Threat Thursday

Threat Thursday: July 2024

Written by SCYTHE | Jul 31, 2024 4:00:00 AM

In this July edition of Threat Thursday, we get into the evolving landscape of cyber threats, focusing on three significant actors: APT29, SharpDragon, and the revamped CloudFox V2. APT29, a Russian state-sponsored group, continues to execute sophisticated cyber espionage tactics, leveraging vulnerabilities in Microsoft Exchange and employing advanced evasion techniques to remain undetected. SharpDragon, a Chinese threat actor, targets government entities to facilitate lateral movement into trusted organizations, using methods like malicious payloads in digitally signed Microsoft .Net assemblies. Meanwhile, the updated CloudFox V2 introduces new features for auditing cloud security, emphasizing the importance of robust defenses against threats that exploit common security tools. 

New Threat Releases


APT29 Update

APT29, a Russian state-sponsored threat actor, remains a significant concern due to its sophisticated cyber espionage activities. Noteworthy for their involvement in major incidents like the Microsoft breach and SolarWinds supply chain attack, APT29's actions highlight ongoing threats to various sectors, including government, technology, and finance. We thought providing an update on APT29 was crucial for understanding their evolving tactics and enhancing organizational defenses against such advanced persistent threats. 

The team at SCYTHE has updated its threat emulation for APT29, incorporating new tactics observed over the past few years. This includes methods like exploiting Microsoft Exchange vulnerabilities, conducting reconnaissance through email systems, and exfiltrating data via PowerShell commands. They also use tactics to evade detection, such as blocking EDRs like CrowdStrike and Microsoft Defender.

Targeting Techniques:

  • APT29 has been exploiting vulnerabilities in Microsoft Exchange servers and leveraging these to gather sensitive data. Their methods include creating mailbox export requests to duplicate and exfiltrate emails.
  • APT29 employs sophisticated methods to remain undetected, such as clearing evidence of their activities and modifying audit policies to hinder detection.
  • They have been observed setting up scheduled tasks hidden within system folders, making it difficult for standard detection methods to identify their presence.

Watch below!

 

CloudFox V2 Updates

Threat actors are increasingly leveraging common security tools and open-source resources to execute their behaviors, prompting a need for organizations to test their defenses. We are providing an update to the now-dated CloudFox threat, introducing new features and capabilities. SCYTHE introduced a revamped threat campaign using a customized CloudFox binary, an open-source tool for auditing cloud security. CloudFox, designed for penetration testers, helps identify exploitable attack paths in cloud infrastructures like GCP, AWS, and Azure. The campaign involves setting up and running CloudFox with appropriate IAM configurations and assessing the impact of potential unauthorized access to cloud environments. We also provide detection strategies and cleanup steps for mitigating risks associated with the threat, emphasizing the importance of proper security measures and vigilance against suspicious activities.

Want to learn more about what SCYTHE's Empower offering can do for you? Reach out to us here.

 

REGISTER: for all upcoming workshops and Threat Thursday Live

Register today! 🦄