One Article Review

The article:
Source: Anomali
Identifier: 2996479
Publication date: 2021-06-29 16:29:00 (seen: 2021-06-29 17:05:32)
Title: Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Microsoft Signed a Malicious Netfilter Rootkit (published: June 25, 2021)

Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.

Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.

MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China

Dell BIOSConnect Flaws Affect 30 Million Devices (published: June 24, 2021)

Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.

Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program.

MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect

Malicious Spam Campaigns Delivering Banking Trojans (published: June 24, 2021)

Analysis from two mid-March 2021 spam campaigns revealed that th
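The BIOSConnect summary above describes a TLS client that accepted any valid wildcard certificate, which is a hostname-verification defect: the certificate chains to a trusted CA, but the name in it is never bound to the host the client meant to reach. The following Python is an added example written for this review, not code from Anomali or from Dell's tool; the endpoint name and the certificate name lists are constructed. It places a flawed matcher of that class next to a strict single-label wildcard matcher (RFC 6125 style), and shows that the standard library's default TLS context already enforces hostname checking so the fix in practice is to not disable it.

```python
"""Added example: hostname verification for a TLS peer certificate.
Contrasts a flawed matcher that accepts any wildcard certificate with a
strict matcher that binds the wildcard to the expected parent domain.
All names below are constructed for illustration."""
import ssl

# Hypothetical firmware-update endpoint the client intends to talk to.
EXPECTED_HOST = "update.example-vendor.test"


def flawed_matches(cert_names, host):
    """Flawed check (the class of defect described in the summary):
    any wildcard entry is treated as matching any host, so a valid
    certificate for an unrelated domain passes verification."""
    for name in cert_names:
        if name.startswith("*."):
            return True  # wrong: wildcard accepted without a domain check
        if name.lower() == host.lower():
            return True
    return False


def dnsname_matches(pattern, host):
    """Strict RFC 6125-style match: '*' may only replace the whole
    leftmost label, the remaining labels must equal the host's, and
    the wildcard must be at least two labels deep (no '*.test')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*":
        return False  # wildcard must be the entire leftmost label
    if any("*" in label for label in p_labels[1:]):
        return False  # no wildcards elsewhere in the name
    if len(p_labels) < 3:
        return False  # '*.tld' is too broad to accept
    if len(h_labels) != len(p_labels):
        return False  # '*' matches exactly one label, never 'a.b'
    return h_labels[1:] == p_labels[1:]


def strict_matches(cert_names, host):
    """Accept the peer only if some SAN dNSName binds to the host."""
    return any(dnsname_matches(name, host) for name in cert_names)


def verify_peer(cert_names, host=EXPECTED_HOST):
    """Raise on mismatch, mirroring how a TLS client should behave."""
    if not strict_matches(cert_names, host):
        raise ssl.SSLCertVerificationError(
            f"certificate names {cert_names} do not match {host}")
    return True


def hardened_context():
    """The standard library default already requires a trusted chain AND
    a hostname match; a hardened client keeps both settings enabled."""
    ctx = ssl.create_default_context()
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    unrelated = ["*.attacker.test"]          # valid cert, wrong domain
    legitimate = ["*.example-vendor.test"]   # valid cert, right domain
    print("flawed accepts unrelated wildcard:", flawed_matches(unrelated, EXPECTED_HOST))
    print("strict accepts unrelated wildcard:", strict_matches(unrelated, EXPECTED_HOST))
    print("strict accepts legitimate wildcard:", strict_matches(legitimate, EXPECTED_HOST))
    print("default ssl context enforces hostname:", hardened_context())
```

The useful comparison is the first two lines of output: a certificate issued to an unrelated domain satisfies the flawed matcher but not the strict one. Detection-wise, the same logic can be run over the SAN list of a captured server certificate to confirm that an update client is talking to the host it claims to.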
Sent: Yes
Tags: Ransomware, Data Breach, Spam, Malware, Tool, Vulnerability, Threat, Patching
Stories: APT 30


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.