One Article Review

Source Anomali
Identifier 2868449
Publication date 2021-06-02 15:00:00 (viewed: 2021-06-02 15:05:30)
Title Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021)

NOBELIUM, the threat actor behind the SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victim's system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.

Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect or poorly implemented filter rules.

MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193

Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military

Evolution of JSWorm Ransomware (published: May 25, 2021)

JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries, with the largest concentration in engineering and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.

Analyst Comment: Ransomware threats often affect organisations in two ways. First, operationally critical documents and data are encrypted. In these cases EDR solutions will help to block potential ransomware, and data backup solutions will help to restore files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts, whereas network segregation and encryption of critical data will play an important role in reducing the risk.

MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197
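The NOBELIUM story above describes an HTML attachment whose JavaScript writes an ISO file to disk, and the analyst comment asks that email filter rules be kept current. As an added example written for this review (not Anomali's code and not any mail gateway's real rule set), the following Python screens a raw message for the two attachment shapes that story names: HTML parts that carry script, an embedded base64 blob or an .iso filename, and disk-image attachments. The sample message, the rule thresholds and the names scan_message and build_sample_message are constructed for the example; the embedded blob is plain filler, not a disk image.

```python
import base64
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical screening rules for this example; tune them to your own mail flow.
HTML_EXTS = {".html", ".htm", ".shtml"}
DISK_IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)
# A run of 200+ base64 characters is the usual sign of an embedded file blob.
BASE64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{200,}")
ISO_NAME_RE = re.compile(rb"['\"][^'\"]{1,80}\.iso['\"]", re.IGNORECASE)


def scan_part(part):
    """Return (filename, reason) findings for one MIME part that carries a filename."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename.lower())[1]
    findings = []
    if ext in DISK_IMAGE_EXTS:
        findings.append((filename, "disk image attachment"))
    if ext in HTML_EXTS or part.get_content_type() == "text/html":
        # decode=True undoes the transfer encoding (base64/quoted-printable).
        body = part.get_payload(decode=True) or b""
        if SCRIPT_RE.search(body):
            reasons = ["html attachment contains script"]
            if BASE64_BLOB_RE.search(body):
                reasons.append("large base64 blob")
            if ISO_NAME_RE.search(body):
                reasons.append("references .iso filename")
            findings.append((filename, "; ".join(reasons)))
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and screen every part that has a filename."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_filename():
            findings.extend(scan_part(part))
    return findings


def build_sample_message():
    """Constructed sample message for the example; not a real campaign artifact."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Constructed sample for attachment screening"
    msg.set_content("Please see the attached document.")
    # Filler bytes, base64-encoded so they look like an embedded blob; they are
    # not a disk image or any executable content.
    blob = base64.b64encode(b"constructed filler " * 16).decode()
    html = (
        "<html><body><p>Loading...</p>"
        f"<script>var data = '{blob}'; var name = 'report.iso';</script>"
        "</body></html>"
    )
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"constructed placeholder, not a real ISO", maintype="application",
                       subtype="x-iso9660-image", filename="setup.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```

Run as a script it flags invoice.html (script plus blob plus .iso reference) and setup.iso, and leaves invoice.pdf alone. The check works on the decoded payload, so a base64- or quoted-printable-encoded attachment is inspected as the recipient's browser would see it; a gateway rule that only matches the raw transfer-encoded text is one of the "incorrectly implemented" filters the analyst comment warns about.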
Sent Yes
Tags Ransomware Malware Threat Medical
Stories SolarWinds APT 38 APT 28


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.