One Article Review

Home - The article:
Source Anomali
Identifier 3276119
Publication date 2021-08-24 17:11:00 (viewed: 2021-08-24 18:05:38)
Title Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.

Trending Cyber News and Threat Intelligence

Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021)

Despite patches for a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange having been available since the July 2021 update, researchers discovered that nearly 2,000 vulnerable Exchange servers have recently been compromised to host webshells. These webshells allow attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.

Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells already planted in their environments. A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to help organizations ingest current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor

LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021)

A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs), which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Patching Cloud
Stories APT 37
Notes
The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.