One Article Review

Home - The article:
Source Anomali
Identifier 2422682
Publication date 2021-03-02 15:00:00 (viewed: 2021-03-02 15:05:33)
Title Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More
Text We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, together with the associated tactics, techniques, and procedures (TTPs) to empower proactive automated response actions. We hope you find this version informative and useful. If you haven't already subscribed, sign up today so you can receive curated and summarized cybersecurity intelligence events weekly.

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021)

Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, the hypervisor developed by VMware to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host's SSH keys. Before deploying Defray 777, SPRITE SPIDER's ransomware of choice, they terminate running VMs so that the ransomware can encrypt the files associated with those VMs (a VM's disk files are locked by the hypervisor while the VM is running).

CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access gained using low-volume phishing campaigns against that sector. Throughout 2020, however, they were observed shifting focus to "Big Game Hunting" with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over SSH using the Plink utility to drop the Darkside

Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm, and hopefully realize larger profits, than traditional ransomware operations against Windows systems. Should these campaigns continue and prove profitable, we would expect more threat actors to imitate these activities.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 |
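The ESXi intrusion chain summarized above (SSH enabled on the host, a root login over SSH, a burst of VM power-offs so the disk files can be encrypted, then a change to the root account or its keys) is what a detection engineer would want to alert on. The following is an added example, not code from Anomali or from the original CrowdStrike report: a small Python analyzer that scores a host's log lines for that chain. The log lines are constructed and use a simplified, made-up approximation of ESXi syslog output (the `hostd:`/`auth:` sources, the `Task Created : vim.*` task names and the `user=`/`vm=` fields are assumptions for illustration, not verbatim hostd.log or auth.log syntax), so the string patterns would need to be adapted to the real format before use. The same SSH-login stage also catches the CARBON SPIDER path of logging in with valid credentials via Plink.

```python
"""Score ESXi-style log lines for the ESXi ransomware chain described above.

Added example with a constructed, simplified log format; not the format
of real ESXi hostd.log/auth.log lines and not Anomali's or CrowdStrike's code.
"""
import re
from datetime import datetime, timedelta

# One line per event: "<ISO timestamp>Z <source>: <message>" (constructed format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\w+):\s+(?P<msg>.*)$")

# Constructed sample: SSH turned on, root logs in over SSH, five VMs are
# powered off within seconds, then the root account is modified.
SAMPLE_LOG = """\
2021-02-26T10:14:55Z hostd: Task Created : vim.host.ServiceSystem.start TSM-SSH user=administrator@vsphere.local
2021-02-26T10:15:20Z auth: Accepted password for root from 203.0.113.10 port 51544 ssh2
2021-02-26T10:16:01Z hostd: Task Created : vim.VirtualMachine.powerOff vm=fileserver-01 user=root
2021-02-26T10:16:03Z hostd: Task Created : vim.VirtualMachine.powerOff vm=sql-02 user=root
2021-02-26T10:16:05Z hostd: Task Created : vim.VirtualMachine.powerOff vm=dc-01 user=root
2021-02-26T10:16:08Z hostd: Task Created : vim.VirtualMachine.powerOff vm=erp-app user=root
2021-02-26T10:16:10Z hostd: Task Created : vim.VirtualMachine.powerOff vm=backup-proxy user=root
2021-02-26T10:17:30Z hostd: Task Created : vim.host.LocalAccountManager.updateUser account=root user=root
2021-02-26T10:17:45Z hostd: Task Created : vim.VirtualMachine.powerOn vm=dc-01 user=root
"""

# Constructed benign sample: a single maintenance power-cycle, no SSH activity.
BENIGN_LOG = """\
2021-02-26T09:00:00Z hostd: Task Created : vim.VirtualMachine.powerOff vm=test-01 user=vcenter-svc
2021-02-26T09:05:00Z hostd: Task Created : vim.VirtualMachine.powerOn vm=test-01 user=vcenter-svc
"""


def parse_log(text):
    """Parse lines into (timestamp, source, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["msg"]))
    return sorted(events, key=lambda e: e[0])


def analyze(text, window=timedelta(minutes=5), poweroff_threshold=3):
    """Return the chain stages seen in the log and an overall severity.

    A power-off "burst" is poweroff_threshold or more VM power-offs whose
    timestamps fall within `window` of each other; the tuple recorded is
    (start of the burst, number of power-offs in that window).
    """
    findings = {
        "ssh_enabled": [],
        "ssh_root_login": [],
        "poweroff_burst": [],
        "root_account_change": [],
    }
    poweroffs = []
    for ts, src, msg in parse_log(text):
        if src == "hostd" and "ServiceSystem.start TSM-SSH" in msg:
            findings["ssh_enabled"].append(ts)
        elif src == "auth" and msg.startswith("Accepted") and " for root " in msg:
            findings["ssh_root_login"].append(ts)
        elif src == "hostd" and "VirtualMachine.powerOff" in msg:
            poweroffs.append(ts)
        elif src == "hostd" and "LocalAccountManager.updateUser account=root" in msg:
            findings["root_account_change"].append(ts)

    # Sliding window over the (already sorted) power-off timestamps.
    for i, start in enumerate(poweroffs):
        count = sum(1 for t in poweroffs[i:] if t - start <= window)
        if count >= poweroff_threshold:
            findings["poweroff_burst"].append((start, count))
            break

    stages = [name for name, hits in findings.items() if hits]
    if len(stages) >= 3:
        severity = "high"    # most of the chain is present: treat as active ransomware staging
    elif stages:
        severity = "medium"  # a single stage on its own may be legitimate administration
    else:
        severity = "none"
    return {"severity": severity, "stages": stages, "findings": findings}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        result = analyze(log)
        print(f"{name}: severity={result['severity']} stages={result['stages']}")
```

Enabling SSH or powering off a VM is routine on its own, which is why the score rises only when several stages appear together; in a real deployment the window and threshold should be tuned to the host's normal maintenance cadence, and the patterns replaced with the actual hostd and auth log syntax of the ESXi version in use.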
Sent Yes
Tags Ransomware Malware Threat
Stories Wannacry Wannacry APT 29 APT 28 APT 31 APT 34


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of a previous one.