Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

PICUS LABS MONTHLY  #October 2020

PicusLabs_October2020

OCTOBER'S THREAT: RYUK RANSOMWARE

Return of the Ryuk Ransomware

Ryuk has been one of the most proficient ransomware threat actors. The threat group grew a little quiet earlier in the year, but that seems to have changed in the past couple of weeks, with incidents like what happened at UHS hospitals.

 

You can test the effectiveness of your security controls against the Ryuk ransomware campaigns with '714922 Ryuk Ransomware Attack Scenario" in Picus Threat Library. You can also validate your defenses against Ryuk malware samples with threats 312355, 424348, 727882, 551628, 269817, 588030, 507789, 230239, 675517, 247255, 429456, 591155, 304959, 204994, 506926, and 166962 in Picus Threat Library.

OCTOBER'S THREAT ACTORS  

MuddyWater

  • Picus Threat ID: 231391, 574050, 532705, 360493, 265593
  • Aliases: Seedworm, TEMP.Zagros
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Telecommunication, Government, Oil
  • Malware: Covicli Backdoor, PowGoop Loader, SSF.MX Backdoor

     Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of the MuddyWater. For more information, check the blog post Earth Vetala Campaign of MuddyWater APT Group

 

Jointworm

  • Picus Threat ID: 833829, 833829, 833829, 833829
  • Target Regions: Europe, UK, Asia
  • Target Industries: Finance
  • Malware: PhantomOCX

ATTACK SCENARIOS

Lazarus (APT38) Threat Group PowerRatankba Attack Scenario


Picus Threat ID: 690370

 

ACTIONS

1. Query System Information

ATT&CK Technique: T1082 System Information Discovery

ATT&CK Tactic: Discovery

 

2. Execute a Keylogger uses GetAsyncKeyState()

ATT&CK Technique: T1056 Input Capture

ATT&CK Tactics: Credential Access, Collection

 

3. Capture ScreenShot using PsTools

ATT&CK Technique: T1113 Screen Capture

ATT&CK Tactic: Collection

...

12. C2 Communicate Over HTTPS Port 443

ATT&CK Technique: T1043 Commonly Used Port

ATT&CK Tactic: Command and Control

 

     Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by Lazarus. For more information, check the blog post Lazarus (Hidden Cobra) Group Employs HTA Embedded BMP Files

Ryuk Ransomware Scenario

Picus Threat ID: 714922

 

ACTIONS

1. Gather Information about Target Domain

ATT&CK Technique: T1018

ATT&CK Tactic: Discovery

 

2. Disable Defender Features

ATT&CK Technique: T1562 Impair Defenses

ATT&CK Tactic: Defense Evasion

3. Gather Trusted Domains via Nltest Command

ATT&CK Technique: T1482 Domain Trust Discovery

ATT&CK Tactic: Discovery

...

14. File Exfiltration with Encryptor.exe

ATT&CK Technique: T1486 Data Encrypted for Impact

ATT&CK Tactic: Impact

Atomic Attacks

Process Injection with Process Herpaderping Method

  • Picus Threat ID: 548266
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactics: Defense Evasion, Privilege Escalation

Spearphishing Attachment Attack by using Hot Manchego

  • Picus Threat ID: 827559
  • ATT&CK Technique: T1566 Phishing
  • ATT&CK Tactic: Initial Access

Wuauclt.exe OS Binary (Lolbas) used in Signed Binary Proxy Execution Technique

  • Picus Threat ID: 574776
  • ATT&CK Technique: T1218 Signed Binary Execution
  • ATT&CK Tactic: Defense Evasion

MALICIOUS CODE

Covicli Backdoor Malware

  • Picus Threat ID: 668690, 201911, 409211, 721511, 704112
  • Signature ATT&CK Technique: T1573 Encrypted Channel
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Telecommunication, Government, Oil
  • Threat Group: MuddyWater (Aliases: Seedworm, TEMP.Zagros)

Egregor Ransomware

  • Picus Threat ID: 372862, 260828, 701507
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: Logistics, Entertainment, Real Estate, Media

SLOTHFULMEDIA RAT

  • Picus Threat ID: 772071, 691496
  • Signature ATT&CK Technique: T1082 System Information Discovery
  • Target Regions: ALL
  • Target Industries: ALL

WEB APPLICATION ATTACKS

Ruby on Rails MemCacheStore and RedisCacheStore Remote Code Execution (RCE)

  • Picus Threat ID: 352514
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-8165
  • Affected Product: Ruby on Rails

Cisco ASA and Firepower Arbitrary File Deletion

  • Picus Threat ID: 842421
  • OWASP Top 10: A5 - Broken Access Control
  • CVSS 3 Base Score: 9.1 Critical
  • CVE: CVE-2020-3187
  • Affected Product: Cisco ASA and Firepower

SharePoint Server DataFormWebPart CreateChildControls RCE

  • Picus Threat ID: 592989
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 7.8 High
  • CVE: CVE-2020-16952
  • Affected Product: SharePoint Server

VULNERABILITY EXPLOITATIONS

Google Chrome V8 Engine Null Pointer Information Leak

  • Picus Threat ID: 894631
  • CVE: CVE-2020-1571
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Setup

Win32k Denial of Service Vulnerability 

  • Picus Threat ID: 790051
  • CVE: CVE-2020-1510
  • CVSS 3 Base Score: 5.5 Medium
  • Affected Product: Windows win32k Component

Windows Kernel Information Disclosure 

  • Picus Threat ID: 682305
  • CVE: CVE-2020-16938
  • CVSS 3 Base Score: 5.5 Medium
  • Affected Product: Windows Kernel

 

SIGMA RULES

Bypass User Access Control via Modifying Software Registry Value

  • Picus Sigma ID: 3789
  • Technique: T1112 Modify Registry
  • Tactic: Defense Evasion

Credential Access using Obtaining Debug Privileges by Mimikatz via PowerShell

  • Picus Sigma ID: 8537
  • Technique: T1003 OS Credential Dumping
  • Tactic: Credential Dumping

Windows Firewall Configurations Discovery via Netsh Tool

  • Picus Sigma ID: 6642
  • Detected Technique: T1518.001 Security Software Discovery
  • Tactic: Discovery10 Critical MITRE ATT&CK Techniques
Emerging Threat Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Learn More
Emerging Threat Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign
Learn More
fortimanager
Emerging Threat CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained
Learn More
cisa-alert-aa24-290a
Emerging Threat Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A
Learn More
Emerging Threat CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure
Learn More
emerging-threat
Emerging Threat CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows
Learn More
RansomHub-Ransomware
Emerging Threat RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A
Learn More
pioneer-kitten-ransomware
Emerging Threat Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations
Learn More
north-korean-APT-group
Emerging Threat Andariel: North Korean APT Group Targets Military and Nuclear Programs
Learn More