Attackers may exploit CVE-2024-7344 to bypass UEFI Secure Boot and deploy a malicious bootkit, achieving persistence and potentially exfiltrating sensitive data or disrupting system operations.
Fake Security Information and Event Management (SIEM) with Honey Data
Deploy a decoy SIEM that collects and displays fabricated security events and alerts. This can be used to mislead attackers, waste their time, or gather information about their attempts to tamper with or evade security monitoring systems.
Decoy Web Application Firewall (WAF) with Alerting Capabilities
Create a decoy WAF that mimics a legitimate one but triggers alerts or performs deceptive actions in response to specific attack patterns. This can be used to identify attackers, disrupt their activities, or gather information about their techniques.
Fake Firewall with Permissive Ruleset
Deploy a decoy firewall with an intentionally permissive ruleset that allows most traffic to pass through. This can be used to lure attackers into a false sense of security, allowing you to observe their activities and gather intelligence on their tools and techniques.
Engage Report: Console Chaos – Fortinet FortiGate Firewall Exploitation
- Threat actors scan for publicly exposed FortiGate firewall management interfaces.
- They exploit a probable zero-day vulnerability (later identified as CVE-2024-55591) to gain unauthorized access.
- Threat actors establish jsconsole sessions, often spoofing source IP addresses such as loopback addresses or public DNS resolvers.
- They make various configuration changes, create new admin accounts, and enable SSL VPN access.
Engage Report: Codefinger Ransomware Targeting AWS S3 Buckets
- The attacker, dubbed “Codefinger”, obtains valid AWS keys with read and write permissions to S3 buckets.
- The attacker utilizes the Server-Side Encryption with Customer Provided Keys (SSE-C) feature.
- They encrypt the bucket’s data using their own AES-256 key, which is not stored by AWS.
- Only an HMAC of the key is logged in AWS CloudTrail, which is insufficient for data recovery.
- The attacker sets a 7-day lifecycle policy to delete the files, increasing pressure on the victim.
Abusing SSE-C services with Ransomware
The threat actor is exploiting compromised AWS keys to manipulate cloud storage objects and encrypt S3 bucket data for ransom.
Double-Tap Campaign by UAC-0063
The threat actor is conducting a spearphishing campaign to deliver malicious attachments, maintain persistence, and establish command and control.
Engage Report: Double-Tap Campaign – Espionage in Central Asia
- A malicious macro in the initial Word document creates a second blank document and weaponizes it with another malicious macro.
- The second macro creates a scheduled task named “SettingsService Dispatch” using RegisterTaskDefinition.
- This task executes an HTA file containing the HATVIBE backdoor every four minutes using mshta.exe.
Engage Report: APT32 GitHub Poisoning Attack
- The attacker, suspected to be the OceanLotus group (APT32), created a GitHub account and disguised it as a security researcher from a leading Chinese FinTech company.
- The attacker forked various security tool projects on their homepage to reduce victims’ vigilance.
- The attacker published two malicious poisoning projects containing plugins for Cobalt Strike, a red team tool commonly used by Chinese red teams, advertised as adding new exploit functions.
- The attacker embedded a malicious .suo file into a Visual Studio project.
- When the victim compiles the Visual Studio project, the Trojan will execute automatically.