SNOCC Quarterly Threat Update
Q2 2023

Each quarter, the managed security team at Nexum shares insights from our first*defense® Security and Network Operations Command Centers (SNOCC). Nexum has been managing and monitoring the security environments of our customers since 2005. Therefore, we’re uniquely positioned to get an overall view of the threat landscape and observe attacks firsthand. Nexum will never publicly disclose specific, sensitive information; however, we can share observations and thoughts that might help your defense.

—

Hello from the front line! In our last post from Q1, we talked briefly about how quickly the scanning started for the ProxyShell/ProxyLogon vulnerability variants after they were disclosed. We did not discuss how much of that scanning was not actually high-risk attackers.

Context is King

The context of who or what is sending or receiving traffic is critical to understanding the risk. There are a lot of organizations out there routinely scanning the Internet, both good guys and bad. Research scanners such as BinaryEdge, Stretchoid, Rapid7, Project 25499, Shadowserver, Censys.io, Shodan.io, and Recyber, among others, cause a large amount of unnecessary noise that has relativity low risk. We are big fans of blocking these scanners in dynamic address block rules at the top of our customers’ rule bases. We facilitate this with our managed services clients by providing curated research scanner block lists as part of our standard service.

Detection Challenges: The Obscurity of ISO, WSF, RUST, and GO

Over the last few months, there has been an interesting development with the increasing use of Disk Image Files (ISO) and Windows Scripting Files (WSF) (the ISO term comes from the ISO 9660 standard for CD-ROM media but has evolved to include the same format on non-optical platforms). For years, bad actors have used archive files (like ZIP), obfuscation, and embedding to hide malicious code from security tools. ISO files are now routinely used to transport malicious files between the Internet and end-user computers. We recommend that customers ensure their devices can scan the contents of the ISO and consider blocking them if there is no legitimate business use.

We’ve seen another trend emerge with malicious obfuscated WSF files embedded in other files. OneNote email attachments are distributed with contents that trick users into downloading and running the WSF file. Blocking the download of these files and blocking the execution tools, such as the Microsoft Office Suite, from completing or creating child processes is recommended.

Versions of Qakbot/QBot are using a PDF with a download button that makes a user think they are downloading a ZIP file, but they are, in fact, downloading a WSF file that performs further execution, like execution of PowerShell commands that install malware.

Malware developers have significantly increased their progress in coding languages such as RUST and GO, as the industry’s reliance on signature-based detection is bypassed by using languages that are not in everyday use. The more obscure the language or file type, the more likely it remains undetected with traditional security controls. A defense in depth approach is necessary to give the best chance of stopping this malicious code. Advanced endpoint protection ensures the code does not execute, starting with endpoint hardening. Network-based tools, such as strong email and web security, limit the code from getting to an endpoint in the first place.

Contact Nexum

This arms race between the good and bad guys continues. The team at Nexum is here to discuss these threats with you in more detail. Use our Talk to an Expert form to contact us.