#SharedWithTidal

2023-05-15

Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: app.tidalcyber.com/share/43836

The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats

The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)

An interactive link analysis visualization of connections among these threats, also derived from public reports, is available here: onodo.org/visualizations/23506

Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats

Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (app.tidalcyber.com/share/9a0fd) and Major & Emerging Infostealers matrix (app.tidalcyber.com/share/ec62f), which each cover 20+ threats

Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: hubs.la/Q01NC23k0

#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber

2023-03-15

At Tidal Cyber, we take the "community" part of Tidal Community Edition seriously. We want the whole community to benefit from work done in the platform. Have you created a great technique set or matrix in Community Edition? Share it!

From now until March 31, we'll be sending Tidal swag to users who share their work on social media. Just tag Tidal Cyber and use #sharedwithtidal in your post, and we'll reach out to get your shipping address to send your swag.

#threatintel #cybersecurity #threatintelligence

2023-03-14

Don’t approach your threat profile irrationally – use our #PiDay #TTPs Matrix to slice through the infinite universe of threats and bring more (mathematically) constant focus on the ones that matter most: hubs.la/Q01GPxgV0

Whether you’re a freshly-baked analyst/operator or a crusty infosec veteran, the piping hot and fresh content in Tidal’s free Community Edition is sure to ins-pie-re the next step in your threat-informed defense journey!

Our latest matrix features seven timely threats:

PyPI Malicious Packages: A recent report from Sonatype highlighted software supply chain compromises, where four Python packages hosted on the PyPI software registry contained malicious code that could drop malware, delete system utilities, & tamper with files containing authorization keys

AppleSeed: According to the MITRE ATT&CK knowledge base, “AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.”

Raspberry Robin: A highly active worm that spreads through removable media and abuses built-in Windows utilities after initial infection. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware

Chocolatey Backdoor: Last March, Proofpoint identified an attack on French organizations in multiple sectors that used Chocolatey, an open-source package installer, to fetch malicious scripts that delivered the Serpent backdoor (this represents one of the first documented uses of Chocolatey in a cyber campaign)

(Key) LimeRAT: Trellix researchers documented a July 2022 spearphishing campaign targeting government agencies across South Asia, Europe, and North America that ultimately delivered AsyncRAT & LimeRAT. As a special bonus, this set of Pi Day techniques fittingly features T1056.001 (Input Capture: Keylogging)!

Banana Sulfate: This small set derives from Sekoia.io’s investigation into a large and sophisticated but unattributed infrastructure cluster last February

Golden Chickens: Security researchers assess this is a malware-as-a-service provider whose customers include FIN6, Cobalt Group, and the Evilnum APT group.

#SharedWithTidal #threatinformeddefense #threatintel #threatintelligence

2023-03-13

The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting app.tidalcyber.com/share/4b901

SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns

SocGholish appears on multiple security and #CTI vendors' top priority threat lists. The malware has been active since 2017; SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries

Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (app.tidalcyber.com/share/796ca) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (app.tidalcyber.com/share/aef0f), into one view to compare & contrast initial access techniques (app.tidalcyber.com/share/adb95). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here

#threatinformeddefense #SharedWithTidal

2023-02-21

#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?

Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: app.tidalcyber.com/share/796ca

Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars

Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout

Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here redcanary.com/blog/gootloader/ and here thedfirreport.com/2022/05/09/s. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry app.tidalcyber.com/vendors

#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam

2023-01-18

Prioritizing TTPs for ransomware linked to Royal Mail attack

After media reports linking #LockBit ransomware to the attack on the UK’s largest mail delivery service, which halted some delivery operations (bleepingcomputer.com/news/secu), we revisited our technique set for this #threat and added 20 technique references (including six net-new techniques linked to this malware in our knowledge base). View the data here: app.tidalcyber.com/share/bcc36

LockBit 3.0 emerged in July as the latest variant in this highly active family of ransomware-as-a-service (RaaS). LockBit was likely the single most active #ransomware cluster of 2022, accounting for the most publicly extorted victims last year by far (a very rough approximation for overall activity – more on the nuances of public victim data below)

Considering threats to your industry & immediate peers is a great entry point to building a cyber “threat profile”. Many of the top #RaaS, including LockBit, stand out for the breadth of sectors they’ve victimized – often, if you look hard enough, you can likely find at least one victim in a given vertical associated with a particular RaaS family. It’s therefore usually pertinent to evaluate many of these threats in your profiling efforts and consider taking some steps to reinforce defenses around them

Likely in part due to extra scrutiny, LockBit 3.0 has more linked techniques (57) than any other threat in our Ransomware & Data Extortion Landscape mega-matrix (app.tidalcyber.com/share/9a0fd). Orders of magnitude less than the # of associated indicators (see here for just one indication of volume valhalla.nextron-systems.com/i) but still a fair amount worth prioritizing. A good entry point for this involves gauging the widest gaps between highest-density techniques (those seen most often in your data) and those you’ve determined you are most- or least-defended against. The attached table shows Sigma, Atomic Red Team, & Data Component coverage for select LockBit 3.0 techniques – these and many commercial capabilities can all be easily surfaced, pivoted to, or overlaid in Tidal’s free Community Edition

And while technique counts are usually much smaller than IOC volume, remember adversaries can & do (increasingly) evolve their TTPs, underscoring the importance of intelligence tracking over time where team resources & bandwidth allow: tidalcyber.com/blog/identifyin

#SharedWithTidal #threatinformeddefense #RoyalMail

Finally, several recent thoughtful articles/discussions commenting on important nuances to consider when looking to victim extortion/data leak sites to gauge ransomware prevalence: ohadzaidenberg.com/post/victim
curatedintel.org/2022/11/the-d
twitter.com/uuallan/status/159

2023-01-12

Proud to share our second analysis piece, which just went live! BLUF: All the pieces are in place for a serious, near-term uptick in infostealer threats involving higher-value targets, including businesses of all sizes, paralleling the shift among top ransomware groups toward “big-game” targets in years past. Part 1 details our evidence that intent, opportunity, & capability (the components of a “threat”) are all rising, and Part 2 will share our process for using this threat intelligence to drive development of new detections around the TTPs most commonly shared across today’s top stealers.

Despite a little more attention over the past year or so, I’ve sensed for some time that infostealers remain an “underrated” concern relative to the level of threat they pose to organizations, and there has yet to be a broad threat assessment or analysis of common techniques at quite this scale. Entirely based on (a large body of) public reporting, I think we’re able to draw unique insights in this series, and @tidalcyber's Community Edition made it a lot easier to get there.

Despite (what we see as) a rising threat, it’s not all doom and gloom – there are some extremely practical steps defenders can take to really lower the risk profile. Throw a few straightforward detections that we’ve compiled (they’ll come with Part 2, still cleaning up some rules sorry) in place, which cover many flavors of technique implementations associated with a wide range of these threats. Once you’ve set (and ideally validated) this coverage, consider tackling the likely more complex task of reviewing and tuning relevant people- and technology-related mitigations, including around identity & access (where today’s stealers pose some tricky challenges) and policies for responsible device use (to counter trending initial access vectors covered here in Part 1).
#infostealer #RedLine #Raccoon #StealerNoStealing #threatinformeddefense #SharedWithTidal #malware #risk
tidalcyber.com/blog/big-game-s

2022-12-23

@grep_security Thanks for sharing! #SharedWithTidal

2022-12-16

Today we’re sharing initial versions of two dashboards that summarize the top attack techniques associated with two major trends from the past year. Both are rich with recent supporting evidence and fill important gaps around timely, aggregated, actionable information related to key threats that we expect will persist (and likely grow) in 2023.

Consider bookmarking both dashboards – we also expect we’ll need to update the groups & malware (and associated techniques) as activity continues into next year.

First is a roundup of #TTP associated with major #infostealer malware. This covers a total of 265 technique references (across 83 unique techniques) associated with 10 credential/info stealers that have been highly active over the past year-plus or emerged in recent months. Some likely familiar names, like Raccoon (and its v2 iteration), RedLine, & Mars, but also many others. The volume of #credentials stolen by malware like these has skyrocketed in recent years, and this vector has contributed to some of the past year’s most high-profile breaches. Many initial infections occur through individual personal downloads, but this is a multi-faceted threat that absolutely creates risk for organizations too. Check out the dashboard in Tidal’s free Community Edition here: app.tidalcyber.com/share/ec62f

Next is the Data Extortion Ecosystem TTP map. Driven by a few factors, most notably speed, we’ve observed a clear shift among some groups in the #ransom/extortion space toward attacks that feature no actual #ransomware-based encryption, but rather just data exfiltration (and in some cases outright data destruction or manipulation). This combined heatmap covers eight groups & software leading this trend, including some covered recently in U.S. federal government CTI reporting, like LAPSUS$ & Karakurt, but also a few lesser known threats (RansomHouse and…Donut Leaks?). Currently this covers 135 technique references (across 68 unique techniques), but I definitely expect this set to evolve into early next year & beyond: app.tidalcyber.com/share/1a265

Consider these early previews of some of our top #CTI content themes for the first half of 2023 – lots more written analysis to come on these, and if you want the full picture, sign up for our 2023 threat landscape briefing, scheduled for noon ET on January 10! hubs.la/Q01v-PN00

#threatinformeddefense #SharedWithTidal

2022-12-14

⚠️ Cuba Ransomware resources drop ⚠️

A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today youtube.com/watch?v=K1a6Mac1-y

Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) cisa.gov/uscert/ncas/alerts/aa

Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: cisa.gov/stopransomware/stopra

According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: tidalcyber.com/blog/adversary-

(And here’s another piece covering TTP evolution relative to another top malware, QakBot tidalcyber.com/blog/identifyin)

In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset github.com/joshhighet/ransomwa

The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋

#Cuba Ransomware details from #mitreattack app.tidalcyber.com/software/09

Technique set for Cuba TTPs published in February app.tidalcyber.com/share/6fbf9 (source: mandiant.com/resources/blog/un)

Cuba technique set based on CISA’s/FBI’s new alert: app.tidalcyber.com/share/11c63

Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: github.com/mitre-attack/attack

LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: app.tidalcyber.com/technique/a

Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: unit42.paloaltonetworks.com/cu

Disable or Modify Tools technique details page: app.tidalcyber.com/technique/9

Final Cuba Ransomware technique time series comparison/overlay: app.tidalcyber.com/share/7631b

Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: app.tidalcyber.com/share/9c1f0

Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space join.slack.com/t/tidalcommunit

Catch this and other walkthroughs on the @tidal Cyber YouTube channel youtube.com/@tidalcyber6071

#cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal

2022-12-06

Brush up on #APT41 TTPs in light of the news the China-linked group ran a campaign to steal millions’ worth of U.S. state government COVID-19 relief funds nbcnews.com/tech/security/chin

APT41 is relatively unique among suspected Chinese #APT for carrying out repeated cyber attacks for both #espionage and likely personal financial gain. The recent news isn’t the first to highlight the group’s dual motivations – it has been observed conducting financial operations since at least the mid-2010s: content.fireeye.com/apt-41/rpt

A few reports from this year give insight into APT41’s recent attack techniques:
Original report on APT41 attacks involving U.S. state government entities from March: mandiant.com/resources/blog/ap
Review of four APT41 campaigns observed last year, published in August: blog.group-ib.com/apt41-world-
Threat activity details associated with a “new subgroup” of APT41, which seems especially focused on victims in south/southeastern Asia (published last month): trendmicro.com/en_us/research/

ATT&CK’s knowledge base gives a good baseline of APT41 behavior, covering 59 techniques sourced from eight reports published through June 2021 (yellow in my dashboard screenshot). I layered on the 62 techniques referenced in the latter two reports above (blue & purple in my matrix, respectively) for a broader picture that also lets us compare & contrast techniques observed in different series of activity. Links to everything follow:

APT41 profile & techniques: app.tidalcyber.com/groups/5022
Technique set for August report: app.tidalcyber.com/share/ae8d3
“Earth Longzhi” techniques: app.tidalcyber.com/share/b60fe
Combined heatmap: app.tidalcyber.com/share/463e9
Search or filter attack Groups by Motivation, Suspected Attribution, and Observed Sectors & Countries: app.tidalcyber.com/groups

#CTI #fraud #TTP #threatinformeddefense #SharedWithTidal

2022-12-01

Excited to share @tidalcyber's first original #TTP intel analysis piece! I've noticed a steady stream of #QakBot news in my feeds the past few weeks, making it challenging to keep track of what is new, what's already known, and what can be done about this persistent threat.

Breaking up QakBot's TTP evolution into a few smaller chunks helped make better sense of the trends by highlighting distinct techniques observed more over certain recent time periods. We can then turn to a number of great public resources that community members have recently shared, to take measurable steps toward improving defenses in line with these behaviors.

#CTI
#threatinformeddefense #SharedWithTidal

tidalcyber.com/blog/identifyin

2022-11-21

Analyzing #TTP overlap for nine top #ransomware

This originates from analysis of ransomware targeting schools, but most of these families have threatened a range of critical infrastructure & other industries too

Each ransomware covered here has published extortion threats involving a school or university during the past year, and this trend is increasing. I tallied 66 ransomware extortion threats against these #education entities since last October. A few groups dominate (see pie chart), and victim count jumped especially high in recent months for schools (K-12) (see bar chart).

The #malware covered here (and count of associated extortion threats against education entities) are: #ViceSociety (25), #Pysa (8), #LockBit 3.0 (7), #ALPHV / #BlackCat (6), LockBit 2.0 (5), #Hive (4), #BianLian (3), #Quantum, Snatch (2), & #Conti, #REvil, Sabbath, and Stormous (1 each). Also #HelloKitty / #FiveHands, which is used by Vice Society, but no relevant posts were observed.

Visual summary of my analysis: app.tidalcyber.com/share/8d9f2

Overall the nine ransomware map to 131 unique techniques total, sourced from 30 recent public reports, mainly malware analysis & government advisories ("Show only labelled techniques" gives the best view). The underlines & numbers in the cells indicate number of malware mapped to that technique. Background color gradient represents number of sources referencing it. This tool helps with pivoting to defenses and analytics (think Sigma rules), offensive tests (Atomic Red Team), and data sources (make sure you have proper logging enabled) mapped to the same techniques.
#threatintel #SharedWithTidal
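
The overlap view described in the post above (cell numbers = how many malware map to a technique, colour gradient = how many sources reference it), and the CTI-to-layer conversion mentioned in the Dec 14 post, as an added example that is not Tidal's or the posts' own code: a small Python script that merges several per-threat technique sets, reports techniques shared by every threat versus outliers seen in only one, and emits an ATT&CK Navigator-style layer JSON. The threat names, technique-to-threat mappings and source URLs are constructed for illustration and are not the post's real data; the layer keys follow the Navigator layer format, and the version numbers are an assumption to adjust for your Navigator build.

```python
"""Merge per-threat technique sets into one overlap layer.

Added example, not Tidal Cyber's code. The sample mappings below are
constructed for illustration; real ones would come from the cited reports.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One threat -> list of (ATT&CK technique ID, source URL) references.
# Constructed sample data (example.invalid is a reserved, non-resolving domain).
TECHNIQUE_SETS: Dict[str, List[Tuple[str, str]]] = {
    "threat_a": [
        ("T1566.001", "https://example.invalid/report-1"),
        ("T1059.001", "https://example.invalid/report-1"),
        ("T1059.001", "https://example.invalid/report-2"),
        ("T1003.001", "https://example.invalid/report-2"),
        ("T1486", "https://example.invalid/report-1"),
    ],
    "threat_b": [
        ("T1059.001", "https://example.invalid/report-3"),
        ("T1562.001", "https://example.invalid/report-3"),
        ("T1003.001", "https://example.invalid/report-3"),
        ("T1486", "https://example.invalid/report-4"),
    ],
    "threat_c": [
        ("T1059.001", "https://example.invalid/report-5"),
        ("T1047", "https://example.invalid/report-5"),
        ("T1486", "https://example.invalid/report-5"),
    ],
}


def overlap(sets: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {technique_id: (threats mapped to it, distinct sources citing it)}."""
    threats: Dict[str, Set[str]] = defaultdict(set)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for threat, refs in sets.items():
        for tid, src in refs:
            threats[tid].add(threat)
            sources[tid].add(src)
    return {tid: (threats[tid], sources[tid]) for tid in threats}


def shared_and_outliers(sets: Dict[str, List[Tuple[str, str]]]) -> Tuple[List[str], List[str]]:
    """Techniques present in every set vs. in exactly one set (compare & contrast)."""
    agg = overlap(sets)
    n = len(sets)
    shared = sorted(t for t, (th, _) in agg.items() if len(th) == n)
    outliers = sorted(t for t, (th, _) in agg.items() if len(th) == 1)
    return shared, outliers


def build_layer(sets: Dict[str, List[Tuple[str, str]]], name: str = "overlap") -> dict:
    """Navigator-style layer: score = number of threats; comment lists threats and source count."""
    agg = overlap(sets)
    techniques = [
        {
            "techniqueID": tid,
            "score": len(th),
            "comment": f"{len(th)} threat(s): {', '.join(sorted(th))}; {len(src)} source(s)",
        }
        for tid, (th, src) in sorted(agg.items())
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumption: version strings must match the Navigator build you load this into.
        "versions": {"layer": "4.4"},
        "techniques": techniques,
        # Gradient runs from "seen in no set" to "seen in every set".
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": len(sets)},
    }


if __name__ == "__main__":
    shared, outliers = shared_and_outliers(TECHNIQUE_SETS)
    print("shared by all:", shared)
    print("outliers:", outliers)
    print(json.dumps(build_layer(TECHNIQUE_SETS, "sample-overlap"), indent=2))
```

Run it as-is to see the layer JSON; to use real data, replace TECHNIQUE_SETS with the technique/source pairs pulled from each report. The score field is what Navigator colours by, so a technique cited by many sources but mapped to only one threat stays low on the gradient, matching the post's distinction between breadth across malware and depth of reporting.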

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst