Weekly Intelligence

May 29th Weekly Attack Surface Attribution Intelligence


This week there were 11 distinct vulnerabilities being discussed across the dark web. Of those, three vulnerabilities can be found in Mitre’s ATT&CK framework. These vulnerabilities can be tied to 36 different Advanced Persistent Threat groups based off of known group tactics, techniques, and procedures (TTPs).

These vulnerabilities currently impact 452,135 distinct instances of deployed technology across the global internet. The majority of these identified vulnerable infrastructure are located in China.


The greatest attack likelihood out of these vulnerabilities is the CVE-2019-0708 (BLUEKEEP) vulnerability which affects multiple Microsoft Windows products. CVE-2019-0708 is a remote code execution vulnerability that exits in Remote Desktop Services. There are two Metasploit exploits for this vulnerability.

In analyzing the TTPs used by the threat actors in the ATT&CK framework, we uncovered 36 specific APT (Advanced Persistent Threat) groups which leverage various TTPs impacting these vulnerabilities.

A close up of a fan

Description automatically generated

For many of these threat actors’, the country of origin is unknown; however, this week the top countries of origin that could be identified are China, Iran and Russia.

A picture containing black, sitting, open, large

Description automatically generated

A survey of global internet infrastructure identified 452,135 instances of deployed infrastructure that are potentially susceptible to these vulnerabilities (CVE-2019-0708, CVE-2020-0796, CVE-2020-13485).

The majority of these vulnerabilities can be found in China, the United States, and Taiwan.

Supply Chain Attack Threats

Of all the groups in action this week, the Chinese Elderwood group was the most active in targeting supply chain operations. This group is most famous for their reported cyber-attack against Google in 2009, known as Operation Aurora. Elderwood primarily leverages spearphishing attacks against supply chain partners, vendors and managed service providers in an effort to gain an initial access into the organization.

Once internal access is accomplished the group then targets remote file copy methods to move malicious files from the compromised supply chain member to the target organization.

Organizations should take extra precautions with monitoring those supply chain partners that use Remote Desktop Protocol (RDP) services to connect to their organization. Our review of dark web forums and Elderwood’s behavioral patterns for attacking an organization indicate that the BLUEKEEP vulnerability (CVE-2019-0708) is likely being used by Elderwood to compromise supply chain actors.

A screenshot of a social media post

Description automatically generated
A close up of a map

Description automatically generated

About Cybeta

Cybeta is a cybersecurity data science firm focused on developing advanced analytics for early indications and warning of potential or emerging cyber-attacks. Our flagship product, Threat Beta, has been independently verified and validated to provide accurate forecasting of future breach exposure.

Cybeta works with various data providers as well as through our own deployment of network sensors to provide a continuous stream of near-real time data for our analytics and prediction engine. By providing corporate executives and government officials with advanced insights into future attack potential, we are enabling organizations to make the shift towards an active defense cybersecurity strategy.

About Our Newsletter

In an effort to further our mission of enabling organizations to take on an active defense cybersecurity strategy, our newsletters is the result of our analytic work which culls dark web forums; collects, aggregates and analyzes internet infrastructure data, vulnerabilities, weaknesses and exploits deployed around the world.

Each week our newsletter will present our findings of which vulnerabilities and exploits were being discussed by hackers, nation states, cyber criminals and information security researchers across the dark web. We map this data to the tactics, techniques and procedures (TTPs) we see in the Mitre ATT&CK framework datasets. 

Where and when it is available, we will also present where we have uncovered these specific vulnerabilities, while not drawing attention to the specific organization owning the vulnerable infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

Cybeta Sentinel will use the information you provide on this form to be in touch with you and to provide updates and marketing.