One Article Review

Home - The article:
Source Anomali
Identifier 2930142
Publication date 2021-06-15 16:05:00 (viewed: 2021-06-15 17:05:31)
Title Anomali Cyber Watch: TeamTNT Expand Its Cryptojacking Footprint, PuzzleMaker Attack with Chrome Zero-day, NoxPlayer Supply-Chain Attack Likely The Work of Gelsemium Hackers and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BackdoorDiplomacy, Gelsemium, Gootkit, Siloscape, TeamTNT, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

NoxPlayer Supply-Chain Attack is Likely The Work of Gelsemium Hackers (published: June 14, 2021)

ESET researchers have discovered malicious activity dating back to at least 2014 attributed to the Gelsemium cyberespionage group. The group targets electronics manufacturers, governments, and religious entities in multiple countries throughout East Asia and the Middle East. Gelsemium demonstrated sophistication in its infection chain with extensive configurations, multiple implants at each stage, and on-the-fly modification of settings for delivering the final payload. The dropper, called Gelsemine, drops a loader called Gelsenicine, which in turn delivers the final payload, called Gelsevirine.

Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.

MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Cyberespionage, Gelsemium, Supply Chain

BackdoorDiplomacy: upgrading from Quarian to Turian (published: June 10, 2021)

A new advanced persistent threat (APT) group, dubbed BackdoorDiplomacy, has been targeting ministries of foreign affairs (MOFAs) and telecommunication companies located in Africa and the Middle East since at least 2017, according to ESET researchers. The group was observed targeting "vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment." BackdoorDiplomacy's objective is to access a system, use pentesting tools for lateral movement, and install a custom backdoor called "Turian," which is based on the Quarian backdoor.

Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate its exploitation into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.

MITRE ATT&CK:
Sent Yes
Tags Ransomware Malware Vulnerability Threat
Stories Uber


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.