EXECUTIVE SUMMARY

This April edition of NCC Group’s Threat Intelligence Team’s monthly Threat Pulse report contains a summary of observed ransomware attacks around the globe; an introduction to Artificial Intelligence (AI), the types of threats it can present, and how it can be used to bolster security teams’ defences; a threat hunt conducted in collaboration with NCC’s Security Operations Centre (SOC); and finally a threat spotlight, written by the Strategic Intelligence Team, on a recently discovered and constantly evolving mobile malware family.

The ransomware scene has managed both to match expected behaviours and to buck expected trends. The scale of activity we have observed follows the pattern we saw in 2023: a slow start to the year in January, monthly increases for the rest of Q1, followed by a dip in activity in April. Beyond that, the scale of activity is still, in general, greater than it was last year, as we expected, and we realistically expect the same again next year. The Industrials and Consumer Cyclicals sectors were once again the first- and second-most targeted sectors, while North America and Europe were, as expected, the two most targeted regions around the globe. In a surprising turn of events, however, LockBit 3.0 was not the most prominent threat group for the month and accounted for fewer than half as many observed attacks as it did in March. Instead, Play was the most active threat group, followed shortly after by Hunters.

Artificial Intelligence is an emerging set of technologies which has gripped the imagination of many. It can be used by cybercriminals and security teams alike, and it may either be responsible for a paradigm shift in the cyber threat landscape or simply become another tool in the arsenal of malicious threat actors and defenders alike. We have outlined some of the ways it can be used both for good and ill, and will expand on these in the next two issues of the monthly Threat Pulse, treating AI as a theme for Q2.

The threat hunt this month, in collaboration with NCC’s SOC, focused on the exploitation of a CVSS 10.0 critical vulnerability (CVE-2024-3400) affecting the PAN-OS software found in Palo Alto Networks firewalls. The malicious C2 IP identified by Palo Alto themselves was found to be the Indicator of Compromise (IoC) responsible for most hits against our EDR, SIEM, and Network Monitoring clients. This IP address was first reported on the 9th of July 2023 and as recently as the 5th of May 2024, with activity picking up significantly in March, which is when exploitation of CVE-2024-3400 was first reported. This implies not only that this IP was first utilised for malicious activities within the last year, but that abuse is still taking place at present.

The Threat Spotlight is research on the Vultur Android malware conducted by our Tactical Intelligence Team. First spotted in March 2021, it was one of the first Android banking malware families to include screen recording capabilities, and it also offers features such as keylogging and interacting with a victim’s device screen. Vultur mainly targets banking apps for keylogging and remote control. A more comprehensive look, including an overview of the infection chain, the execution flow, and an assessment of new features including obfuscation capabilities, can be found in the blog post.