One Article Review

Source: Anomali
Identifier: 2103280
Publication date: 2020-09-29 14:00:00 (viewed: 2020-12-15 21:05:33)
Title: Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware
Text:

The threat intelligence stories in this iteration of the Weekly Threat Briefing cover the following topics: APT, Cyber Espionage, FinSpy, Magento, Taurus Project and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and give an overview of the threats discussed.

Trending Cyber News and Threat Intelligence

German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed (published: September 25, 2020)

Security researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio and video. Although sold as a law enforcement tool, FinSpy has been used by authoritarian governments to spy on activists and dissidents. The samples spread through fake Flash Player updates; the malware uses exploits to install itself as root and gains persistence by creating a logind.pslist file. Once a system is infected, the malware can run shell scripts, record audio, log keystrokes, view network information, and list files. Samples of FinSpy have been found for macOS, Windows, Android, and Linux.

Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to protect against threat actors, with attention to both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071

Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware

Magento Credit Card Stealing Malware: gstaticapi (published: September 25, 2020)

Security researchers at Sucuri have identified a malicious script, dubbed “gstaticapi,” designed to steal payment information from Magento-based websites. The script first checks whether the browser's URL contains the string “checkout” and, if it does, injects an element into the web page's header. That element gives the script a way to load external code, which is then used to capture billing and payment card information.

Recommendation: Webmasters sometimes discover that one of their sites was compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep to keep pace with the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to restore easily from backup, incident response planning, and customer communication channels should all be established before a breach occurs.

MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Encoding - T1132 T
Tags: Data Breach, Malware, Vulnerability, Threat
Stories: APT 19


The article does not appear to have been re-posted after its publication.


The article does not appear to be a re-post of an earlier one.