Threat Intelligence News from LevelBlue SpiderLabs November 2024

November 2024

Latest Headlines

Increased Fog and Akira Ransomware Activity Linked to SonicWall SSL VPN

Throughout October there was a marked increase in Fog and Akira ransomware intrusions whose entry point was a SonicWall SSL VPN, spanning a wide range of industries. The targeting appears opportunistic rather than sector-specific. Every affected device was unpatched for CVE-2024-40766.

Initial access consisted of VPN logins from IP addresses belonging to VPS hosting providers, followed by rapid progression to data encryption and exfiltration, often within hours of the first login. The same attacker infrastructure was observed across multiple intrusions. Defenders are advised to prioritize firmware updates, monitor VPN logins for unexpected sources and patterns, maintain secure offsite backups, and watch for post-compromise activity on endpoints.
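The "monitor for suspicious VPN logins" advice above is easy to state and less easy to operationalize, so here is an added example (not LevelBlue/SpiderLabs code) of the two checks that map most directly to the reported intrusion pattern: a successful VPN login sourced from a hosting/VPS netblock, and a successful login that follows a burst of failures from the same source. The log format, the hosting netblocks and every log line are constructed for this example; swap in your gateway's export format and a real hosting/ASN feed.

```python
"""
Triage of VPN authentication logs for the SonicWall SSL VPN intrusion pattern.
Added example, not LevelBlue/SpiderLabs code. Log format, netblocks and log
lines are all constructed; adapt the regex and CIDR list to your environment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: netblocks you have attributed to VPS/hosting providers. These
# are documentation ranges, not real attributions; feed this from an ASN list.
HOSTING_NETBLOCKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed log format: "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one normal login, one brute-forced admin login from a
# hosting range, one service account logging in from a hosting range.
SAMPLE_LOG = """
2024-10-12T02:14:05 user=jsmith src=192.0.2.10 result=ok
2024-10-12T02:20:11 user=admin src=203.0.113.77 result=fail
2024-10-12T02:21:02 user=admin src=203.0.113.77 result=fail
2024-10-12T02:21:55 user=admin src=203.0.113.77 result=fail
2024-10-12T02:22:48 user=admin src=203.0.113.77 result=fail
2024-10-12T02:23:41 user=admin src=203.0.113.77 result=fail
2024-10-12T02:25:09 user=admin src=203.0.113.77 result=ok
2024-10-12T02:31:40 user=svc-backup src=198.51.100.9 result=ok
"""


def parse(lines):
    """Turn raw log lines into events; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "ok": m["result"] == "ok",
        })
    return events


def is_hosting(ip):
    return any(ip in net for net in HOSTING_NETBLOCKS)


def find_suspicious_logins(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, src, reason) for every successful login that is sourced
    from a hosting netblock or preceded by >= fail_threshold failures from the
    same source inside `window` (a brute-force or spray that finally landed)."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> timestamps of failed logins
    findings = []
    for e in events:
        if not e["ok"]:
            recent_failures[e["src"]].append(e["ts"])
            continue
        reasons = []
        if is_hosting(e["src"]):
            reasons.append("login from hosting/VPS netblock")
        fails = [t for t in recent_failures[e["src"]] if e["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            reasons.append(f"{len(fails)} failures in {window} before success")
        for r in reasons:
            findings.append((e["user"], str(e["src"]), r))
    return findings


if __name__ == "__main__":
    for user, src, reason in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{user:<12} {src:<16} {reason}")
```

On the constructed sample this flags the admin login twice (hosting source and five preceding failures) and the service account once, and stays silent on the ordinary login. Both checks are deliberately cheap so they can run on the gateway export before the intrusion reaches the "hours to encryption" stage the advisory describes.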

LevelBlue SpiderLabs latest blog: Ngioproxy

In August 2018, Check Point published a report and deep analysis of a new multifunctional proxy-server botnet named Ngioweb. The proxy component was being loaded by the Ramnit banking malware family, and Check Point noted that the first sample had been observed in the second half of 2017.

LevelBlue SpiderLabs has recently identified systems infected with the Ngioweb trojan being sold as residential proxies on the Nsock website. In almost all cases the infected systems were IoT (Internet of Things) devices with known, published vulnerabilities, some of which have public proof-of-concept exploits available. See the most recent LevelBlue SpiderLabs blog to learn more.

Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions

EDRSilencer, a red team tool designed to interfere with endpoint detection and response (EDR) solutions, has been observed in use by threat actors. It uses the Windows Filtering Platform (WFP) to block the EDR agent's network traffic, so that malicious activity on the host is never reported.

The tool identifies running EDR processes and creates WFP filters that block their outbound communication, preventing telemetry and alerts from reaching the management console. In testing it disrupted a range of EDR products, including some not in its hardcoded process list.

The technique is a notable shift in tactics: the sensor keeps running and the host looks healthy, while everything it would have reported is dropped on the wire. Detection therefore has to look at the filters themselves (WFP policy changes and block filters keyed on the EDR binaries) rather than wait for the agent to raise an alert, and organizations should adapt their security posture accordingly.
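Because EDRSilencer works by adding WFP block filters keyed on the EDR executable, the most direct check is to audit the filter set for exactly that shape. The following is an added example, not LevelBlue/SpiderLabs code and not EDRSilencer's: it parses a WFP filter export and reports persistent BLOCK filters whose application condition points at a known EDR binary. The XML is a constructed, trimmed excerpt modelled on the layout of `netsh wfp show filters file=filters.xml`; on a real host run that export and pass the file contents in. The EDR executable names and the `Custom Outbound Filter` name (the default EDRSilencer assigns, trivially changed by an attacker, so treat it as a weak indicator) are assumptions for this example.

```python
"""
Audit a Windows Filtering Platform filter export for the EDRSilencer pattern:
BLOCK filters whose ALE_APP_ID condition names an EDR sensor binary.
Added example, not LevelBlue/SpiderLabs code. The XML excerpt is constructed
and modelled on `netsh wfp show filters file=...` output; tag names are the
only thing the parser relies on, so adjust them if your export differs.
"""
import xml.etree.ElementTree as ET

# Assumed: executables of the EDR sensors you run. EDRSilencer's own list is longer.
EDR_BINARIES = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe", "csfalconservice.exe"}

# Assumed default filter name used by EDRSilencer; weak indicator on its own.
EDRSILENCER_DEFAULT_NAME = "Custom Outbound Filter"

# Constructed excerpt: one EDRSilencer-style block, one benign permit,
# one block filter with no application condition (not interesting here).
CONSTRUCTED_EXPORT = r"""<wfpdiag>
  <filters>
    <item>
      <filterKey>{11111111-2222-3333-4444-555555555555}</filterKey>
      <displayData><name>Custom Outbound Filter</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <conditionValue>
            <type>FWP_BYTE_BLOB_TYPE</type>
            <byteBlob><asString>\device\harddiskvolume3\program files\windows defender\MsMpEng.exe</asString></byteBlob>
          </conditionValue>
        </item>
      </filterCondition>
    </item>
    <item>
      <filterKey>{22222222-3333-4444-5555-666666666666}</filterKey>
      <displayData><name>Core Networking - DNS (UDP-Out)</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <action><type>FWP_ACTION_PERMIT</type></action>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <conditionValue><byteBlob><asString>\device\harddiskvolume3\windows\system32\svchost.exe</asString></byteBlob></conditionValue>
        </item>
      </filterCondition>
    </item>
    <item>
      <filterKey>{33333333-4444-5555-6666-777777777777}</filterKey>
      <displayData><name>Block inbound telnet</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
          <conditionValue><uint16>23</uint16></conditionValue>
        </item>
      </filterCondition>
    </item>
  </filters>
</wfpdiag>
"""


def audit_wfp_export(xml_text, edr_binaries=EDR_BINARIES):
    """Return one finding per BLOCK filter whose app-id condition names an EDR
    binary or whose display name matches the assumed EDRSilencer default."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        if item.find("filterKey") is None:
            continue  # condition <item>s share the tag; only filters carry a key
        if item.findtext("action/type", default="") != "FWP_ACTION_BLOCK":
            continue
        name = item.findtext("displayData/name", default="")
        for cond in item.iter("item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext(".//asString") or "").lower()
            exe = app.rsplit("\\", 1)[-1]
            reasons = []
            if exe in edr_binaries:
                reasons.append(f"blocks EDR binary {exe}")
            if name == EDRSILENCER_DEFAULT_NAME:
                reasons.append("default EDRSilencer filter name")
            if reasons:
                findings.append({
                    "key": item.findtext("filterKey"),
                    "name": name,
                    "layer": item.findtext("layerKey", default=""),
                    "app": app,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit_wfp_export(CONSTRUCTED_EXPORT):
        print(f["key"], f["name"], f["layer"], f["app"], "; ".join(f["reasons"]))
```

The export is a point-in-time snapshot, so pair it with the live signal: enabling the "Audit Filtering Platform Policy Change" subcategory makes each filter addition or removal produce Security event 5447, and "Audit Filtering Platform Connection" produces event 5157 for every connection a block filter drops, which for a silenced sensor means a steady stream of 5157s naming the EDR process.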

Tracking, Detection & Hunting Capabilities

The team has identified the following malware families and threat actors as the most active during October. October's malware trends remain very similar to previous months, with one notable addition:

  • BugSleep: This remote access trojan, first reported in early June by several security researchers and sometimes referred to as MuddyRot, gives the operator a reverse shell together with file upload and download capabilities. Since that initial reporting it has become more common as a post-initial-access implant, used to maintain C2 and as a channel for exfiltration.

(Figure: most active malware families, October 2024)

The LevelBlue trackers identified over 1,600 new IOCs across the families they track. The busiest trackers during October were:

(Figure: new tracker IOCs by family, October 2024)


USM Anywhere Detection Improvements

In October, LevelBlue SpiderLabs added or updated 52 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • New System Compromise rules for EDRSilencer and for attempts to block EDR traffic locally on endpoints.

  • Improvements to the Fortinet detections to cover the fgfm daemon vulnerability.

  • Several new phishing detection rules for Office 365 and Proofpoint.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.


LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily.

LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more.

Learn more about OTX, its benefits, and how you can join.


New OTX Pulses

The LevelBlue SpiderLabs team continuously publishes new pulses in OTX based on its research and discoveries. Pulses are interactive, searchable repositories of information about threats, threat actors, campaigns, and more, including the indicators of compromise (IoCs) that members use directly.

In October, 139 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
