There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Remote-work security can be as strong as in-office security when proper controls are in place, and simply returning to a physical office is not a guaranteed fix for cybersecurity gaps. The piece highlights how legitimate remote-management tools like AnyDesk and TeamViewer can be abused for initial access or command and control, argues for universal MFA and modern credential strategies, and cites high-profile threats and supply-chain incidents to illustrate ongoing risk. Hashtags: #Lapsus$ #RockstarGames #GTA6 #APT31 #AnyDesk #xzUtils

Keypoints

  • Security should be consistent across locations; returning to an office does not inherently fix security gaps.
  • Use app-based MFA universally and prefer passkeys or physical tokens over text passwords.
  • Remote management tools (e.g., AnyDesk/TeamViewer) can be legitimate but are frequently repurposed for initial access or surveillance by adversaries.
  • Adopt 1–2 approved remote management solutions and ban others; use detection rules as a backup.
  • The APT31 case shows extensive espionage activity with thousands of malicious emails and sanctions against entities linked to the group.
  • A silent Linux backdoor risk existed via supply-chain updates to xz Utils (CVE-2024-3094); downgrading software was advised.
  • There is a significant backlog of vulnerabilities in national inventories (NVD/NIST), underscoring ongoing defensive gaps.
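One way to implement the "approve one or two remote-management tools, detect the rest" advice above, as an added example that is not code from the newsletter or from Talos: the approved set, the key=value event format and the sample process-creation lines are all constructed assumptions.

```python
"""Allowlist detection for remote-management (RMM) tool launches (constructed example)."""
import re
from pathlib import PureWindowsPath

# Assumption: exactly one RMM product is sanctioned (the 1-2 approved tools advice).
APPROVED_RMM = {"teamviewer.exe", "teamviewer_service.exe"}
# Well-known RMM executables to watch for (sample list, not exhaustive).
KNOWN_RMM = APPROVED_RMM | {"anydesk.exe", "anydeskmsi.exe"}
# Where a sanctioned, admin-installed copy is expected to live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one 'k=v k="v with spaces"' event line into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def evaluate(event):
    """Return (rule, detail) findings for one process-creation event."""
    image = event.get("image", "")
    name = PureWindowsPath(image).name.lower()
    if name not in KNOWN_RMM:
        return []
    if name not in APPROVED_RMM:
        return [("unapproved_rmm", name)]          # banned tool: always alert
    if not image.lower().startswith(TRUSTED_DIRS):
        # Approved tool launched from a user-writable path: backup signal.
        return [("rmm_unusual_path", image)]
    return []

def scan(lines):
    """Apply the rules to many lines; return [(host, user, rule, detail)]."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule, detail in evaluate(ev):
            findings.append((ev.get("host"), ev.get("user"), rule, detail))
    return findings

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    r'ts=2024-04-04T10:01:02Z host=ws-17 user=alice image="C:\Program Files\TeamViewer\TeamViewer.exe" parent=explorer.exe',
    r'ts=2024-04-04T10:03:45Z host=ws-22 user=bob image="C:\Users\bob\AppData\Local\Temp\AnyDesk.exe" parent=outlook.exe',
    r'ts=2024-04-04T10:05:10Z host=ws-09 user=carol image="C:\Users\carol\Downloads\TeamViewer.exe" parent=chrome.exe',
    r'ts=2024-04-04T10:07:30Z host=ws-31 user=dave image="C:\Windows\System32\notepad.exe" parent=explorer.exe',
]
```

Running `scan(SAMPLE_EVENTS)` flags the AnyDesk launch as unapproved and the TeamViewer copy started from a Downloads folder as an unusual path, while the sanctioned install and an unrelated process produce nothing.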

MITRE Techniques

  • [T1021] Remote Services – AnyDesk/TeamViewer used to gain initial access or spy on user actions. ‘AnyDesk was observed in all ransomware and pre-ransomware engagements [. . .], underscoring its role in ransomware affiliates’ attack chains.’
  • [T1566.001] Phishing – Campaign involved more than 10,000 malicious emails. ‘The campaigns involved more than 10,000 malicious emails, sent to targets in multiple continents, in what it called a “prolific global hacking operation.”’
  • [T1195] Supply Chain – Malicious code hidden in updates to xz Utils; CVE-2024-3094. ‘The malicious code was hidden in two updates to xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems.’

Indicators of Compromise

  • [SHA-256] context – a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91, 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241, and 3 more hashes
  • [MD5] context – 7bdbd180c081fa63ca94f9c22c457376, a5e26a50bf48f2426b15b38e5894b189, and 3 more hashes
  • [File name] context – c0dwjdi6a.dll, RemComSvc.exe, and 3 more files

Read more: https://blog.talosintelligence.com/threat-source-newsletter-april-4-2024/