Monthly Threat Brief: November 2023
This is the first installment of a new Monthly Threat Brief series, which will be published by the ConnectWise Cyber Research Unit™ (CRU).
In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of November. For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports.
November 2023 stats
The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources as well as from any security incident escalated by ConnectWise SOC Services™. These IOCs are used for automated threat hunting as well as data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data in 2024.
Figure 1: Summary of IOCs collected in November 2023
The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by ConnectWise SOC Services. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® Techniques for October—provided for comparison—and November 2023.
Figure 2: Top 10 MITRE ATT&CK Techniques observed in October 2023
Figure 3: Top 10 MITRE ATT&CK Techniques observed in November 2023
Solarmarker
Solarmarker, also known as Jupyter, Polazert, and Yellow Cockatoo, is a malware family with both infostealing and backdoor capabilities. As an infostealer, it harvests passwords and credit card information from its victims' browsers. It also has command and control (C2) capabilities, such as file transfer and remote command execution.
Solarmarker is primarily distributed by convincing users to download a malicious file via SEO poisoning (T1608.006). Some recent incidents involved downloading an LNK file (T1204.002) that executes malicious PowerShell (T1059.001).
Recent Solarmarker droppers have been packaged as an Autodesk installer. Most of the initial files downloaded are some variant of "installer-package.exe", though the actual filename may vary.
Often, a user downloads Solarmarker while attempting to download a non-malicious, legitimate application, such as a PDF editor. The initial dropper launches a legitimate installer of the application it is masquerading as (T1036), while the malware installs in the background.
MITRE ATT&CK Techniques
Coming soon: Trojanized Advanced IP Scanner
Toward the end of November, the CRU observed several incidents stemming from a malvertising campaign distributing a trojanized version of the Advanced IP Scanner installer, a free network scanning tool that many MSPs use to map networks. Read the malvertising report here.
New ConnectWise SIEM signatures
New CW SIEM detection signatures added in November 2023 include:
- [O365] Atypical Travel Alert
Technique detected: [T1078] Valid Accounts
Description: Microsoft Entra ID P2 required. This event notification identifies atypical travel patterns in Office 365, as reported by Microsoft. This could indicate unauthorized access or compromised credentials. Resolved alerts are not included in this event notification.
- [O365] Unusual volume of External File Sharing
Technique detected: [T1567] Exfiltration: Exfiltration Over Web Service
Description: Defender for Office 365 P2 required. This event notification identifies an unusually high volume of files shared externally through Office 365, compared to baseline behavior, as reported by Microsoft.
- [O365] Unusual Volume of File Deletion
Technique detected: [T1485] Data Destruction
Description: Defender for Office 365 P2 required. This event notification identifies when a user has deleted an unusually large volume of files, as reported by Microsoft.
- [CRU][Windows] Possible Ghost Task - Scheduled Task Registry Keys Set by Suspicious Process
Technique detected: [T1053.005] Scheduled Task/Job: Scheduled Task
Description: This alert triggers on activity associated with stealthy scheduled task creation, as seen with tools like GhostTask. Normally, when a scheduled task is created in Windows, several corresponding registry keys and values are created under the "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache" registry key.
Typical means of creating scheduled tasks also create an auditable event, but research has shown that attackers can create scheduled tasks for persistence without generating those event logs by directly creating and manipulating these registry keys. The "SD" value located in the "Tree" subkey provides a security descriptor for the task that controls who the task is visible to, and attackers may either delete this value or set the value to a security descriptor with permissions that hide the task from users.
In normal activity, "svchost.exe" (which hosts the Task Scheduler service) should be the only process interacting with these registry keys. This event notification attempts to alert on possible stealthy task creation by looking for manipulation of these registry keys by processes other than "svchost.exe" or other common, verified software. Investigate by verifying the trustworthiness of the process manipulating the registry and tracing its previous activity. Review the task name, visible in the key path, for suspicious values. Review activity shortly afterwards for suspicious processes.
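The detection logic described above, as an added example that is not part of the brief and not the CW SIEM signature itself: it evaluates registry-modification events against the TaskCache key, allowlists svchost.exe, and raises severity when the "SD" value under the "Tree" subkey is deleted or rewritten by an untrusted process. The "Field=value|Field=value" log format, the field names (modelled loosely on Sysmon registry events), the sample process paths and the task name "SystemHealthCheck" are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry key where the Task Scheduler caches task definitions (from the brief).
TASKCACHE = r"hklm\software\microsoft\windows nt\currentversion\schedule\taskcache"

# Processes expected to touch TaskCache in normal operation. svchost.exe hosts the
# Task Scheduler service; add other verified software for your environment.
TRUSTED_IMAGES = {r"c:\windows\system32\svchost.exe"}

# Value names that live directly under a task's Tree\<TaskName> key.
TREE_VALUE_NAMES = {"sd", "id", "index"}


@dataclass
class Finding:
    severity: str
    image: str
    task: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value|Field=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def task_from_target(target: str) -> Optional[str]:
    """Return the task name encoded in a TaskCache\\Tree\\... path, or None.

    The task name is everything after \\Tree\\, minus a trailing value name
    such as SD, Id or Index (sub-folders like Microsoft\\Windows\\Foo are kept).
    """
    match = re.search(r"\\tree\\(.+)$", target, re.IGNORECASE)
    if not match:
        return None
    parts = match.group(1).split("\\")
    if parts[-1].lower() in TREE_VALUE_NAMES:
        parts = parts[:-1]
    return "\\".join(parts)


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if an untrusted process manipulated TaskCache, else None."""
    target = event.get("TargetObject", "")
    if not target.lower().startswith(TASKCACHE):
        return None  # unrelated registry activity
    image = event.get("Image", "")
    if image.lower() in TRUSTED_IMAGES:
        return None  # expected Task Scheduler behaviour
    event_type = event.get("EventType", "")
    value_name = target.rsplit("\\", 1)[-1].lower()
    task = task_from_target(target) or "<unknown>"
    # Deleting or rewriting the SD security descriptor is how a task is hidden.
    if value_name == "sd" and event_type == "DeleteValue":
        return Finding("high", image, task, "SD value deleted: task hidden from enumeration")
    if value_name == "sd" and event_type == "SetValue":
        return Finding("high", image, task, "SD security descriptor rewritten by untrusted process")
    return Finding("medium", image, task, f"TaskCache modified ({event_type}) by untrusted process")


def detect(lines) -> list:
    """Run evaluate() over a batch of event lines and collect the findings."""
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample events: one benign svchost.exe write, a hypothetical
# dropper creating a task by hand and deleting its SD value, and an unrelated key.
TC = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
DROPPER = r"C:\Users\bob\AppData\Local\Temp\gt.exe"
SAMPLE_EVENTS = [
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe|TargetObject="
    + TC + r"\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Scan\SD",
    r"EventID=12|EventType=CreateKey|Image=" + DROPPER + "|TargetObject=" + TC + r"\Tree\SystemHealthCheck",
    r"EventID=13|EventType=SetValue|Image=" + DROPPER + "|TargetObject=" + TC + r"\Tree\SystemHealthCheck\Id",
    r"EventID=12|EventType=DeleteValue|Image=" + DROPPER + "|TargetObject=" + TC + r"\Tree\SystemHealthCheck\SD",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\reg.exe|TargetObject="
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.severity}] task={finding.task!r} image={finding.image} :: {finding.reason}")
```

The allowlist is deliberately small: every extra trusted image is a blind spot, so expand it only with software you have verified in your own environment, and treat a medium finding as the starting point for the investigation steps the signature description lists (process trust, prior activity, task name, follow-on processes) rather than as a verdict on its own.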
- [O365][MDI] User and IP address reconnaissance (SMB)
Technique detected: [T1049] System Network Connections Discovery
Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which SMB session enumeration is detected against a domain controller. If this is expected, the source host can be allowlisted within MDI. If this is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts
- [O365][MDI] Suspected brute-force attack (Kerberos, NTLM)
Technique detected: [T1110] Brute Force
Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which a host was seen brute-forcing or password-spraying accounts. If this is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-brute-force-attack-kerberos-ntlm-external-id-2023
- [O365][MDI] Suspicious communication over DNS
Technique detected: [T1572] Protocol Tunneling
Description: Microsoft Defender for Identity required. This is an alert from Microsoft Defender for Identity in which anomalous DNS traffic is observed, which could indicate exfiltration, command and control, or other malicious activity. If this traffic is not expected, the source host should be isolated from the network. https://learn.microsoft.com/en-us/defender-for-identity/exfiltration-alerts