One Article Review

Source: Anomali
Identifier: 3348508
Publication date: 2021-09-07 19:29:00 (viewed: 2021-09-07 20:05:34)
Title: Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More
Text:

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

[Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.]

Trending Cyber News and Threat Intelligence

Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor (published: September 3, 2021)

Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs consistent with previous FIN7 campaigns. FIN7 is a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high-profile arrests, activity like this illustrates that they remain more than capable of continuing to target victims.

Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network; this makes it easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.

MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087

Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding, POS, javascript, backdoor, CIS

Feds Warn of Ransomware Attacks Ahead of Labor Day (published: September 1, 2021)

The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond to and remediate incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven'
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.