Skip to main content
An icon of a telephone receiver
Sign In
NEW! Advisories Try For Free

Monthly Threat Brief: November 2023

Posted:
12/20/2023
| By:
Bryson Medlock

This is the first installment of a new Monthly Threat Brief series, which will be published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of November. For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports.

November 2023 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources as well as from any security incident escalated by ConnectWise SOC Services™. These IOCs are used for automated threat hunting as well as data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data in 2024.

23-DMDG-1503-figure1.png

Figure 1: Summary of IOCs collected in November 2023

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by ConnectWise SOC Services. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® Techniques for October—provided for comparison—and November 2023.

23-DMDG-1503-figure2.png

Figure 2: Top 10 MITRE ATT&CK Techniques observed in October 2023

23-DMDG-1503-figure3.png

Figure 3: Top 10 MITRE ATT&CK Techniques observed in November 2023

Solarmarker/Jupyter

Solarmarker, also known as Jupyter, Polazert, and Yellow Cokatoo, is a family of malware known for infostealing and its backdoor capabilities. Solarmarker is an infostealer known for stealing passwords and credit card information from its victims' browsers. It also has command and control (C2) capabilities, such as file transfer and remotely executing commands.

Solarmarker is primarily distributed by convincing users to download a malicious file using SEO poisoning (T1608.006). Some recent incidents involve downloading an LNK file (T1204.002) that executes malicious Powershell (T1059.001).

Recent versions of Solarmarker have been using an Autodesk installer. Most of the initial files downloaded include some version of "installer-package.exe" though the actual filename may vary.

Often, a user will download Solarmarker attempting to download a non-malicious, legitimate application, such as a PDF editor. The initial dropper will launch a legitimate installer of the application it is masquerading (T1036) as, while the malware installs in the background.

MITRE ATT&CK Techniques

23-DMDG-1503-table1.png

IOCs

23-DMDG-1503-table2.png

Coming soon: Trojanized advanced IP scanner

Toward the end of November, the CRU observed several incidents stemming from a malvertising campaign distributing a trojanized version of the advanced IP scanner installer, a free network scanning tool that we see many MSPs use to map networks. Read the malvertising report here.

New ConnectWise SIEM signatures

New CW SIEM detection signatures added in November 2023 include:

  • [O365] Atypical Travel Alert

Technique detected: [T1078] Valid Accounts

Description: Microsoft Entra ID P2 Required. This event notification identifies atypical travel patterns in Office 365, as reported by Microsoft. This could indicate unauthorized access or compromised credentials. Resolved alerts are not included in this event notification.

  • [O365] Unusual volume of External File Sharing

Technique detected: [T1567] Exfiltration: Exfiltration Over Web Service

Description: Defender for Office 365 P2 required. This event notification identifies an unusually high volume of files shared externally through Office 365, compared to baseline behavior, as reported by Microsoft.

  • [O365] Unusual Volume of File Deletion

Technique detected: [T1485] Data Destruction

Description: Defender for Office 365 P2 required. This event notification identifies when a user has deleted an unusually large volume of files, as reported by Microsoft.

  • [CRU][Windows] Possible Ghost Task - Scheduled Task Registry Keys Set by Suspicious Process

Technique detected: [T1053.005] Scheduled Task/Job: Scheduled Task

Description: This alert triggers on activity around stealthy scheduled task creation as seen with tools like GhostTask. Normally, when scheduled tasks are created in Windows, several corresponding registry keys and values are created in the "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache" registry key.

Typical means of creating scheduled tasks also create an auditable event, but research has shown that attackers can create scheduled tasks for persistence without generating those event logs by directly creating and manipulating these registry keys. The "SD" value located in the "Tree" subkey provides a security descriptor for the task that controls who the task is visible to, and attackers may either delete this value or set the value to a security descriptor with permissions that hide the task from users.

In normal activity, "svchost.exe" would be the only process that would be interacting with these registry keys. This event notification attempts to alert on possible stealthy task creation by looking for manipulation of these registry keys by processes other than "svchost.exe" or other common, verified software. Investigate by verifying the trustworthiness of the process manipulating the registry and tracing its previous activity. Review the task name, visible in the key path, for suspicious values. Review activity following shortly after for suspicious processes.

  • [O365][MDI] User and IP address reconnaissance (SMB)

Technique detected: [T1049] System Network Connections Discovery

Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which SMB session enumeration is detected against a domain controller. If this is expected, the source host can be whitelisted within MDI. If this is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts

  • [O365][MDI] Suspected brute-force attack (Kerberos, NTLM)

Technique detected: [T1110] Brute Force

Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which a host was seen brute forcing or password spraying. If this is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-brute-force-attack-kerberos-ntlm-external-id-2023

  • [O365][MDI] Suspicious communication over DNS

Technique detected: [T1572] Protocol Tunneling

Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which anomalous DNS traffic is observed, which could indicate exfiltration, command and control, or other malicious activity. If this traffic is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/exfiltration-alerts

Related Blog Posts

<< Back to All Blog Posts
11/01/2023
9 min read
Unveiling LOLBins: Living off the land binaries
By: Al Calleo
LOLBins are legitimate systems tools that are being exploited by attackers due to their stealthy nature. Gain insight into the use of LOLBins and learn proactive measures you can take to avoid being compromised.
Read the blog
security general icon
Cybersecurity
11/08/2023
9 min read
Unveiling LOLBins: Living off the land binaries part 2
By: Al Calleo
Dive into Part 2 of our LOLBins blog series and gain insight into commonly abused binaries, how they’re leveraged to avoid detection, and why it’s essential to monitor LOLBins for compromise indicators.
Read the blog
security general icon
Cybersecurity
12/27/2023
12 min read
Examining MITRE techniques in malicious incidents: part 1
By: Diara Dankert
In part one of our MITRE ATT&CK series, you’ll learn all about two common cyberthreat techniques, spearphishing attachments and malicious file execution, and how to defend against them.
Read the blog
security general icon
Cybersecurity

Recommended