One Article Review

Home - The article:
Source: Anomali
Identifier: 2807407
Publication date: 2021-05-18 19:05:00 (viewed: 2021-05-18 20:05:32)
Title: Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

[Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.]

Trending Cyber News and Threat Intelligence

Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021)
A new method of fingerprinting users has been developed that works in any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine which applications are installed and build a fingerprint from the result. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer, which resets the flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge

Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021)
Anomali Threat Research has identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, together with shellcode used to inject that payload into memory. Because the malware is delivered this way, it never touches disk as a conventional executable, allowing it to evade file-based detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory-based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 |
Sent: Yes
Tags: Ransomware, Malware, Vulnerability, Threat, Guideline
Stories: APT 36


The article does not appear to have been republished after its publication.


The article does not appear to be a repost of an earlier one.