One Article Review

Source: Anomali
Identifier: 2496898
Publication date: 2021-03-17 18:03:00 (viewed: 2021-03-17 19:05:31)
Title: Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlienBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021)

Google has released proof-of-concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine, leaking information from its memory. Spectre targets speculative execution, a feature of modern CPUs, to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.

Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC, which shows that such an attack is practical from JavaScript, emphasises that developers of both software and hardware must be aware of these types of attacks and of the means by which they can be used to invalidate existing security controls.

Tags: CVE-2017-5753

Threat Assessment: DearCry Ransomware (published: March 12, 2021)

A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included the installation of web shells onto affected servers, which could be used to infect additional computers. While the initial attack appears to have been carried out by sophisticated actors, the ease of exploitation and the publicity around these vulnerabilities have led to a diverse group of actors all attempting to compromise these servers.

Analyst Comment: Patch and asset management are critical and often under-resourced aspects of defense in depth. As this particular set of vulnerabilities and attacks targets locally hosted Exchange servers, organizations may want to assess whether a hosted solution makes sense from a risk standpoint.

MITRE ATT&CK: Data Encrypted - T1022 | Exploit Public-Facing Application - T1190 | File and Directory Discovery - T1083 | Email Collection - T1114 | Obfuscated Files or Information - T1027 | System Service Discovery - T1007 | Data Encrypted for Impact - T1486
Tags: Ransomware, Tool, Vulnerability, Threat, Guideline
Stories: Wannacry, APT 41, APT 34


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.