Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

PICUS LABS MONTHLY #March 2021

PicusLabs_March2021

MARCH'S THREAT: HAFNIUM THREAT GROUP

The Rise of State-Sponsored Threat Groups

HAFNIUM is a state-sponsored group that primarily targets entities in the United States across many industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

 

You can test the effectiveness of your security controls against the HAFNIUM threat group with '719575 HAFNIUM Threat Group Exchange Server Post-Exploitation Scenario" in Picus Threat Library. You can also validate your defenses against malware samples used by HAFNIUM with Picus ThreatID 3719270 and webshell samples with Picus ThreatIDs 510920 and 349535 in Picus Threat Library.

 

     In this article, we analyzed Tactics, Techniques, and Procedures (TTPs) utilized by the HAFNIUM threat actor to understand their attack methods and the impact of this breach.

MARCH'S THREAT ACTORS

HAFNIUM

  • Picus Threat ID: 719575, 3719270, 349535, 510920
  • Target Regions: North America
  • Target Industries: Government, Education, Healthcare

MuddyWater

  • Picus Threat ID: 396146, 843253, 752295
  • Aliases: Seedworm, TEMP.Zagros
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Government, Education, Healthcare
  • Malware: PassDump, RemoteUtilities trojan dropper , RemoteUtilities trojan
     Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of the MuddyWater. For more information, check the blog post Earth Vetala Campaign of MuddyWater APT Group

Mustang Panda

  • Picus Threat ID: 680904, 312114, 408602, 232031
  • Aliases: Bronze President, TEMP.Hex, HoneyMyte, and Red Lich
  • Target Regions: Asia, Europe, and North America
  • Target Industries: Telecom., aviation, government, NGOs, and think tanks.

Our world-class red team analyzed 500.000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

Atomic Attacks

Windows Kernel Win32k Elevation of Privilege Scenario

  • Picus Threat ID: 671282
  • CVE: CVE-2021-1732
  • ATT&CK Technique: T1134 Access Token Manipulation
  • ATT&CK Tactics: Defense Evasion, Privilege Escalation

Shellcode Execution via EnumChildWindows Callback Function

  • Picus Threat ID: 222204
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactic: Defense Evasion, Privilege Escalation

Watch our webinar, we dig down into T1055 Process Injection as the no. 1 technique in the Picus 10 Critical MITRE ATT&CK Techniques list.

 

Picus_Webinar_ProcessInjection-min



Credential Dumping via RtlReportSilentProcessExit API Call

  • Picus Threat ID: 611239
  • ATT&CK Technique: T1003 OS Credential Dumping
  • ATT&CK Tactic: Credential Access

For more information on MITRE ATT&CK T1003 Credential Dumping, here is the blog post you can read:
    MITRE ATT&CK T1003 Credential Dumping

 

MALICIOUS CODE

HAFNIUM

  • Picus Threat ID: 372862, 260828, 701507
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: Logistics, Entertainment, Real Estate, Media

HelloKitty Ransomware

  • Picus Threat ID: 282623
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: ALL

DEWMODE Dropper used by UNC2546 Threat Group 

  • Picus Threat ID: 728133, 238722, 208936
  • Target Regions: North America
  • Target Industries: Telecommunication

 

WEB APPLICATION ATTACKS

Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-1

  • Picus Threat ID: 520680
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-26855
  • Affected Product: Microsoft Exchange

VMware View Planner Remote Code Execution Vulnerability Variant-1

  • Picus Threat ID: 395919
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-21978
  • Affected Product: VMware

GitLab Path Traversal Vulnerability

  • Picus Threat ID: 673135
  • OWASP Top 10: A5 - Broken Access Control
  • CVSS 3 Base Score: 5.5 Medium
  • CVE: CVE-2020-10977
  • Affected Product: GitLab

VULNERABILITY EXPLOITATIONS

Microsoft Appx Deployment Service Elevation of Privilege Vulnerability

  • Picus Threat ID: 619884
  • CVE: CVE-2019-0841
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Appx Deployment Service

Win32k Denial of Service Vulnerability .EXE File Download Variant-5

  • Picus Threat ID: 859973
  • CVE: CVE-2021-1732
  • CVSS 3.1 Base Score: 7.8 High
  • Affected Product: Win32k Graphics Service

Windows Installer Service Privilege Escalation Vulnerability

  • Picus Threat ID: 740070
  • CVE: CVE-2021-1727 CVSS 3.1
  • Base Score: 7.8 High
  • Affected Product: Windows Installer Service
10 Critical MITRE ATT&CK Techniques

SIGMA RULES

Credential Dumping From Keepass Database

  • Picus Sigma ID: 3985
  • Technique: T1055.005 Process Injection: Thread Local Storage
  • Tactic: Defense Evasion, Privilege Escalation
Our research has found that Process Injection was the most prevalent MITRE ATT&CK technique used by adversaries in their malware. For more information on MITRE ATT&CK T1055 Process Injection, here is the blog post you can check.

Data Collection with 7z.exe via Commandline

  • Picus Sigma ID: 5178
  • Technique: T1560.001 Archive Collected Data: Archive via Utility
  • Tactic: Collection

Credential Dumping via Procdump

  • Picus Sigma ID: 3929
  • Technique: T1003.001 OS Credential Dumping: LSASS Memory
  • Tactic: Credential Access
Emerging Threat Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Learn More
Emerging Threat Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign
Learn More
fortimanager
Emerging Threat CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained
Learn More
cisa-alert-aa24-290a
Emerging Threat Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A
Learn More
Emerging Threat CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
Learn More
emerging-threat
Emerging Threat CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows
Learn More
RansomHub-Ransomware
Emerging Threat RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A
Learn More
pioneer-kitten-ransomware
Emerging Threat Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations
Learn More
north-korean-APT-group
Emerging Threat Andariel: North Korean APT Group Targets Military and Nuclear Programs
Learn More