There’s always plenty of news on cyber threats to discuss, and this month was no exception. On this month’s SANS Threat Analysis Rundown, we covered everything from Generative AI to Bengal cats. Read on to find out what we discussed, and check out the video for the full discussion.
First, we started with some good news – five individuals were charged by the US Department of Justice with compromising victims using SMS phishing. While the indictment doesn’t identify the threat group by name, the individuals were likely aligned with the group known as SCATTERED SPIDER, based on the description of a “loosely organized financially motivated cybercriminal group” as well as the victim industries and the tactics, techniques, and procedures (TTPs) used. Though this is good news, it doesn’t mean the group has gone away, as other members may be using similar TTPs to target victims. For organizations that want to identify domains registered by this group or similar adversaries, a blog by Wiz discusses how to identify many of these malicious domains. The blog is useful because it provides example queries for URLscan, a free tool for identifying malicious infrastructure.
Next up, we discussed Generative AI, a hot topic in the industry. A report from HackerOne revealed that almost half of surveyed professionals said GenAI was the most concerning IT risk to their organization. Many analysts speculate about how adversaries are using GenAI, so it’s helpful to look at sources that have visibility into this. For example, OpenAI recently published a report on the threat actor use of AI that it has disrupted. This report helps ground us in what adversaries have actually done with AI, which largely centered on using Large Language Models (LLMs) to inform or enhance reconnaissance, research, development, and social engineering. In a bit of “fun” AI news, researchers created an “AI grandma” to answer scammers’ calls and waste their time!
While many of us are ready to be done with ransomware, unfortunately, it remains a persistent threat. Recently, as reported by CyFirma and BleepingComputer, Black Basta ransomware operators have been socially engineering victims into installing the Remote Monitoring and Management (RMM) tools AnyDesk and Quick Assist. If these tools aren’t authorized in your environment, detecting their installation (or even better, preventing it outright) could be effective in mitigating this threat. Separately, researchers at SentinelOne published a helpful report breaking down what it means to have ransomware in the cloud; defenders can use it as a reference for the cloud activity they should consider gaining visibility into before a potential cloud ransomware incident.
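To make the “detect their installation” advice concrete, here is an added example (not code from this post or from any of the reports it cites) that flags launches of the two RMM tools named above in Sysmon-style process-creation events. The image names, the hypothetical allowlist of hosts where a tool is sanctioned, the “launched from a Downloads folder” heuristic, and the sample event lines are all assumptions constructed for the example; adapt the allowlist and tool catalog to your own environment.

```python
"""Flag unauthorized RMM tool launches in Sysmon-style process-creation (Event ID 1) logs.

Added example: the tool image names, the authorization policy, the Downloads-folder
heuristic and the sample events below are assumptions constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Executable names associated with the two RMM tools mentioned in the post.
# Extend this catalog with any other remote-access tooling you do not sanction.
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "quickassist.exe": "Quick Assist",
}

# (hostname, tool) pairs where the tool is sanctioned. Hypothetical policy.
AUTHORIZED = {
    ("HELPDESK-01", "AnyDesk"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    image: str
    reason: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path, tolerating either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is an unauthorized RMM tool launch, else None."""
    image_path = event.get("Image", "")
    tool = RMM_TOOLS.get(image_name(image_path))
    if tool is None:
        return None  # not one of the tools we care about
    host = event.get("Computer", "")
    if (host, tool) in AUTHORIZED:
        return None  # sanctioned on this host
    reason = "unauthorized RMM tool launched"
    # Heuristic: a binary run straight out of a user's Downloads folder suggests an
    # ad-hoc download (as in a social-engineering call) rather than a managed install.
    if "/downloads/" in image_path.replace("\\", "/").lower():
        reason += "; binary executed from a Downloads folder"
    return Finding(host=host, user=event.get("User", ""), tool=tool,
                   image=image_path, reason=reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON event lines and collect findings; malformed lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (a subset of Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID":1,"Computer":"WS-042","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"EventID":1,"Computer":"WS-042","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\QuickAssist.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"EventID":1,"Computer":"HELPDESK-01","User":"CORP\\svc_support","Image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}',
    r'{"EventID":1,"Computer":"WS-042","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    'this line is not valid JSON and should be skipped',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.user} ran {f.tool} ({f.image}): {f.reason}")
```

Running the script against the constructed sample reports two findings: the AnyDesk launch from the user's Downloads folder and the Quick Assist launch on the workstation, while the AnyDesk process on the sanctioned help-desk host and the unrelated Notepad process are ignored. In practice you would feed real Sysmon or EDR process-creation events into `scan()` and route findings to your SIEM; if neither tool is sanctioned anywhere, application control that blocks them outright is the stronger control the post recommends.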
In vulnerability news, while I still believe the cybersecurity community panics about zero-days too often, two reports showed a trend worth paying attention to. Both CISA and Mandiant found that in 2023, adversaries exploited more zero-day vulnerabilities to compromise enterprise networks than in previous years. Though this suggests adversaries are upping their game, the good news is that a defense-in-depth strategy that detects activity across multiple phases of an intrusion chain remains a solid approach, even in the face of zero-days.
Other notable reports included:
- A report from Sekoia on Chinese state-sponsored cyber threats that provided a helpful breakdown of government agencies affiliated with threat groups
- A report from Sophos on users searching for information about Bengal cats who were hit with Gootloader malware through Search Engine Optimization
- A report from Cisco Talos on a new stealer called PXA that steals information like cryptocurrency wallets, passwords, and information from messaging apps
- A report from ESET on APT trends over the past six months, including North Korean actors abusing legitimate cloud services
- A blog from SANS FOR589 co-authors Sean O’Connor and Will Thomas, as well as Anastasia Sentsova and Margo Lychak, on the role of women in Russian cybercrime
To close out, for anyone interested in more threat intelligence content, I highlighted the upcoming SANS Cyber Threat Intelligence Summit coming in January 2024 – check out the agenda and register here!