May - Monthly Threat Pulse Review

CONTENTS

SECTION 1 Ransomware Insights ................................................ 4

SECTION 2 Intelligence Insights: Malicious Use Cases of AI ........ 6

SECTION 3 VPN Brute-Force Attacks ........................................... 8

SECTION 4 This Month’s Threat Hunt - IcedID & Dagon Locker .... 10

SECTION 5 Threat Spotlight ......................................................... 12

EXECUTIVE SUMMARY

This month’s edition of the Threat Pulse from NCC Group’s Threat Intelligence Team contains a summary of observed ransomware attacks around the globe, a continuation of last month’s inaugural theme of AI with an examination of how to defend against AI-assisted attacks, an insight into some of the great work being carried out by the TI team in the form of an exploration of the emerging issue of brute force attacks against VPNs, a Spotlight piece by the Tactical Threat Intelligence team on the evolution of criminality following AI’s emergence, and a threat hunt done in collaboration with NCC’s Security Operations Centre (SOC).

The ransomware scene has evolved significantly since last month’s reporting. Not only have we seen the introduction of several new and interesting actors, but also the re-emergence of LockBit 3.0 to their previously well-established position at the top of the pack of most prominent actors. This, however, is not to be taken at face value; though their activity levels have returned to what we would ordinarily expect, there is speculation within the cybercriminal and security commentator communities that they are artificially inflating their attack count in order to appear unperturbed by their recent interactions with law enforcement. We have also observed a continuation of attacks levied against organisations in South America and Africa, which last month we linked to a potential new trend of sophisticated actors using the region as a proving ground for new malware before deploying it against targets in Europe and North America.

This month’s Spotlight piece on AI and the continuation of last month’s theme are similar in scope. The Spotlight discusses the criminality element of the cybercrime landscape after the advent of AI: it is increasingly being used in much the same way as in the non-criminal landscape, i.e. through chatbots on forums that use LLMs to help users find answers to their questions. It can also be used for actively malicious purposes, such as speeding up network scanning or writing better phishing emails.

The Intelligence Insights piece pivots from this angle and focuses on how to defend against AI-assisted attack methodologies. Though AI can indeed be a tool to help malicious actors carry out their nefarious campaigns, it can also be used by defenders to protect their digital estates. Beyond that, traditional defensive measures such as proactive network and vulnerability scanning, updating and patching software and firmware in a timely manner, and, most importantly, training staff to identify common security threats, can and do go a long way to mitigate the threat posed by cybercriminals of all types, whether they are using AI-assisted tools or not.

The Intelligence Insights section was expanded this month to include an examination of the rise of brute force attacks against VPN services. Brute force attacks are those in which attackers try every possible combination of characters, words, or phrases in order to get hold of encrypted information or gain valid credentials. Though typically not thought of as a sophisticated attack methodology, they can require immense levels of computational power to conduct and so could be carried out by actors with large botnets at their disposal. Further, a lack of perceived sophistication does not mean that they are incapable of achieving the attacker’s desired ends. Since March 2024 there has been an increase in brute force attacks against a range of VPN services, originating from both the Tor browser and a range of proxy services. These attacks do not currently appear to be targeting a specific industry or region, but IP addresses released by Cisco which were included in observed attacks have in the past been linked to the activity of APT29, a Russian state-sponsored threat group.

This month’s threat hunt examined a phishing campaign that, although first spotted in August 2023, was not reported on until the 29th of April 2024. Our Global SOC did see a number of detections on the back of some of the IoCs we provided, and we were able to uncover further IoCs as a result. This month we dig into some additional potentially malicious IP addresses that were discovered by pivoting from suspicious domains.
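The VPN brute-force passage of the executive summary describes the attack in terms of volume (every possible combination, large botnets, many source addresses). From a defender’s side the useful signal is that volume, and the following is an added illustration of turning it into a detection; it is not part of the NCC Group report or of any NCC tooling. The log format, the thresholds, the window size and the watchlist entry are all constructed assumptions (the addresses are RFC 5737 documentation ranges), and a real deployment would substitute its own VPN authentication logs and the vendor-published address list the report refers to.

```python
"""Flag brute-force, password-spray and "success after failures" patterns in
VPN authentication logs. Added example with constructed data, not report code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <RESULT> <user> <source IP>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL alice 203.0.113.7
2024-05-01T10:00:03Z FAIL alice 203.0.113.7
2024-05-01T10:00:05Z FAIL alice 203.0.113.7
2024-05-01T10:00:08Z FAIL alice 203.0.113.7
2024-05-01T10:00:10Z FAIL alice 203.0.113.7
2024-05-01T10:00:12Z OK alice 203.0.113.7
2024-05-01T10:01:00Z FAIL bob 198.51.100.4
2024-05-01T10:01:02Z FAIL carol 198.51.100.4
2024-05-01T10:01:04Z FAIL dave 198.51.100.4
2024-05-01T10:01:06Z FAIL erin 198.51.100.4
2024-05-01T10:05:00Z FAIL frank 192.0.2.9
2024-05-01T10:05:30Z OK frank 192.0.2.9
2024-05-01T11:30:00Z FAIL alice 203.0.113.7
"""

# Constructed placeholder watchlist. A real deployment would load the
# published address list mentioned in the report rather than this literal.
WATCHLIST = {"198.51.100.4"}

WINDOW = timedelta(minutes=10)   # assumed correlation window
BRUTE_FORCE_FAILS = 5            # failures against ONE account from one IP
SPRAY_DISTINCT_USERS = 3         # distinct accounts failed from one IP


def parse_log(text):
    """Return events as (timestamp, result, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), result, user, ip))
    return sorted(events)


def _success_after_failures(evs):
    """True if an OK follows a FAIL from the same IP within WINDOW."""
    last_fail = None
    for ts, result, _user, _ip in evs:
        if result == "FAIL":
            last_fail = ts
        elif result == "OK" and last_fail is not None and ts - last_fail <= WINDOW:
            return True
    return False


def analyse(events):
    """Group by source IP and classify each IP's failure pattern.

    brute_force:    >= BRUTE_FORCE_FAILS failures on one account inside WINDOW
    password_spray: >= SPRAY_DISTINCT_USERS distinct accounts failed inside WINDOW
    success_after_failures: a login succeeded right after a flagged pattern,
                    i.e. the credential is likely compromised (highest priority)
    watchlist_ip:   the source is on the (placeholder) watchlist
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        flags = set()
        # Sliding window anchored at each failure; counts only what follows it.
        for i, start in enumerate(fails):
            window = [e for e in fails[i:] if e[0] - start[0] <= WINDOW]
            per_user = defaultdict(int)
            for e in window:
                per_user[e[2]] += 1
            if max(per_user.values()) >= BRUTE_FORCE_FAILS:
                flags.add("brute_force")
            if len(per_user) >= SPRAY_DISTINCT_USERS:
                flags.add("password_spray")
        # A single typo followed by a login is normal; only escalate IPs already flagged.
        if flags and _success_after_failures(evs):
            flags.add("success_after_failures")
        if ip in WATCHLIST:
            flags.add("watchlist_ip")
        if flags:
            findings.append({"ip": ip, "flags": sorted(flags), "failures": len(fails)})
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(finding)
```

Two design points matter in practice. The window is anchored at each failure rather than at fixed clock boundaries, so a burst straddling a minute or hour boundary is not split in two and missed. And the "watchlist" flag is kept separate from the behavioural flags: a published address list is useful context, but the attacks described above rotate through Tor exits and proxies, so the behavioural thresholds are what catch sources the list has not yet seen.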