One Article Review

Source: Anomali
Identifier: 2562365
Publication date: 2021-03-30 17:07:00 (viewed: 2021-03-30 18:05:31)
Title: Anomali Cyber Watch: Malware, Phishing, Ransomware and More.
Text: The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: BlackKingdom, Chrome extensions, Microsoft, REvil, PurpleFox, phishing, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google removes privacy-focused ClearURLs Chrome extension (published: March 24, 2021)

Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users' names and passwords, while others stole financial data. Spoofed extensions posing as legitimate ones were common; among them was a fake 'Postman' extension harvesting companies' API credentials in order to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools or threat intelligence systems. Malicious extensions have been used in campaigns before: in 2020, researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of those malicious extensions.

Analyst Comment: This story illustrates the complexities of modern life, as Google is a monolithic corporation that is integrated into everyone's daily lives, both personal and business. While many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google's policies and usage of your data are not malicious and are perfectly legal, but you are giving up your information. If something is free, you are the product.

Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL

Purple Fox Malware Targets Windows Machines With New Worm Capabilities (published: March 24, 2021)

Purple Fox, which first appeared in 2018, is an active malware campaign that targeted victims through phishing and exploit kits; it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute-force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute forcing, and the addition of a rootkit that allows the actors to hide the malware on a machine, making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server running IIS version 7.5. It was very active in spring and summer 2020 before going quiet and then ramping up activity in early 2021.

Analyst Comment: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe).

MITRE ATT&CK:
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.