|New Threat Detection Added||3 (BunnyLoader Malware, Earth Lusca APT, and Apache ActiveMQ CVE-2023-46604)|
|New Threat Protections||9|
|New Ransomware Victims Last Week||104|
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Cybersecurity experts found a new and worrisome threat known as BunnyLoader on underground forums. This malicious tool does some concerning things like downloading harmful software, stealing your web browser login information, and more. What's alarming is that BunnyLoader uses a keylogger to record what you type and a clipper to watch your clipboard, so it can replace cryptocurrency wallet addresses with ones controlled by bad actors. After collecting this sensitive information, BunnyLoader neatly packages it into a ZIP file and sends it to a Command-and-Control server. This sneaky program, written in C/C++, is being sold on the dark web for $250. It is important to note that BunnyLoader is always getting updated and improved to avoid getting caught by security systems while carrying out its actions like downloading harmful software, recording keystrokes, stealing data, and taking remote commands.
Rule Set Type:
|Execution T1047/T1059 - Persistence T1547.001 - Privilege Escalation T1547.001 - Defence Evasion T1027/T1036/T1497 - Discovery T1010/T1016/T1018 - Collection T1005 - Command-and-Control T1071/T1095|
|Threat name:||Earth Lusca APT|
A cyber threat group called Earth Lusca APT has been found targeting countries in Southeast Asia, Central Asia, Latin America, and Africa. They are mainly interested in government agencies involved in foreign affairs, technology, and telecommunications. Their focus has shifted to exploiting vulnerabilities in their target's exposed servers. Notably, they are using new and unknown vulnerabilities (0-day) in these servers. They are using a malicious program called SprySOCKS Trojan, which can perform various standard actions like gathering system information, creating a virtual connection, checking network connections, creating a proxy, and transferring files. It also supports basic file operations like listing, deleting, renaming, and creating directories.
Rule Set Type:
|Initial Access T1190 - Execution T1059 - Collection T1005 - Command-and-Control T1090|
|Apache ActiveMQ CVE-2023-46604|
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialised class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
Rule Set Type:
|Execution T1059 - Privilege Escalation T1068|
Known exploited vulnerabilities (Week 1 - November 2023)
F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
F5 BIG-IP Configuration Utility SQL Injection Vulnerability
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
Updated Malware Signatures (Week 1 - November 2023)
A stealer malware that collects sensitive information from victim machines, encrypts it and exfiltrates it to its Command-and-Control server.
Also known as Zbot and is primarily designed to steal banking credentials
A malware dropper that is designed to download additional malware on an infected machine.
A Microsoft Word-based malware which is used as a dropper for second-stage malware.
A malware that is used to send spam emails, conduct click frauds and cryptomining.
This malicious software installs and runs cryptocurrency mining applications.
|New Ransomware Victims Last Week:||104|
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 104 new ransomware victims or updates in the few past victims from 19 distinct industries across 24 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.
LockBit3.0, a specific ransomware, has affected the largest number of victims (24) updates spread across various countries. Play and Blackbasta ransomware groups updated 19 & 13 victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.
|Name of Ransomware Group||Percentage of new Victims last week|