LevelBlue Acquires Fortra’s Alert Logic MDR Business, Strengthening Position as Global MDR Leader. Learn More
October 2024
Ransomware attacks expanding to hybrid cloud environments
Microsoft has observed Storm-0501 conducting multi-stage attacks targeting hybrid cloud environments. Storm-0501 is a financially motivated group that has been active since 2021 and operates as a ransomware-as-a-service (RaaS) affiliate, deploying multiple ransomware payloads globally.
The group reportedly compromises on-premises networks and then moves laterally to cloud environments, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and the deployment of ransomware.
Their recent campaign targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. As Storm-0501 pivots from on-premises to cloud environments, they are particularly focused on exploiting Microsoft Entra Connect Sync accounts and cloud session hijacking.
Quad7 operations
A report by Sekoia, Solving the 7777 Botnet Enigma: A Cybersecurity Quest, provides insights into the latest tactics and infrastructure used by the 7777 botnet (Quad7).
The 7777 botnet was originally reported a year ago, seemingly targeting multiple high-value targets, on whose systems the operators installed and maintained backdoors. The operators also appear to regularly introduce new backdoors and are exploring alternative protocols to enhance the stealth of their botnets and evade tracking efforts.
Sekoia has identified the botnet operators compromising several brands of SOHO routers and VPN appliances, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear, using zero days in their arsenal. Without adequate interception capabilities, monitoring the Quad7 botnets' evolution may become increasingly challenging in the future.
New Vulnerabilities in CUPS Expose Devices
Reports published in the last week of September identified new vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-4717) for the CUPS printing component of UNIX (and UNIX-like) systems. CUPS is a modular printing system for UNIX-like computer operating systems that enables a computer to act as a print server. It is typically not well defended. By chaining together this group of vulnerabilities, adversaries could potentially achieve remote code execution (RCE).
The publication of the vulnerabilities quickly led to a spike in scanning activity on CUPS-associated ports. Most of the activity associated with this exploit appears to be benign; however, threat actors appear to be using it to enumerate the total number of vulnerable devices worldwide.
According to Shodan, a search engine designed to map and gather information about internet-connected devices and systems, the total number of CUPS services exposed to the Internet as of the publishing of this article is more than 75,000.
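The practical question for a defender reading the CUPS item above is whether any of their own hosts are among the exposed ones. The script below is an added example, not part of the LevelBlue digest: it audits a Linux host for a network-reachable cups-browsed listener. It assumes, from public knowledge of the component rather than from the digest, that cups-browsed receives printer advertisements on UDP/631 and that a socket bound to 0.0.0.0 or [::] on that port is reachable from any network the host is attached to. The `ss` output lines used as sample input are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the LevelBlue digest): audit a Linux host for a
# network-reachable cups-browsed listener.
# Assumption: cups-browsed listens on UDP/631; a wildcard-bound socket on
# that port is reachable from every network interface of the host.

# cups_udp631_exposed: read `ss -ulnp`-style lines on stdin, print each
# wildcard-bound UDP/631 local address, return 0 if any were found, 1 if not.
cups_udp631_exposed() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            UNCONN*) ;;        # only unconnected (listening) UDP sockets
            *) continue ;;     # skips the header line as well
        esac
        # In `ss` output the columns are State, Recv-Q, Send-Q,
        # Local Address:Port, Peer Address:Port, Process: field 4 is local.
        local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
        case "$local_addr" in
            0.0.0.0:631|\*:631|\[::\]:631)
                printf '%s\n' "$local_addr"
                found=0 ;;
        esac
    done
    return $found
}

# Constructed sample output (not captured from a real host).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=13))'

SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:631     0.0.0.0:*         users:(("cups-browsed",pid=812,fd=7))'

# audit_sample: run the audit over a block of ss output and report the verdict.
audit_sample() {
    if printf '%s\n' "$1" | cups_udp631_exposed >/dev/null; then
        echo exposed
    else
        echo clean
    fi
}

# Live check against the current host when invoked as: sh cups_check.sh live
if [ "$1" = "live" ] && command -v ss >/dev/null 2>&1; then
    if ss -ulnp | cups_udp631_exposed; then
        echo "cups-browsed is reachable on UDP/631 from the network"
    else
        echo "no wildcard-bound UDP/631 listener found"
    fi
fi
```

A host that reports `exposed` here is one that a scanner of the kind the digest describes can reach; the usual response is to stop and disable the cups-browsed service where printer discovery is not needed, and otherwise to block UDP/631 at the host firewall from all but the trusted print subnet. The parser is deliberately limited to the wildcard forms, so a socket bound to a specific routable interface address would be missed and should be checked by hand.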
The LevelBlue SpiderLabs research team has identified the following malware and threat actors as the most active during the last month. September’s malware trends continue to be very similar to previous months, with the following malware standing out:
Lumma Stealer: This infostealer has been available through a malware-as-a-service (MaaS) model on Russian-speaking forums since at least August 2022. Per our statistics, this is not a prevalent threat across our customers, but Lumma Stealer is consistently in the top ten of the most active malware, leading to a blog post about it every few months. During the month of September, Google, among others, has written about it.
The LevelBlue adversary tracking systems have identified over 3,200 new IOCs for the different families it tracks. The busiest trackers during the month of September have been:
In September, LevelBlue SpiderLabs added or updated 71 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:
New rules related to anomalous user behavior for Okta, O365, G Suite, RDP and more
New alerts identifying malicious activity observed in AWS web application firewalls (WAF) for multiple attack types
New alerts in the Cloudflare Enterprise ruleset, used to identify scanning activity and exploit attempts
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily.
LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more.
Learn more about OTX, its benefits, and how you can join.
New OTX Pulses
The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and searchable repositories of information about threats, threat actors, campaigns, and more, including indicators of compromise (IoCs) that are useful to members.
In September, 117 new pulses were published by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
Storm-0501: Ransomware Attacks Expanding to Hybrid Cloud Environments
A Glimpse Into the Quad7 Operators’ Next Moves and Associated Botnets
LummaC2 Malware and Malicious Chrome Extension Delivered
Russian Military Cyber Actors Target US and Global Critical Infrastructure
APT Lazarus: Eager Crypto Beavers, Video Calls and Games
The Emerging Dynamics of Deepfake Scam Campaigns on the Web2
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.