One Article Review

Home - The article:
Source Anomali
Identifier 2704270
Publication date 2021-04-27 17:24:00 (viewed: 2021-04-27 18:06:01)
Title Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021)

US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.

Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall's security notice can be found here: https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.

MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083

Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022

Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021)

The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes, which are the 7zip command-line executable.

Analyst Comment: Attackers are using legitimate tools like 7zip to evade detection by traditional antiviruses. EDR solutions can help track suspicious command-line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able to recover encrypted files.

MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081

Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195

Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021)

A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Medical
Stories Wannacry, APT 38, APT 28
Notes


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.