Summarizing the data from Talos IR, the following key findings emerge:
- In the third quarter of 2023, the number of threats targeting web applications significantly increased, accounting for 30% of the incidents addressed by Cisco Talos Incident Response (Talos IR), compared to the 8% observed in the previous quarter.
- Threat actors predominantly gained initial access by exploiting public-facing applications, representing 30% of the incidents.
- Ransomware remained a substantial threat, constituting 10% of the incidents. Notably, Talos IR encountered the LockBit and BlackByte ransomware families, along with a new variant, BlackByte NT.
- The primary targets were the telecommunications and education sectors, each comprising 20% of the incidents.
- After acquiring initial access, threat actors utilized tactics such as web injection attacks, web shell deployment, and the utilization of readily available frameworks like Supershell.
- In 25% of engagements, Talos IR observed attackers exploiting scheduled tasks to continually execute malicious code, maintaining persistence on an endpoint.
Nicole Hoffman, a researcher at Talos, reports that Talos IR:
“Is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily.”
THREAT ACTORS DEPLOYING WEB SHELLS:
Furthermore, the researchers noted that user-friendly frameworks for deploying web shells offer advantages to advanced threat actors while reducing entry barriers for less sophisticated attackers. Notably, the use of off-the-shelf C2 frameworks like Alchimist and Manjusaka has been on the rise in the past year, and this trend is expected to continue as adversaries seek to enhance their capabilities for web-based attacks.
Additionally, Nicole described that:
“We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.”
RANSOMWARE ATTACKS REMAIN A MAJOR THREAT:
Talos IR responded to a LockBit ransomware attack that began with the adversaries compromising a contractor account for entry. They proceeded to extract credentials, gain administrator privileges, and avoid detection by disabling security tools and clearing event logs. LockBit established C2 channels and deployed the ransomware through domain policy modifications, using tools such as Cobalt Strike and AnyDesk.
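Two of the behaviours described above, scheduled tasks used for persistence and event logs cleared to evade detection, leave well-known traces in the Windows Security log: event ID 4698 (a scheduled task was created) and event ID 1102 (the audit log was cleared). The following Python script is an added example, not code from Talos or from the report, that runs simple detection rules over a handful of constructed event records and then correlates the two behaviours per account, in the spirit of the engagement above where a single compromised contractor account did both. The event records, account names, task names and the two heuristics (hidden or encoded PowerShell flags, executables launched from user-writable paths) are assumptions made for the example, not Talos IR detection logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records in a simplified Windows Security log shape.
# Event IDs 4698 (scheduled task created) and 1102 (audit log cleared) are
# real Windows Security event IDs; every value below is made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4698, "User": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\Backup\\NightlyBackup",
     "Command": "C:\\Program Files\\Backup\\backup.exe", "Arguments": "--full"},
    {"EventID": 4698, "User": "contractor01", "TaskName": "\\Updater",
     "Command": "powershell.exe",
     "Arguments": "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 4698, "User": "contractor01", "TaskName": "\\OneDriveSync",
     "Command": "C:\\Users\\Public\\sync.exe", "Arguments": ""},
    {"EventID": 1102, "User": "contractor01"},
    {"EventID": 4624, "User": "alice"},
]

# Heuristics (assumptions for this example, not Talos IR rules): PowerShell
# flags that hide or encode the command, and executables in user-writable paths.
SUSPICIOUS_ARGS = re.compile(r"-(enc(odedcommand)?|nop|w(indowstyle)?\s+hidden)\b", re.I)
USER_WRITABLE = re.compile(
    r"^C:\\(Users\\[^\\]+\\(AppData|Downloads)|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def check_scheduled_task(ev):
    """Flag a 4698 record whose action looks like persistence rather than admin work."""
    findings = []
    args = ev.get("Arguments", "")
    command = ev.get("Command", "")
    if SUSPICIOUS_ARGS.search(args):
        findings.append(Finding("task_hidden_or_encoded_cmd", ev["User"],
                                f"{ev['TaskName']} -> {command} {args}"))
    if USER_WRITABLE.match(command):
        findings.append(Finding("task_runs_from_user_writable_path", ev["User"],
                                f"{ev['TaskName']} -> {command}"))
    return findings


def analyze_events(events):
    """Apply the per-event rules and return every finding in log order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            findings.extend(check_scheduled_task(ev))
        elif ev["EventID"] == 1102:
            findings.append(Finding("audit_log_cleared", ev["User"], "Security log cleared"))
    return findings


def users_to_escalate(findings):
    """Accounts that both created a suspicious task and cleared the audit log.

    Either signal alone can be benign admin activity; the combination on one
    account mirrors the persistence-then-evasion sequence seen in the engagement.
    """
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f.user].add(f.rule)
    return sorted(
        user for user, rules in rules_by_user.items()
        if "audit_log_cleared" in rules and any(r.startswith("task_") for r in rules)
    )


if __name__ == "__main__":
    found = analyze_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] user={f.user}: {f.detail}")
    print("escalate:", users_to_escalate(found))
```

On a real estate, event 4698 is only written when the "Other Object Access Events" audit subcategory is enabled, so the first check to run is whether the policy is on at all; a fleet that never logs 4698 will look clean to this script regardless of what was scheduled.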
THE SHROUDEDSNOOPER – A CUSTOM BACKDOOR:
In the Middle East, the third quarter saw a new APT group, ShroudedSnooper, targeting telecommunications companies. This group introduced two unique backdoor implants called “HTTPSnoop” and “PipeSnoop,” which operate through Windows HTTP kernel drivers, intercepting and executing specific HTTP(S) URLs while disguising themselves as legitimate security software components, making detection challenging for Talos IR.
The report also highlights that ransomware remains a threat, accounting for over 10% of total IR engagements in the third quarter. Further analysis reveals that core security weaknesses often stem from unpatched or misconfigured applications, such as Remote Desktop Protocol (RDP) exposed without Multi-factor Authentication (MFA).
For more information and details on the top observed MITRE ATT&CK techniques, visit the Talos Intelligence Blog.