One Article Review

Source Anomali
Identifier 3369753
Publication date 2021-09-14 15:00:00 (seen: 2021-09-14 15:05:33)
Title Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More
Text The threat intelligence stories in this iteration of the Anomali Cyber Watch cover the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.

Trending Cyber News and Threat Intelligence

S.O.V.A. – A New Android Banking Trojan with Fowl Intentions (published: September 10, 2021)

ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase, and the threat actor is publicly advertising S.O.V.A. for trial runs against banks in order to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII), which it does through overlay attacks, keylogging, man-in-the-middle attacks, and session-cookie theft, among other techniques. The author’s project roadmap for S.O.V.A. also lists distributed denial-of-service (DDoS) and ransomware features.

Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official sources such as the Google Play Store or Apple App Store to obtain software, and avoid downloading applications from third-party stores even if they appear legitimate. Furthermore, always review the permissions an app requests upon installation.

MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle

Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (published: September 9, 2021)

Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering, Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI and established full control over other users' containers. The researchers named the vulnerability Azurescape to highlight its significance: it is the first cross-account container takeover in the public cloud.

Analyst Comment: The Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl
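The introduction notes that the IOCs attached to the Cyber Watch can be used to check your logs for malicious activity. The following Python script is an added example, not code from Anomali or from the article: it sweeps log lines for an indicator set covering domains (including subdomains of an indicator), IPv4 addresses and SHA-256 hashes. Every indicator and log line in it is constructed for illustration (reserved .example domains, TEST-NET addresses, the SHA-256 of the empty string); in practice you would load the feed export in their place.

```python
"""Sweep log lines for IOCs of three types: domain, IPv4 address, SHA-256 hash."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Hypothetical indicator set. These are NOT the IOCs attached to Anomali Cyber Watch:
# the domains use the reserved .example TLD, the IPs come from TEST-NET ranges, and the
# hash is SHA-256 of the empty string. Replace with a real feed export in practice.
IOCS = {
    "domain": {"update-bank.example", "cdn.malicious.example"},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed sample log lines (proxy, DNS, EDR, firewall), not taken from the article.
SAMPLE_LOGS = [
    "2021-09-14T10:01:03Z proxy src=10.0.0.12 dst=cdn.malicious.example uri=/loader.apk status=200",
    "2021-09-14T10:01:09Z dns query=mail.internal.example type=A answer=10.0.0.5",
    "2021-09-14T10:02:44Z dns query=api.update-bank.example type=A answer=203.0.113.45",
    "2021-09-14T10:03:10Z edr host=ws-17 file=C:\\Users\\a\\Downloads\\inv.pdf "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2021-09-14T10:03:11Z fw src=10.0.0.9 dst=192.0.2.10 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostname-like tokens: one or more labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    observed: str   # normalized value as it appeared in the log line
    indicator: str  # the IOC entry it matched (may be a parent domain)


def _valid_ipv4(token: str) -> bool:
    """Reject dotted quads with out-of-range octets such as 999.1.1.1."""
    try:
        return isinstance(ipaddress.ip_address(token), ipaddress.IPv4Address)
    except ValueError:
        return False


def _match_domain(host: str, domains: set[str]) -> str | None:
    """Exact match, or the host is a subdomain of an indicator (api.evil.example -> evil.example)."""
    if host in domains:
        return host
    for d in domains:
        if host.endswith("." + d):
            return d
    return None


def scan(lines, iocs=IOCS) -> list[Hit]:
    """Return every indicator match found in the given log lines, in line order."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if _valid_ipv4(ip) and ip in iocs["ipv4"]:
                hits.append(Hit(n, "ipv4", ip, ip))
        for digest in SHA256_RE.findall(line):
            digest = digest.lower()  # feeds and logs disagree on case; normalize
            if digest in iocs["sha256"]:
                hits.append(Hit(n, "sha256", digest, digest))
        for host in DOMAIN_RE.findall(line):
            host = host.lower().rstrip(".")
            matched = _match_domain(host, iocs["domain"])
            if matched:
                hits.append(Hit(n, "domain", host, matched))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.ioc_type} {h.observed} (indicator {h.indicator})")
```

Domain indicators are matched by suffix so that a lookup for a subdomain of a listed domain still fires; IPv4 candidates are validated with `ipaddress` before lookup so that version strings and malformed quads do not produce false matches.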
Sent Yes
Tags Ransomware Spam Malware Tool Vulnerability Threat Guideline
Stories Uber APT 41 APT 15


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.