One Article Review

Source Anomali
Identifier 3438959
Publication date 2021-09-28 15:30:00 (seen: 2021-09-28 16:05:50)
Title Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Malicious PowerPoint Documents On The Rise (published: September 22, 2021)

McAfee Labs researchers have observed a new phishing campaign that abuses the macro capabilities of Microsoft PowerPoint. The lure uses finance-related themes such as purchase orders. The spam email carries a PowerPoint file as an attachment; when the attachment is opened and its macros are allowed to run, the embedded VBA macro executes and delivers variants of AgentTesla, a well-known password stealer. Attackers offer this remote access trojan (RAT) as Malware-as-a-Service (MaaS) and use it to steal user credentials and other information from victims through screenshots, keylogging and clipboard captures.

Analyst Comment: A document that asks you to enable content before it can be viewed properly is often a sign of a phishing attack. If such a file arrives from a known and trusted sender, contact that person to verify that the attachment is genuine before opening it. Any such attachment from an unknown sender should be treated with the utmost scrutiny: do not open it, and report it to the appropriate personnel.

MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance

Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials (published: September 22, 2021)

Researchers from Guardicore have found a flaw in the implementation of the Autodiscover protocol, the feature Microsoft Exchange uses to automatically configure a user's mail client, such as Microsoft Outlook, with the organization's predefined mail settings. Because of this flaw, Windows credentials end up being sent to untrusted third-party websites. The researchers identified approximately 100,000 login names and passwords for Windows domains worldwide that were leaked this way.

Analyst Comment: Administrators are advised to block the Autodiscover TLD domains listed by the researchers on GitHub: https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover. Even though most of these domains may not be malicious today, adversaries can easily register and take them over. Organizations are also advised to disable Basic authentication, so that a request that does reach such a domain does not carry a directly reusable password.

Tags: EU & UK, China

Netgear SOHO Security Bug Allows RCE, Corporate Attacks (published: September 22, 2021)

Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers that could allow remote c
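The PowerPoint campaign above relies on a VBA project embedded in the attachment. A mail gateway or analyst can spot that before anyone clicks "Enable Content": modern PowerPoint files (.pptx/.pptm/.ppsm) are ZIP containers, a VBA project is stored as ppt/vbaProject.bin and is registered in [Content_Types].xml with a macroEnabled content type, while legacy binary .ppt files are OLE2 compound documents that need a different parser. The following is an added example, not code from Anomali or McAfee; the sample attachments are constructed in-memory skeletons, and the verdict strings are this example's own.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.ppt) header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_powerpoint(data: bytes) -> dict:
    """Return macro indicators for a PowerPoint attachment supplied as bytes.

    OOXML files are ZIP archives: the VBA project is the part vbaProject.bin and the
    package manifest [Content_Types].xml names macroEnabled content types. Legacy
    OLE2 (.ppt) files are only flagged for review, since they need an OLE parser.
    """
    info = {"format": "unknown", "has_vba": False, "macro_enabled_type": False, "vba_parts": []}
    if data.startswith(OLE2_MAGIC):
        info["format"] = "ole2"
        return info
    if not data.startswith(b"PK"):
        return info
    info["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        info["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        info["has_vba"] = bool(info["vba_parts"])
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            info["macro_enabled_type"] = "macroEnabled" in manifest or VBA_CONTENT_TYPE in manifest
    return info


def verdict(info: dict) -> str:
    """Map the indicators to an action a gateway could take (labels are this example's own)."""
    if info["format"] == "ole2":
        return "legacy-binary: review with an OLE parser"
    if info["has_vba"] or info["macro_enabled_type"]:
        return "macro: quarantine and analyse"
    if info["format"] == "ooxml":
        return "no-macro"
    return "unknown-format"


def _build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML skeleton, not a real presentation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
        if with_macro:
            types.append('<Override PartName="/ppt/presentation.xml" '
                         'ContentType="application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml"/>')
            types.append('<Override PartName="/ppt/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/>')
        else:
            types.append('<Override PartName="/ppt/presentation.xml" '
                         'ContentType="application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_macro:
            zf.writestr("ppt/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not real VBA
    return buf.getvalue()


SAMPLE_MACRO = _build_sample(True)      # stands in for a malicious "Purchase Order.pptm"
SAMPLE_CLEAN = _build_sample(False)     # stands in for a benign .pptx
SAMPLE_LEGACY = OLE2_MAGIC + b"\x00" * 504  # stands in for a legacy .ppt

if __name__ == "__main__":
    for label, blob in (("Purchase Order.pptm", SAMPLE_MACRO),
                        ("Purchase Order.pptx", SAMPLE_CLEAN),
                        ("Purchase Order.ppt", SAMPLE_LEGACY)):
        result = inspect_powerpoint(blob)
        print(f"{label}: {verdict(result)} {result['vba_parts']}")
```

The check is deliberately structural rather than signature-based: it does not care what the macro does, only that a VBA project is present in a document that arrived by email, which is the condition the Analyst Comment tells users to treat with scrutiny.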
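For the Autodiscover story, the practical question for a defender is whether any client in the estate has already talked to one of those registrable autodiscover.<tld> hosts, and whether it did so with Basic authentication (the case in which the credential is directly reusable). The Guardicore analysis describes clients that fail to resolve autodiscover.example.com and example.com and then "back off" to the bare TLD, for example autodiscover.com. The script below is an added example, not Anomali's or Guardicore's code: it scans proxy log lines in a constructed, simplified format (timestamp, client, method, URL, status, authentication scheme), treats every autodiscover.* host outside the organisation's own domains (OWN_DOMAINS, an assumed allowlist) as a back-off contact, and escalates it to a credential leak when the scheme is Basic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log, not from any real environment. Fields:
# timestamp client_ip method url status auth_scheme ("-" when no Authorization header)
SAMPLE_LOG = """\
2021-09-22T10:01:02Z 10.0.0.5 POST https://autodiscover.example.com/autodiscover/autodiscover.xml 200 NTLM
2021-09-22T10:01:03Z 10.0.0.5 POST https://example.com/autodiscover/autodiscover.xml 404 -
2021-09-22T10:01:04Z 10.0.0.5 POST https://autodiscover.com/autodiscover/autodiscover.xml 401 -
2021-09-22T10:01:05Z 10.0.0.5 POST https://autodiscover.com/autodiscover/autodiscover.xml 200 Basic
2021-09-22T10:02:11Z 10.0.0.9 GET https://autodiscover.com.br/autodiscover/autodiscover.xml 200 Basic
2021-09-22T10:03:00Z 10.0.0.9 GET https://www.example.com/ 200 -
"""

# Assumed allowlist: the organisation's own mail domains, where Autodiscover is legitimate.
OWN_DOMAINS = {"example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, auth = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "auth": auth}


def is_own_domain(host: str, own=OWN_DOMAINS) -> bool:
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own)


def classify(rec: dict, own=OWN_DOMAINS):
    """Return a finding type for Autodiscover traffic that left the organisation, else None.

    Any autodiscover.<something> host we do not own is a back-off destination an
    attacker could register; if the request carried Basic auth, the password
    itself travelled to that host.
    """
    host = rec["host"]
    if not host.startswith("autodiscover.") or is_own_domain(host, own):
        return None
    if rec["auth"].lower() == "basic":
        return "CREDENTIAL_LEAK"
    return "BACKOFF_CONTACT"


def scan(log_text: str, own=OWN_DOMAINS):
    """Return (finding_type, client, host, auth_scheme) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, own)
        if kind:
            findings.append((kind, rec["client"], rec["host"], rec["auth"]))
    return findings


if __name__ == "__main__":
    for kind, client, host, auth in scan(SAMPLE_LOG):
        print(f"{kind:17} client={client} host={host} auth={auth}")
```

Hosts that match BACKOFF_CONTACT are the ones to add to the egress block list alongside the published TLD list; CREDENTIAL_LEAK hits identify clients whose users should rotate passwords, and their presence is a direct measure of how much Basic authentication is still in use.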
Sent Yes
Tags Ransomware Spam Malware Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.