Indicators of compromise (IoCs) identified
Compromise reports identified (grouping of IoCs)
HIGHLIGHT OF THE MONTH
First released in 2007 under the names QakBot or Pinkslipbot, Qbot is a Trojan horse used to form a botnet. Botnets are characterized by a network of infected machines connected to the Internet that communicate with one or more C&C servers, generally enabling the launch of large-scale coordinated attacks, such as distributed denial of service (DDoS).
In the case of Qbot, segments of the network of compromised machines were offered to other groups of malicious actors via illegal trading platforms. The network was then used as an initial infection vector, in particular for ransomware operators, who then bypassed the first infection stage and were able to concentrate on remote deployment of the malicious code, maximizing financial gains over a shorter period of time. Malware operators who have collaborated with Qbot include Conti, ProLock, REvil and Black Basta.
During its sixteen long years of activity, Qbot has mainly been distributed via phishing campaigns, but it has also been used as a payload by other malware such as Emotet. Besides providing direct access to compromised companies, Qbot also enabled the theft of Windows credentials, making it easier for attackers to infiltrate networks, steal banking data and, of course, facilitate the deployment of other payloads.
On August 26, an international operation led by the USA and European countries, including Germany and France, dismantled the network of Qbot-infected machines by redirecting their traffic to servers under FBI control, thus preventing them from communicating with the fifty or so malicious servers operated by the attackers. This operation freed over 700,000 captive machines worldwide.
However, the dismantling of the Qbot network does not necessarily imply the disappearance of the group of attackers behind the malware, and it is not out of the question that they may reappear, perhaps under a new name.
DEFINITION OF THE MONTH
Over the past few weeks, several vulnerabilities have been published that share a common characteristic: their potential to be exploited to carry out Remote Code Execution (RCE) attacks.
When an RCE vulnerability is exploited, an attacker can remotely inject and execute malicious code on the targeted system. This intrusion gives them the ability to take control of the system, access sensitive data, compromise other connected systems, or cause other types of damage.
Sometimes, no credentials are required to exploit the vulnerability. These are known as unauthenticated RCEs, meaning that the attacker can exploit the flaw remotely without needing to authenticate or provide credentials. This characteristic makes these types of RCE particularly dangerous, as an attacker can potentially exploit the vulnerability remotely without any access restrictions, which greatly facilitates the attack. It is this category of RCE in particular that has impacted Ivanti products, on which we focused last August, as well as Juniper products, for which we wrote a dedicated blog post.
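To make the two notions above concrete, here is an added example (not code from the Barometer or from any product it names) that models a small "diagnostics" endpoint as plain functions. The vulnerable form has exactly the two properties the definition describes: it performs no authentication, and it splices a caller-controlled parameter into a string meant for a shell. The hardened form authenticates first, validates the parameter against an allowlist, and builds an argv list so no shell ever parses the input. The request shape, the `DEMO_TOKEN` secret and the `ping` command are assumptions made for the demo; the vulnerable function returns the command string instead of running it so the behaviour can be inspected safely.

```python
import hmac
import re

# Constructed example: a request is modelled as a dict
# {"token": str | None, "params": {"host": str}}. Nothing here is taken
# from any real product; the names are illustrative.

# Assumed shared secret for the demo only. A real service would check a
# session or a signed credential rather than a fixed string.
DEMO_TOKEN = "constructed-demo-token"

# Allowlist for what a "host" parameter may look like: a hostname or a
# dotted IPv4 literal, nothing else (no spaces, no shell metacharacters).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def vulnerable_build_command(request: dict) -> str:
    """The unauthenticated-RCE shape: no credential check, and the caller's
    'host' value is concatenated into a string destined for shell=True.
    Returned rather than executed so it can be inspected without risk."""
    host = request["params"].get("host", "")
    return f"ping -c 1 {host}"   # ';', '&&', '$(...)' all pass straight through


def hardened_build_command(request: dict) -> list:
    """Hardened form: authenticate, validate against the allowlist, then
    build an argv list to be run with subprocess.run(argv) and no shell."""
    token = request.get("token") or ""
    # Constant-time comparison avoids leaking token prefix/length via timing.
    if not hmac.compare_digest(token.encode(), DEMO_TOKEN.encode()):
        raise PermissionError("authentication required")
    host = request["params"].get("host", "")
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def hardened_outcome(request: dict) -> str:
    """Collapses the hardened handler's result into the status word an access
    log would record: 'ok', 'unauthenticated' or 'rejected_input'."""
    try:
        hardened_build_command(request)
    except PermissionError:
        return "unauthenticated"
    except ValueError:
        return "rejected_input"
    return "ok"


def looks_like_injection(value: str) -> bool:
    """Detection helper for log review: flags a parameter that should only
    ever hold a hostname but carries shell metacharacters or otherwise
    fails the allowlist."""
    return bool(re.search(r"[;&|`$<>\n]", value)) or not HOST_RE.fullmatch(value)


if __name__ == "__main__":
    # Constructed requests: one benign, one carrying an injection attempt.
    benign = {"token": DEMO_TOKEN, "params": {"host": "203.0.113.7"}}
    hostile = {"token": None, "params": {"host": "203.0.113.7; id"}}
    print("vulnerable builds:", vulnerable_build_command(hostile))
    print("hardened builds:  ", hardened_build_command(benign))
    for req in (benign, hostile):
        print("hardened outcome:", hardened_outcome(req),
              "| suspicious param:", looks_like_injection(req["params"]["host"]))
```

The order of the checks in the hardened handler matters: rejecting unauthenticated callers before touching the parameter means an attacker without credentials never reaches the parsing code at all, which is precisely the access restriction whose absence makes an unauthenticated RCE so dangerous. The `looks_like_injection` helper is the detection-side counterpart: run over request logs, it surfaces the attempts the hardened handler would have rejected.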
The consequences of these attacks are often devastating. Attackers can use these vulnerabilities to install cryptominers, deploy malware and/or ransomware to extort funds, or spy on and steal confidential data. These incidents lead to operational disruption, significant financial losses and threaten information confidentiality, with serious repercussions for targeted organizations.
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It's no secret that knowledge of one's adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.