Startling statistics from CrowdStrike reveal that a staggering 68% of detections in the past three months were not malware-related.
This amounts to over 65,000 potential intrusions, equivalent to approximately one potential intrusion every eight minutes, every day of the year.
In a concerning trend, adversaries take an average of just one hour and 32 minutes to move laterally from an initially compromised host to another host within the victim's environment. Furthermore, in 36% of these intrusions, the adversary manages to expand their reach to additional hosts in under 30 minutes.
Today, most ransomware operators engaged in big game hunting (BGH) have added data leaks to their arsenal, combining data encryption with the threat of exposing stolen information to extract payments from victims. Some adversaries have even established dedicated leak sites (DLSs) to publicly disclose victim details and release pilfered data. However, INDRIK SPIDER deviates from this trend by not utilizing data extortion methods.
Comparing attack attempts year over year, the telecommunications and retail industries witnessed attacks more than doubling in numbers. The professional services industry experienced an increase of over 90%, while both the government and academic sectors faced attacks rising by over 80%.
Common initial access techniques employed against the telecommunications industry include spear phishing, vulnerability exploitation, use of legitimate credentials, and supply chain compromise. Once access is gained, adversaries often exploit services or leverage system-native tools like Windows Management Instrumentation (WMI) and various command and script interpreters to advance their operations.
WICKED PANDA, a China-nexus adversary, utilizes an array of remote access tools such as Cobalt Strike and their custom software like Winnti, ShadowPad, or RouterGod to carry out their intrusions. The LightBasin cluster employs diverse tools, including a utility known as sun4me, which serves as an encrypted payload utilizing a key derived from the victim's environment. This payload is decrypted by a tool called STEELCORGI. The versatile sun4me boasts features such as:
Our threat hunting methodology involves adopting unique methods, standards, and practices to detect and neutralize even the most sophisticated threats. Through proactive threat hunting, anomaly detection, statistical and behavioral analysis, our expert threat hunters have consistently delivered secure environments for our clients.
Here's a glimpse into our human-led threat hunting methodology, which systematically uncovers threats at scale:
With each new threat we encounter, UltraViolet Cyber extracts valuable insights that drive continuous advancements in automated detections and human-led threat hunting.
Our experts specialize in identifying indicators of malicious screen capture activity, such as image files being written to disk and the deployment of file compression and archival utilities, as well as anomalous traffic to unknown external hosts that may indicate data exfiltration. Proactive investigation of lateral movement activity, complemented by contextual system events, enriches our threat hunters' insights.
Our mission is to expose advanced interactive threats and provide actionable contextual threat intelligence through our shared factory operations. UltraViolet Cyber collaborates with fully and co-managed security teams worldwide, delivering real-time alerts that enable security responders to swiftly and effectively combat live threats. However, finding a threat is only half the battle—defenders must rapidly contain and remediate the threat to minimize any potential damage.
Finding it challenging to detect threats, whether they come from known adversaries, insider sources, or external attackers? Our team diligently monitors the evolving threat landscape, continuously analyzing new attack types, critical vulnerabilities, and the behaviors of cybercriminals and adversaries.
To achieve seamless security, organizations must prioritize robust patch management, implement strong user and password controls, enforce stringent privileged access management practices, and exercise caution with all externally accessible services.
Vigilance and swift action are crucial, as adversaries persistently seek new avenues to breach organizations and can move laterally within minutes of gaining a foothold. Defenders must monitor around the clock and be ready to respond within minutes when threats emerge.
Additionally, remote access should be closely monitored. The use of legitimate, non-native remote access tools like TeamViewer, AnyDesk, or VNC (and its variants) by eCrime actors has become increasingly prevalent. Defenders should implement strict restrictions and conduct regular audits on the usage of such tools, even for authorized purposes.
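As an added example (not code from the original post or from UltraViolet Cyber), the following Python audit scans constructed process-creation events for the non-native remote access tools named above and flags any launch by a host/user pair that is not on an approved list, also noting when the binary runs from outside Program Files; the log format, the allowlist, and the sample events are assumptions made for the example.

```python
import re

# Constructed sample process-creation events: "<timestamp> <host> <user> <image path>".
# The log format is an assumption for this example, not a real product's schema.
SAMPLE_EVENTS = r"""
2024-01-09T08:12:03Z ws-101 alice C:\Program Files\TeamViewer\TeamViewer.exe
2024-01-09T08:15:44Z ws-102 bob C:\Windows\System32\svchost.exe
2024-01-09T09:02:10Z srv-db01 svc_backup C:\Users\Public\AnyDesk.exe
2024-01-09T09:05:31Z ws-103 carol C:\Program Files\RealVNC\VNC Server\vncserver.exe
2024-01-09T11:40:02Z ws-101 alice C:\Program Files\TeamViewer\TeamViewer.exe
"""

# Image-name patterns for the non-native remote access tools named in the text.
REMOTE_ACCESS_TOOLS = {
    "teamviewer": re.compile(r"teamviewer", re.I),
    "anydesk": re.compile(r"anydesk", re.I),
    "vnc": re.compile(r"vnc", re.I),  # covers RealVNC, TightVNC, UltraVNC binaries
}

# Hypothetical allowlist produced by the audit: (host, user) -> tools approved there.
APPROVED = {("ws-101", "alice"): {"teamviewer"}}

def parse_event(line):
    ts, host, user, image = line.split(" ", 3)  # image path may contain spaces
    return {"ts": ts, "host": host, "user": user, "image": image}

def identify_tool(image):
    """Return the tool name if the image basename matches a known remote access tool."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1]
    for tool, pattern in REMOTE_ACCESS_TOOLS.items():
        if pattern.search(base):
            return tool
    return None

def audit(events_text, approved=APPROVED):
    """Return one finding per remote-access-tool launch, marked approved or UNAPPROVED."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        tool = identify_tool(ev["image"])
        if tool is None:
            continue
        ev["tool"] = tool
        ev["status"] = "approved" if tool in approved.get((ev["host"], ev["user"]), set()) else "UNAPPROVED"
        # A copy run from outside Program Files deserves a closer look even when the tool is allowed.
        ev["portable"] = not ev["image"].lower().startswith("c:\\program files")
        findings.append(ev)
    return findings
```

Calling `audit(SAMPLE_EVENTS)` on the constructed events yields four findings, two of them UNAPPROVED: the AnyDesk launch on srv-db01 (a portable copy under C:\Users\Public) and the VNC server on ws-103.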