CTI Roundup: CVEs on the Rise, TimbreStealer Malware, and a New Phishing Report

In this week’s roundup, CTI looks at the latest Cyber Threat Index report from Coalition, offering insights into internet security, cyber risk trends, and vulnerabilities. Next, CTI investigates an ongoing phishing campaign that is targeting victims located in Mexico with tax-related lures. Finally, CTI wraps up with an overview of Proofpoint’s annual State of the Phish threat report for 2024.

1. Researchers predict a 25% rise in CVEs

Coalition has released its latest Cyber Threat Index report for 2024, offering insights into recent internet security, risk trends, and vulnerabilities.

Among the key findings, the company predicts there will be a 25% increase in common vulnerabilities and exposures (CVEs) in 2024. Coalition foresees roughly 2,900 monthly vulnerabilities, up from an average of 2,321 in 2023.

About Coalition’s honeypot data

Coalition maintains several honeypots that contain multiple vulnerabilities. They purposely run outdated software, giving them a glimpse into what threat actors are going after.

While Coalition has observed a significant amount of benign traffic going to their honeypots, they have also reported a decent amount of malicious traffic. RDP traffic specifically grew in 2023 with a 59% increase in unique IP addresses scanning for RDPs.

Internet exposed services

Coalition routinely examines the riskiest exposures on the public internet. The company found that open ports remain one of the top risks. Further, port 7547 was the highest scanned in 2023.

Threat actors were observed scanning for certain web services like Apache, Nginx, and IIS and observed exploiting misconfigured remote management tools. Unsurprisingly, threat actors also looked for exposed databases.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Coalition’s findings further support the need for timely patching — a need that is growing more and more important every year.

The company is forecasting an increase in CVEs for 2024. But while it’s important to understand the risk that vulnerabilities pose, it’s equally as important to understand that they are not the only threat facing organizations today.

2. TimbreStealer spreads through phishing emails

A phishing campaign is actively targeting victims in Mexico with financial-related lures. The campaign has been going on since at least 2023 年 11 月 and seeks to distribute a previously unknown malware called TimbreStealer. The threat actor leverages sophisticated obfuscation techniques and makes use of geofencing to single out users of interest.

About the campaign

In this campaign, phishing emails direct victims to a compromised site that hosts a malicious payload. The emails aim to convince victims to execute malicious content.

The campaign is currently only targeting users located in Mexico and does so with the help of geofencing techniques. With this technique, any user trying to access the malicious site that is not located in Mexico will be served a blank PDF document instead of the true malicious document.

What is TimbreStealer?

TimbreStealer is a newly identified information stealer that uses a range of techniques to evade detection and maintain persistence. Some of these techniques include bypassing conventional API monitoring, leveraging the Heaven’s Gate technique, and using custom loaders. Cisco Talos believes that because these features are somewhat sophisticated, the threat actor behind the malware must be skilled.

• After the initial layer is extracted, the malware will perform a check to see if the system is worth targeting and if it is being executed in a sandbox.
• It will then extract many submodules that are embedded in the payload. Of note, Cisco Talos goes into great technical detail about the different layers of malware in their report.
• What’s interesting about this malware is that it executes calls to a function that is used to remove System Restore points on the device. According to Cisco Talos, this activity is usually typical of ransomware malware, but they have yet to observe ransomware activity on the infected devices.

Researchers found several strings within functions that are responsible for scanning files and directories on the victim’s machine. The malware was also found to embed the SQLite library that is needed for different browsers’ credential storage files.

TimbreStealer will scan directories looking for files, but the exact purpose of this action is not yet known. The scanned folders include things related to AdwCleaner, Avast Scanner, 360 Antivirus quarantine, and more. They also identified a set of strings like “.Spotlight-V100” and “.fseventsd” that are related to macOS.

The malware leverages WMI and registry keys to collect information from the victim’s machine. The collected information includes OS information, SMB BIOS information, hardware information, network domain information, and application data.

Previous associated campaign

Cisco Talos has observed the suspected threat actor carrying out new campaigns since at least 2023 年 9 月. In 2023 年 9 月, the actor was distributing a variant of Mispadu, which is a banking trojan. This previous campaign used compromised sites to ultimately deliver a .url file to execute an externally hosted file. The file used a WebDAV file path, and all WebDAV servers were geofenced to only allow connection from IPs in Mexico.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Based on the findings from Cisco Talos, this threat actor was previously distributing the Mispadu banking trojan before pivoting to this new TimbreStealer malware. Outside of the change in malware, the rest of the TTPs remained relatively similar.

That said, it would not be surprising to see this actor pivot yet again to another malware in the near future. Even though this campaign is tailored to target users located in Mexico, it is using a very common phishing theme for this time of year: taxes.

If nothing else, this activity reminds us to be vigilant during tax season and be on the lookout for tax-related lures.

3. Proofpoint releases its 2024 State of the Phish report

Proofpoint has released its annual “State of the Phish” threat report for 2024. The report is based on a survey of 7,500 end users and 1,050 security professionals across several countries coupled with Proofpoint’s own data collected from their products, threat researcher, and simulated phishing messages.

The report highlights how “people are a key part of any good defense, but they can also be the most vulnerable.”

Key findings from Proofpoint’s report

Proofpoint detected and blocked 66 million business email compromise (BEC) attacks on average per month. Their report also reiterates that ransomware is rising, and that Microsoft is still the top impersonated brand.

An interesting statistic shared by Proofpoint comes from their survey of end users and states that “71% of working adults admitted to taking a risky action, such as reusing or sharing a password, clicking on links from unknown senders, or giving credentials to an untrustworthy source. And 96% of them did so knowing that they were taking a risk.”

Security awareness trends

Although 99% of surveyed organizations have a security awareness program, many do not actually drive behavioral change. One of the biggest drivers of this has to do with the topics that are addressed in security awareness training sessions, as they do not often cover the full spectrum of risk.

Proofpoint is also noticing an upward trend in organizations training specific roles/departments (up to 41% from 28% in the previous year) which is a much more targeted approach to training.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Proofpoint has included a lot of other interesting statistics in its report, making it worth reading. They sum up their findings with one point: “Even the best technical defenses can be undermined if users don’t do the basics, such as avoiding suspicious links, verifying the sender’s identity, setting a strong password, and keeping it to themselves.”

In short, training and awareness programs are critical and cannot stay stagnant. They need to be updated regularly with the most up-to-date threats so that users know what to look out for and understand the potential risks. Further, targeted/tailored security awareness training is crucial in taking your organization’s program to the next level.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.