One Article Review

Source: Anomali
Identifier: 3472727
Publication date: 2021-10-05 18:28:00 (viewed: 2021-10-05 19:05:33)
Title: Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome bugs, Hydra malware, NOBELIUM and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now (published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71 due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month prompted by actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high-severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers, which are increasingly used for a wide variety of tasks. Organizations can leverage the capabilities of Anomali ThreatStream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day

Hydra Malware Targets Customers of Germany's Second Largest Bank (published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware, delivered as an Android application, impersonates the legitimate application of Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of Android accessibility features and permissions, which give the application the ability to stay running and hidden with essentially full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed, it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before use.
Tags: Banking and Finance, EU, Hydra, trojan

New APT ChamelGang Targets Russian Energy, Aviation Orgs (published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities such as Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017 and have observed that it has attacked targets in 10 countries so far. The group has been able to hi
Sent: Yes
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Stories: SolarWinds, APT 27
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.