Focus Mode
Threat Research

Securonix Threat Labs Monthly Intelligence Insights – October 2024

Securonix

Summary:

The October 2024 Monthly Intelligence Insights report from Securonix Threat Labs highlights significant cybersecurity threats, including the critical FortiJump vulnerability (CVE-2024-47575) in FortiManager, the ClickFix malware campaign targeting Google Meet users, and various ransomware groups such as Keygroup777 and Meow. The report emphasizes the importance of patch management, network segmentation, and monitoring for unusual activities to mitigate these threats.
#FortiJump #ClickFix #RansomwareThreats

Keypoints:

  • Identified 6,108 TTPs and IoCs, 158 emerging threats, and 71 potential threats in October 2024.
  • CVE-2024-47575 vulnerability allows remote, unauthenticated access to FortiManager systems.
  • ClickFix malware campaign uses fake Google Meet pages to distribute infostealers.
  • Ransomware groups like Keygroup777, Meow, and Dark Angels continue to target high-value sectors.
  • Resurgence of Bumblebee malware and emergence of PerfCtl malware targeting corporate networks and Linux servers.
  • Multiple APT groups, including Transparent Tribe and CerenaKeeper, are actively targeting government and defense sectors.
  • Recommendations include applying patches, limiting access, and implementing strong data loss prevention measures.

    • MITRE Techniques:

  • Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services to gain unauthorized access.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Data Encrypted for Impact (T1486): Encrypts data to disrupt access and demand ransom.
  • Credential Dumping (T1003): Collects credentials from compromised systems to facilitate lateral movement.
  • Application Layer Protocol (T1071.001): Uses application layer protocols for command and control communications.
  • Phishing (T1566): Uses deceptive emails to trick users into executing malicious payloads.
  • Remote File Copy (T1105): Transfers files from a remote server to a compromised system.

    • IoC:

  • [domain] googiedrivers[.]com
  • [file name] Launcher_v1.94.dmg
  • [file hash] CVE-2024-47575
  • [tool name] Bumblebee
  • [tool name] PerfCtl
  • [email] [email protected]
  • [others] 59,000 exposed devices tracked by Shodan

    • Full Research: https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-october-2024/

    Tags: LATERAL MOVEMENT, IMPACT, CVE, LINUX, TOOL, GOVERNMENT, PATCH, CREDENTIAL