One Article Review

Home - The article:
Source Anomali
Identifier 2103278
Publication date 2020-10-06 14:00:00 (viewed: 2020-12-15 21:05:33)
Title Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More
Text The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities, and XDSpy. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Grindr Fixed a Bug Allowing Full Takeover of Any User Account (published: October 3, 2020)

Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, who found that the reset token was leaked in the page's response content. This would enable anyone who knows a user's email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program.

Recommendation: If your account has been breached, you can reset the password using the reset link sent to the associated email address.

Tags: Browser, Exposed tokens, Grindr, Sensitive Info

XDSpy: Stealing Government Secrets Since 2011 (published: October 2, 2020)

Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. ESET dubbed the group "XDSpy" and was unable to identify any code similarity or shared infrastructure with other known groups; it believes the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. XDSpy mainly uses spearphishing emails with some variance: some contain attachments, others contain links to malicious files, usually a ZIP or RAR archive.

When the malicious file has infected a victim, it installs "XDDown," a downloader that in turn installs additional plugins that exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using CVE-2020-0968 (an Internet Explorer legacy JavaScript vulnerability), bearing some resemblance to DarkHotel campaigns and Operation Domino; ESET does not believe these campaigns are related, but they may be using the same exploit broker.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery
Sent Yes
Tags Ransomware Malware Vulnerability Threat Medical
Stories APT 38
Rating ★★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.