Indicators of compromise (IOCs) identified
Compromise reports identified (grouping of IoCs)
HIGHLIGHT OF THE MONTH
In recent weeks Volt Typhoon has been in the news, moving beyond the specialist press and into the mainstream media. At issue was the ability of this threat actor, allegedly backed by China, to target critical US infrastructure against the backdrop of current geopolitical tensions between the two nations.
The distinctive feature of Volt Typhoon’s modus operandi is the absence of malware. The group relies on the well-known “living off the land” approach, in which the attacker uses only legitimate tools, often already present on the target systems, so that its activity blends in with normal administrative traffic.
The growing complexity of today’s systems is reflected in the tools used to manage them, and it is common for native utilities to carry functionality well beyond the use case they were originally built for. That surplus functionality is exactly what this technique exploits. A good example is `netsh`, originally a network configuration command, whose `interface portproxy` subcommand lets the actor we mentioned set up a TCP port forward on a compromised machine and use it as a pivot into the rest of the network.
This type of abuse is common enough that several security projects catalogue these utilities and the ways they can be misused, most notably LOLBAS (Living Off The Land Binaries And Scripts).
At a time when large-scale campaigns rely on a range of malware and post-exploitation frameworks, Volt Typhoon stands out for its intensive use of native tools, a reminder of the need to harden systems and to monitor administrative traffic as closely as user traffic.
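A practical check for the `netsh portproxy` pivot described above, as an added example that is not part of the Gatewatcher report and is not attributed to Volt Typhoon’s tooling: it enumerates the port-forwarding rules that `netsh` persists in the registry, flags any that are not on a local allow-list, and cross-checks them against the live view. The allow-list contents and the sample attacker command line in the comments are assumptions for illustration.

```powershell
# Added example (not from the Gatewatcher report): enumerate netsh portproxy rules
# on a Windows host and flag them for review.
# The attacker-side command this detects looks like (illustrative, do not run on production):
#   netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8443 connectaddress=10.0.0.5 connectport=3389
# netsh persists these rules under the PortProxy service key: each value is named
# "listenaddr/listenport" and holds "connectaddr/connectport". Reading the registry
# works even if netsh.exe itself has been renamed or removed after the rule was set.

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
$families = 'v4tov4', 'v4tov6', 'v6tov4', 'v6tov6'

function Get-PortProxyRule {
    foreach ($family in $families) {
        $key = Join-Path $base "$family\tcp"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $listen  = $name -split '/'
            $connect = [string]$item.GetValue($name) -split '/'
            [pscustomobject]@{
                Family         = $family
                ListenAddress  = $listen[0]      # netsh stores 0.0.0.0 as "*"
                ListenPort     = [int]$listen[1]
                ConnectAddress = $connect[0]
                ConnectPort    = [int]$connect[1]
            }
        }
    }
}

# Allow-list of rules legitimately expected on this host (assumption: empty by default;
# add entries such as @{ ListenPort = 8080; ConnectAddress = '127.0.0.1' } as needed).
$expected = @()

$rules = @(Get-PortProxyRule)
if ($rules.Count -eq 0) {
    Write-Output 'No netsh portproxy rules found.'
} else {
    foreach ($r in $rules) {
        $known   = $expected | Where-Object { $_.ListenPort -eq $r.ListenPort -and $_.ConnectAddress -eq $r.ConnectAddress }
        $verdict = if ($known) { 'expected' } else { 'REVIEW' }
        Write-Output ('[{0}] {1} {2}:{3} -> {4}:{5}' -f $verdict, $r.Family, $r.ListenAddress, $r.ListenPort, $r.ConnectAddress, $r.ConnectPort)
    }
    # Cross-check with the running configuration in case registry and live state disagree.
    netsh interface portproxy show all
}

# Removal, once a rule is confirmed malicious (fill in the listen address/port from the output):
#   netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8443
```

Run it from an elevated prompt on a schedule, or wire the registry path into your EDR or Sysmon registry-modification rules, since a freshly added rule is far more useful to catch at write time than during a periodic sweep. Any `REVIEW` line deserves a look at which process created it and when, because a port forward on a host that has no business relaying traffic is exactly the kind of quiet pivot the report describes.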
DEFINITION OF THE MONTH
Privilege escalation, also known as privilege elevation, is a technique used by attackers to obtain higher-level permissions on an application, system or network in order to perform operations that their initial access does not allow.
At the time of the initial compromise, the attacker often holds only partial access with limited privileges, but needs elevated permissions to reach their objectives. The approach varies with the target and the chosen tactics, but the main methods are to exploit configuration weaknesses, software vulnerabilities or mismanagement of access rights.
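One concrete instance of the “configuration weakness” and “access rights” escalation paths named above, as an added example that is not part of the Gatewatcher report: a Windows service whose image path is unquoted and contains spaces, and which passes through a directory a standard user can write to. The service runs as SYSTEM, but a low-privileged user can plant `C:\Program.exe` or `C:\Program Files\Vendor.exe`, and Windows will try those before the intended binary. The list of low-privilege principals is an assumption to adjust for your environment.

```powershell
# Added example, not from the Gatewatcher report: audit Windows services for unquoted
# image paths that traverse a directory a low-privileged user can write to.

# Principals a standard user is a member of (assumption: adjust for your domain).
$lowPrivPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE grants rights on children, not on this directory itself
        # (the default C:\ root carries one of these for Authenticated Users).
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # Any of these rights lets the user create a file directly in the directory.
        if ($ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { return }   # quoted: not exploitable this way
        if ($path -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] } else { return }
        if ($exe -notmatch ' ') { return }                                  # no space: nothing to hijack
        if ($exe -match '^[A-Za-z]:\\Windows\\') { return }                 # system directories are not user-writable
        # Every prefix that ends before a space is a candidate planting point, e.g.
        # "C:\Program Files\My App\svc.exe" -> C:\  and  C:\Program Files\
        $parts = $exe -split ' '
        $hits  = @()
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            $dir    = Split-Path -Path $prefix -Parent
            if ($dir -and (Test-LowPrivWritable -Path $dir)) { $hits += $dir }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Service      = $svc.Name
                RunsAs       = $svc.StartName
                ImagePath    = $path
                WritableDirs = ($hits | Select-Object -Unique) -join '; '
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

A hit here is only a finding, not yet a compromise: the fix is to quote the `ImagePath` value for the service and to tighten the ACL on the offending directory, and the same two-step pattern (a privileged component plus a weak permission on something it trusts) is what most configuration-based escalations come down to.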
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors under particular pressure, weak signals of emerging attacks… It is no secret that knowing your adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected during the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources across multiple channels: social networks, specialised sites, and the deep and dark web. They make threat information available on average 24 hours ahead of the competition and help operational response teams make better decisions by substantially reducing analysis and incident-handling times.