use it, and the dashboarding is quick and easy.
To search in LogScale, clients should start by casting the widest net possible with @rawstring and then narrow the parameters for faster, more efficient searches. Everything in a data record is contained in @rawstring. To begin, type @rawstring = /crowdstrike/i. Clients with logs have a log repository ((customer code)-norm-log). Clients who also have a network sensor have a network repository as well ((customer code)-norm-network). A client with both should specify which repository to search to speed up and narrow the results. Clients can scroll through the results and then add #data_source on the next line to narrow the search further.
The team also explained how data and alerts flow through LogScale. First, the data is enriched, tagged, normalized, and backed up to S3. Then it goes to the repositories. Log data comes from the client data sources and goes to the log repository, and network data comes from a Pondurance network server and goes to the network repository. Clients with both log and network data see a combination of the two in their View, and clients with log-only data see a single data type in their View. Dashboards and custom alerts are also created in the client's View. The SOC team can see both client Views; log and network alerts are applied equally to all clients against the two Views, and threat hunting takes place across all Views.
The team highly recommends that clients use LogScale as it provides unmatched searching capabilities. If clients need assistance in using LogScale, the team is available to help.
About the Pondurance threat intelligence team
The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.

