The Uptycs threat research team regularly monitors the latest malware tactics, techniques, and procedures (TTPs) using our threat intelligence sources and systems. Organizations can use this bulletin to evaluate and form a more robust detection and protection posture against the latest threats in Windows, Linux, and macOS platforms.
According to the latest Quarterly Threat Bulletin, Q2 2023 we saw a significant increase in the sophistication and complexity of threats faced by organizations globally. Threat actors and ransomware groups continue to evolve their tactics, techniques, and procedures (TTPs) to evade detection and gain unauthorized access to sensitive data.
In Q2 2023, several prevalent malware campaigns targeted Windows, Linux, and macOS systems. RedLine, AgentTesla, and SnakeKeylogger were the most commonly used malware to target Windows platforms. Mirai and Gfagyt were the most seen Linux-based malware, while Bundlore continues to be widely used on macOS. It is vital for organizations to invest in robust endpoint protection and implement a multi-layered security approach to combat these attacks.
Threat actors continue to abuse system utilities to evade detection, execute code, and maintain persistence on compromised systems. In Q2 2023, the LOLBin—rundll32.exe—was the most abused utility for Windows malware. Additionally, crontab was the most abused utility in Linux, while OpenSSL and curl were prevalent utilities leveraged by Shlayer and Bundlore on macOS. Security teams must monitor the use of these utilities and restrict access when necessary.
Ransomware Activity
Ransomware remains one of the most significant threats to organizations globally, with LockBit identified as the most active ransomware group in Q2 2023, followed by BlackCat and Clop ransomware. FIN7, Lazarus Group, Earth Longzi, APT28, and Kimsuky were other notable threat actors. These groups are highly skilled and use custom malware to evade detection and gain unauthorized access to corporate networks. It is essential to implement a robust backup strategy and test disaster recovery plans regularly to mitigate the impact of a ransomware attack.
Vulnerabilities Exploited
Several critical vulnerabilities were actively exploited during Q2 2023, including CVE-2023-35708, CVE-2023-35036, and CVE-2023-34362 in MOVEit Transfer software. The Cl0p ransomware group exploited these vulnerabilities, allowing them to gain unauthorized access, escalate privileges, and potentially deploy ransomware or other malicious actions.
Other key vulnerabilities/exploits on Windows included Win32k Elevation of Privilege, OLE Remote Code Execution, Secure Boot Security Feature Bypass, and Pragmatic General Multicast (PGM) Remote Code Execution. While on Linux, Use-After-Free in Netfilter nf_tables and Apache RocketMQ Remote Code Execution were notable vulnerabilities. It is critical to keep software and systems updated to patch vulnerabilities promptly.
Download the Full Q2 2023 Bulletin
Download the full Quarterly Threat Bulletin for a more detailed look at the TTPs discussed and specific recommendations from the Uptycs Threat Research Team.