Threat Intelligence Content Updates

Threat Intel Content Update: 10/1/24

Written by Tidal Cyber | Oct 1, 2024 4:00:00 PM

Vanilla Tempest, Vice Society, Azure Storage Explorer & AzCopy, Flax Typhoon, Raptor Train, Void Banshee APT, OilRig

Threat Objects & Tags

    • Vanilla Tempest, a ransomware actor overlapping with “Vice Society”, recently found to be targeting U.S. victims with INC Ransomware

    • Legitimate utilities abused by ransomware actors for cloud data theft: Azure Storage Explorer & AzCopy

    • New Tags & Relationships added for Chinese espionage actor Flax Typhoon to reflect the group’s recently reported use of a massive IoT botnet dubbed Raptor Train

    • Campaign by the Void Banshee APT that featured zero-day exploits of two vulnerabilities in legacy web browser components

    • 2 newly identified backdoors (Spearal and Veaty) used by Iranian espionage actor OilRig

Threat Profiles:

  • Monthly “Tidal Trending Techniques” curated Threat Profile update. Several well-worn techniques, such as Acquire Infrastructure: Domains, Archive via Utility, and Exfiltration to Cloud Storage, saw especially high reporting volumes last month and made it into this month’s update. This provides an opportunity to reconfirm defensive measures around even popular attacker methods, or to close gaps if you haven’t recently addressed these particular behaviors.

  • Updated the Red Canary Top Techniques curated Threat Profile with the 10 Techniques from the team’s first-ever “midyear update” to its annual Threat Detection Report. Email Hiding Rules (T1564.008) was newly added to the shortlist, while Cloud Accounts (T1078.004) and Email Forwarding Rule (T1114.003) saw especially large increases in observations.

  • Curated a new Red Canary Top Threats profile, featuring objects reflecting the 10 groups & software highlighted in the midyear update (3 MITRE-sourced objects and 7 objects authored by Tidal’s Adversary Intelligence team). The profile can be added to user tenants on request.