Skip to the main content.
Contact Us
Contact Us

4 min read

Cyber Threat Intelligence Briefing - November 6, 2023

Picture of The PacketWatch Intelligence Team The PacketWatch Intelligence Team : Nov 6, 2023 12:24:05 PM

Threat Intel Vulnerability Management Ransomware Zero-Day Biweekly Briefing
Cyber Threat Intelligence Briefing - November 6, 2023

Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights Microsoft's latest Octo Tempest and ALPHV/BlackCat research, Google Registry selling .ing or .meme domains, and a vulnerability roundup of six CVEs to watch for.

Microsoft Research: Octo Tempest and ALPHV/BlackCat

1Microsoft recently published extensive research on the financially motivated threat actor they labeled as Octo Tempest.

The group, also referred to as 0ktapus, Scattered Spider, and UNC3944, was originally observed in early 2022, and has since evolved and enhanced its tactics, techniques, and procedures (TTPs) to become very aggressive and very dangerous.

In mid-2023, Octo Tempest became an affiliate of the notorious ransomware-as-a-service (RaaS) group ALPHV/BlackCat.

They have expanded their victimology to include gaming, natural resources, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

They are also known to target Windows, Linux, and VMware ESXi servers, and are a double-extortion ransomware group, meaning they will exfiltrate data and threaten to leak it online as well as encrypt data on the victim network.

One of the most notable TTPs of Octo Tempest is their sophisticated and extremely aggressive social engineering tactics to gain initial access to the victim environment.

They conduct meticulous research on the victim, which combined with their native English-speaking abilities, allows them to impersonate members within the target organization convincingly.

Octo Tempest is known to call the helpdesk or IT personnel and convince them to reset passwords and MFA or install remote monitoring and management tools.  The group has also been observed using aggressive fear-mongering tactics through phone calls and text messages.

The Microsoft report shows text conversations where the threat actor threatens to send shooters to the user's house unless the user divulges their logins.

How To Protect Your Organization

Robust Identity and Access Management (IAM) is critical to defending against a threat actor such as Octo Tempest.  Microsoft's recommendations focus on Azure and Entra ID, but the principles can be leveraged across any platform:

  • Implement role assignments as eligible rather than permanent (make high-privileged roles temporary)
  • Implement the principle of least privilege (only delegate access and permissions that are absolutely necessary)
  • Configure roles to be time-bound (deactivate after a specific timeframe)
  • Require MFA to elevate to the new role
  • Require users to provide justification upon elevation
  • Enable notifications of privileged role elevation to administrators
  • Periodically review roles and permissions

Additionally, as with all social engineering threats, user awareness is crucial.  Users need to be made aware of the types of threats and techniques that are being leveraged by today's threat actors.  Clear policies should be established for verifying user identities over the phone.  

For additional details on Octo Tempest TTPs and remediation steps, see Microsoft's blog here.

Google Registry Now Selling '.ing' and '.meme' Top Level Domains

2-1On October 31, Google Registry announced it had begun an early access period where users can now register domains with either a '.ing' or '.meme' TLD. This will open up to general availability on December 5.

As with all new TLD releases, this adds additional potential for phishing abuse.

Users should be made aware of these TLDs, and administrators should consider blocking them if it is deemed access to their servers is not a legitimate business case.

Vulnerability Roundup

3Cisco IOS XE Web UI

This critical vulnerability, CVE-2023-20198, was addressed in the previous Intel Report.  Since then, this vulnerability has been under active exploitation.  The Cybersecurity & Infrastructure Security Agency (CISA) has released additional guidance on technical details and remediation of this vulnerability which can be found here. IOCs containing IP addresses observed exploiting this vulnerability can be found in Appendix A.

VMware vCenter Server RCE

VMware recently disclosed a new critical vulnerability in vCenter Server that can allow for remote code execution.  The threat actor would need network access to vCenter Server in order to exploit the vulnerability.  So far, this vulnerability has not been observed being exploited in the wild.  However, there are no workarounds for this vulnerability, and the only remediation is to patch to the latest version.  Further details on the fixed version can be found on the VMware Security Advisory here.

Confluence Data Center and Server

Another critical vulnerability, CVE-2023-22518, was disclosed for all versions of on-prem Confluence Data Center and Server.  Per the advisory, Atlassian Cloud sites are not affected. This vulnerability is described as an 'improper authorization' vulnerability, and according to Atlassian, successful exploitation could lead to data destruction attacks.  As of Friday Nov 3, Atlassian has reported this vulnerability being actively exploited in the wild.  Administrators are urged to patch immediately.  If patching is not possible, mitigations and workaround details can be found on the Atlassian advisory here.  

Four New 0-Days in Microsoft Exchange

Last week Trend Micro's Zero Day Initiative (ZDI), disclosed 4 new 0-days in the Microsoft Exchange platform.  Of the 4 vulnerabilities, one can lead to code execution as 'SYSTEM', and the other three are information disclosure vulnerabilities.  All 4 vulnerabilities require the attacker to be authenticated.  Microsoft has made the decision to postpone fixes for these, as they deemed them not severe enough for immediate servicing.  Currently, the best remediation strategy is to implement multi-factor authentication (MFA) to prevent threat actors from gaining access even if they have compromised valid credentials.

F5 BIG-IP RCE

A new unauthenticated remote code execution vulnerability, CVE-2023-46747, was disclosed last week for the F5 BIG-IP configuration utility.  In order to be exploited, the threat actor needs access to the Traffic Management User Interface, which is commonly exposed to the internet.  Proof-of-concept code is already in the wild.  Administrators are urged to patch immediately.  A full list of vulnerable devices and steps for remediation can be found in the F5 advisory here.

Apache ActiveMQ RCE

A critical deserialization vulnerability (CVE-2023-46604) in Apache ActiveMQ allows for unauthenticated remote code execution on vulnerable servers.  This week, researchers at Rapid7 reported the HelloKitty ransomware group is actively exploiting this vulnerability to compromise environments and deploy ransomware.  Proof-of-concept code is also in the wild. Administrators are urged to patch to the latest version as soon as possible.

Related Resources

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.
Table of Contents