Indicators of compromise (IoCs) identified
Compromise reports identified (grouping of IoCs)
HIGHLIGHT OF THE MONTH
On March 29, 2023, an alert was issued indicating that 3CX Desktop, a widely used IPBX business phone application, had been observed making anomalous requests, including beaconing to a C2 server and loading malware.
This attack, which illustrates the consequences of a supply chain attack allowing a “cascading” intrusion with a high return on investment for the attacker, took place in several steps.
The identified entry point was a compromised installer or update embedding malicious DLLs, loaded through a technique known as DLL side-loading.
Within hours, detection rules were made available, and on the publisher’s side, the compromised application was made inaccessible for download and users were advised to uninstall the software in favor of the web interface.
Since the initial announcement, investigations have continued and have provided a number of answers:
• Although already mentioned in the initial findings, the attribution has been confirmed: the activity is the work of a North Korean group tracked by the security firm Mandiant under the reference UNC4736.
• The course of the attack has been reviewed. An initial breach within 3CX had been put forward as the starting point, but the origin appears to be more distant: in a report dated April 21, the attack was traced back to the X Trader software published by Trading Technologies. Thus, although this attack has already officially affected 2 critical infrastructures in the energy
DEFINITION OF THE MONTH
Fuzzy hashing is a technique used, among other things, for malware detection. It is a family of algorithms that hash different parts of a file separately: similar parts of two different files produce common partial checksums, which results in final checksums that share similarities. The premise of fuzzy hashing is that a small change in the file produces a small change in the checksum. This is particularly useful for detecting similar files, and thus potential threats such as documents, certificates, phishing pages, emails and malware.
Fuzzy hashing can be used to detect threats in several ways:
• Presence of one piece of data inside another
• Tracking and detection of modified copies or versions of a file
• Similarities in the use of memory/network resources
There are several different types of algorithms for this process, including:
• ssdeep, which uses “trigger points” to determine the blocks to be hashed. The number of trigger points remains roughly the same regardless of the file size, which ensures a constant final checksum size.
• TLSH, which breaks the file into several segments of fixed size and measures the difference between each pair of segments. The distances are then used to calculate the final value.
• ImpHash, which differs from fuzzy hashing stricto sensu by using the names of the imported modules and functions, and their order, to compute the checksum of a binary file.
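A simplified context-triggered piecewise hash in the spirit of ssdeep, added here as an illustration (it is not the ssdeep implementation and uses a simpler rolling hash, chunk hash and score formula): a rolling hash over the last 7 bytes decides where each chunk ends, so a local edit disturbs only nearby chunks, and the block size grows with the input so the signature stays near 64 characters. The three sample inputs are constructed for this example.

```python
import string

# Simplified ssdeep-style CTPH, written for this note; not the ssdeep code.
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
WINDOW = 7          # bytes covered by the rolling hash at each position
TARGET_BLOCKS = 64  # aim for roughly this many chunks, whatever the file size
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193

def block_size(n: int) -> int:
    bs = 3
    while bs * TARGET_BLOCKS < n:   # grow until ~64 trigger points are expected
        bs *= 2
    return bs

def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:chars', one base64 char per context-triggered chunk."""
    bs, chars, chunk = block_size(len(data)), [], FNV_BASIS
    for i, byte in enumerate(data):
        chunk = ((chunk ^ byte) * FNV_PRIME) & 0xFFFFFFFF    # FNV-1a over the chunk
        h = 0
        for c in data[max(0, i - WINDOW + 1):i + 1]:          # rolling hash, last 7 bytes
            h = (h * 31 + c) & 0xFFFFFFFF
        if h % bs == bs - 1:             # trigger point: content, not offset, sets the cut
            chars.append(B64[chunk & 63])
            chunk = FNV_BASIS
    chars.append(B64[chunk & 63])        # the trailing partial chunk is always emitted
    return f"{bs}:{''.join(chars)}"

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig1: str, sig2: str) -> int:
    """0..100 score from the edit distance; only meaningful for equal block sizes."""
    bs1, h1 = sig1.split(":")
    bs2, h2 = sig2.split(":")
    if bs1 != bs2:
        return 0
    return 100 - 100 * levenshtein(h1, h2) // max(len(h1), len(h2))

# Constructed inputs: a log, a copy with one local edit, and an unrelated log.
SAMPLE_A = b"".join(b"%04d login user=alice src=10.0.%d.%d ok\n" % (i, i, (i * 7) % 251) for i in range(60))
SAMPLE_A_MOD = SAMPLE_A.replace(b"user=alice", b"user=carol", 1)
SAMPLE_B = b"".join(b"%04d GET /static/img_%d.png 200 bytes=%d\n" % (i, i * 3, i * 911) for i in range(60))
```

Calling `similarity(fuzzy_hash(SAMPLE_A), fuzzy_hash(SAMPLE_A_MOD))` scores the edited copy far higher than the unrelated log, while a conventional cryptographic hash would simply differ in all three cases.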
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.