CTI Roundup: Cisco Talos Q2 IR Trends Report, New GenAI Scams on the Horizon
Cisco Talos releases its Q2 IR trends report, ransomware groups target ESXi flaw, and scammers exploit GenAI in domain registration and network attacks
This week, CTI provides key takeaways from Cisco Talos’ latest IR trends report covering the second quarter of 2024. Next, CTI investigates a recent warning from Microsoft which details how ransomware groups are exploiting a VMware ESXi authentication bypass vulnerability. Finally, CTI looks at Palo Alto’s latest report which dives into how domain registration and network attacks associated with terms related to GenAI have started to evolve.
1. Cisco Talos releases its Q2 IR trends report
Cisco Talos released its latest IR trends report, covering various themes and observations from their engagements during the second quarter of 2024. The report reveals that business email compromise (BEC) and ransomware remain top threats, together accounting for 60% of their engagements.
Increased targeting of the technology sector
The technology sector was targeted in 24% of engagements during the second quarter, making it the top area of focus for threat actors — ahead of retail, healthcare, pharmaceuticals, and other verticals.
Cisco Talos discovered a 30% increase in engagements impacting the technology sector when compared to the first quarter. They also point out that threat actors may see organizations within the technology sector as “gateways into other industries and organizations given their significant role in supplying and servicing a wide range of sectors.”
BEC surge continues
Unsurprisingly, BEC continues to be quite prominent. This aligns with the fact that the use of valid credentials was found in 60% of engagements for the quarter, a 25% increase from the last quarter.
Ransomware trends
Cisco Talos observed ransomware across 30% of their engagements during the second quarter, representing a 22% increase from the previous quarter.
Cisco Talos also observed the Mallox and Underground Team ransomware groups for the first time, alongside previously seen ransomware families like Black Basta and BlackSuit.
Cisco Talos notes that 80% of the ransomware engagements “lacked proper MFA implementation on critical systems, such as virtual private networks (VPNs), playing a role in allowing adversaries to gain initial access.”
On the rise: Network device targeting
In addition to an increase in ransomware attacks, Cisco Talos saw an increase in network device targeting which accounted for 24% of their engagements. This activity includes tactics like password spraying, vulnerability scanning, exploitation, and more.
Initial vectors
The use of valid but compromised accounts was the top way threat actors gained initial access in the second quarter.
This was up 25% from the previous quarter. The next top initial access method was the exploitation of public-facing applications.
Security weaknesses
The top two security weaknesses include vulnerable or misconfigured systems and a lack of MFA. These two weaknesses have appeared in many trend reports over the last several quarters. Vulnerable systems directly correlate to the high number of successful exploitations.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Many of the items mentioned in this report are ongoing trends from previous quarters, like vulnerable systems and a lack of MFA being top security weaknesses.
What’s most interesting is that the technology sector was the most heavily targeted in their engagements. As the report mentions, threat actors are increasingly targeting technology firms to gain access to other organizations. This trend aligns with the increase in supply chain attacks that have been occurring.
2. Ransomware groups target ESXi flaw
Microsoft has issued a warning indicating that ransomware groups are actively exploiting a VMware ESXi authentication bypass vulnerability.
The recently patched flaw is being used to gain elevated permissions and carry out infection chains that result in malware and Black Basta ransomware deployments.
About CVE-2024-37085
CVE-2024-37085 was discovered by Microsoft researchers and patched in ESXi 9.0 U3 on June 25.
The vulnerability, if exploited, enables a threat actor to create an “ESX Admins” group and add a new user, thus having full admin privileges to the hypervisor.
Microsoft took a closer look at the vulnerability and found that “VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default.”
Increased targeting of ESXi hypervisors
Microsoft, along with many others, has noticed an increase in ransomware actors targeting ESXi hypervisors over the last several months.
What’s more, there are several ransomware actors that are now selling ESXi encryptors. Microsoft notes that the number of IR engagements they’ve done that involved ESXi hypervisors has more than doubled in the last three years.
Storm-0506 deploys Black Basta ransomware
Microsoft shared an example of an incident from earlier this year in which an organization was infected with Black Basta ransomware that was deployed by an actor tracked as Storm-0506. The actor exploited the vulnerability for privilege elevation to the ESXi hypervisors.
- This attack began with a QBot infection.
- The actor then moved on to exploit a Windows CLFS vulnerability from last year to elevate privileges on that device.
- Other tools were used to steal domain admin credentials to laterally move to four other domain controllers.
- After installing various mechanisms for persistence, attempting to brute force RDP connections, and tampering with Microsoft Defender, the actor then created the “ESX Admins” group in the domain.
- A new user was then added to this new group, quickly followed by encryption of the ESXi file system.
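The last two steps of this chain leave a trail in domain controller Security logs, and the following added example (not code from Microsoft, Cisco Talos, or Tanium) shows one way to alert on it. The event records are constructed, the one-JSON-object-per-line export shape and the one-hour correlation window are assumptions, and the field names follow the Windows Security event schema for group-management events.

```python
import json
from datetime import datetime, timedelta

# Windows Security event IDs for security-enabled groups (global, local, universal).
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
WATCHED_GROUP = "esx admins"       # compared case-insensitively
WINDOW = timedelta(hours=1)        # assumed correlation window, tune per environment

# Constructed sample: one JSON object per line, as a log pipeline might export them.
SAMPLE_EVENTS = """
{"time": "2024-07-01T01:50:00", "id": 4728, "TargetUserName": "Helpdesk", "SubjectUserName": "alice", "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"}
{"time": "2024-07-01T02:14:05", "id": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup"}
{"time": "2024-07-01T02:15:40", "id": 4728, "TargetUserName": "esx admins", "SubjectUserName": "svc-backup", "MemberName": "CN=tmpuser,CN=Users,DC=corp,DC=example"}
{"time": "2024-07-03T09:00:00", "id": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "carol", "MemberName": "CN=dave,CN=Users,DC=corp,DC=example"}
"""

def detect_esx_admins_activity(text):
    """Return alerts for creation of, or additions to, a group named 'ESX Admins'."""
    alerts, created_at = [], None
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("TargetUserName", "").strip().lower() != WATCHED_GROUP:
            continue  # unrelated group activity
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] in GROUP_CREATED:
            created_at = ts
            alerts.append({"rule": "group_created", "severity": "high",
                           "time": ev["time"], "actor": ev["SubjectUserName"]})
        elif ev["id"] in MEMBER_ADDED:
            # A member added shortly after creation matches the sequence in the report.
            fresh = created_at is not None and ts - created_at <= WINDOW
            alerts.append({"rule": "member_added",
                           "severity": "critical" if fresh else "medium",
                           "time": ev["time"], "actor": ev["SubjectUserName"],
                           "member": ev.get("MemberName", "")})
    return alerts

if __name__ == "__main__":
    for alert in detect_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```

Additions to a long-standing “ESX Admins” group still alert at a lower severity, since every member of that group is treated as a hypervisor administrator.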
Analyst comments from Tanium’s Cyber Threat Intelligence team
Microsoft notes that attacks targeting ESXi hypervisors are on the rise. This is something researchers have seen across the threat landscape for the past several months, if not more, and is something that is likely to continue in the near future.
Microsoft has identified three different tactics that actors are using to exploit this VMware ESXi vulnerability and has shared various mitigation and protection strategies that are worth exploring.
3. Scammers exploit GenAI in domain registration and network attacks
Palo Alto recently took a deep dive into the evolution of domain registration and network attacks associated with terms related to GenAI.
The organization analyzed registered domains containing words related to GenAI to uncover patterns and carried out a few case studies that outline several different attack types leveraging these domains.
GenAI-related domain registration
Palo Alto observed roughly 225 GenAI-related domains being registered every single day since November 2022. Not all newly registered domains (NRDs) are malicious or suspicious, so Palo Alto attempted to differentiate between the two. Domains in the “suspicious” category include those used for C2, ransomware, malware, phishing, and grayware.
Upon taking a closer look at the domains being registered, Palo Alto found a few textual patterns. They split these patterns up based on the keywords, finding that more than 72% of the domains use keywords associated with popular AI apps. The most abused keyword was overwhelmingly “gpt.”
GenAI-related DNS traffic
Palo Alto also looked at the traffic to these domains to understand the impact. What they found was a general upward trend for traffic overall related to GenAI, 35% of which appears to be directed toward suspicious domains.
Network abuse case study
Palo Alto outlined various ways that a threat actor could take advantage of the general interest in GenAI via these newly registered domains.
One way is through the delivery of potentially unwanted programs (PUPs). In one campaign Palo Alto observed 13 registered domains that contained the word “chatgpt” and all followed a similar naming pattern. Visitors to the domain were directed to a proxy service that asked the user to register and purchase credits to continue.
These domains are also being used for general spam distribution and monetized domain parking. With monetized domain parking, a threat actor will register domains they believe will be popular and generate traffic. Then they link the domains to monetized parking platforms. This converts each visit to revenue.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Threat actors are known for launching attacks around trending topics — and gen AI is the latest example. This trend is likely to continue as the AI/LLM topic continues to evolve.
Palo Alto notes that the “high suspicious percentage of these new domains underscores the necessity for proactive detection against network attacks leveraging GenAI-related keywords.”