One Article Review

Home - The article:
Source: Anomali
Identifier: 2631341
Publication date: 2021-04-13 15:49:00 (viewed: 2021-04-13 16:05:30)
Title: Anomali Cyber Watch: Android Malware, Government, Middle East and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Iran’s APT34 Returns with an Updated Arsenal (published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try to avoid detection. They have created several different malware variants whose ultimate purpose remains the same: to gain an initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and updating the tools used to carry out attacks. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, Government, Middle East

New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to the victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information, or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile devices often have enterprise applications installed (multifactor authenticator, email client, etc.), which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
Sent: Yes
Tags: Threat, Ransomware, Malware, Guideline, Vulnerability
Stories: APT 34
The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of a previous one.