A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.
Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569.
"Observed DEV-0569 attacks show a pattern of continuous innovation, with

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name **DEV-0569**.

"Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team said in an analysis.

The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The malware downloader, a strain referred to as BATLOADER, is a dropper that functions as a conduit to distribute next-stage payloads. It has been observed to share overlaps with another malware called ZLoader.

A recent analysis of BATLOADER by eSentire and VMware called out the malware's stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains.

Alternatively, phishing links are shared through spam emails, fake forum pages, blog comments, and even contact forms present on targeted organizations' websites.

"DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network," the tech giant noted.

"The management tool can also be an access point for the staging and spread of ransomware."

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

The use of Google Ads to deliver BATLOADER selectively marks a diversification of the DEV-0569's distribution vectors, enabling it to reach more targets and deliver malware payloads, the company pointed out.

It further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, Qakbot.

"Since DEV-0569's phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists," Microsoft said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

The company emerges from stealth with an automated security remediation product identifies and remediates cloud misconfigurations.

Some of the most common issues in cloud security involve misconfigured systems. Cloud servers may be mistakenly configured to allow anyone on the Internet to access the data. The firewall rules may have inadvertently created a hole big enough for a threat actor to slip through. These kinds of issues trip up enterprises on a regular basis because securing cloud infrastructure is labor-intensive and security operations rely heavily on manual processes to manage the complex environment.

Enter OpsHelm, a cloud security startup which came out of stealth with its automated security remediation product on Thursday. The product monitors the IT environment looking for cloud misconfigurations and makes it possible to fix the issues in a seamless way. The tool integrates with common enterprise communications tools such as Slack or Microsoft Teams and informs the security operations team of the issues as they are found. The team can address the issues and the tool learns what actions should be taken so that it knows how to handle the situation the next time that issue comes up.

"Companies attempt to solve this problem with enhanced visibility into their cloud infrastructure, yet this isn't enough--they are still stuck doing the time-consuming triage and remediation with their limited team resources," Andrew Peterson, co-founder and CEO of Signal Sciences and an investor in the company, said in a statement.

The company says OpsHelm can detect and fix common cloud issues such as misconfigurations, overly permissive firewall rulesets, potential data exposures, unmanaged resources in Infrastructure as Code (IaC), credential sprawl, and unsecured assets exposed to the Internet.

"For example, if S3 buckets are routinely exposed when you stand up new programs, you can eliminate all exposed S3 buckets in seconds and ensure that any new ones are instantly locked down the second they are exposed," Bill Gambardella, OpsHelm CEO and co-founder, wrote on the company's blog. Gambardella was previously COO at Leviathan Security Group and previously ran security at Sprout Social. Other members of the founding team include OpsHelm CTO Kyle McCullough, who was a platform engineer at Sprout Social; COO Bob Bregant and founding engineer Lee Brotherson.

At the moment, OpsHelm integrates with Google Cloud Platform and Amazon Web Services. Support for Microsoft Azure is “coming soon.” Currently in public beta, general availability is expected early next year, the company says.

New Startup OpsHelm Tackles Cloud Misconfigurations

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

DEV-0569 Ransomware Group Remarkably Innovative, Microsoft Cautions

IOBit IOTransfer V4 is vulnerable to Unquoted Service Path.

    # Exploit Title: IOTransfer V4 - Unquoted Service Path
    # Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
    # Discovery Date: 2022-28-07
    # Vendor Homepage: http://www.iobit.com/en/index.php
    # Software Link: https://iotransfer.itopvpn.com/download/
    # Tested Version: V4
    # Vulnerability Type: Unquoted Service Path
    # Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197
    # Step to discover Unquoted Service Path:
    
    C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
    
    IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe
                          Auto
    
    C:\>sc qc IOTUpdaterSvc
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: IOTUpdaterSvc
            TYPE : 10 WIN32_OWN_PROCESS
            START_TYPE : 2 AUTO_START
            ERROR_CONTROL : 1 NORMAL
            BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe
    
    
    LOAD_ORDER_GROUP :
            TAG : 0
            DISPLAY_NAME : IOTransfer Updater
            DEPENDENCIES :
            SERVICE_START_NAME : LocalSystem
    
    C:\>systeminfo
    
    OS Name: Microsoft Windows Server 2019 Standard Evaluation
    OS Version: 10.0.17763 N/A Build 17763
    OS Manufacturer: Microsoft Corporation

CVE-2022-37197: Offensive Security’s Exploit Database Archive

How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for November 11 to 18

With the proliferation of interconnected third-party applications, new strategies are needed to close the security gap.

Earlier this year, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021. Not only are these attacks increasing, but the level at which they are penetrating systems and the techniques attackers are using are also new. Attackers are now taking advantage of access granted to third-party cloud services as a backdoor into companies' most sensitive core systems, as seen in recent high-profile attacks on Mailchimp, GitHub, and Microsoft. A new generation of supply chain attacks is emerging.

**Rise of App-to-App Integrations**

As the vast majority of the workforce has gone digital, organizations' core systems have been moving to the cloud. This accelerated cloud adoption has exponentially increased the use of third-party applications and the connections between systems and services, unleashing an entirely new cybersecurity challenge.

There are three main factors that lead to the rise in app-to-app connectivity:

*   **Product-led growth (PLG):** In an era of PLG and bottom-up software adoption, with software-as-a-service (SaaS) leaders like Okta and Slack
*   **DevOps:** Dev teams are freely generating and embedding API keys in
*   **Hyperautomation:** The rise of hyperautomation and low code/no code platforms means "citizen developers" can integrate and automate processes with the flip of a switch.

The vast scope of integrations are now easily accessible to any kind of team, which means time saved and increased productivity. But while this makes an organization's job easier, it blurs visibility into potentially vulnerable app connections, making it extremely difficult for organizational IT and security leaders to have insight into all of the integrations deployed in their environment, which expands the organization's digital supply chain.

**Third-Party Problems**

There is some acknowledgement of this problem: the National Institute of Standards and Technology (NIST) recently updated its guidelines for cybersecurity supply chain risk management. These new directives consider that as enterprises adopt more and more software to help run their business, they increasingly integrate third-party code into their software products to boost efficiency and productivity. While this is great recognition, there is another whole ecosystem of supply chain dependencies related to the mass amount of integrations of core systems with third-party applications that is being overlooked.

For companies whose internal processes are irreversibly hyperconnected, all it takes is an attacker spotting the weakest link within connected apps or services to compromise the entire system.

Businesses have to determine how best to manage this kind of scenario. What level of data are these apps gaining access to? What kind of permissions will this app have? Is the app being used, and what is the activity like?

Understanding the layers in which these integrations operate can help security teams pinpoint their potential attack areas. Some forward-looking chief information security officers (CISOs) are aware of the problem but only seeing a fraction of the challenge. In the era of product-led growth and bottom-up software adoption, it's difficult to have visibility into all the integrations between an organization's cloud applications, as the average enterprise uses 1,400 cloud services.

**Closing the Security Gap**

The risks of digital supply chain attacks are no longer confined to core business applications or engineering platforms — these vulnerabilities have now expanded with the proliferating web of interconnected third-party applications, integrations, and services. Only new governance and security strategies will close this expanding security gap.

There needs to be a paradigm shift within the market to protect this sprawling attack surface. In doing so, the following would need to be addressed:

*   **Visibility into all app-to-app connections:**Security teams need a clear line of sight not only into systems that connect to sensitive assets, but into
*   **Threat detection:**The nature of every integration — not just the standalone applications — need to be evaluated for risk level and exposure (e.g., redundant access, excessive permissions).
*   **Remediation strategies**_:_ Threat prevention strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface.
*   **Automatic, zero-trust enforcement:**Security teams must be able to set and enforce policy guardrails around app-layer access (e.g., permission levels, authentication protocols).

The good news is that we are starting to see a shift in the industry's mindset. Some businesses are already taking the initiative and putting processes in place to stay ahead of a potential service supply chain attack — like HubSpot, which just released a message to help eliminate potential risks associated with the use of API keys. GitHub also recently introduced a fine-grained personal access token that offers enhanced security to developers and organization owners to reduce the risk to data of compromised tokens.

Ultimately, the digital world in which we live is only going to become more hyperconnected. In parallel, the industry needs to further its understanding and knowledge of these potential threats within the supply chain, before they cascade into more headline-making attacks.

The Next Generation of Supply Chain Attacks Is Here to Stay

Threat hunting is the process of looking for malicious activity and its artifacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization's infrastructure, extending their access while waiting for the right

Threat hunting is the process of looking for malicious activity and its artifacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization's infrastructure, extending their access while waiting for the right opportunity to exploit discovered weaknesses.

Therefore it is important to perform threat hunting to identify malicious actors in an environment and stop them before they achieve their ultimate goal.

To effectively perform threat hunting, the threat hunter must have a systematic approach to emulating possible adversary behavior. This adversarial behavior determines what artifacts can be searched for that indicate ongoing or past malicious activity.

**MITRE ATT&CK**

Over the years, the security community has observed that threat actors have commonly used many tactics, techniques, and procedures (TTPs) to infiltrate and pivot across networks, elevate privileges, and exfiltrate confidential data. This has led to the development of various frameworks for mapping the activities and methods of threat actors. One example is the MITRE ATT&CK framework.

MITRE ATT&CK is an acronym that stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). It is a well-documented knowledge base of real-world threat actor actions and behaviors. MITRE ATT&CK framework has 14 tactics and many techniques that identify or indicate an attack in progress. MITRE uses IDs to reference the tactic or technique employed by an adversary.

**The Wazuh unified XDR and SIEM platform**

Wazuh is an open source unified XDR and SIEM platform. The Wazuh solution is made up of a single universal agent that is deployed on monitored endpoints for threat detection and automated response. It also has central components (Wazuh server, indexer, and dashboard) that analyze and visualize the security events data collected by the Wazuh agent. It protects on-premises and cloud workloads.

Figure 1: Wazuh security event dashboard

**Threat hunting with Wazuh**

Threat hunters use various tools, processes, and methods to search for malicious artifacts in an environment. These include but are not limited to using tools for security monitoring, file integrity monitoring, and endpoint configuration assessment.

Wazuh offers robust capabilities like file integrity monitoring, security configuration assessment, threat detection, automated response to threats, and integration with solutions that provide threat intelligence feeds.

**Wazuh MITRE ATT&CK module**

Wazuh comes with the MITRE ATT&CK module out-of-the-box and threat detection rules mapped against their corresponding MITRE technique IDs. This module has four components which are:

a. **The intelligence component of the Wazuh MITRE ATT&CK module**: Contains detailed information about threat groups, mitigation, software, tactics, and techniques used in cyber attacks. This component helps threat hunters to identify and classify different TTPs that adversaries use.

Figure 2: Wazuh MITRE ATT&CK Intelligence

b. **The framework component of the Wazuh MITRE ATT&CK module**: Helps threat hunters narrow down threats or compromised endpoints. This component uses specific techniques to see all the events related to that technique and the endpoints where these events happened.

Figure 3: Wazuh MITRE ATT&CK framework

c. **The dashboard component of the MITRE ATT&CK module**: Helps to summarize all events into charts to assist threat hunters in having a quick overview of MITRE related activities in an infrastructure.

Figure 4: Wazuh MITRE ATT&CK dashboard

d. **The Wazuh MITRE ATT&CK events component**: Displays events in real-time, with their respective MITRE IDs, to better understand each reported alert.

Figure 5: Wazuh MITRE ATT&CK events

**Wazuh rules and decoders**

Wazuh has out-of-the-box rules and decoders to parse security and runtime data generated from different sources. Wazuh supports rules for different technologies (e.g., Docker, CISCO, Microsoft Exchange), which have been mapped to their appropriate MITRE IDs. Users can also create custom rules and decoders and map each rule with its appropriate MITRE tactic or technique. This blog post shows an example of leveraging MITRE ATT&CK and Wazuh custom rules to detect an adversary.

**Security Configuration Assessment (SCA) module**

The Wazuh SCA module performs periodic scans in endpoints to detect system and application misconfigurations. It can also be used to scan for indicators of compromise, like malicious files and folders that have been created by malware. Analyzing software inventories, services, misconfigurations, and changes in the configuration on an endpoint can help threat hunters detect attacks underway.

Figure 6: Wazuh SCA dashboard

**Integration with threat intelligence solutions**

Due to its open source nature, Wazuh provides an opportunity to integrate with threat intelligence APIs and other security solutions. Wazuh integrates with open source threat intelligence platforms like Virustotal, URLHaus, MISP, and AbuseIPDB to name a few. Depending on the integration, relevant alerts appear in the Wazuh dashboard. Specific information, such as IP addresses, file hashes, and URLs, can be queried using filters on the Wazuh dashboard.

**File integrity monitoring**

File integrity monitoring (FIM) is used to monitor and audit sensitive files and folders on endpoints. Wazuh provides an FIM module that monitors and detects changes in specified directories or files on an endpoint's filesystem. The FIM module can also detect when files introduced to endpoints match hashes of known malware.

**Wazuh archives**

Wazuh archives can be enabled to collect and store all security events ingested from monitored endpoints. This feature assists threat hunters by providing them with data that can be used to create detection rules and stay ahead of threat actors. Wazuh archives are also helpful in meeting regulatory compliance where audit log history is required.

**Conclusion**

The MITRE ATT&CK framework helps to properly classify and identify threats according to discovered TTPs. Wazuh uses its dedicated MITRE ATT&CK components to display information about how security data from endpoints correspond to TTPs. The threat hunting capabilities of Wazuh help cybersecurity analysts to detect apparent cyber attacks as well as underlying compromises to infrastructure.

Wazuh is a free and open source platform that can be used by organizations with cloud and on-premises infrastructure. Wazuh has one of the fastest-growing open source community in the world, where learning, discussions, and support is offered at zero cost. Check out this documentation to get started with Wazuh.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Threat hunting with MITRE ATT&CK and Wazuh

The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022.
"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information

The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022.

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," U.S. cybersecurity and intelligence authorities said in an alert.

Active since June 2021, Hive's RaaS operation involves a mix of developers, who create and manage the malware, and affiliates, who are responsible for conducting the attacks on target networks by often purchasing initial access from initial access brokers (IABs).

In most cases, gaining a foothold involves the exploitation of ProxyShell flaws in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus engines and data backups as well as delete Windows event logs.

The threat actor, which recently upgraded its malware to Rust as a detection evasion measure, is also known to remove virus definitions prior to encryption.

"Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

According to data shared by cybersecurity company Malwarebytes, Hive compromised about seven victims in August 2022, 14 in September, and two other entities in October, marking a drop in activity from July, when the group targeted 26 victims.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft