
October Cyber Threat Download™

Pondurance
October 29, 2025

Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media. 


Social engineering scams

Social engineering scams, such as phishing, are on the rise. The digital forensics and incident response (DFIR) team shared techniques that threat actors use to deceive targets and the classic signs that clients should look out for. These include:


  • Unsolicited requests for credentials or multifactor authentication codes, particularly urgent ones. 

  • Calls from a familiar caller ID.

  • A generic greeting with no specific last name or a skipped introduction.

  • Suspicious links to a login via phone or email.

  • Calls to personal cell phones.

  • Unexpected calendar invites.


The team also explained how threat actors conduct reconnaissance to know exactly whom to target, obtain cell phone numbers, and learn personal details that make a request sound convincing enough for the target to take a specific action. The team discussed a DFIR investigation in which a caller identifying himself as "John" from the bank fraud division phoned two targeted employees, which ultimately resulted in 11 fraudulent wire transfers totaling $1.9 million. The attack used reconnaissance tactics and showed many of the classic signs of social engineering. Clients need to recognize these classic signs and stay vigilant.


Alert volume

The security operations center (SOC) handles a large volume of alerts. During the first three weeks of September, the SOC team worked through approximately 11,000 individual alerts across all client environments! Less than 10% of the alerts resulted in escalations. The team discussed how it minimizes the volume of alerts and reviewed the preventative controls clients can use to minimize their risks.


Team members rely on feedback loops with clients. First, they raise a finding in a Scope ticket. Then they follow up or, in an escalation, include a question to confirm what they're seeing, such as: Is this something we can expect to see for this user? Is this application permitted in your environment? The client's answer allows the team to fine-tune its detection rules. Once the alerts are tuned, the volume drops, leaving time to focus on meaningful escalations and detections and to conduct in-depth hunting and analysis.


The team also relies on log information; improvements in its own rule logic and in tactics, techniques, and procedures; and rule logic enhancements from third-party vendors of endpoint detection and response (EDR) solutions and antivirus software.


Clients can help minimize the alert volume in numerous ways:


  • Patch management. Keep applications and software up to date, maintain an asset inventory, run periodic vulnerability scans, and adhere to a patching schedule.

  • Identity and access management. Identify which employees need access to what assets and make sure that access is only given to those employees. 

  • Endpoint protection. Make sure that the endpoint protections, such as EDR software, antivirus protection, BitLocker, and FileVault, are up to date. 

  • Network security. Implement firewall policies and segment the network so that critical systems are kept separate from each other.

  • Data protections. Employ data loss prevention, access control, and secure backups. 

  • User training. Offer ongoing user awareness training to all employees to reduce their risks of error when interacting online.

  • Secure configurations. Disable unused ports and protocols, and close any entry points that are not needed.

  • Application security. Create a list of approved applications, including versions, and keep those approved applications up to date.


Notable vulnerabilities

Approximately 3,600 vulnerabilities were newly disclosed in August, a drop-off from recent months, and 18 of those disclosed vulnerabilities were actively exploited. Eight proof-of-concept exploits were released on the internet, making the information available for threat actors to use against those vulnerabilities. As a trend in August, the team saw a combination of end-user applications showing up in vulnerability scans, new vulnerabilities affecting Chromium-based browsers, vulnerabilities in lesser-known products such as 7-Zip, and automated scanning tools being used maliciously to search for vulnerabilities.


During Microsoft Patch Tuesday in August, 107 reported vulnerabilities were addressed. Of those 107, 13 were critical, and one was a zero day, a privilege elevation vulnerability. Multiple patches were released for the affected products. The team briefly discussed two of the critical vulnerabilities:


  • Citrix NetScaler and Gateway appliances. This memory overflow vulnerability enables preauthentication remote code execution on specific versions of NetScaler ADC and Gateway appliances. It allows threat actors to drop a web shell to access the device and maintain persistence. From there, they can move laterally, exfiltrate data, and possibly achieve a full network compromise. Patching is required since no workaround is available.

  • WinRAR. This path traversal vulnerability allows threat actors to hide and deploy malicious files because WinRAR incorrectly handles ../ sequences in archived file names. The exploit, used by the Russian group RomCom, starts with a phishing email from a supposed job applicant that includes a RAR attachment disguised as a resume. Once the recipient opens the attachment, a malicious shortcut file is placed in the Windows startup folder, and other files are placed in temporary directories where they're unlikely to be found. Execution chains for this vulnerability were first observed in mid-July and delivered the Mythic command-and-control agent, the SnipBot backdoor, and the RustyClaw downloader, all of which involved the LNK file.
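A defender-side check for the archive behaviour described in the WinRAR item above: the entry names are the attack surface, so an analyst or mail gateway can audit an archive listing for names that climb out of the extraction directory or aim at the Startup folder before anyone extracts it. This is an added example, not Pondurance's code; the extraction root and the sample entry names are constructed for illustration.

```python
import posixpath

# Constructed sample archive listing (not from the post): a benign resume plus
# entries whose names try to climb out of the extraction directory, one of them
# aimed at the Windows Startup folder with a .lnk payload, as described above.
SAMPLE_ENTRIES = [
    "resume.pdf",
    "docs/../resume_copy.pdf",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.lnk",
    "..\\..\\AppData\\Local\\Temp\\helper.dll",
]

STARTUP_MARKER = "/start menu/programs/startup/"

def entry_escapes(root: str, name: str) -> bool:
    """True if extracting `name` under `root` would write outside `root`."""
    norm = name.replace("\\", "/")  # Windows archivers accept both separators
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True  # absolute path or drive letter: escapes by definition
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, norm))
    return target != root_norm and not target.startswith(root_norm + "/")

def targets_startup(name: str) -> bool:
    """True if the entry would land in a Start Menu\\Programs\\Startup folder."""
    return STARTUP_MARKER in ("/" + name.replace("\\", "/")).lower()

def audit_entries(root: str, names):
    """Return [(entry, [reasons])] for every entry that deserves an analyst's eye."""
    findings = []
    for name in names:
        reasons = []
        if entry_escapes(root, name):
            reasons.append("escapes extraction directory")
        if targets_startup(name):
            reasons.append("targets Startup folder (persistence)")
        if name.lower().endswith(".lnk"):
            reasons.append("Windows shortcut (.lnk)")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    # Hypothetical extraction root, as a user double-clicking an attachment would get.
    for name, why in audit_entries("C:/Users/victim/Downloads/resume", SAMPLE_ENTRIES):
        print(f"{name}: {', '.join(why)}")
```

For a real ZIP, pass `zipfile.ZipFile(path).namelist()` in place of the sample list; RAR listings need a third-party parser such as the rarfile package.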


During Microsoft Patch Tuesday in September, 84 reported vulnerabilities were addressed, a downturn from previous months. Of those 84, eight were critical, and two were zero days. One zero day was a Windows Server Message Block privilege elevation vulnerability. The other was a denial-of-service vulnerability in Newtonsoft.Json, a component that interacts with SQL Server. Microsoft released patches for the zero days and the critical vulnerabilities, including those affecting Microsoft Office, the Windows Graphics Component, and Hyper-V.


New asset inventory module

The team is always working to improve the process and, starting in October, will add a new asset inventory module in Scope. An asset inventory is the foundation for proactive threat exposure management and will be offered as part of the standard services at no cost. The module provides a centralized, accurate, and risk-rated view of all known assets to help organizations prioritize by asset risk.


At launch, the service will be available to clients in the eVMP program and clients with access to CrowdStrike and SentinelOne consoles. The team will integrate with a handful of data providers that will pull in the data, and clients also will be able to manually upload and edit their own asset details, in bulk or individually, to keep the inventory accurate and complete. 


In the module, clients will see key details, such as asset name, data provider, and risk score, and can click on any asset for deeper context. The drill-down views connect alerts, tickets, and vulnerabilities to an asset to allow clients to see the asset's history, related risks, and patterns over time. The risk score page includes the components that make up the Risk Score, a proprietary risk scoring mechanism that is calculated using alerts, vulnerabilities, observed threats, and known defenses to give clients a clear, prioritized sense of which assets pose the greatest exposure for the organization.


Following launch, the team will continue to add functionality for sidecar agents, more data sources, analysis workflows, and other automation. The team welcomes feedback from clients on the new module.

About the Pondurance threat intelligence team

The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape. 
