One Article Review

Source: Anomali
Identifier: 3100256
Publication date: 2021-07-20 15:00:00 (seen: 2021-07-20 15:05:27)
Title: Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021)

On July 19th, 2021, the US, the UK, and other global allies jointly accused China of a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS); the US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise from historic APT40 activity.

Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, and use segmentation and strict access control measures for critical data. Organizations can use Anomali Match to perform real-time forensic analysis for tracking such attacks.

MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210

Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China

NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021)

Israeli surveillance company NSO Group supposedly sells spyware to vetted government bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors: pro-democracy activists, journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is the Pegasus malware, which targets both iPho
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Studies, Guideline, Industrial
Stories: APT 41, APT 40, APT 28, APT 31
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.