One Article Review

The article:
Source Anomali
Identifier 3140285
Publication date 2021-07-27 15:00:00 (viewed: 2021-07-27 15:05:27)
Title Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Windows “PetitPotam” Network Attack – How to Protect Against It (published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher Gilles Lionel created a proof-of-concept script that abuses Microsoft’s NT LAN Manager (NTLM)-based protocol MS-EFSRPC (Encrypting File System Remote Protocol). PetitPotam only works if the following conditions are met: NTLM authentication is enabled on the domain, Active Directory Certificate Services (AD CS) is in use, and Certificate Authority Web Enrollment or Certificate Enrollment Web Service is enabled. Exploitation can result in an NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps for this attack, which include disabling NTLM on any potentially affected domain, among others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle

APT31 Modus Operandi Attack Campaign Targeting France (published: July 21, 2021)
The French cybersecurity watchdog, ANSSI, issued an alert via the French computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers

StrongPity APT Group Deploys Android Malware for the First Time (published: July 21, 2021)
Trend Micro researchers analyzed a malicious APK sample shared on Twitter by MalwareHunterTeam. The sample was described as a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers pivoted on this information to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r
Sent Yes
Tags Malware Tool Vulnerability Threat
Stories Uber APT 31
Notes


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.