Weekly Newsletter

6 November - 12 November 2023

Welcome to the pilot issue of our weekly newsletter!

The week was marked by significant ransomware events that impacted organizations of all sizes globally, with a prevalence of adversarial activities targeting North America. Vectors of the initial attacks reportedly exploited vulnerabilities, including the 'CitrixBleed' flaw, as well as recently disclosed bugs in Atlassian Confluence, Veeam, and SysAid solutions.

Moreover, distributed denial-of-service (DDoS) operations appear to have escalated. This week, there were reports of various disruptive events impacting Cloudflare, as well as the main Russian bank Sberbank, although reports for the latter referred to events occurring in late October.

Cyberwarfare in connection to the ongoing conflict in the Middle East involved various destructive events attributable to Iran-nexus wiper attacks against Israeli organizations. New intelligence surfaced also in relation to the conflict in Ukraine; there were reports of new tactics, techniques, and procedures (TTPs) ascribed to Russia-linked disruptions of Ukrainian operational technology.

Threat Landscape Updates

Here we delve into the threat landscape across regions, providing highlights on the main security events of the week.

Google C2 RAT POC - A public proof of concept (POC) provides the capability to establish a covert command-and-control (C2) channel via Google Calendar. There are reports of the POC being the subject of underground chatter, with the potential for it to be used in attacks in the wild.

BlueNoroff - Jamf discovered a post-exploitation implant linked to "RustBucket," a campaign by the DPRK-sponsored BlueNoroff, a subgroup of the Lazarus Group. The campaign targets macOS cryptocurrency users, exchanges and financial services for financial gain.

Sberbank - Russian financial services giant Sberbank was impacted by a DDoS attack, Interfax reported on 9 November. The event occurred on 30 October, peaking at 1M requests per second (RPS) against the bank's website, with subsequent downtime.

Chinese Espionage - Telemetry from malware infrastructure reportedly linked to China-sponsored threat actors reveals inbound connections originating from 24 government organizations in Cambodia, Palo Alto Unit 42 reported. These organizations may have been compromised as part of a long-term espionage campaign.

Russian Cyber Warfare - Mandiant / Google Cloud research indicates that the Russian GRU-linked Sandworm has evolved its TTPs to target industrial control systems (ICS) and operational technology (OT) in the context of the cyberwarfare in Ukraine. The actor has been observed relying extensively on Living-off-the-Land techniques to disrupt targeted SCADA systems before deploying a CaddyWiper instance for destructive purposes.

Iran-Nexus Agrius - Palo Alto Unit 42 reported increased offensive activity against Israeli educational organizations, attributed to Iran-linked Agrius. The attacks are aimed at information theft and destructive actions. The initial vector of compromise is consistent with exploitation of vulnerabilities in internet-facing web servers.

APT35 - CrowdStrike examined a number of events occurring in October 2023 and argued that Iran-nexus APT35 (a.k.a. Imperial Kitten) has been escalating its activities across the Middle East, particularly against Israeli organizations in the transportation, logistics, and technology sectors. Attacks involve social engineering, particularly job recruitment-themed phishing lures. The actor deploys IMAPLoader, a piece of malware that fingerprints victim systems using native Windows utilities and acts as a downloader for additional malware.

SysAid Vulnerability - CVE-2023-47246 came under active exploitation, with subsequent deployment of the Cl0p ransomware. Microsoft attributed the events to a group it tracks as "Lace Tempest," whose activities overlap with TA505 / FIN11.

CPU-Z - Malwarebytes Labs discovered that versions of the CPU-Z software were trojanized with the RedLine information stealer and distributed via abused Google Ads; users are being directed to an attacker-controlled, Windows news-themed site that delivers the payload.

Anonymous Sudan - A large DDoS event impacted Cloudflare's website, resulting in users being diverted to a Google-themed page. Anonymous Sudan, believed to be a Russia-nexus group, claimed the attack via its Telegram channel.

BlazeStealer - Checkmarx examined a campaign distributing a novel information stealer, dubbed "BlazeStealer," via malicious Python packages. The malware abuses a Discord bot in the infection process. The United States, China, and Russia are the most targeted countries.

Threat Watch

Here we examine the primary threat streams emerging during the week and provide insights into meaningful developments, major vulnerabilities, security recommendations and monitoring of underground activities.

Critical flaws impacting the Veeam ONE IT monitoring platform (versions 11, 11a and 12) were identified. The recommendation is to patch promptly. BlackCat ransomware has historically targeted these appliances for initial intrusion.

Several reports indicate that DDoS events have become more frequent and impactful, as evidenced by the targeting of the Russian Sberbank and Cloudflare. This trend is accompanied by evolving TTPs, including the recently reported HTTP Rapid Reset exploit.

ThreatFabric reports that a novel dropper, dubbed "SecuriDropper," is capable of bypassing Android 13 Restricted Settings. It is reportedly offered as a Dropper-as-a-Service and is disguised as a legitimate Android translator application.

Ransomware Watch

Here we provide insights into ransomware trends, focusing on the most active actors and the targeted countries and industries.

After making headlines with the Boeing hack, LockBit has consistently remained the most active ransomware operation throughout the week, affecting numerous organizations globally. Other groups, including Play, BlackCat and Cactus, have been active on a lower yet still significant scale. The ransomware landscape has also witnessed a number of events attributed to Hunters International, believed to be a rebranding of the Hive ransomware operation.

Our monitoring data indicate that the United States (US) is the most impacted country worldwide, with Germany and the United Kingdom following at a considerable distance in confirmed event count. Despite the prevalence of North America and Europe, events have been reported across all continents. In such a geographically diversified threat landscape, headlines were made in China with the ransomware compromise of the state-owned Industrial and Commercial Bank of China (ICBC). Moreover, LockBit claimed to have compromised the US-based subsidiary of Aten, a Taiwan-headquartered technology multinational.

The two events described above are aligned with a global trend in which technology companies and financial services are consistently the most frequent targets of ransomware attacks. Notably, beginning on 11 November, there have been reports of a BlackCat ransomware event impacting the technology and security giant Dragos, Inc., with the actor threatening to leak data within 24 hours (at the time of writing). Alongside technology and financial services, this week saw a spike in events impacting private and state-owned healthcare in North America and Europe, as well as a number of leisure service providers in Germany.

From a risk prevention perspective, it is critical to take into account the prevalent TTPs observed during the week. Reported attack vectors include attempts to exploit the critical vulnerabilities (referenced above) in the Veeam ONE suite and in Atlassian Confluence Data Center and Server. Remediating these vulnerabilities is a meaningful risk mitigation step.

Weekly monitoring cut-off time: 12 November 2023, 6 AM CET
