One Article Review

Home - The article:
Source: Anomali
Identifier: 3531690
Publication date: 2021-10-19 15:00:00 (viewed: 2021-10-19 15:05:24)
Title: Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia (published: October 18, 2021)

A new threat group dubbed "Harvester" has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and telecom companies, combined with the information-stealing campaign, there is a high likelihood that this group is nation-state backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it does not exist, a redirect is performed to a VBS file that is downloaded and run; this in turn downloads and installs the Graphon backdoor. The command and control (C2) channel uses legitimate Microsoft and CloudFront services to mask data exfiltration.

Analyst Comment: Nation-state threat actors continually evolve their tactics, techniques and tools to adapt and infiltrate victim governments and companies. Ensure that employees receive training on downloading programs or documents only from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicious activity may be occurring.

MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057

Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit

Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (published: October 14, 2021)

Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool generates unique domain names so that its users can test whether an exploit is successful: when the target resolves or requests one of those names, the interaction is reported back in real time. It can be used by researchers - but also by attackers - to validate vulnerabilities by monitoring that callback. Researchers creating a proof-of-concept (PoC) for an exploit can insert an Interactsh domain to check whether the exploit is working, but the same callback tells an attacker whether their exploit has fired. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.

Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools to reach a goal. In this instance, Interact.sh can be used to show whether an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, this being the latest example. If necessary, take precautions and block traffic to interact.sh within company networks.

Tags: Interactsh, Exploits
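The analyst comment above recommends blocking traffic to interact.sh on company networks; a defender will usually want to detect such lookups before (or as well as) blocking them, because an internal host resolving an Interactsh callback name may be evidence that an exploit attempt against it succeeded. The following Python scanner is an added example and is not code from the Anomali article or from the Interactsh project: it walks DNS-resolver log lines and flags queries for interact.sh callback hostnames. The log line format, the sample log lines and the secondary heuristic of flagging any label equal to "interactsh" (to catch a self-hosted instance) are assumptions made for this illustration; only the public interact.sh domain comes from the article.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed DNS-resolver log lines for the example (not from the article).
# Assumed line format: "<timestamp> <client_ip> <query_type> <queried_name>"
SAMPLE_DNS_LOG = """\
2021-10-18T09:12:01Z 10.0.4.17 A cdn.example.com
2021-10-18T09:12:05Z 10.0.4.17 A c6f2a1b3d4e5f6a7b8c9d0e1f2a3b4c5.interact.sh
2021-10-18T09:12:09Z 10.0.7.42 A mail.example.com
2021-10-18T09:13:40Z 10.0.7.42 AAAA C6F2A1B3.INTERACT.SH
2021-10-18T09:14:02Z 10.0.9.3 A login.microsoftonline.com
2021-10-18T09:15:11Z 10.0.4.17 A interactsh.example.com
this line is malformed and must not crash the scanner
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# Public Interactsh server domain named in the article. An organisation that
# self-hosts the server would add its own domain here (assumption).
DEFAULT_SUFFIXES: Tuple[str, ...] = ("interact.sh",)


def is_interactsh_name(name: str, suffixes: Iterable[str] = DEFAULT_SUFFIXES) -> bool:
    """Return True if the queried name is an Interactsh callback hostname.

    Suffixes are matched on whole DNS labels, so a look-alike such as
    'evil-interact.sh' is not matched by accident. As a weaker heuristic
    (an assumption of this example) any label equal to 'interactsh' is also
    flagged. Comparison is case-insensitive and ignores a trailing dot.
    """
    host = name.lower().rstrip(".")
    labels = host.split(".")
    for suffix in suffixes:
        suffix_labels = suffix.lower().strip(".").split(".")
        if labels[-len(suffix_labels):] == suffix_labels:
            return True
    return "interactsh" in labels


def find_callback_lookups(
    log_text: str, suffixes: Iterable[str] = DEFAULT_SUFFIXES
) -> List[Dict[str, str]]:
    """Parse resolver log lines and return the ones that hit a callback name."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            # Skip malformed lines rather than abort a batch run.
            continue
        if is_interactsh_name(match["name"], suffixes):
            hits.append(match.groupdict())
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged lookups per internal client, to prioritise triage."""
    return dict(Counter(hit["client"] for hit in hits))


if __name__ == "__main__":
    found = find_callback_lookups(SAMPLE_DNS_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['client']} -> {hit['name']}")
    print(clients_by_hit_count(found))
```

Matching on whole labels rather than with a substring search keeps the check from misfiring on unrelated names that merely contain the string, while still catching upper-case and trailing-dot variants; the per-client count is what an analyst would pivot on to find the host that was most likely the target of a live exploit attempt.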
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Patching, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.