One Article Review

Home - The article:
Source: Anomali
Identifier 2966761
Publication date 2021-06-22 18:18:00 (viewed: 2021-06-22 19:05:34)
Title Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Black Kingdom, Darkside, Go, Klingon RAT, Microsoft PowerApps, ransomware and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021)
Researchers at Securelist identified ransomware attacks from Andariel, a sub-group of Lazarus, targeting South Korea. Victims included entities in the manufacturing, home network service, media and construction sectors. The attacks used malicious Microsoft Word documents containing a macro and novel techniques to implant a multi-stage payload; the final payload was ransomware custom-made for this specific attack.
Analyst Comment: Users should be wary of documents that request macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up to date with the latest version to better ensure security.
MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros

Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021)
In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructure.
Analyst Comment: Malware as a Service (MaaS) is a relatively new development that opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs, which highlights the importance of intelligence sharing for proactive protection.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America

Black Kingdom ransomware (published: June 17
Sent Yes
Tags Ransomware Data Breach Malware Vulnerability Threat Medical
Stories APT 38 APT 28


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.