One Article Review

Source Anomali
Identifier 3243789
Publication date 2021-08-17 17:56:00 (viewed: 2021-08-17 18:05:34)
Title Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More
Text The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Colonial Pipeline Reports Data Breach After May Ransomware Attack (published: August 16, 2021)

Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident in May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack, Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of which was later recovered by the FBI. The DarkSide ransomware gang abruptly shut down its operation due to increased attention from governments, but later resurfaced under the new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that BlackMatter's RSA and Salsa20 implementations, including their use of a custom matrix, come from DarkSide.

Analyst Comment: BlackMatter (ex-DarkSide) added "Oil and Gas industry (pipelines, oil refineries)" to its non-target list, but ransomware remains a significant threat given its profitability and the growing number of ransomware actors with varying levels of recklessness. Double-extortion schemes add data exposure to a company's risks.
Stopping ransomware affiliates requires defense in depth, including patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and data loss prevention (DLP) systems.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA

Indra — Hackers Behind Recent Attacks on Iran (published: August 14, 2021)

Check Point Research discovered that a July 2021 cyber attack against the Iranian railway system was carried out by Indra, a non-government group. The attackers had access to the targeted networks for a month before deploying a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper, named Stardust and Comet, were seen in Syria, where Indra had been attacking the oil, airline, and financial sectors since at least 2019.

Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. As with ransomware protection, organizations should improve their intrusion detection methods against wiper attacks and maintain a resilient backup system.

MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 |
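The introduction says the IOCs attached to this issue can be used to check your logs. The script below is an added example of how that check is typically done and is not Anomali's code: it refangs a small indicator feed the way feeds ship it (hxxp://, [.]), classifies each indicator, and scans log lines for exact matches on addresses and hashes and suffix matches on domains. The feed and the log lines are constructed placeholders (reserved .example domains, an RFC 5737 TEST-NET-2 address, a made-up hash), not indicators from the Cyber Watch.

```python
"""Match a defanged threat-intel indicator feed against log lines.

Added example, not Anomali's code. All indicators and log lines below are
constructed placeholders (reserved .example domains, RFC 5737 TEST-NET-2
address, a made-up hash); they are not real IOCs from the Cyber Watch.
"""
import re

# Token extractors. Word boundaries keep 198.51.100.23 from matching inside
# 198.51.100.230 and keep an MD5-length prefix from matching inside a SHA-256.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
MD5 = re.compile(r"\b[0-9a-f]{32}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b")


def refang(ioc: str) -> str:
    """Undo the defanging that feeds apply so indicators are not clickable."""
    s = ioc.strip()
    s = re.sub(r"(?i)^hxxp", "http", s)            # hxxp:// and hxxps://
    s = re.sub(r"(?i)\[\.\]|\(\.\)|\[dot\]", ".", s)  # example[.]com
    s = s.replace("[://]", "://").replace("[:]", ":")
    return s.lower()


def classify(ioc: str) -> str:
    """Return the indicator type; order matters (a hash is not a domain)."""
    if IPV4.fullmatch(ioc):
        return "ipv4"
    if SHA256.fullmatch(ioc):
        return "sha256"
    if MD5.fullmatch(ioc):
        return "md5"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if DOMAIN.fullmatch(ioc):
        return "domain"
    raise ValueError(f"unrecognised indicator: {ioc!r}")


def load_iocs(feed):
    """Refang and bucket a list of raw feed strings by indicator type."""
    iocs = {"ipv4": set(), "sha256": set(), "md5": set(), "url": set(), "domain": set()}
    for raw in feed:
        value = refang(raw)
        iocs[classify(value)].add(value)
    return iocs


def scan_logs(iocs, lines):
    """Return (line_number, ioc_type, matched_value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()                      # hashes and hosts may be upper-case in logs
        hits += [(n, "ipv4", t) for t in IPV4.findall(low) if t in iocs["ipv4"]]
        hits += [(n, "sha256", t) for t in SHA256.findall(low) if t in iocs["sha256"]]
        hits += [(n, "md5", t) for t in MD5.findall(low) if t in iocs["md5"]]
        for tok in DOMAIN.findall(low):
            # A domain indicator also covers its subdomains (c2.bad.example for bad.example).
            if any(tok == d or tok.endswith("." + d) for d in iocs["domain"]):
                hits.append((n, "domain", tok))
        hits += [(n, "url", u) for u in iocs["url"] if u in low]
    return hits


# Constructed, defanged feed in the form indicator lists are usually shipped.
IOC_FEED = [
    "hxxp://cdn[.]payload[.]example/update.bin",
    "payload[.]example",
    "198[.]51[.]100[.]23",
    "0123456789abcdef" * 4,   # made-up SHA-256, 64 hex characters
]

# Constructed log lines: DNS, proxy, EDR and firewall events from one host.
LOG_LINES = [
    "2021-08-16T09:58:11Z dns client=10.0.0.21 query=mail.corp.example rcode=NOERROR",
    "2021-08-16T09:58:40Z dns client=10.0.0.21 query=cdn.payload.example rcode=NOERROR",
    "2021-08-16T09:58:41Z proxy client=10.0.0.21 method=GET url=http://cdn.payload.example/update.bin status=200",
    "2021-08-16T09:59:02Z edr host=ws021 event=process_create image=C:\\Users\\a\\update.bin "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2021-08-16T09:59:30Z fw src=10.0.0.21 dst=198.51.100.23 dport=443 action=allow",
    "2021-08-16T10:00:00Z fw src=10.0.0.22 dst=198.51.100.230 dport=443 action=allow",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_logs(load_iocs(IOC_FEED), LOG_LINES):
        print(f"line {line_no}: {kind} {value}")
```

Lines 2 to 5 hit (the DNS lookup and the proxy fetch of the staging host, the hash of the dropped file, and the outbound connection); line 6 does not, because 198.51.100.230 is a different address and the word boundary in the IPv4 pattern prevents a prefix match. The suffix rule on domains is deliberate: feeds usually list a parent domain, while logs show whatever subdomain the malware actually resolved.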
Tags Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline
Stories APT 27


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.