When the alarms in the Suspicious Network Activities category are classified, most events, as expected, are potential scanning activity and access to blacklisted IPs. Legitimate actions taken by system and network administrators also appear under this category from time to time. For such actions, our analyst team contacts the customer directly, analyzes the feedback, marks the confirmed false positives and improves the detection rules accordingly.
APT 28
It has been determined that the APT28 cyber threat group targets cloud services and corporate networks and uses brute-force password attempts as an entry vector.
Threat actors performing brute-force attacks, especially against cloud systems, have been found to use the obtained login credentials for privilege escalation and for evading security systems. They have also been observed exploiting vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 in Microsoft Exchange systems. The same actors, who target many sectors and organizations, also use fileless attack (fileless malware) techniques in their operations, and they target not only cloud services but also on-premises e-mail servers.
To avoid exposure to these attacks, it is recommended to use a reliable anti-virus/anti-malware solution, keep systems and software up to date and enable 2FA.
Spyware Provider: Candiru
A new Israel-based company named Candiru, which provides spyware specifically to governments, has been identified. The spyware Candiru supplies to governments is reported to be able to monitor devices, computers and cloud systems running iOS, Android and macOS.
More than 750 websites posing as media companies and non-governmental organizations have been identified on the internet in association with Candiru's spyware. At least 100 people with ties to Turkey, Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Armenia and Singapore were observed to have been targeted in the campaign in question. Targets include human rights defenders, dissidents, journalists, activists and politicians. Analysis by security researchers determined that the spyware exploits two privilege escalation vulnerabilities affecting Windows, identified as CVE-2021-31979 and CVE-2021-33771.
To avoid becoming the target of such malware campaigns, it is recommended to use up-to-date software versions that fix these vulnerabilities, not to open e-mails and attachments from unknown parties, not to click on suspicious links, and to use security solutions that make it easier to take precautions and respond to possible attacks.
HiveNightmare
A zero-day vulnerability that could expose administrator passwords has been identified in Microsoft Windows 10.
The vulnerability, known as HiveNightmare or SeriousSAM, was first identified in the unreleased Windows 11 beta, but Windows 10 was also found to be affected.
HiveNightmare allows a user without administrative privileges to read the Windows Security Account Manager (SAM) database, which contains all important password hashes and keys. Threat actors who successfully exploit this vulnerability can access the SAM, SYSTEM and SECURITY registry hive files and elevate their privileges.
Microsoft has released a number of workarounds for the vulnerability, which would otherwise allow threat actors to install programs, modify data or create new accounts with full user rights.
Workarounds published by Microsoft:
Access to the contents of %windir%\system32\config should be restricted. To do this, users need to run the command "icacls %windir%\system32\config\*.* /inheritance:e" in PowerShell or Command Prompt.
If there are backup copies created with the Volume Shadow Copy Service (VSS), they should be deleted and System Restore points should be removed.
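The two workaround steps above can be audited and applied from one script. The following PowerShell is an added example written for this bulletin, not Microsoft's own code; it assumes an elevated prompt and checks the hive ACLs by SID so it does not depend on the system locale.

```powershell
# Added example, not part of the original bulletin: audits a host for the
# HiveNightmare/SeriousSAM condition and, with -Remediate, applies the Microsoft
# workaround quoted above (restore inheritance on %windir%\System32\config and
# delete VSS shadow copies). Run from an elevated PowerShell prompt.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so locale does not matter
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$exposed   = @()

foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    # Get-Acl only needs READ_CONTROL, which succeeds even though the hive file is locked.
    $acl  = Get-Acl -Path (Join-Path $configDir $hive)
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($weak) {
        Write-Warning "$hive hive is readable by BUILTIN\Users (vulnerable ACL)"
        $exposed += $hive
    }
}

# Even after the ACL is fixed, an existing shadow copy still holds a readable copy of the hives.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host ("Exposed hives: {0}; shadow copies present: {1}" -f $exposed.Count, $shadows.Count)

if (-not $Remediate) {
    if ($exposed.Count -gt 0 -or $shadows.Count -gt 0) {
        Write-Host 'Re-run with -Remediate to apply the Microsoft workaround.'
    }
    return
}

# Workaround step 1: re-enable inheritance so the hives pick up the directory's restrictive ACL.
& icacls.exe "$configDir\*.*" /inheritance:e

# Workaround step 2: delete existing shadow copies (this also removes System Restore points).
& vssadmin.exe delete shadows /all /quiet
```

Run it without -Remediate first to record which hives and shadow copies are exposed, since deleting shadow copies is irreversible.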
To protect against phishing attacks, the following are recommended:
Security teams should keep up with new phishing techniques
Cyber security awareness training so that users think before clicking on links
An EDR solution to enforce protection policies
A regular cyber threat intelligence feed
Multi-factor authentication for all authentication mechanisms
According to Microsoft's page dedicated to the vulnerability, it is a remote code execution (RCE) vulnerability in the Windows Print Spooler software that occurs when the module that manages a system's print jobs improperly processes files.
An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. The attacker could then install programs, view, modify, or delete data, or create new accounts with full user rights.
Lockfile Ransomware Family
LockFile is reported to be a newly discovered ransomware family. It uses a technique called interleaved encryption to evade detection by security products: instead of encrypting each file from beginning to end, it encrypts only parts of it. LockFile exploits recent vulnerabilities such as ProxyShell and PetitPotam to establish itself on Windows servers.
To protect against these situations, the following are recommended:
Performing health checks on the SIEM at regular intervals
Performing dynamic asset management and feeding the results into the SIEM
Updating and enriching detection rules on the SIEM with current indicators
Operating the detection mechanism as a continuous process
BlackMatter Ransomware
BlackMatter is a new ransomware group that has learned from the mistakes of the REvil and DarkSide groups and is charting its own course. In an interview with Recorded Future, the group stated that it is interested in targeting companies with over $100 million in turnover, but that it does not target the healthcare, public and critical infrastructure sectors.
Authorities believe the same group is behind the DarkSide ransomware, which is known to be responsible for large-scale attacks such as the one on Colonial Pipeline, because technical analysis suggests they use the same encryption routines. BlackMatter's own claim is that it completes the puzzle left by REvil, DarkSide and LockBit.
New ZLoader Variant
It has been found that users who search on engines like Google to download the TeamViewer remote desktop software are directed to malicious links that drop the ZLoader malware onto their systems.
The infection chain begins when a user clicks on an ad displayed by Google on the search results page and is directed to a fake TeamViewer site controlled by the threat actor. The user is then tricked into downloading a fraudulent but signed derivative of the software ("Team-Viewer.msi"). The fake installer acts as a first-stage dropper that aims to disable the machine's defenses and ultimately download the ZLoader DLL payload ("tim.dll") and other payloads.
Some IoC information regarding the ZLoader installer and other findings detected during the campaign are listed below. It is recommended to block these IoCs on security devices.
The investigations show that many cybersecurity incidents take advantage of the lack of regular update and patch activities. In order to prevent such situations and keep your systems stable, it is recommended to take simple precautions such as:
Regularly deploying updates and patches to the systems
Managing update and patch activities through a central system
Performing all these activities in accordance with change management principles.