Threat Intelligence Content Updates

Threat Intel Content Update: 8/6/24

Written by Tidal Cyber | Aug 6, 2024 4:00:00 PM

Andariel/APT45, Microsoft Threat Intel’s Q2 2024 trends roundup, Match Legitimate Name or Location, Exploitation for Client Execution, Rundll32, Debugger Evasion, and Software Packing

Threat Highlights

  • New Tag: NSTR

  • New Campaign & Metadata Updates - Andariel/APT45: Following major new reports (Mandiant, CISA) on this North Korean state-sponsored group. All 22 Techniques featured in the Campaign are newly associated with Andariel. The group has evolved from mainly carrying out destructive attacks to targeting defense-adjacent entities for espionage purposes, with some activity being funded by ransomware. CISA’s advisory emphasized that Andariel techniques pose an “ongoing threat to various industry sectors worldwide”.

  • New Content and more than a dozen object updates derived from Microsoft Threat Intel’s Q2 2024 trends roundup, which focused on recent ransomware & cybercrime activity. Prominent, established groups like Scattered Spider have recently adopted new ransomware payloads, while newer operations (Fog ransomware) have burst onto the cybercrime scene.

  • Updated Threat Profile: Monthly update to Tidal Trending Techniques: Several of the top 10 techniques this month (e.g. Match Legitimate Name or Location, Exploitation for Client Execution, Rundll32, Debugger Evasion, and Software Packing) were referenced in recent reporting on malicious loaders & versatile remote access trojans (RATs) - specifically, the initial execution phases for these malware, which are specifically designed to evade defenses and give actors a solid foothold within a victim environment.

Defense Highlights

  • New Integrations available

  • Proofpoint Email Security - Get Configuration

  • Microsoft Azure WAF - Get Capabilities

  • Wiz CNAPP - Get Capabilities

  • Palo Alto Networks Next Gen Firewall - Get Capabilities

  • New Vendors & Products

  • Azure Services and Products are now available in the product registry.

  • Mimecast mappings are now available in the product registry.

  • Updated Vendors & Products

  • MDE mappings have been updated with additional capabilities. The "Microsoft Defender for Endpoint (Eric Mannon)" product has been deprecated, and we suggest Enterprise users use the "Microsoft Defender for Endpoint (Integration)" product stub to support future integration points.

  • SIGMA analytics were updated to the latest, and ATT&CK platform mappings were refined for Cloud specific rules.

  • New Tags

  • Integration Type: New tag family to easily find products that have an integration available