One Article Review

Home - The article:
Source: Anomali
Identifier: 3407078
Publication date: 2021-09-21 16:09:00 (viewed: 2021-09-21 17:05:34)
Title: Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

CISA: Patch Zoho Bug Being Exploited by APT Groups (published: September 17, 2021)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as "CVE-2021-4053," that affects Zoho's "ManageEngine ADSelfService Plus," a self-service password management and single sign-on solution from the online productivity vendor. According to CISA, the authentication bypass can lead to remote code execution (RCE). Successful exploitation allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities such as compromising administrator credentials, moving laterally, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA stated that malicious actors may have been exploiting it as far back as August.

Analyst Comment: Users should immediately apply the patch released by Zoho. Continued use of vulnerable applications increases the likelihood that threat actors will attempt to exploit them, especially when open sources discuss the details of a vulnerability, since those details can allow actors to build exploits against the vulnerable software.

MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho

Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise (published: September 16, 2021)

Cisco Talos, along with Microsoft researchers, has identified a spearphishing campaign that has been targeting the aviation sector for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails carried an attached PDF file containing an embedded link that led to a malicious VBScript, which in turn dropped Trojan payloads on the target machine. The malware was used to spy on victims and to exfiltrate data including credentials, screenshots, clipboard contents, and webcam captures. The threat actor attributed to this campaign has also been linked to crypter purchases on online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of having been active since at least 2013, because the IPs connected to the hosts, the domains, and the attacks at large originate from that country.

Analyst Comment: Files that ask for content to be enabled in order to view the document properly are often a sign of a phishing attack. If such a file is sent to you via a
Sent: Yes
Tags: Spam, Malware, Tool, Vulnerability, Threat


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.