Threat Intelligence Content Updates

Threat Intel Content Update: 10/30/24

Written by Tidal Cyber | Oct 30, 2024 4:00:00 PM

Salt Typhoon, Exploit Public-Facing Web App, PowerShell, Data Encrypted for Impact


Threat Objects & Tags

New object & Technique Relationships for China-backed espionage group Salt Typhoon, which gained recent attention for reports of its targeting of U.S. telecom companies.

  • Few technical details were reported about the group’s recent attacks, but we published two Campaigns for groups thought to overlap with Salt Typhoon: GhostEmperor & FamousSparrow. Interested users should use these objects in Threat Profiles (Groups do not inherit Campaigns' Techniques in Threat Profiles).

  • Custom weightings could be applied based on the recency of each Campaign (our approach) and/or users' confidence in the overlap between threat clusters reported by different vendors.

  • Surface additional Techniques related to other, similar groups by visiting the Groups List page (“Groups” in the lefthand nav menu) and filtering on metadata like Attribution Country == China, Motivation == Cyber Espionage, and Observed Sectors == Telecommunications. Use Groups' References tabs to evaluate which groups are likely to have been active more or less recently (each of the Groups published by Tidal (Source == Tidal Cyber) was added in 2024, and others like Volt Typhoon, Aquatic Panda, & APT41 have been updated within the past year).
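As an added illustration of the weighting idea in the bullets above (an example written for this page, not Tidal's own formula or code), the function below scores Techniques across Campaigns by a recency decay multiplied by the analyst's confidence that the reported cluster overlaps Salt Typhoon. The campaign years, confidence values and Technique lists are constructed samples, not real attribution.

```python
from dataclasses import dataclass


@dataclass
class Campaign:
    name: str
    year: int
    overlap_confidence: float  # analyst's 0..1 confidence the cluster overlaps the target group
    techniques: list[str]      # ATT&CK technique IDs observed in this campaign


def recency_weight(year: int, current_year: int, half_life_years: float = 2.0) -> float:
    """Exponential decay: a campaign half_life_years old counts half as much as a current one."""
    age = max(0, current_year - year)
    return 0.5 ** (age / half_life_years)


def weighted_techniques(campaigns: list[Campaign], current_year: int = 2024) -> dict[str, float]:
    """Sum recency * confidence over every campaign that reports a technique.

    Returns techniques ordered by descending score (ties broken by ID) so the
    top of the dict is what a Threat Profile should prioritise first.
    """
    scores: dict[str, float] = {}
    for c in campaigns:
        w = recency_weight(c.year, current_year) * c.overlap_confidence
        for t in c.techniques:
            scores[t] = scores.get(t, 0.0) + w
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample data: years, confidences and technique lists are illustrative only.
SAMPLE_CAMPAIGNS = [
    Campaign("GhostEmperor campaign (constructed)", 2021, 0.6, ["T1190", "T1059.001", "T1014"]),
    Campaign("FamousSparrow campaign (constructed)", 2024, 0.8, ["T1190", "T1505.003"]),
]

if __name__ == "__main__":
    for technique, score in weighted_techniques(SAMPLE_CAMPAIGNS).items():
        print(f"{technique:<10} {score:.3f}")
```

Techniques reported by both clusters (here T1190) rise to the top, while those seen only in an older, lower-confidence campaign are retained but down-weighted rather than dropped.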

Threat Profiles: Monthly updates to Tidal’s curated “Major & Emerging Ransomware & Extortion Threats” and “Tidal Trending Techniques” Threat Profiles

  • A large relative increase in overall reporting volumes last month means that many commonly observed Techniques (e.g. Exploit Public-Facing Web App, PowerShell, Data Encrypted for Impact) appear in this month’s Trending Techniques update: a great opportunity to double-check coverage against even mainstay attacker behaviors!