|
|
|
|
LevelBlue Labs
Threat Intelligence News
|
|
|
The LevelBlue Labs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue Labs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.
|
|
|
|
|
|
Latest Threat Intelligence News
|
|
|
|
|
|
|
Salt Typhoon Hacks of Telecommunications Companies
|
|
|
|
A Chinese cyber-espionage group named Salt Typhoon has reportedly compromised multiple telecommunications companies, including T-Mobile, AT&T, Lumen and Verizon. The breach was part of a large-scale campaign that targeted US telcos and around 150 companies, mostly located in the DC area, whom have already been notified by the FBI. The breach allowed Chinese hackers to spy on political figures and tap into the US law enforcement wiretapping system. The New York Times reported that the victims were alerted by Microsoft due to unusual activity on their networks. This activity included data on Salt Typhoon servers that was traced back to nodes within US telecom networks.
|
|
|
|
Palo Alto vulnerabilities exploited in the wild
|
On November 8, Palo Alto Networks disclosed CVE-2024-0012, a RCE vulnerability in PAN-OS. This vulnerability enables unauthenticated attackers with access to the management web interface to gain administrative privileges. On November 18, Palo Alto disclosed CVE-2024-9474, a lower-severity PAN-OS flaw enabling privilege escalation under certain conditions. Combining both vulnerabilities allow attackers to first gain admin access through CVE-2024-0012, then exploit CVE-2024-9474 to escalate privileges or further exploitation. Unit 42 has detected limited exploitation activity involving CVE-2024-0012.
In addition, two critical vulnerabilities reported last month are being actively exploited. The CVE-2024-9463, a severe OS command injection vulnerability with a critical rating of 9.9, and CVE-2024-9465, a SQL injection vulnerability rated at 9.2. If exploited, these flaws could result in the exposure of sensitive data. Attackers could also gain unauthorized access to systems, enabling them to execute malicious code
|
|
|
|
|
|
Tracking, Detection & Hunting Capabilities
|
|
|
|
|
|
The team has created a new tracker this month, which happens to be in this month’s most active malwares during the last month:
|
- RaccoonO365: RaccoonO365 is an Adversary in the Middle (AiTM) Phishing kit that emerged at the beginning of 2024. This AiTM Phishing kit is specialized in supplanting O365 applications to steal credentials. It targets Microsoft O365 and Outlook users, aiming to bypass MFA protections and steal session cookies through advanced phishing techniques. The service is offered via Telegram and includes phishing templates, dynamic URL generation tools, and session cookie theft functionality, primarily focusing on business and cloud-dependent enterprises. Morado cybersecurity company published a blog about this malware during this month.
|
|
The LevelBlue trackers have identified over 1,400 new IOCs for the different families it tracks. The busiest trackers during the month of December have been:
|
|
|
|
|
|
|
USM Anywhere Detection Improvements
|
|
|
|
|
|
In November, 81 USM Anywhere detections were added or improved. Here are a few examples of improvements and new elements created:
|
- Several new rules related to Anomalous User Behavior for Okta, O365, Anomalous logins and more.
- New alerts in the CrowdStrike Falcon Detection ruleset, to identify brute force activity and generic alerts.
- New alerts in the Trend Micro Vision One ruleset, to identify command line injection and exploit attempts.
|
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
|
|
|
|
|
|
|
|
LevelBlue Labs Open Threat Exchange
|
|
|
|
|
LevelBlue Labs Open Threat Exchange (OTX) is the world’s largest open threat intelligence community, made up of 450K threat researchers who publish threat information from 140 different countries on the OTX platform, which our LevelBlue Labs team enriches and consumes. You can go here to find out more about the new pulses or to sign up to be part of the community.
|
|
|
|
|
The LevelBlue Labs team is continuously creating new Pulses in OTX based on what they are seeing in the wild. In November, 111 new Pulses were created by the Labs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
|
|
|
|
|
|
|
|
|
|
|
|
LevelBlue Labs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world.
Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.
|
|
|
|
|
|
|
|
|
