One Article Review

Home - The article:
Source: Anomali
Identifier: 3028191
Publication date: 2021-07-06 15:05:00 (seen: 2021-07-06 15:05:29)
Title: Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021)

A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of its customers worldwide were affected, but because some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US, with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing; it was one of the administrative-interface vulnerabilities in system administration tools previously identified by DIVD researcher Wietse Boonstra. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files: the dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe), which then side-loads the custom malicious loader and executes its export. The attack coincided with the start of the US Independence Day weekend and contains several politically charged strings, such as a “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.

Analyst Comment: Kaseya VSA clients should follow the company’s recommendations: it has advised shutting Kaseya VSA servers down and is making new security updates available. Every organization should have a ransomware disaster recovery plan, even if it is serviced by a managed service provider (MSP).

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073

Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a-Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools

IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021)

Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April, when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system, which then reaches out to the Dropbox API, used as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I
Sent: Yes
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Guideline
Stories: APT 19, APT 10
Notes:


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.