fbpx
Share on:

It’s award season! Time to recognize the cliffhangers that keep us on the edge of our seats, the head-scratching mysteries, and the whodunits that have us glued to our screens late into the night wondering what’s hiding in the dark. Movies? No. This isn’t about the good, just the bad and the ugly: cyberattacks. It’s time for the first annual Blumira Awards—no tuxedo required. 

In 2023, Blumira collected 8.3PB of logs from 7,121 customers and detected 60,104 cyberthreats. The Blumira Awards nominating committee did a lot of work identifying this year’s contenders and choosing the winners – but it’s possible they’d still be sorting through the data if they were using any other SIEM. That’s because Blumira stacks evidence into relevant findings. While the platform detected 59,427,008 pieces of evidence, the data was consolidated into 393,424 findings (alerts), significantly reducing alert fatigue for users. 

Some of the threats we detected represent high levels of creativity, while others showed the tenacity of villains who are committed to their craft. The Blumira Awards shine a spotlight on threats that displayed exceptional nastiness, stealth, staying power, and ingenuity. This year’s awards recognize outstanding contributions in eight categories, including Worst Picture, Most Stealthy, Small-Time Indie, Feature Short, Noir Chiller, and the Blumira Gotcha Award as well as the Lifetime Achievement Award and Rookie of the Year. 

There will be no red carpet, no after parties, and no statuettes. However, our hope is that these awards bring extra attention to all of the winners and nominees. In reality the Blumira Awards belong to those who are working every day to detect and thwart cyberattacks. So feel free to raise a glass in their honor.

Trophy with "Worst Picture" written on it, with a surprised hedgehog standing to the right.

Worst Picture 

Our first award goes to 2023’s most malicious cyberthreat. Contenders in the Worst Picture category stand out for being exceptionally capable of inflicting costly and time consuming damage. We present to you the digital equivalent of an action blockbuster with an unlimited pyrotechnic budget. These hits were big, and only fast detection was going to prevent them from being a flaming disaster. The envelope please! 

The nominees for Worst Picture are:

  1. Cobalt Strike – 365 findings in 7 organizations
  2. CVE-2023-23397: Microsoft Outlook Privilege Escalation – 295 findings in 55 organizations
  3. Potential IIS Webshell Activity – 749 findings in 39 organizations

And the award goes to… Potential IIS Webshell Activity, a sophisticated technique that involves the manipulation of the Internet Information Services (IIS) web server. Once inside, the web service process known as w3wp.exe is exploited to spawn unauthorized child processes like cmd.exe or powershell.exe. From Exchange vulnerabilities to the MoveIt vulnerability, attackers have been using this technique to exploit different vulnerabilities in IIS. 

Potential IIS Webshell Activity is considered especially damaging because it allows attackers to maintain persistent access and control over the compromised servers, enabling them to execute arbitrary commands, steal sensitive information, and further penetrate the network. If not detected quickly, it could result in significant data breaches, extended periods of downtime for affected systems, and potentially severe financial and reputational damage to the targeted organization.

Congratulations to Potential IIS Webshell Activity, a particularly nasty cyberthreat that was nonetheless thwarted by Blumira SIEM+XDR. Detecting and containing this year’s Worst Picture nominees is a testament to the dedication of every user, network administrator, and security expert working to protect our digital world.

Trophy with "Most Stealthy" written on it, with two ninja hedgehogs on either side.

Most Stealthy

The nominees in this category weren’t easy to track down. Their ability to disguise their presence within a customer environment put the ingenuity of Blumira cyber threat detection to the test. Each nominee demonstrated remarkable cunning that allowed them to lurk in the shadows of digital domains. But we found them, and it’s time they get the spotlight they deserve. The envelope please!

The nominees for Most Stealthy are:

  1. Kerberoast attack behavior –  8 findings in 8 organizations
  2. SYSVOL Enumeration of Saved Credentials – 32 findings in 6 organizations
  3. Honeypot Anonymous FTP Authentication Attempt – 850 findings in 155 organizations

And the award goes to… SYSVOL Enumeration of Saved Credentials. This sneaky technique involves attackers targeting the SYSVOL folder on Windows domain controllers where Group Policy Objects (GPOs) are stored. This directory can sometimes contain scripts or configuration files with embedded credentials used for automatic deployment or maintenance tasks. Attackers are using this technique to extract plain text passwords, hashed passwords, and other sensitive information which can be used to escalate privileges and move laterally within a network. 

What makes SYSVOL Enumeration of Saved Credentials difficult to detect is the legitimate access patterns to the SYSVOL folder; since administrators and systems regularly access this folder for genuine configuration and policy application purposes, malicious activity can easily blend in with normal operations. Because of its stealth, it’s able to bypass conventional security measures and maintain undetected presence within an environment, potentially leading to unauthorized access to sensitive areas and data exfiltration over time.

While we’re in awe of the remarkable stealth shown by this year’s winner, the Blumira SIEM+XDR was able to detect SYSVOL Enumeration of Saved Credentials in an average of 18 seconds. Cybercriminals will no doubt continue to perfect their cloaking devices, a reminder to every cybersecurity professional that we must remain ever vigilant.

Small-Time Indie 

The Small-Time Indie award goes to a cyberthreat for niche audiences. Blockbuster threats often get all the publicity, allowing some of these limited-release attack techniques to fly under the radar. We want to make sure they get the attention they deserve. Because you don’t need to be a big-budget production to cause big-time disruption. The envelope please! 

The 2024 nominees for Small-Time Indie are:

  1. Cisco IOS: CVE-2023-20198 – Web UI Privilege Escalation Vulnerability – 6 findings in 6 organizations
  2. AWS GuardDuty EC2 Medium Impact Network Anomaly – 32 findings in 8 organizations
  3. Fortigate: SSL-VPN pre-auth RCE CVE-2022-42475 – 12 findings in 7 organizations

And the award goes to… Cisco IOS: CVE-2023-20198 – Web UI Privilege Escalation Vulnerability. This small-time vulnerability involves a security flaw within the web-based management interface of Cisco IOS and IOS XE Software that allows authenticated, remote attackers to escalate their privileges on an affected device. Attackers are using this technique to gain elevated privileges that they were not authorized for, enabling them to execute commands, modify configurations, or potentially access sensitive information that should be restricted. 

What makes the CVE-2023-20198 vulnerability difficult to detect is the exploitation of legitimate functionalities of the web UI by authenticated users, making the malicious activities blend in with normal user actions and thus, harder to identify as anomalous. Because of its stealth, it’s able to subvert security controls and provide attackers with increased capabilities within the network, potentially leading to a full compromise of the affected system.

This year’s Indie award winner can now emerge from the shadows into the bright light of day and be recognized for the nasty little threat it is. A testament to cybersecurity teams everywhere who know that every anomaly deserves a serious look.

Feature Short

The Feature Short category honors bite-sized cybersecurity threats that come and go in a flash. While they make their appearance with all the fanfare of a serious detection, these threats are so easily resolved, they can be gone as quickly as an unnamed background character in a scifi. A Feature Short is the detection that can be resolved within moments of detection. Let’s see who the winner is. The envelope please! 

The nominees for Feature Short are:

  1. Potential Cleartext Password on Local System – 4,820 findings in 607 organizations
  2. RDP Connection from Public IP – 4,800 findings in 48 organizations
  3. Duo User Account Lockout – 2,600 findings in 115 organizations

And the award goes to… Potential Cleartext Password on Local System, the detection of files that may contain passwords. With only a staggering 10.6% false positive rate, let’s make this quick—this threat can be resolved simply by addressing the suspect file.

Potential Cleartext Password on Local System reminds us that some threats can be a flash in the pan with a comprehensive solution like Blumira SIEM+XDR. Experts at Blumira provide vital knowledge and support to help users understand how to handle different types of threats.

Trophy with "Noir Chiller" written on it, with a detective hedghog and a police hedgehog standing on either side.

Noir Chiller

Put on your fedora and grab your flashlight because we’ll be out on the mean streets for this next award category. The Noir Chiller award goes to attackers who strike in the dead of the night—or on weekends—while the city sleeps. These techniques are used by cybercriminals who are hoping to gain the advantage of time so they can creep around in the shadows of a vulnerable network. Meet this year’s night owls and weekend warriors. The envelope please!

The nominees for Noir Hit of the Year are:

  1. Anomalous Server Path Access – 895 findings in 14 organizations
  2. Failed Attempt at Single Factor Powershell Authentication – 562 findings in 34 organizations
  3. Password Spraying – 3,990 findings in 188 organizations

And the award goes to… Password Spraying. Password spraying refers to a brute force attack method where attackers use a common password (or a list of common passwords) against many user accounts before moving on to another password to avoid account lockouts. Attackers are using this technique to gain unauthorized access to multiple accounts across a network without triggering security mechanisms designed to lock out users after a few failed login attempts. 

What makes password spraying difficult to detect is its low-and-slow attack pattern, which mimics legitimate login attempts across the user base over extended periods, thereby evading detection by traditional account lockout policies and anomaly detection systems. Because of its stealth, it’s able to compromise accounts with weak or commonly used passwords, eventually leading to unauthorized access to sensitive systems and data, often without raising immediate alarms.

The Noir Chiller award is becoming a challenging category for threats to compete in as automated solutions like Blumira SIEM+XDR make it increasingly difficult for off-hours attacks to go undetected. This group of detections can cause a lot of noise, making it seem like the entire internet is trying to break down your door. However, Blumira resolves 84% of them with Dynamic Blocklist functions, meaning it’s not something you’ll need to hear about every time.  We congratulate this year’s winner for keeping up in what looks to be a dying genre.

Trophy with "GOTCHA" written on it. Hedgehog in a suit and sunglasses stands to the left, with another hedgehog taking a photograph on the right.

Gotcha Award

The Gotcha award recognizes extremely fast detection of suspicious activity. Like the story of an actor who goes from restaurant work to stardom overnight, these honorees got noticed as soon as they arrived in town. This year’s winner of the Gotcha Award certainly had no intention of gaining notoriety so quickly, but now we’re ready to welcome them to center stage. The envelope please!

The nominees for the Gotcha Award are:

  1. Microsoft 365: Malicious URL Click Alert – 1,210 findings in 289 organizations
  2. Advanced IP Scanner – 2,140 findings in 447 organizations
  3. COMSPEC Service Execution – 23 findings in 6 organizations

And the award goes to… Advanced IP Scanner, an action-packed tale of deception, mistaken identity, and lightning reflexes. The plot involves a user accidentally downloading malicious software, believing it to be a legitimate network scanning tool. But Blumira was able to alert security in under two minutes that something was amiss. As the intruder began reconnaissance and lateral movement across the network, the security team was already working on their response. 

Congratulations to Advanced IP Scanner, the winner of this year’s Gotcha Award, for reminding the cyber world of the incredible value of early threat visibility. Quick action on this threat enabled internal security to minimize damage, and allowed Blumira to alert customers to look out for this threat on their systems. 

Trophy with "Lifetime Achievement" written on it. A hedgehog in a tuxedo stands to the left, and a hedgehog in a dress stands to the right.

Lifetime Achievement Award

Some cyberthreats feel like they’ve been around since the advent of the computer. Others keep re-emerging like undead zombies. The Blumira Lifetime Achievement Award recognizes threats that never seem to go away, even when we keep yelling at the screen, “No! Don’t go into that room!” These are threats that should be routine to detect and address for those who know what they’re looking for, but this year’s nominees may well be with us again next year. The envelope please!

The nominees for Lifetime Achievement are:

  1. Null session activity – 1,580 findings in 206 organizations
  2. Net recon commands – 205 findings in 40 organizations
  3. Suspected RDP Over Reverse Tunnel – 331 findings in 101 organizations

And the award goes to… The Null Session; logging into a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system. Once an attacker has made a NetBIOS connection using a null session to a system, they can walk away with a popcorn bucket full of information including a list of all the usernames, groups, shares, permissions, policies, and services using the Null user account. Cybersecurity experts have been seeing Null Session exploitation year after year, and the recommended solution is always the same: “Disable your null sessions to reduce your attack surface!” 

Null Session is nothing if not persistent. Winning the Lifetime Achievement award requires tenacity and a belief that there’s always an opportunity to exploit a tried-and-true vulnerability. While Blumira is always on the lookout for newest and freshest threats, this award winner reminds us that old techniques never seem to go out of style.

Trophy with "Rookie of the Year" written on it, with a hedgehog in a baseball uniform standing next to it.

Rookie of the Year

And finally, we’re thrilled to announce the 2023 Blumira Rookie of the Year. This award goes to the most exciting new cybersecurity threat. These previously unknown contenders exploded onto the scene with a staggering number of new findings, clearly on a quest to make a name for themselves. Rookie of the Year is shaping up to be one of our most popular award categories as attackers continue to innovate new ways of breaking into every shape and size of digital environment. The envelope please!

The nominees for Rookie of the Year are:

  1. Emerging Threat – CVE-2023-21554 QueueJumper – Accepted External Connection to mqsvc.exe – 43 findingsin 8 organizations
  2. Emerging Threat – 3CX Desktop App – Compromised Hashes – 74 findings in 4 organizations
  3. Emerging Threat – MOVEIt Indicator of Compromise – 21 findings in 6 organizations

And the award goes to…QueueJumper, one in a series of vulnerabilities in Windows Message Queuing (MSMQ). By exploiting this vulnerability on a server where MSMQ is enabled, an attacker can use TCP port 1801 to execute code remotely and without authorization — effectively taking over the server.

Congratulations to our up-and-coming star, CVE-2023-21554 QueueJumper – Accepted External Connection to mqsvc.exe, who reminds us of the need to continually tune our detections so we can catch the very latest in threat activity.

# threat hunting, awards, detections

Security news and stories right to your inbox!