One Article Review

Home - The article:
Source Anomali
Identifier 2890622
Publication date 2021-06-08 15:00:00 (viewed: 2021-06-08 15:05:32)
Title Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations (published: June 4, 2021)

Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud-focused threat group. The repo shows the expansion of TeamTNT's abilities and includes scripts for scraping SSH keys and AWS IAM credentials and for searching for config files that contain credentials. In addition to AWS credentials, TeamTNT is now also searching for Google Cloud credentials, the first instance of the group expanding to GCP.

Analyst Comment: Any internal-only cloud assets and SSH/privileged access for customer-facing cloud infrastructure should only be accessible via the company VPN. This ensures attackers don’t get admin access from over the internet even if keys or credentials are compromised. Customers should monitor for compromised credentials in public leaks and reset the passwords for those accounts immediately.

MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069

Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates

Necro Python Bots Adds New Tricks (published: June 3, 2021)

Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same, with a focus on Monero mining; however, exploits for the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses Python to support multiple platforms.

Analyst Comment: Users should ensure they always apply the latest patches, as the bot is looking to exploit unpatched vulnerabilities. Users need to change the default passwords on home routers to ensure potential malware on personal devices doesn’t spread to corporate devices through router takeover.

MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219

Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig

New SkinnyBoy Ma
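The TeamTNT analyst comment above says SSH and other privileged access should only be reachable over the company VPN. The following Python audit is an added example, not code from the Anomali article or from Palo Alto: it walks rule data shaped like AWS security-group ingress permissions (the VPN CIDR, the admin port list and the sample groups are constructed assumptions) and reports every admin port open to a source outside the VPN ranges, including the catch-all "-1" protocol rule.

```python
import ipaddress

# Ports that should only be reachable from the company VPN (assumption).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
VPN_CIDRS = [ipaddress.ip_network("10.8.0.0/16")]  # constructed VPN range


def _port_range(rule):
    """Ports covered by a rule; IpProtocol '-1' means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _from_vpn_only(cidr):
    """True when the source CIDR lies entirely inside a VPN range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == v.version and net.subnet_of(v) for v in VPN_CIDRS)


def find_exposed_admin_ports(security_groups):
    """Return (group id, port, service, source cidr) for admin ports open beyond the VPN."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            low, high = _port_range(rule)
            exposed = [p for p in ADMIN_PORTS if low <= p <= high]
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not _from_vpn_only(cidr):
                    findings += [(sg["GroupId"], p, ADMIN_PORTS[p], cidr) for p in exposed]
    return findings


# Constructed sample data: one group scoped to the VPN, one open to the internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-vpnonly", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.8.4.0/24"}]}]},
    {"GroupId": "sg-exposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, name, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {name}/{port} reachable from {cidr}, not only the VPN")
```

On real data the rule list would come from the cloud API (for AWS, the IpPermissions of each security group), with VPN_CIDRS set to the organisation's actual VPN egress ranges.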
Sent Yes
Tags Ransomware Malware Vulnerability Threat Patching Guideline
Stories APT 29 APT 28
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.